Beyond coding. We forge. https://forgejo.org
Find a file
Anthony Wang e86f18a05a
User keypairs and HTTP signatures for ActivityPub federation using go-ap (#19133)
* go.mod: add go-fed/{httpsig,activity/pub,activity/streams} dependency

go get github.com/go-fed/activity/streams@master
go get github.com/go-fed/activity/pub@master
go get github.com/go-fed/httpsig@master

* activitypub: implement /api/v1/activitypub/user/{username} (#14186)

Return informations regarding a Person (as defined in ActivityStreams
https://www.w3.org/TR/activitystreams-vocabulary/#dfn-person).

Refs: https://github.com/go-gitea/gitea/issues/14186

Signed-off-by: Loïc Dachary <loic@dachary.org>

* activitypub: add the public key to Person (#14186)

Refs: https://github.com/go-gitea/gitea/issues/14186

Signed-off-by: Loïc Dachary <loic@dachary.org>

* activitypub: go-fed conformant Clock instance

Signed-off-by: Loïc Dachary <loic@dachary.org>

* activitypub: signing http client

Signed-off-by: Loïc Dachary <loic@dachary.org>

* activitypub: implement the ReqSignature middleware

Signed-off-by: Loïc Dachary <loic@dachary.org>

* activitypub: hack_16834

Signed-off-by: Loïc Dachary <loic@dachary.org>

* Fix CI checks-backend errors with go mod tidy

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Change 2021 to 2022, properly format package imports

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Run make fmt and make generate-swagger

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Use Gitea JSON library, add assert for pkp

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Run make fmt again, fix err var redeclaration

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Remove LogSQL from ActivityPub person test

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Assert if json.Unmarshal succeeds

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Cleanup, handle invalid usernames for ActivityPub person GET request

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Rename hack_16834 to user_settings

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Use the httplib module instead of http for GET requests

* Clean up whitespace with make fmt

* Use time.RFC1123 and make the http.Client proxy-aware

* Check if digest algo is supported in setting module

* Clean up some variable declarations

* Remove unneeded copy

* Use system timezone instead of setting.DefaultUILocation

* Use named constant for httpsigExpirationTime

* Make pubKey IRI #main-key instead of /#main-key

* Move /#main-key to #main-key in tests

* Implemented Webfinger endpoint.

* Add visible check.

* Add user profile as alias.

* Add actor IRI and remote interaction URL to WebFinger response

* fmt

* Fix lint errors

* Use go-ap instead of go-fed

* Run go mod tidy to fix missing modules in go.mod and go.sum

* make fmt

* Convert remaining code to go-ap

* Clean up go.sum

* Fix JSON unmarshall error

* Fix CI errors by adding @context to Person() and making sure types match

* Correctly decode JSON in api_activitypub_person_test.go

* Force CI rerun

* Fix TestActivityPubPersonInbox segfault

* Fix lint error

* Use @mariusor's suggestions for idiomatic go-ap usage

* Correctly add inbox/outbox IRIs to person

* Code cleanup

* Remove another LogSQL from ActivityPub person test

* Move httpsig algos slice to an init() function

* Add actor IRI and remote interaction URL to WebFinger response

* Update TestWebFinger to check for ActivityPub IRI in aliases

* make fmt

* Force CI rerun

* WebFinger: Add CORS header and fix Href -> Template for remote interactions

The CORS header is needed due to https://datatracker.ietf.org/doc/html/rfc7033#section-5 and fixes some Peertube <-> Gitea federation issues

* make lint-backend

* Make sure Person endpoint has Content-Type application/activity+json and includes PreferredUsername, URL, and Icon

Setting the correct Content-Type is essential for federating with Mastodon

* Use UTC instead of GMT

* Rename pkey to pubKey

* Make sure HTTP request Date in GMT

* make fmt

* dont drop err

* Make sure API responses always refer to username in original case

Copied from what I wrote on #19133 discussion: Handling username case is a very tricky issue and I've already encountered a Mastodon <-> Gitea federation bug due to Gitea considering Ta180m and ta180m to be the same user while Mastodon thinks they are two different users. I think the best way forward is for Gitea to only use the original case version of the username for federation so other AP software don't get confused.

* Move httpsig algs constant slice to modules/setting/federation.go

* Add new federation settings to app.example.ini and config-cheat-sheet

* Return if marshalling error

* Make sure Person IRIs are generated correctly

This commit ensures that if the setting.AppURL is something like "http://127.0.0.1:42567" (like in the integration tests), a trailing slash will be added after that URL.

* If httpsig verification fails, fix Host header and try again

This fixes a very rare bug when Gitea and another AP server (confirmed to happen with Mastodon) are running on the same machine, Gitea fails to verify incoming HTTP signatures. This is because the other AP server creates the sig with the public Gitea domain as the Host. However, when Gitea receives the request, the Host header is instead localhost, so the signature verification fails. Manually changing the host header to the correct value and trying the veification again fixes the bug.


