Merge branch 'main' of https://github.com/go-gitea/gitea

* 'main' of https://github.com/go-gitea/gitea:
  show pull link for agit pull request also (go-gitea#18235)
  [skip ci] Updated translations via Crowdin
  Add some .ignore entries (go-gitea#18296)
  Remove unneeded debug messages to stdout. (go-gitea#18298)
  Handle missing default branch better in owner/repo/branches page (go-gitea#18290)
  Revert "Prevent possible XSS when using jQuery (go-gitea#18289)" (go-gitea#18293)
  not show double error response in git hook (go-gitea#18292)
  Remove accidental debugging in blob_excerpt.tmpl (go-gitea#18287)
  Prevent possible XSS when using jQuery (go-gitea#18289)
  Return nicer error if trying to pull from non-existent user (go-gitea#18288)
  [skip ci] Updated translations via Crowdin
  docs: mention client_max_body_size affects LFS (go-gitea#18291)
  Add lockfile-check (go-gitea#18285)
  Webauthn nits (go-gitea#18284)

Author: zjjhot

.ignore

@@ -1,5 +1,8 @@
-/vendor
-/public/vendor/plugins
+*.min.css
+*.min.js
 /modules/options/bindata.go
 /modules/public/bindata.go
 /modules/templates/bindata.go
+/public/vendor/plugins
+/vendor
+node_modules

Makefile

@@ -292,7 +292,7 @@ fmt-check:
 checks: checks-frontend checks-backend
 
 .PHONY: checks-frontend
-checks-frontend: svg-check
+checks-frontend: lockfile-check svg-check
 
 .PHONY: checks-backend
 checks-backend: swagger-check swagger-validate
@@ -700,6 +700,17 @@ svg-check: svg
 		exit 1; \
 	fi
 
+.PHONY: lockfile-check
+lockfile-check:
+	npm install --package-lock-only
+	@diff=$$(git diff package-lock.json); \
+	if [ -n "$$diff" ]; then \
+		echo "package-lock.json is inconsistent with package.json"; \
+		echo "Please run 'npm install --package-lock-only' and commit the result:"; \
+		echo "$${diff}"; \
+		exit 1; \
+	fi
+
 .PHONY: update-translations
 update-translations:
 	mkdir -p ./translations

cmd/serv.go

@@ -92,7 +92,7 @@ func fail(userMessage, logMessage string, args ...interface{}) error {
 	if len(logMessage) > 0 {
 		_ = private.SSHLog(ctx, true, fmt.Sprintf(logMessage+": ", args...))
 	}
-	return cli.NewExitError(fmt.Sprintf("Gitea: %s", userMessage), 1)
+	return cli.NewExitError("", 1)
 }
 
 func runServ(c *cli.Context) error {

docs/content/doc/usage/reverse-proxies.en-us.md

@@ -128,6 +128,7 @@ This error indicates nginx is configured to restrict the file upload size.
 
 In your nginx config file containing your Gitea proxy directive, find the `location { ... }` block for Gitea and add the line
 `client_max_body_size 16M;` to set this limit to 16 megabytes or any other number of choice.
+If you use Git LFS, this will also limit the size of the largest file you will be able to push.
 
 
 ## Apache HTTPD

models/auth/webauthn.go

@@ -6,7 +6,7 @@ package auth
 
 import (
 	"context"
-	"encoding/base64"
+	"encoding/base32"
 	"fmt"
 	"strings"
 
@@ -94,7 +94,7 @@ type WebAuthnCredentialList []*WebAuthnCredential
 func (list WebAuthnCredentialList) ToCredentials() []webauthn.Credential {
 	creds := make([]webauthn.Credential, 0, len(list))
 	for _, cred := range list {
-		credID, _ := base64.RawStdEncoding.DecodeString(cred.CredentialID)
+		credID, _ := base32.HexEncoding.DecodeString(cred.CredentialID)
 		creds = append(creds, webauthn.Credential{
 			ID:              credID,
 			PublicKey:       cred.PublicKey,
@@ -164,13 +164,13 @@ func HasWebAuthnRegistrationsByUID(uid int64) (bool, error) {
 }
 
