[Git] - Implement new authentication #889
Reference: Disroot/Disroot-Project#889
No description provided.
As we discussed in #800 we wanted to change the way we authenticate to forgejo to cut down on spam which is infesting the instance. We kinda forgot about this since we closed the initial task, so would be good to actually put the result of the discussion in motion.
Hmmmm, we have a problem with this ticket. I have added additional authentication sources (github, gitlab, codeberg). But, it is going to be a problem adding disroot authentication before we are done with the new system I'm afraid.
The OAuth sources mentioned before allow either linking to an existing account or creating a new account upon authentication. But when linking an existing account, one needs to provide its password. This means you can't impersonate an existing user.
But when switching to LDAP, it just authenticates the user if it finds one. This means it's possible to log in as an existing Forgejo user using Disroot account credentials without needing to provide the password for the existing account. We can't do that.
One of the possibilities I tried as an in-between solution was using Nextcloud, since it can work as an OAuth provider. However, as with a lot of stuff on Nextcloud, this is just half-baked and introduces a security issue we can't allow:
So in conclusion, although we now provide multiple ways to authenticate, I currently don't see a way to offer Disroot account login. This means:
Leaving it as is, and waiting for the new authentication system. I have added a requirement to confirm email upon registration (this adds another step after user creation, which should stop some of the more stupid bots).
@Disroot/Owners need input. If no input, I will mention this at the meeting.
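The difference between the two behaviours described in the comment above, as an added illustration that is not Forgejo or Disroot code: an LDAP-style source that auto-logs whoever the directory vouches for into the local account of the same name, beside an OAuth-style source that only links an existing local account after that account's own password is proven. The in-memory user store, the fake directory, the usernames and passwords are constructed sample data, and the function names are hypothetical.

```python
"""Two ways an external auth source can map onto existing local accounts.

Added illustration only, not Forgejo or Disroot code. UserStore,
FakeDirectory, the usernames and the passwords are constructed sample
data; login_ldap_autolink and login_external_linked are hypothetical names.
"""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class LocalUser:
    username: str
    salt: bytes
    pw_hash: bytes
    auth_source: str  # "local", "ldap", "oauth:github", ...


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """In-memory stand-in for the forge's user table (constructed)."""

    def __init__(self) -> None:
        self.users: dict[str, LocalUser] = {}

    def add(self, username: str, password: str, auth_source: str = "local") -> LocalUser:
        salt = secrets.token_bytes(16)
        user = LocalUser(username, salt, _hash_pw(password, salt), auth_source)
        self.users[username] = user
        return user

    def verify_local_password(self, user: LocalUser, password: str) -> bool:
        return secrets.compare_digest(_hash_pw(password, user.salt), user.pw_hash)


class FakeDirectory:
    """Stand-in for the external LDAP/OAuth identity provider (constructed)."""

    def __init__(self, accounts: dict[str, str]) -> None:
        self.accounts = accounts

    def authenticate(self, username: str, password: str) -> bool:
        return self.accounts.get(username) == password


def login_ldap_autolink(store: UserStore, directory: FakeDirectory,
                        username: str, password: str):
    """The unsafe behaviour: whoever the directory vouches for is logged
    into the local account with the same name, no local password asked.
    Returns the LocalUser, or None when the directory rejects the login."""
    if not directory.authenticate(username, password):
        return None
    user = store.users.get(username)
    if user is None:
        # First login from the directory: create a directory-owned account.
        user = store.add(username, secrets.token_hex(16), auth_source="ldap")
    return user  # may be a pre-existing "local" account: account takeover


def login_external_linked(store: UserStore, directory: FakeDirectory,
                          username: str, password: str, link_password=None):
    """OAuth-style linking: an existing account owned by another auth
    source is linked only after its own password has been verified.
    Returns (status, user); status is one of
    "denied", "created", "ok", "link_required", "link_denied"."""
    if not directory.authenticate(username, password):
        return ("denied", None)
    user = store.users.get(username)
    if user is None:
        return ("created", store.add(username, secrets.token_hex(16), auth_source="ldap"))
    if user.auth_source == "ldap":
        return ("ok", user)  # already linked to this source
    if link_password is None:
        return ("link_required", None)  # ask for the local account's password
    if not store.verify_local_password(user, link_password):
        return ("link_denied", None)
    user.auth_source = "ldap"  # link: from now on the directory owns this account
    return ("ok", user)


if __name__ == "__main__":
    store = UserStore()
    store.add("alice", "alice-forge-pw")  # long-standing local forge account
    directory = FakeDirectory({"alice": "alice-disroot-pw", "bob": "bob-disroot-pw"})
    hijacked = login_ldap_autolink(store, directory, "alice", "alice-disroot-pw")
    print("autolink logged the directory user into:", hijacked.username, hijacked.auth_source)
    print("linked flow without local password:",
          login_external_linked(store, directory, "alice", "alice-disroot-pw")[0])
    print("linked flow with local password:",
          login_external_linked(store, directory, "alice", "alice-disroot-pw",
                                link_password="alice-forge-pw")[0])
```

The unsafe path is exactly the username collision the comment warns about: a directory account named `alice` lands in the local `alice` account without ever proving knowledge of that account's password. The linked path refuses with `link_required` until the local password is supplied, and only then flips the account's auth source.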
Thanks for all that info! I would wait for new authentication system, as we'll probably change sometime around this year.
Hopefully. The work has begun so 🤞