* Revert "If httpsig verification fails, fix Host header and try again"

This reverts commit f53e46c721.

The bug was actually caused by nginx messing up the Host header when reverse-proxying since I didn't have the line `proxy_set_header Host $host;` in my nginx config for Gitea.

* Go back to using ap.IRI to generate inbox and outbox IRIs

* use const for key values

* Update routers/web/webfinger.go

* Use ctx.JSON in Person response to make code cleaner

* Revert "Use ctx.JSON in Person response to make code cleaner"

This doesn't work because the ctx.JSON() function already sends the response out and it's too late to edit the headers.

This reverts commit 95aad98897.

* Use activitypub.ActivityStreamsContentType for Person response Content Type

* Limit maximum ActivityPub request and response sizes to a configurable setting

* Move setting key constants to models/user/setting_keys.go

* Fix failing ActivityPubPerson integration test by checking the correct field for username

* Add a warning about changing settings that can break federation

* Add better comments

* Don't multiply Federation.MaxSize by 1<<20 twice

* Add more better comments

* Fix failing ActivityPubMissingPerson test

We now use ctx.ContextUser so the message printed out when a user does not exist is slightly different

* make generate-swagger

For some reason I didn't realize that /templates/swagger/v1_json.tmpl was machine-generated by make generate-swagger... I've been editing it by hand for three months! 🤦

* Move getting the RFC 2616 time to a separate function

* More code cleanup

* Update go-ap to fix empty liked collection and removed unneeded HTTP headers

* go mod tidy

* Add ed25519 to httpsig algorithms

* Use go-ap/jsonld to add @context and marshal JSON

* Change Gitea user agent from the default to Gitea/Version

* Use ctx.ServerError and remove all remote interaction code from webfinger.go
2022-06-19 07:25:12 +02:00
.gitea Issue template form (#16349) 2021-09-15 20:33:13 +03:00
.github update discord invite (#19907) 2022-06-07 11:40:27 -04:00
assets Add the possibility to allow the user to have a favicon which differs from the main logo (#18542) 2022-05-23 23:54:48 +08:00
build Modernize JS build scripts (#19824) 2022-06-06 11:27:25 +08:00
cmd Dump should only copy regular files and symlink regular files (#20015) 2022-06-18 22:06:32 +08:00
contrib Move some helper files out of models (#19355) 2022-05-08 18:46:32 +02:00
custom/conf User keypairs and HTTP signatures for ActivityPub federation using go-ap (#19133) 2022-06-19 07:25:12 +02:00
docker feat: Add support for extra sshd_config parameters via 'Include' file (#19842) 2022-05-31 14:42:19 -04:00
docs User keypairs and HTTP signatures for ActivityPub federation using go-ap (#19133) 2022-06-19 07:25:12 +02:00
integrations User keypairs and HTTP signatures for ActivityPub federation using go-ap (#19133) 2022-06-19 07:25:12 +02:00
models User keypairs and HTTP signatures for ActivityPub federation using go-ap (#19133) 2022-06-19 07:25:12 +02:00
modules User keypairs and HTTP signatures for ActivityPub federation using go-ap (#19133) 2022-06-19 07:25:12 +02:00
options [skip ci] Updated translations via Crowdin 2022-06-18 13:10:18 +00:00
public Modernize JS build scripts (#19824) 2022-06-06 11:27:25 +08:00
routers User keypairs and HTTP signatures for ActivityPub federation using go-ap (#19133) 2022-06-19 07:25:12 +02:00
services Write Commit-Graphs in RepositoryDumper (#20004) 2022-06-17 21:19:21 +01:00
snap revert to node14 for snapcraft 2022-02-01 15:10:55 -05:00
templates User keypairs and HTTP signatures for ActivityPub federation using go-ap (#19133) 2022-06-19 07:25:12 +02:00
tools Remove legacy +build: constraint (#19582) 2022-05-02 23:22:45 +08:00
web_src Fix a JS error in initRepoCommitLastCommitLoader's entryMap (#19996) 2022-06-17 17:44:35 +08:00
.air.toml Exclude from watching tests (#17744) 2021-11-22 05:17:21 -05:00
.changelog.yml Changelog for v1.15.0-rc1 (#16422) 2021-07-15 11:47:57 -04:00
.drone.yml Use Golang 1.18 for Gitea 1.17 release (#19918) 2022-06-10 05:34:41 +02:00
.editorconfig add well-known config for OIDC (#15355) 2021-04-15 22:32:00 -04:00
.eslintrc Introduce eslint-plugin-jquery (#19690) 2022-05-12 23:51:50 +08:00
.gitattributes Update .gitattributes for .tmpl files (#18576) 2022-02-03 15:30:26 +00:00
.gitignore Validate migration files (#18203) 2022-01-26 10:45:51 +01:00
.golangci.yml Update go tool dependencies (#19676) 2022-05-10 23:55:54 +02:00
.ignore Add some .ignore entries (#18296) 2022-01-16 17:26:15 +00:00
.lgtm
.npmrc Stop packaging node_modules in release tarballs (#15273) 2021-04-09 01:08:14 -04:00
.stylelintrc Update JS dependencies (#18898) 2022-02-25 15:08:35 -05:00
BSDmakefile
build.go Remove legacy +build: constraint (#19582) 2022-05-02 23:22:45 +08:00
CHANGELOG.md Add changelog for v1.16.8 (#19724) (#19730) 2022-05-16 17:01:13 -04:00
CONTRIBUTING.md homebrew updates via cron 2022-03-03 15:59:26 -05:00
DCO
Dockerfile alpine 3.16 (#19797) 2022-05-25 07:42:28 +03:00
Dockerfile.rootless alpine 3.16 (#19797) 2022-05-25 07:42:28 +03:00
go.mod User keypairs and HTTP signatures for ActivityPub federation using go-ap (#19133) 2022-06-19 07:25:12 +02:00
go.sum User keypairs and HTTP signatures for ActivityPub federation using go-ap (#19133) 2022-06-19 07:25:12 +02:00
jest.config.js Update JS dependencies (#19675) 2022-05-10 21:44:36 +02:00
LICENSE
main.go Add support for rendering terminal output with colors (#19497) 2022-06-09 00:46:39 +03:00
MAINTAINERS Remove singuliere from MAINTAINERS (#19883) 2022-06-13 21:05:41 +01:00
Makefile Normalize line endings in fomantic build files (#19932) 2022-06-10 20:24:02 +08:00
package-lock.json Update JS dependencies (#19767) 2022-05-20 21:10:03 -04:00
package.json Update JS dependencies (#19767) 2022-05-20 21:10:03 -04:00
README.md Use Golang 1.18 for Gitea 1.17 release (#19918) 2022-06-10 05:34:41 +02:00
README_ZH.md Update TODOs badge to reflect new default branch (#18182) 2022-01-04 10:46:32 -06:00
SECURITY.md Add security policy to repo (#12536) 2020-08-19 17:15:55 +01:00
webpack.config.js Modernize JS build scripts (#19824) 2022-06-06 11:27:25 +08:00

