[Git] - Implement new authentication #889

Closed
opened 2024-06-10 11:39:46 +02:00 by muppeth · 3 comments
Owner

As we discussed in #800, we wanted to change the way we authenticate to forgejo to cut down on the spam which is infesting the instance. We kinda forgot about this since we closed the initial task, so it would be good to actually put the result of the discussion in motion.

muppeth added this to the 24.06 - June milestone 2024-06-10 11:39:46 +02:00
muppeth added the forgejo label 2024-06-10 11:39:46 +02:00
muppeth self-assigned this 2024-06-10 11:39:46 +02:00
Author
Owner

Hmmmm, we have a problem with this ticket. I have added additional authentication sources (github, gitlab, codeberg). But it is going to be a problem adding disroot authentication before we are done with the new system, I'm afraid.
The OAuth sources mentioned before allow one either to link to an existing account or to create a new account upon authentication. But when linking an existing account, one needs to provide the password. This means you can't impersonate an existing user.
But when switching to LDAP, it just authenticates the user if it finds one. This means it's possible to log in as an existing forgejo user using disroot account credentials without needing to provide the password for the existing account. We can't do it.

One of the possibilities I tried as an in-between situation was using Nextcloud, since it can work as an OAuth provider. However, as with a lot of stuff on Nextcloud, this is just half-baked and introduces a security issue we can't allow:

> **Security considerations**
> Nextcloud OAuth2 implementation currently does not support scoped access. This means that every token has full access to the complete account including read and write permission to the stored files. It is essential to store the OAuth2 tokens in a safe way!
>
> Without scopes and restrictable access it is not recommended to use a Nextcloud instance as a user authentication service.

So in conclusion, although we are providing multiple ways to authenticate, I currently don't see a way to provide disroot account authentication. This means: leaving it as is and waiting for the new authentication system. I have added a requirement to confirm email upon registration (this adds another step after user creation, which should stop some of the more stupid bots).

@Disroot/Owners, I need input. If no input, I will mention this at the meeting.

Owner

Thanks for all that info! I would wait for the new authentication system, as we'll probably change sometime around this year.

Author
Owner

Hopefully. The work has begun so 🤞

Reference: Disroot/Disroot-Project#889