g-node / gin-dex
Indexing service for GIN
License: BSD 3-Clause "New" or "Revised" License
Due to a GitHub handle change (to lowercase) for long-term purposes, go get may fail fetching github.com/Unknwon/com.
Please consider taking some time to update it to github.com/unknwon/com in the go.mod file.
I truly apologize for the inconvenience and unintended troubles caused.
Upstream fixes on GOGS for CSRF vulnerabilities require auth tokens for API calls (gogs/gogs#5399). gin-dex uses the user's browser cookie to make API calls, which doesn't work anymore. Getting a token for a user on behalf of gin-dex is probably not possible (and is probably a bad idea anyway).
API calls from gin-dex to GIN-GOGS are made to list user repositories for limiting search results. In general, for our peripheral services (DOI, valid), we prefer to keep them decoupled from GOGS, so the external services are designed to query the GOGS API when needed. In this case, the coupling is necessarily tighter (menu items and search forms are added to the GOGS explore pages). I suggest we redesign queries so that they only depend on information flowing from GOGS to gin-dex and the inverse only for responses.
gin-dex security is important because lax security can leak private repository data. One issue with the proposed method is that if the gin-dex API is exposed to public queries, an attacker can use it to retrieve private data simply by submitting a general query with a wide range of repository IDs. We shouldn't base our security on gin-dex always being inaccessible to the public internet. To clarify, it may be necessary (or desirable) in the future to run gin-dex on a separate (virtual) machine, in which case GOGS will need to query a publicly available endpoint.
We could add a shared key (like we do with gin-doi) to encrypt queries from GOGS to gin-dex. The proposed method will then be adapted as follows:
The last step of the proposed method is probably redundant if the security is designed properly, but I'd rather keep it.
I initially considered adding a nonce to the query to avoid replay attacks but then I realised encrypting the response should be enough.
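One way to realise the shared-key scheme described above, as an added example written for this page (not gin-dex's or gin-doi's own code): GOGS seals the query with AES-GCM under the key both services hold, and gin-dex parses a query only after the authentication tag verifies, so a query submitted in the clear or under a different key is discarded before any repository IDs reach the index. The same Seal/Open pair covers the response in the other direction; the SearchQuery layout, the function names and the sample key are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)
// SearchQuery: what GOGS sends gin-dex, the search text plus the repository
// IDs the calling user may see (hypothetical layout, not gin-dex's own).
type SearchQuery struct {
	User    string  `json:"user"`
	Query   string  `json:"query"`
	RepoIDs []int64 `json:"repo_ids"`
}
// SharedKeyAEAD derives an AES-GCM cipher from the key both sides hold.
func SharedKeyAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal encrypts and authenticates msg; the random nonce is prepended.
func Seal(aead cipher.AEAD, msg []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, msg, nil), nil
}
// Open checks the GCM tag before decrypting, so anything not sealed
// with the shared key (a forged or tampered query) is rejected.
func Open(aead cipher.AEAD, sealed []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed message too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}
// HandleQuery is gin-dex's receiving side: the query is parsed only after
// Open succeeds, so repository IDs sent in the clear never reach the index.
func HandleQuery(aead cipher.AEAD, sealed []byte) (*SearchQuery, error) {
	pt, err := Open(aead, sealed)
	if err != nil {
		return nil, err
	}
	q := &SearchQuery{}
	return q, json.Unmarshal(pt, q)
}
```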