Archives
/
cgit
mirror of https://git.zx2c4.com/cgit/
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
1,613 Commits
16 Branches
43 Tags
37 MiB
ch/for-jason
ch/highlight-line
ch/log-commit-message
ch/dynamic-aging
ch/about-link
ch/default-pages
jd/zx2c4-deployment
master
wiki
jd/render-filter
lf/for-jason
jk/collapsible-sections
rm/namespace
lf/filter
lh/grep
lh/pretty-blob-view
v1.2.3
v1.2.2
v1.2.1
v1.2
v1.1
v1.0
v0.12
v0.11.2
v0.11.1
v0.11.0
v0.10.2
v0.10.1
v0.10
v0.9.2
v0.9.1
v0.9.0.3
v0.9.0.2
v0.9.0.1
v0.9
v0.8.3.5
v0.8.3.4
v0.8.3.3
v0.8.3.2
v0.8.3.1
v0.8.3
v0.8.2.2
v0.8.2.1
v0.8.2
v0.8.1.1
v0.8.1
v0.8
v0.7.2
v0.7.1
v0.7
v0.6.3
v0.6.2
v0.6.1
v0.6
v0.5
v0.4
v0.3
v0.2
v0.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
Commit Graph

11 Commits (master)

Author SHA1 Message Date
Jason A. Donenfeld 7d87cd3a21 filters: migrate from luacrypto to luaossl 
luaossl has no upstream anymore and doesn't support OpenSSL 1.1,
whereas luaossl is quite active.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
 5 years ago
Jason A. Donenfeld 82856923bf auth-filters: use crypt() in simple-authentication 
There's no use in giving a silly example to folks who will just copy it,
so instead try to do something slightly better.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
 6 years ago
Jason A. Donenfeld b73df8098f auth-filters: generate secret securely 
This is much better than having the user generate it themselves.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
 6 years ago
Jason A. Donenfeld c3b5b5f648 auth-filters: do not use HMAC-SHA1 
Though SHA1 is broken, HMAC-SHA1 is still fine. But let's not push our
luck; SHA256 is more sensible anyway.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
 6 years ago
Jason A. Donenfeld ecd6b7230c simple-authentication.lua: tie secure cookies to field names 9 years ago
Jason A. Donenfeld aa6d5b105d simple-authentication: style 
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
 10 years ago
Jason A. Donenfeld 9dde6d38e9 auth: document tweakables in lua script 
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
 10 years ago
Jason A. Donenfeld a431326e8f auth: have cgit calculate login address 
This way we're sure to use virtual root, or any other strangeness
encountered.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
 10 years ago
Jason A. Donenfeld df00ab1096 auth: lua string comparisons are time invariant 
By default, strings are compared by hash, so we can remove this comment.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
 10 years ago
Jason A. Donenfeld b826537cb4 authentication: use hidden form instead of referer 
This also gives us some CSRF protection. Note that we make use of the
hmac to protect the redirect value.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
 10 years ago
Jason A. Donenfeld d6e9200cc3 auth: add basic authentication filter framework 
This leverages the new lua support. See
filters/simple-authentication.lua for explaination of how this works.
There is also additional documentation in cgitrc.5.txt.

Though this is a cookie-based approach, cgit's caching mechanism is
preserved for authenticated pages.

Very plugable and extendable depending on user needs.

The sample script uses an HMAC-SHA1 based cookie to store the
currently logged in user, with an expiration date.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
 10 years ago