Commit Graph

11 Commits

Author SHA1 Message Date
Jason A. Donenfeld
7d87cd3a21 filters: migrate from luacrypto to luaossl
luaossl has no upstream anymore and doesn't support OpenSSL 1.1,
whereas luaossl is quite active.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-03 02:12:16 +01:00
Jason A. Donenfeld
82856923bf auth-filters: use crypt() in simple-authentication
There's no use in giving a silly example to folks who will just copy it,
so instead try to do something slightly better.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-15 04:18:03 +02:00
Jason A. Donenfeld
b73df8098f auth-filters: generate secret securely
This is much better than having the user generate it themselves.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-15 03:30:57 +02:00
Jason A. Donenfeld
c3b5b5f648 auth-filters: do not use HMAC-SHA1
Though SHA1 is broken, HMAC-SHA1 is still fine. But let's not push our
luck; SHA256 is more sensible anyway.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-14 03:33:56 +02:00
Jason A. Donenfeld
ecd6b7230c simple-authentication.lua: tie secure cookies to field names 2015-03-05 15:51:22 +01:00
Jason A. Donenfeld
aa6d5b105d simple-authentication: style
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-23 00:58:07 +01:00
Jason A. Donenfeld
9dde6d38e9 auth: document tweakables in lua script
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-17 15:34:44 +01:00
Jason A. Donenfeld
a431326e8f auth: have cgit calculate login address
This way we're sure to use virtual root, or any other strangeness
encountered.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-16 23:21:54 +01:00
Jason A. Donenfeld
df00ab1096 auth: lua string comparisons are time invariant
By default, strings are compared by hash, so we can remove this comment.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-16 19:47:35 +01:00
Jason A. Donenfeld
b826537cb4 authentication: use hidden form instead of referer
This also gives us some CSRF protection. Note that we make use of the
hmac to protect the redirect value.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-16 12:13:39 +01:00
Jason A. Donenfeld
d6e9200cc3 auth: add basic authentication filter framework
This leverages the new lua support. See
filters/simple-authentication.lua for explaination of how this works.
There is also additional documentation in cgitrc.5.txt.

Though this is a cookie-based approach, cgit's caching mechanism is
preserved for authenticated pages.

Very plugable and extendable depending on user needs.

The sample script uses an HMAC-SHA1 based cookie to store the
currently logged in user, with an expiration date.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-16 02:28:12 +01:00