CSRF token on login #2385
Description

After the discussion in #2363 (review) I checked whether login validates the CSRF token, and it does not.
As opinions differ I want to start a discussion about the necessity of token validation for the login request.
Research led me to https://stackoverflow.com/questions/6412813/do-login-forms-need-tokens-against-csrf-attacks/15350123#15350123, where the guy describes a scenario in which not validating the CSRF token on the login page is used for an attack on data privacy.
What's your opinion on this, guys? IMO I would add token validation for login.

Comments

Anyone against a CSRF token on login?

@daviian maybe because drone depends on that?

@lunny Any reason why drone should depend on that?

@daviian since Gitea didn't implement an OAuth2 provider. But drone needs to log in with a Gitea user & password.

@lunny When does drone need a direct login to Gitea, except when running integration tests? And the integration tests already send a CSRF token on login, although the token is not validated.

Gitea has implemented an OAuth2 provider.
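The following is an added example (not Gitea's own login handler) showing the difference the issue is about: a login POST that ignores the CSRF token beside one that validates it against the token issued with the login form. The session store, request type, error values and the "alice" credentials are all constructed for this illustration; a real server would bind the token to the pre-authentication session cookie in the same way and rotate the session id after a successful login.

```go
package main

// Added example, not Gitea's code. Session store and request type are
// constructed for illustration; the credential check is a stand-in.

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

var (
	ErrCSRFMismatch   = errors.New("csrf token missing, unknown or mismatched")
	ErrBadCredentials = errors.New("invalid username or password")
)

// SessionStore maps an anonymous (pre-authentication) session id to the
// CSRF token embedded in the login form that was served for that session.
type SessionStore struct {
	mu     sync.Mutex
	tokens map[string]string
}

func NewSessionStore() *SessionStore {
	return &SessionStore{tokens: make(map[string]string)}
}

func randomHex(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// IssueLoginForm is what serving GET /user/login would do: create an anonymous
// session (returned to the browser as a cookie) and a fresh token (hidden field).
func (s *SessionStore) IssueLoginForm() (sessionID, csrfToken string, err error) {
	if sessionID, err = randomHex(16); err != nil {
		return "", "", err
	}
	if csrfToken, err = randomHex(32); err != nil {
		return "", "", err
	}
	s.mu.Lock()
	s.tokens[sessionID] = csrfToken
	s.mu.Unlock()
	return sessionID, csrfToken, nil
}

// LoginRequest is what the POST login handler receives.
type LoginRequest struct {
	SessionID string // from the cookie: the browser attaches it to any form post
	CSRFToken string // from the hidden field: another origin cannot read it
	Username  string
	Password  string
}

// Authenticator checks credentials; the real user store is out of scope here.
type Authenticator func(username, password string) bool

// LoginWithoutCSRFCheck is the behaviour the issue reports: the token is never
// looked at, so the request is accepted regardless of where the form came from.
func (s *SessionStore) LoginWithoutCSRFCheck(r LoginRequest, auth Authenticator) error {
	if !auth(r.Username, r.Password) {
		return ErrBadCredentials
	}
	return nil
}

// LoginWithCSRFCheck is the proposed fix: the submitted token must match the one
// issued to this session (constant-time compare) before credentials are checked.
// On success the pre-auth session is dropped, so the token is single-use.
func (s *SessionStore) LoginWithCSRFCheck(r LoginRequest, auth Authenticator) error {
	s.mu.Lock()
	expected, ok := s.tokens[r.SessionID]
	s.mu.Unlock()
	if !ok || subtle.ConstantTimeCompare([]byte(expected), []byte(r.CSRFToken)) != 1 {
		return ErrCSRFMismatch
	}
	if !auth(r.Username, r.Password) {
		return ErrBadCredentials
	}
	s.mu.Lock()
	delete(s.tokens, r.SessionID) // a real server would issue a new session id here
	s.mu.Unlock()
	return nil
}

func main() {
	store := NewSessionStore()
	sid, tok, _ := store.IssueLoginForm()
	auth := func(u, p string) bool { return u == "alice" && p == "constructed-password" }
	tokenless := LoginRequest{SessionID: sid, Username: "alice", Password: "constructed-password"}
	fmt.Println("unchecked:", store.LoginWithoutCSRFCheck(tokenless, auth))
	fmt.Println("checked:  ", store.LoginWithCSRFCheck(tokenless, auth))
	genuine := tokenless
	genuine.CSRFToken = tok
	fmt.Println("genuine:  ", store.LoginWithCSRFCheck(genuine, auth))
}
```

The point of the check is that the cookie alone is not enough: a form post originating elsewhere carries the session cookie automatically but cannot supply the per-session token, so it fails at `ErrCSRFMismatch` before any credentials are evaluated. Consuming the token on success also means a captured login form cannot be replayed.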