Gitea

Gitea - Git with a cup of tea

View the chinese version of this document

Purpose

The goal of this project is to make the easiest, fastest, and most painless way of setting up a self-hosted Git service. Using Go, this can be done with an independent binary distribution across all platforms which Go supports, including Linux, macOS, and Windows on x86, amd64, ARM and PowerPC architectures. Want to try it before doing anything else? Do it with the online demo! This project has been forked from Gogs since 2016.11 but changed a lot.

Building

From the root of the source tree, run:

TAGS="bindata" make build

or if SQLite support is required:

TAGS="bindata sqlite sqlite_unlock_notify" make build

The build target is split into two sub-targets:

  • make backend which requires Go Stable, required version is defined in go.mod.
  • make frontend which requires Node.js LTS or greater and Internet connectivity to download npm dependencies.

When building from the official source tarballs which include pre-built frontend files, the frontend target will not be triggered, making it possible to build without Node.js and Internet connectivity.

Parallelism (make -j <num>) is not supported.

More info: https://docs.gitea.io/en-us/install-from-source/

Using

./gitea web

NOTE: If you're interested in using our APIs, we have experimental support with documentation.

Contributing

Expected workflow is: Fork -> Patch -> Push -> Pull Request

NOTES:

  1. YOU MUST READ THE CONTRIBUTORS GUIDE BEFORE STARTING TO WORK ON A PULL REQUEST.
  2. If you have found a vulnerability in the project, please write privately to security@gitea.io. Thanks!

Translating

Translations are done through Crowdin. If you want to translate to a new language ask one of the managers in the Crowdin project to add a new language there.

You can also just create an issue for adding a language or ask on discord on the #translation channel. If you need context or find some translation issues, you can leave a comment on the string or ask on Discord. For general translation questions there is a section in the docs. Currently a bit empty but we hope fo fill it as questions pop up.

https://docs.gitea.io/en-us/translation-guidelines/

Crowdin

Further information

For more information and instructions about how to install Gitea, please look at our documentation. If you have questions that are not covered by the documentation, you can get in contact with us on our Discord server or create a post in the discourse forum.

We maintain a list of Gitea-related projects at gitea/awesome-gitea.
The hugo-based documentation theme is hosted at gitea/theme.
The official Gitea CLI is developed at gitea/tea.

Authors

Backers

Thank you to all our backers! 🙏 [Become a backer]

Sponsors

Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]

FAQ

How do you pronounce Gitea?

Gitea is pronounced /ɡɪti:/ as in "gi-tea" with a hard g.

Why is this not hosted on a Gitea instance?

We're working on it.

License

This project is licensed under the MIT License. See the LICENSE file for the full license text.

Screenshots

Looking for an overview of the interface? Check it out!

Dashboard User Profile Global Issues
Branches Web Editor Activity
New Migration Migrating Pull Request View
Pull Request Dark Diff Review Dark Diff Dark