aboutsummaryrefslogtreecommitdiffstats
path: root/filters/simple-authentication.lua
Commit message (Collapse)AuthorAgeFilesLines
* auth-filters: use crypt() in simple-authenticationJason A. Donenfeld2018-07-151-13/+6
| | | | | | | There's no use in giving a silly example to folks who will just copy it, so instead try to do something slightly better. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* auth-filters: generate secret securelyJason A. Donenfeld2018-07-151-8/+42
| | | | | | This is much better than having the user generate it themselves. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* auth-filters: do not use HMAC-SHA1Jason A. Donenfeld2018-07-141-2/+2
| | | | | | | Though SHA1 is broken, HMAC-SHA1 is still fine. But let's not push our luck; SHA256 is more sensible anyway. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* simple-authentication.lua: tie secure cookies to field namesJason A. Donenfeld2015-03-051-13/+21
|
* simple-authentication: styleJason A. Donenfeld2014-01-231-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* auth: document tweakables in lua scriptJason A. Donenfeld2014-01-171-0/+10
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* auth: have cgit calculate login addressJason A. Donenfeld2014-01-161-6/+1
| | | | | | | This way we're sure to use virtual root, or any other strangeness encountered. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* auth: lua string comparisons are time invariantJason A. Donenfeld2014-01-161-2/+2
| | | | | | By default, strings are compared by hash, so we can remove this comment. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* authentication: use hidden form instead of refererJason A. Donenfeld2014-01-161-79/+121
| | | | | | | This also gives us some CSRF protection. Note that we make use of the hmac to protect the redirect value. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* auth: add basic authentication filter frameworkJason A. Donenfeld2014-01-161-0/+225
This leverages the new lua support. See filters/simple-authentication.lua for explaination of how this works. There is also additional documentation in cgitrc.5.txt. Though this is a cookie-based approach, cgit's caching mechanism is preserved for authenticated pages. Very plugable and extendable depending on user needs. The sample script uses an HMAC-SHA1 based cookie to store the currently logged in user, with an expiration date. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>