gitea/routers/web
Archer 5c542ca94c
Prevent automatic OAuth grants for public clients (#30790)
This commit forces the resource owner (user) to always approve OAuth 2.0
authorization requests if the client is public (e.g. native
applications).

As detailed in [RFC 6749 Section 10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2),

> The authorization server SHOULD NOT process repeated authorization
> requests automatically (without active resource owner interaction)
> without authenticating the client or relying on other measures to ensure
> that the repeated request comes from the original client and not an
> impersonator.

With the implementation prior to this patch, attackers with access to
the redirect URI (e.g., the loopback interface for
`git-credential-oauth`) can get access to the user account without any
user interaction if they can redirect the user to the
`/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on
Linux).

Fixes #25061.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-05-02 17:05:59 +00:00
| Name | Last commit | Date |
|---|---|---|
| admin | Resolve lint for unused parameter and unnecessary type arguments (#30750) | 2024-04-29 08:47:56 +00:00 |
| auth | Prevent automatic OAuth grants for public clients (#30790) | 2024-05-02 17:05:59 +00:00 |
| devtest | Move context from modules to services (#29440) | 2024-02-27 08:12:22 +01:00 |
| events | Move context from modules to services (#29440) | 2024-02-27 08:12:22 +01:00 |
| explore | Refactor topic Find functions and add more tests for pagination (#30127) | 2024-03-29 11:38:16 +08:00 |
| feed | Resolve lint for unused parameter and unnecessary type arguments (#30750) | 2024-04-29 08:47:56 +00:00 |
| healthcheck | Always enable caches (#28527) | 2023-12-19 09:29:05 +00:00 |
| misc | Move context from modules to services (#29440) | 2024-02-27 08:12:22 +01:00 |
| org | Fix project description rendering for org (#30587) | 2024-04-19 07:58:56 +00:00 |
| repo | Fix bleve fuzziness (#30799) | 2024-05-01 15:32:52 +03:00 |
| shared | Add API for `Variables` (#29520) | 2024-03-28 20:40:35 +00:00 |
| user | Initial support for colorblindness-friendly themes (#30625) | 2024-04-24 00:18:41 +08:00 |
| base.go | Fix panic in storageHandler (#27446) | 2023-10-06 13:23:14 +00:00 |
| githttp.go | Move context from modules to services (#29440) | 2024-02-27 08:12:22 +01:00 |
| goget.go | Move context from modules to services (#29440) | 2024-02-27 08:12:22 +01:00 |
| home.go | migrate some more "OptionalBool" to "Option[bool]" (#29479) | 2024-02-29 18:52:49 +00:00 |
| metrics.go | | |
| nodeinfo.go | Move context from modules to services (#29440) | 2024-02-27 08:12:22 +01:00 |
| passkey.go | Move context from modules to services (#29440) | 2024-02-27 08:12:22 +01:00 |
| swagger_json.go | Move context from modules to services (#29440) | 2024-02-27 08:12:22 +01:00 |
| web.go | Skip gzip for some well-known compressed file types (#30796) | 2024-05-02 02:27:25 +00:00 |
| webfinger.go | Move context from modules to services (#29440) | 2024-02-27 08:12:22 +01:00 |