Beyond coding. We forge. https://forgejo.org
Find a file
Giteabot 248a5b8d7a
Prevent automatic OAuth grants for public clients (#30790) (#30836)
Backport #30790 by archer-321

This commit forces the resource owner (user) to always approve OAuth 2.0
authorization requests if the client is public (e.g. native
applications).

As detailed in [RFC 6749 Section
10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2),

> The authorization server SHOULD NOT process repeated authorization
requests automatically (without active resource owner interaction)
without authenticating the client or relying on other measures to ensure
that the repeated request comes from the original client and not an
impersonator.

With the implementation prior to this patch, attackers with access to
the redirect URI (e.g., the loopback interface for
`git-credential-oauth`) can get access to the user account without any
user interaction if they can redirect the user to the
`/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on
Linux).

Fixes #25061.

Co-authored-by: Archer <archer@beezig.eu>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 6d83f5eddc0f394f6386e80b86a3221f6f4925ff)
2024-05-07 08:14:22 +01:00
.devcontainer Switch to the maintained vitest extension (#29914) 2024-03-26 19:04:25 +01:00
.forgejo fix(release): add missing ARG RELEASE_VERSION 2024-04-17 16:06:43 +00:00
.gitea pull_request_template: test/needed label 2024-03-22 10:11:47 +01:00
assets [CHORE] Cleanup dependency 2024-03-30 00:01:42 +01:00
build s/Gitea/Forgejo in various log messages and comments 2024-04-22 14:41:17 +00:00
cmd fix(cli): admin user create first user never require a password change 2024-04-24 22:26:37 +00:00
contrib Merge branch 'rebase-forgejo-dependency' into wip-forgejo 2024-02-05 18:58:23 +01:00
custom/conf Fixup app.example.ini for task section, which is now queue.task (#30555) 2024-04-21 18:14:45 +02:00
docker [BRANDING] cosmetic s/Gitea/Forgejo/ in logs, messages, etc. 2024-02-05 16:02:14 +01:00
models Merge pull request '[v1.22/gitea] week 2024-18 cherry pick v7.0 (take 2)' (#3580) from earl-warren/forgejo:wip-v7.0-gitea-cherry-pick into v7.0/forgejo 2024-05-01 12:36:57 +00:00
modules Skip gzip for some well-known compressed file types (#30796) 2024-05-07 07:59:45 +01:00
options [I18N] Improve repo filter names 2024-05-05 12:15:56 +00:00
public [FEAT] sourcehut webhooks 2024-04-05 19:36:04 +00:00
release-notes/8.0.0 Merge pull request '[v7.0/forgejo] FIX gogs migration if gogs is hosted at a subpath' (#3588) from bp-v7.0/forgejo-4a2959b into v7.0/forgejo 2024-05-03 17:17:00 +00:00
releases/images [DOCS] RELEASE-NOTES.md 2024-02-05 14:44:32 +01:00
routers Prevent automatic OAuth grants for public clients (#30790) (#30836) 2024-05-07 08:14:22 +01:00
services FIX gogs migration if gogs is hosted at a subpath (#3572) 2024-05-01 16:32:17 +00:00
templates Catch and handle unallowed file type errors in issue attachment API (#30791) 2024-05-07 08:12:34 +01:00
tests Catch and handle unallowed file type errors in issue attachment API (#30791) 2024-05-07 08:12:34 +01:00
tools Add svg linter and fix incorrect svgs (#30086) 2024-03-30 07:17:30 +01:00
web_src Add hover outline to heatmap squares (#30828) 2024-05-07 08:09:44 +01:00
.air.toml Exclude routers/private/tests from air (#29949) 2024-03-26 19:04:26 +01:00
.changelog.yml Adapt .changelog.yml to new labeling system (#27701) 2023-10-20 00:22:00 +02:00
.deadcode-out [DEADCODE] update 2024-04-21 18:44:11 +02:00
.dockerignore Adjust VS Code debug filename match in .gitignore (#30158) 2024-03-30 07:17:32 +01:00
.editorconfig
.eslintrc.yaml Forbid jQuery .attr (#30116) 2024-03-30 07:17:31 +01:00
.gitattributes [META] Use correct language for .tmpl 2024-02-05 14:44:33 +01:00
.gitignore move some scripts from 'build' to 'tools' directory, misc refactors (#29844) 2024-03-26 19:04:25 +01:00
.gitmodules cleanup(tests): remove manual testing submodule 2024-04-21 08:46:56 +00:00
.gitpod.yml Switch to the maintained vitest extension (#29914) 2024-03-26 19:04:25 +01:00
.golangci.yml [GITEA] depguard sha256-simd 2024-02-05 16:54:44 +01:00
.ignore Add /public/assets to .ignore (#26232) 2023-07-30 12:34:20 +02:00
.markdownlint.yaml Update JS dependencies (#28537) 2023-12-30 05:29:03 +00:00
.npmrc Upgrade to npm lockfile v3 and explicitely set it (#23561) 2023-03-18 19:38:10 +01:00
.spectral.yaml
.stylelintrc.yaml Enable a few stylelint rules (#30038) 2024-03-26 19:04:28 +01:00
.yamllint.yaml fully replace drone with actions (#27556) 2023-10-11 06:39:32 +00:00
BSDmakefile Fix build errors on BSD (in BSDMakefile) (#27594) 2023-10-13 15:38:27 +00:00
build.go User/Org Feed render description as per web (#23887) 2023-04-04 04:39:47 +01:00
CODEOWNERS [META] Add CODEOWNERS files 2024-02-05 14:44:33 +01:00
CONTRIBUTING.md docs: contributing: avoid information duplication (#3454) 2024-04-25 19:13:36 +00:00
DCO
Dockerfile fix(release): add missing ARG RELEASE_VERSION 2024-04-17 16:06:43 +00:00
Dockerfile.rootless feat(release): add OCI labels to container images 2024-04-17 05:48:38 +00:00
go.mod [CHORE] Update golang.org/x/net 2024-04-04 06:09:34 +00:00
go.sum [CHORE] Update golang.org/x/net 2024-04-04 06:09:34 +00:00
LICENSE [DOCS] LICENSE: add Forgejo Authors 2024-02-05 14:44:32 +01:00
main.go [RELEASE] decouple the release name from the version number 2024-02-17 15:27:35 +01:00
MAINTAINERS Apply to become a maintainer (#27522) 2023-10-08 10:36:40 -04:00
Makefile Upgrade github.com/editorconfig-checker/editorconfig-checker to v2.8.0 2024-05-02 17:38:26 +01:00
package-lock.json [v7.0/forgejo] Go and JS dependencies 2024-04-02 12:27:01 +02:00
package.json [v7.0/forgejo] Go and JS dependencies 2024-04-02 12:27:01 +02:00
playwright.config.js Enforce trailing comma in JS on multiline (#30002) 2024-03-26 19:04:27 +01:00
poetry.lock Update JS any PY dependencies, remove workarounds (#30085) 2024-03-30 07:17:30 +01:00
poetry.toml Clean up pyproject.toml and package.json, fix poetry options (#25327) 2023-06-18 18:13:08 +00:00
pyproject.toml Update js and py dependencies, bump python (#29561) 2024-03-06 12:10:46 +08:00
README.md [BRANDING] add Forgejo logo 2024-02-05 16:02:13 +01:00
RELEASE-NOTES.md [skip ci] docs(release-notes): 7.0.2 2024-05-01 15:05:28 +02:00
renovate.json Reduce concurrent Renovate PR's 2024-03-26 09:40:48 +01:00
tailwind.config.js Migrate font-family to tailwind (#30118) 2024-03-30 07:17:32 +01:00
updates.config.js Configure pinned JS dependencies via updates.config.js (#29696) 2024-03-20 08:46:28 +01:00
vitest.config.js Switch to happy-dom for testing (#29948) 2024-03-26 19:04:26 +01:00
webpack.config.js Update JS any PY dependencies, remove workarounds (#30085) 2024-03-30 07:17:30 +01:00