 // GetWebAuthnCredentialByCredID returns WebAuthn credential by credential ID
-func GetWebAuthnCredentialByCredID(credID string) (*WebAuthnCredential, error) {
-	return getWebAuthnCredentialByCredID(db.DefaultContext, credID)
+func GetWebAuthnCredentialByCredID(userID int64, credID string) (*WebAuthnCredential, error) {
+	return getWebAuthnCredentialByCredID(db.DefaultContext, userID, credID)
 }
 
-func getWebAuthnCredentialByCredID(ctx context.Context, credID string) (*WebAuthnCredential, error) {
+func getWebAuthnCredentialByCredID(ctx context.Context, userID int64, credID string) (*WebAuthnCredential, error) {
 	cred := new(WebAuthnCredential)
-	if found, err := db.GetEngine(ctx).Where("credential_id = ?", credID).Get(cred); err != nil {
+	if found, err := db.GetEngine(ctx).Where("user_id = ? AND credential_id = ?", userID, credID).Get(cred); err != nil {
 		return nil, err
 	} else if !found {
 		return nil, ErrWebAuthnCredentialNotExist{CredentialID: credID}
@@ -187,7 +187,7 @@ func createCredential(ctx context.Context, userID int64, name string, cred *weba
 	c := &WebAuthnCredential{
 		UserID:          userID,
 		Name:            name,
-		CredentialID:    base64.RawStdEncoding.EncodeToString(cred.ID),
+		CredentialID:    base32.HexEncoding.EncodeToString(cred.ID),
 		PublicKey:       cred.PublicKey,
 		AttestationType: cred.AttestationType,
 		AAGUID:          cred.Authenticator.AAGUID,

models/auth/webauthn_test.go

@@ -5,7 +5,7 @@
 package auth
 
 import (
-	"encoding/base64"
+	"encoding/base32"
 	"testing"
 
 	"code.gitea.io/gitea/models/unittest"
@@ -61,7 +61,7 @@ func TestCreateCredential(t *testing.T) {
 	res, err := CreateCredential(1, "WebAuthn Created Credential", &webauthn.Credential{ID: []byte("Test")})
 	assert.NoError(t, err)
 	assert.Equal(t, "WebAuthn Created Credential", res.Name)
-	bs, err := base64.RawStdEncoding.DecodeString(res.CredentialID)
+	bs, err := base32.HexEncoding.DecodeString(res.CredentialID)
 	assert.NoError(t, err)
 	assert.Equal(t, []byte("Test"), bs)
 

models/migrations/migrations.go

@@ -368,6 +368,8 @@ var migrations = []Migration{
 	NewMigration("Add authorize column to team_unit table", addAuthorizeColForTeamUnit),
 	// v207 -> v208
 	NewMigration("Add webauthn table and migrate u2f data to webauthn", addWebAuthnCred),
+	// v208 -> v209
+	NewMigration("Use base32.HexEncoding instead of base64 encoding for cred ID as it is case insensitive", useBase32HexForCredIDInWebAuthnCredential),
 }
 
 // GetCurrentDBVersion returns the current db version

models/migrations/v208.go

@@ -0,0 +1,51 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"encoding/base32"
+	"encoding/base64"
+
+	"xorm.io/xorm"
+)
+
+func useBase32HexForCredIDInWebAuthnCredential(x *xorm.Engine) error {
+
+	// Create webauthnCredential table
+	type webauthnCredential struct {
+		ID           int64  `xorm:"pk autoincr"`
+		CredentialID string `xorm:"INDEX"`
+	}
+	if err := x.Sync2(&webauthnCredential{}); err != nil {
+		return err
+	}
+
+	var start int
+	regs := make([]*webauthnCredential, 0, 50)
+	for {
+		err := x.OrderBy("id").Limit(50, start).Find(&regs)
+		if err != nil {
+			return err
+		}
+
+		for _, reg := range regs {
+			credID, _ := base64.RawStdEncoding.DecodeString(reg.CredentialID)
+			reg.CredentialID = base32.HexEncoding.EncodeToString(credID)
+
+			_, err := x.Update(reg)
+			if err != nil {
+				return err
+			}
+		}
+
+		if len(regs) < 50 {
+			break
+		}
+		start += 50
+		regs = regs[:0]
+	}
+
+	return nil
+}

modules/markup/common/footnote.go

@@ -10,7 +10,6 @@ package common
 import (
 	"bytes"
 	"fmt"
-	"os"
 	"strconv"
 	"unicode"
 
