jojo/routers/web/auth
jvoisin cc60e3d693 fix(oauth): only accept refresh tokens as refresh tokens (#12291)
`handleRefreshToken` never checked `token.Type == TypeRefreshToken`. When
`InvalidateRefreshTokens` is disabled, an access token could be submitted as a
`refresh_token` and exchanged for a new token pair.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Co-authored-by: jvoisin <julien.voisin@dustri.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12291
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-04-30 19:24:13 +02:00
| File | Latest commit | Date |
|---|---|---|
| 2fa.go | fix: do 2FA on OpenID connect | 2025-08-30 09:41:20 +02:00 |
| auth.go | refactor: change authentication to return structured data (#12202) | 2026-04-22 21:00:26 +02:00 |
| auth_test.go | chore: refactor signup logic (#10915) | 2026-01-26 22:55:30 +01:00 |
| linkaccount.go | refactor: change authentication to return structured data (#12202) | 2026-04-22 21:00:26 +02:00 |
| main_test.go | chore: branding import path (#7337) | 2025-03-27 19:40:14 +00:00 |
| oauth.go | fix(oauth): only accept refresh tokens as refresh tokens (#12291) | 2026-04-30 19:24:13 +02:00 |
| oauth_test.go | chore: do not pass the full signing key to template (#10967) | 2026-01-26 14:47:48 +01:00 |
| openid.go | refactor: change authentication to return structured data (#12202) | 2026-04-22 21:00:26 +02:00 |
| password.go | fix: allow unactivated users to send recovery mails (#9504) | 2025-10-03 07:16:24 +02:00 |
| webauthn.go | fix: do 2FA on OpenID connect | 2025-08-30 09:41:20 +02:00 |