Welcome to Forgejo

Hi there! Tired of big platforms playing monopoly? Providing Git hosting for your project, friends, company or community? Forgejo (/for'd͡ʒe.jo/ inspired by forĝejo the Esperanto word for forge) has you covered with its intuitive interface, light and easy hosting and a lot of builtin functionality.

Forgejo was created in 2022 because we think that the project should be owned by an independent community. If you second that, then Forgejo is for you! Our promise: Independent Free/Libre Software forever!

What does Forgejo offer?

If you like any of the following, Forgejo is literally meant for you:

  • Lightweight: Forgejo can easily be hosted on nearly every machine. Running on a Raspberry? Small cloud instance? No problem!
  • Project management: Besides Git hosting, Forgejo offers issues, pull requests, wikis, kanban boards and much more to coordinate with your team.
  • Publishing: Have something to share? Use releases to host your software for download, or use the package registry to publish it for docker, npm and many other package managers.
  • Customizable: Want to change your look? Change some settings? There are many config switches to make Forgejo work exactly like you want.
  • Powerful: Organizations & team permissions, CI integration, Code Search, LDAP, OAuth and much more. If you have advanced needs, Forgejo has you covered.
  • Privacy: From update checker to default settings: Forgejo is built to be privacy first for you and your crew.
  • Federation: (WIP) We are actively working to connect software forges with each other through ActivityPub, and create a collaborative network of personal instances.

Learn more

Dive into the documentation, subscribe to releases and blog post on our website, find us on the Fediverse or hop into our Matrix room if you have any questions or want to get involved.

Get involved

If you are interested in making Forgejo better, either by reporting a bug or by changing the governance, please take a look at the contribution guide.