mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2025-08-19 08:51:10 +00:00
d6838462b8
resolves #8549 This PR add a config to enforce 2FA for the whole Forgejo instance. It can be configured to `none`, `admin` or `all`. A user who is required to enable 2FA is like a disabled user. He can only see the `/user/settings/security`-Page to enable 2FA, this should be similar to a user which needs to change his password. Also api and git-commands are not allowed. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests - I added test coverage for Go changes... - [x] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I added test coverage for JavaScript changes... - [ ] in `web_src/js/*.test.js` if it can be unit tested. - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)). ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [ ] I did not document these changes and I do not expect someone else to do it. I will do it, if the general idea of this PR is a good feature. ### Release notes - [ ] I do not want this change to show in the release notes. - [x] I want the title to show in the release notes with a link to this pull request. - [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title. <!--start release-notes-assistant--> ## Release notes <!--URL:https://codeberg.org/forgejo/forgejo--> - Security features - [PR](https://codeberg.org/forgejo/forgejo/pulls/8753): <!--number 8753 --><!--line 0 --><!--description R2xvYmFsIDJGQSBlbmZvcmNlbWVudA==-->Global 2FA enforcement<!--description--> <!--end release-notes-assistant--> Co-authored-by: 0ko <0ko@noreply.codeberg.org> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8753 Reviewed-by: 0ko <0ko@noreply.codeberg.org> Reviewed-by: Ellen Εμιλία Άννα Zscheile <fogti@noreply.codeberg.org> Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: zokki <zokki.softwareschmiede@gmail.com> Co-committed-by: zokki <zokki.softwareschmiede@gmail.com>
135 lines
3.9 KiB
Go
135 lines
3.9 KiB
Go
// Copyright 2014 The Gogs Authors. All rights reserved.
|
|
// Copyright 2019 The Gitea Authors. All rights reserved.
|
|
// Copyright 2025 The Forgejo Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package web
|
|
|
|
import (
|
|
"net/http"
|
|
"strconv"
|
|
|
|
auth_model "forgejo.org/models/auth"
|
|
"forgejo.org/models/db"
|
|
repo_model "forgejo.org/models/repo"
|
|
user_model "forgejo.org/models/user"
|
|
"forgejo.org/modules/base"
|
|
"forgejo.org/modules/log"
|
|
"forgejo.org/modules/optional"
|
|
"forgejo.org/modules/setting"
|
|
"forgejo.org/modules/sitemap"
|
|
"forgejo.org/modules/structs"
|
|
"forgejo.org/modules/web/middleware"
|
|
"forgejo.org/routers/web/auth"
|
|
"forgejo.org/routers/web/user"
|
|
"forgejo.org/services/context"
|
|
)
|
|
|
|
const (
|
|
// tplHome home page template
|
|
tplHome base.TplName = "home"
|
|
)
|
|
|
|
// Home render home page
|
|
func Home(ctx *context.Context) {
|
|
if ctx.IsSigned {
|
|
if !ctx.Doer.IsActive && setting.Service.RegisterEmailConfirm {
|
|
ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
|
|
ctx.HTML(http.StatusOK, auth.TplActivate)
|
|
return
|
|
}
|
|
if !ctx.Doer.IsActive || ctx.Doer.ProhibitLogin {
|
|
log.Info("Failed authentication attempt for %s from %s", ctx.Doer.Name, ctx.RemoteAddr())
|
|
ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
|
|
ctx.HTML(http.StatusOK, "user/auth/prohibit_login")
|
|
return
|
|
}
|
|
if ctx.Doer.MustChangePassword {
|
|
ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
|
|
ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
|
|
middleware.SetRedirectToCookie(ctx.Resp, setting.AppSubURL+ctx.Req.URL.RequestURI())
|
|
ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")
|
|
return
|
|
}
|
|
if ctx.Doer.MustHaveTwoFactor() {
|
|
hasTwoFactor, err := auth_model.HasTwoFactorByUID(ctx, ctx.Doer.ID)
|
|
if err != nil {
|
|
ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
|
|
log.Error("Error getting 2fa: %s", err)
|
|
ctx.Error(http.StatusInternalServerError, "HasTwoFactorByUID", err.Error())
|
|
return
|
|
}
|
|
if !hasTwoFactor {
|
|
ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
|
|
ctx.Redirect(setting.AppSubURL + "/user/settings/security")
|
|
return
|
|
}
|
|
}
|
|
|
|
user.Dashboard(ctx)
|
|
return
|
|
// Check non-logged users landing page.
|
|
} else if setting.LandingPageURL != setting.LandingPageHome {
|
|
ctx.Redirect(setting.AppSubURL + string(setting.LandingPageURL))
|
|
return
|
|
}
|
|
|
|
// Check auto-login.
|
|
if ctx.GetSiteCookie(setting.CookieRememberName) != "" {
|
|
ctx.Redirect(setting.AppSubURL + "/user/login")
|
|
return
|
|
}
|
|
|
|
ctx.Data["PageIsHome"] = true
|
|
ctx.Data["IsRepoIndexerEnabled"] = setting.Indexer.RepoIndexerEnabled
|
|
|
|
ctx.Data["OpenGraphDescription"] = setting.UI.Meta.Description
|
|
|
|
ctx.HTML(http.StatusOK, tplHome)
|
|
}
|
|
|
|
// HomeSitemap renders the main sitemap
|
|
func HomeSitemap(ctx *context.Context) {
|
|
m := sitemap.NewSitemapIndex()
|
|
if !setting.Service.Explore.DisableUsersPage {
|
|
_, cnt, err := user_model.SearchUsers(ctx, &user_model.SearchUserOptions{
|
|
Type: user_model.UserTypeIndividual,
|
|
ListOptions: db.ListOptions{PageSize: 1},
|
|
IsActive: optional.Some(true),
|
|
Visible: []structs.VisibleType{structs.VisibleTypePublic},
|
|
})
|
|
if err != nil {
|
|
ctx.ServerError("SearchUsers", err)
|
|
return
|
|
}
|
|
count := int(cnt)
|
|
idx := 1
|
|
for i := 0; i < count; i += setting.UI.SitemapPagingNum {
|
|
m.Add(sitemap.URL{URL: setting.AppURL + "explore/users/sitemap-" + strconv.Itoa(idx) + ".xml"})
|
|
idx++
|
|
}
|
|
}
|
|
|
|
_, cnt, err := repo_model.SearchRepository(ctx, &repo_model.SearchRepoOptions{
|
|
ListOptions: db.ListOptions{
|
|
PageSize: 1,
|
|
},
|
|
Actor: ctx.Doer,
|
|
AllPublic: true,
|
|
})
|
|
if err != nil {
|
|
ctx.ServerError("SearchRepository", err)
|
|
return
|
|
}
|
|
count := int(cnt)
|
|
idx := 1
|
|
for i := 0; i < count; i += setting.UI.SitemapPagingNum {
|
|
m.Add(sitemap.URL{URL: setting.AppURL + "explore/repos/sitemap-" + strconv.Itoa(idx) + ".xml"})
|
|
idx++
|
|
}
|
|
|
|
ctx.Resp.Header().Set("Content-Type", "text/xml")
|
|
if _, err := m.WriteTo(ctx.Resp); err != nil {
|
|
log.Error("Failed writing sitemap: %v", err)
|
|
}
|
|
}
|