mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-10-10 19:32:02 +00:00
forgejo/routers/web/auth
BtbN fd849bb9f2 Reject password reset attempts for OAuth2 users without a current password (#9060)
Currently, if a user signed up via OAuth2 and then somehow gets their e-mail account compromised, their Forgejo account can be taken over by requesting a password reset for their Forgejo account.
This PR changes the logic so that a password reset request is denied for a user using OAuth2 if they do not already have a password set, which should be the case for all users who only ever log in via their auth provider.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9060
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: BtbN <btbn@btbn.de>
Co-committed-by: BtbN <btbn@btbn.de>
2025-09-12 00:08:29 +02:00
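The commit above describes a single rule: a password reset must be refused for an account that authenticates through an external provider and has never had a local password, otherwise control of the mailbox alone is enough to take over the account. The following Go program is an added example written for this page, not Forgejo's own code; the type and field names (`User`, `LoginType`, `Passwd`, `DecideReset`) are this example's assumptions, and it goes one step beyond the commit by applying the same rule to any non-local login type and by returning a neutral user-visible message so the check does not become an account-enumeration oracle.

```go
package main

import "fmt"

// LoginType models how an account authenticates. These names are the
// example's own (assumption), not Forgejo's identifiers.
type LoginType int

const (
	LoginPlain  LoginType = iota // local username + password
	LoginOAuth2                  // signed up through an OAuth2 provider
	LoginLDAP                    // external directory
)

// User is a minimal model of the fields the reset check needs (assumption).
type User struct {
	Name      string
	LoginType LoginType
	Passwd    string // stored password hash; "" means no local password was ever set
}

// ResetDecision is what the forgot-password handler does internally.
type ResetDecision struct {
	SendMail bool   // whether to actually issue a reset token by e-mail
	Reason   string // internal log reason; never shown to the requester
}

// GenericResponse is shown to the requester in every case, so the outcome of
// the check below cannot be observed from the HTTP response.
const GenericResponse = "If an account matches that address, a reset link has been sent."

// DecideReset evaluates a forgot-password request for the account matching
// the submitted address (nil when no account matches).
//
// Rule from the change discussed above: an OAuth2 user who never set a
// password has nothing to reset, so an attacker who controls only the
// mailbox must not be able to mint one. This example extends the rule to
// every non-local login type (that generalization is the example's, not the
// page's).
func DecideReset(u *User) ResetDecision {
	switch {
	case u == nil:
		return ResetDecision{SendMail: false, Reason: "no account for address"}
	case u.LoginType != LoginPlain && u.Passwd == "":
		return ResetDecision{SendMail: false, Reason: "external-login account without local password"}
	default:
		return ResetDecision{SendMail: true, Reason: "ok"}
	}
}

func main() {
	// Constructed sample accounts, not real data.
	users := []*User{
		{Name: "alice", LoginType: LoginPlain, Passwd: "$argon2id$example"},
		{Name: "bob", LoginType: LoginOAuth2, Passwd: ""},                 // provider-only account
		{Name: "carol", LoginType: LoginOAuth2, Passwd: "$argon2id$example"}, // provider account that also set a password
		{Name: "dave", LoginType: LoginLDAP, Passwd: ""},
		nil, // address with no account
	}
	for _, u := range users {
		d := DecideReset(u)
		name := "<unknown>"
		if u != nil {
			name = u.Name
		}
		fmt.Printf("%-9s send=%-5t reason=%s\n", name, d.SendMail, d.Reason)
	}
	fmt.Println("user-visible response in every case:", GenericResponse)
}
```

The handler logs `Reason` and sends mail only when `SendMail` is true, but always renders `GenericResponse`; the only observable difference for the attacker is that no reset link ever arrives for a provider-only account.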
2fa.go fix: do 2FA on OpenID connect 2025-08-30 09:41:20 +02:00
auth.go fix: email comments are removed from email addresses (#9074) 2025-08-30 13:15:30 +02:00
auth_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
linkaccount.go chore: add email blocklist unit test 2025-08-30 09:45:19 +02:00
main_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
oauth.go fix: store code challenge correctly in session (#8678) 2025-07-26 05:16:55 +02:00
oauth_test.go fix: remove trailing slash from the issuer in oauth claims (#8028) 2025-06-10 20:46:17 +02:00
openid.go fix: do 2FA on OpenID connect 2025-08-30 09:41:20 +02:00
password.go Reject password reset attempts for OAuth2 users without a current password (#9060) 2025-09-12 00:08:29 +02:00
webauthn.go fix: do 2FA on OpenID connect 2025-08-30 09:41:20 +02:00