@@ -415,7 +414,6 @@ func (r *FootnoteHTMLRenderer) RegisterFuncs(reg renderer.NodeRendererFuncRegist
 func (r *FootnoteHTMLRenderer) renderFootnoteLink(w util.BufWriter, source []byte, node ast.Node, entering bool) (ast.WalkStatus, error) {
 	if entering {
 		n := node.(*FootnoteLink)
-		n.Dump(source, 0)
 		is := strconv.Itoa(n.Index)
 		_, _ = w.WriteString(`<sup id="fnref:`)
 		_, _ = w.Write(n.Name)
@@ -431,7 +429,6 @@ func (r *FootnoteHTMLRenderer) renderFootnoteLink(w util.BufWriter, source []byt
 func (r *FootnoteHTMLRenderer) renderFootnoteBackLink(w util.BufWriter, source []byte, node ast.Node, entering bool) (ast.WalkStatus, error) {
 	if entering {
 		n := node.(*FootnoteBackLink)
-		fmt.Fprintf(os.Stdout, "source:\n%s\n", string(n.Text(source)))
 		_, _ = w.WriteString(` <a href="#fnref:`)
 		_, _ = w.Write(n.Name)
 		_, _ = w.WriteString(`" class="footnote-backref" role="doc-backlink">`)
@@ -444,7 +441,6 @@ func (r *FootnoteHTMLRenderer) renderFootnoteBackLink(w util.BufWriter, source [
 func (r *FootnoteHTMLRenderer) renderFootnote(w util.BufWriter, source []byte, node ast.Node, entering bool) (ast.WalkStatus, error) {
 	n := node.(*Footnote)
 	if entering {
-		fmt.Fprintf(os.Stdout, "source:\n%s\n", string(n.Text(source)))
 		_, _ = w.WriteString(`<li id="fn:`)
 		_, _ = w.Write(n.Name)
 		_, _ = w.WriteString(`" role="doc-endnote"`)

options/locale/locale_bg-BG.ini

@@ -29,18 +29,6 @@ twofa=Двуфакторно удостоверяване
 twofa_scratch=Двуфакторен скреч код
 passcode=Секретен код
 
-u2f_insert_key=Въведете защитен ключ
-u2f_sign_in=Натиснете бутона на вашия ключ за сигурност. Ако вашият ключ няма бутон, го изключете и включете отново.
-u2f_press_button=Моля, натиснете бутона на вашия ключ…
-u2f_use_twofa=Използвате двуфакторен код от телефона си
-u2f_error=Вашият ключ за сигурност не може да бъде разпознат.
-u2f_unsupported_browser=Вашият браузър не поддържа U2F ключове за сигурност.
-u2f_error_1=Възникна грешка. Моля опитайте отново.
-u2f_error_2=Моля, уверете се че използвате правилен, шифрован (https://) URL.
-u2f_error_3=Сървърът не може да обработи заявката ви.
-u2f_error_4=Ключът за сигурност не е одобрен за тази заявка. Моля, уверете се, че ключът не е вече регистриран.
-u2f_error_5=Изтекло е вречето за разпознаване на ключа. Презаредете страницата и опитайте отново.
-u2f_reload=Презареди
 
 repository=Хранилище
 organization=Организация
@@ -376,7 +364,6 @@ twofa=Двуфакторно удостоверяване
 account_link=Свързани акаунти
 organization=Организации
 uid=UID
-u2f=Ключове за сигурност
 
 public_profile=Публичен профил
 profile_desc=Вашият имейл адрес ще се използва за изпращане на уведомления и други операции.
@@ -477,8 +464,6 @@ or_enter_secret=Или въведете този ключ: %s
 then_enter_passcode=И въведете кодът, показан в приложението:
 passcode_invalid=Този код е невалиден. Опитайте отново.
 
-u2f_register_key=Добавяне на ключ за сигурност
-u2f_nickname=Псевдоним