Archer a228ab3ab2 Prevent automatic OAuth grants for public clients (#30790) ... This commit forces the resource owner (user) to always approve OAuth 2.0 authorization requests if the client is public (e.g. native applications). As detailed in [RFC 6749 Section 10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2), > The authorization server SHOULD NOT process repeated authorization requests automatically (without active resource owner interaction) without authenticating the client or relying on other measures to ensure that the repeated request comes from the original client and not an impersonator. With the implementation prior to this patch, attackers with access to the redirect URI (e.g., the loopback interface for `git-credential-oauth`) can get access to the user account without any user interaction if they can redirect the user to the `/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on Linux). Fixes #25061. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> (cherry picked from commit 5c542ca94caa3587329167cfe9e949357ca15cf1) (cherry picked from commit 1b088fade6)		2024-06-06 12:05:37 +02:00
..
api	Missed return on error part of: Fix bug on avatar (#31008) (#31019)	2024-05-31 14:56:16 +02:00
common	Use relative links for commits, mentions, and issues in markdown (#29427)	2024-03-20 08:46:28 +01:00
install	Always load or generate oauth2 jwt secret (#30942)	2024-05-24 15:15:07 +02:00
private	fix(hook): repo admins are wrongly denied the right to force merge	2024-06-02 22:05:16 +02:00
utils	Improve user search display name (#29002)	2024-02-01 17:10:16 +00:00
web	Prevent automatic OAuth grants for public clients (#30790)	2024-06-06 12:05:37 +02:00
init.go	s/Gitea/Forgejo in various log messages and comments	2024-04-22 14:41:17 +00:00