Lunny Xiao c9920b7bd0 fix(oauth): restrict introspection to the token's client (#38042) ...

Bind OAuth token introspection responses to the authenticated client.
Return an inactive response when the token grant belongs to a different
OAuth application to avoid leaking token metadata across clients.

Add integration coverage for cross-client introspection attempts against
both access tokens and refresh tokens.

Assisted-by: GPT-5.4

2026-06-28 08:06:33 +00:00

..

2fa.go

fix: Various security fixes (#38103)

2026-06-17 16:06:51 +00:00

auth_test.go

chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873)

2026-05-26 15:49:31 -07:00

auth.go

refactor: Use db.Get[] instead of db.GetEngine(ctx).Get(bean) to avoid zero value fetching wrong database record (#37977)

2026-06-27 10:24:02 -07:00

linkaccount.go

chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873)

2026-05-26 15:49:31 -07:00

main_test.go

chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873)

2026-05-26 15:49:31 -07:00

oauth2_provider.go

fix(oauth): restrict introspection to the token's client (#38042)

2026-06-28 08:06:33 +00:00

oauth_signin_sync.go

fix(oauth2): not respecting claims before second login (#37874)

2026-06-03 16:50:47 +00:00

oauth_test.go

chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873)

2026-05-26 15:49:31 -07:00

oauth.go

refactor: Use db.Get[] instead of db.GetEngine(ctx).Get(bean) to avoid zero value fetching wrong database record (#37977)

2026-06-27 10:24:02 -07:00

openid.go

chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873)

2026-05-26 15:49:31 -07:00

password.go

fix: Various security fixes (#38103)

2026-06-17 16:06:51 +00:00

webauthn.go

chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873)

2026-05-26 15:49:31 -07:00