Merge remote-tracking branch 'giteaofficial/main'

* giteaofficial/main:
  Update minimum go version to 1.26.1, golangci-lint to 2.11.2, fix test style (go-gitea#36876)
  Add render cache for SVG icons (go-gitea#36863)
  Fix incorrect viewed files counter if reverted change was viewed (go-gitea#36819)
  [skip ci] Updated translations via Crowdin
  Clean up `refreshViewedFilesSummary` (go-gitea#36868)
  Remove `util.URLJoin` and replace all callers with direct path concatenation (go-gitea#36867)
  Optimize Docker build with dependency layer caching (go-gitea#36864)
  Fix URLJoin, markup render link reoslving, sign-in/up/linkaccount page common data (go-gitea#36861)
  Fix CodeQL code scanning alerts (go-gitea#36858)
  Refactor auth middleware (go-gitea#36848)
  Update Nix flake (go-gitea#36857)
  Update JS deps (go-gitea#36850)
  Load `mentionValues` asynchronously (go-gitea#36739)
  [skip ci] Updated translations via Crowdin
  Fix dbfs error handling (go-gitea#36844)
  Fix OAuth2 authorization code expiry and reuse handling (go-gitea#36797)
  Fix org permission API visibility checks for hidden members and private orgs (go-gitea#36798)

Author: zjjhot

Dockerfile

@@ -3,14 +3,14 @@
 FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.26-alpine3.23 AS frontend-build
 RUN apk --no-cache add build-base git nodejs pnpm
 WORKDIR /src
+COPY package.json pnpm-lock.yaml .npmrc ./
+RUN --mount=type=cache,target=/root/.local/share/pnpm/store pnpm install --frozen-lockfile
 COPY --exclude=.git/ . .
-RUN --mount=type=cache,target=/root/.local/share/pnpm/store make frontend
+RUN make frontend
 
 # Build backend for each target platform
 FROM docker.io/library/golang:1.26-alpine3.23 AS build-env
 
-ARG GOPROXY=direct
-
 ARG GITEA_VERSION
 ARG TAGS="sqlite sqlite_unlock_notify"
 ENV TAGS="bindata timetzdata $TAGS"
@@ -22,14 +22,15 @@ RUN apk --no-cache add \
     git
 
 WORKDIR ${GOPATH}/src/code.gitea.io/gitea
+COPY go.mod go.sum ./
+RUN go mod download
 # Use COPY instead of bind mount as read-only one breaks makefile state tracking and read-write one needs binary to be moved as it's discarded.
 # ".git" directory is mounted separately later only for version data extraction.
 COPY --exclude=.git/ . .
 COPY --from=frontend-build /src/public/assets public/assets
 
 # Build gitea, .git mount is required for version data
-RUN --mount=type=cache,target=/go/pkg/mod \
-    --mount=type=cache,target="/root/.cache/go-build" \
+RUN --mount=type=cache,target="/root/.cache/go-build" \
     --mount=type=bind,source=".git/",target=".git/" \
     make backend
 

Dockerfile.rootless

@@ -3,14 +3,14 @@
 FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.26-alpine3.23 AS frontend-build
 RUN apk --no-cache add build-base git nodejs pnpm
 WORKDIR /src
+COPY package.json pnpm-lock.yaml .npmrc ./
+RUN --mount=type=cache,target=/root/.local/share/pnpm/store pnpm install --frozen-lockfile
 COPY --exclude=.git/ . .
-RUN --mount=type=cache,target=/root/.local/share/pnpm/store make frontend
+RUN make frontend
 
 # Build backend for each target platform
 FROM docker.io/library/golang:1.26-alpine3.23 AS build-env
 
-ARG GOPROXY=direct
-
 ARG GITEA_VERSION
 ARG TAGS="sqlite sqlite_unlock_notify"
 ENV TAGS="bindata timetzdata $TAGS"
@@ -22,13 +22,14 @@ RUN apk --no-cache add \
     git
 
 WORKDIR ${GOPATH}/src/code.gitea.io/gitea
+COPY go.mod go.sum ./
+RUN go mod download
 # See the comments in Dockerfile
 COPY --exclude=.git/ . .
 COPY --from=frontend-build /src/public/assets public/assets
 
 # Build gitea, .git mount is required for version data
-RUN --mount=type=cache,target=/go/pkg/mod \
-    --mount=type=cache,target="/root/.cache/go-build" \
+RUN --mount=type=cache,target="/root/.cache/go-build" \
     --mount=type=bind,source=".git/",target=".git/" \
     make backend
 

Makefile

@@ -15,7 +15,7 @@ XGO_VERSION := go-1.25.x
 AIR_PACKAGE ?= github.com/air-verse/air@v1
 EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker@v3
 GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.9.2
-GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.10.1
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.2
 GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.15
 MISSPELL_PACKAGE ?= github.com/golangci/misspell/cmd/misspell@v0.8.0
 SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.33.1

eslint.config.ts

@@ -926,7 +926,7 @@ export default defineConfig([
     },
     extends: [
       vue.configs['flat/recommended'],
-      vueScopedCss.configs['flat/recommended'] as any,
+      vueScopedCss.configs.recommended as any,
     ],
     rules: {
       'vue/attributes-order': [0],

flake.lock

@@ -1,6 +1,6 @@
 module code.gitea.io/gitea
 
-go 1.26.0
+go 1.26.1
 
 // rfc5280 said: "The serial number is an integer assigned by the CA to each certificate."
 // But some CAs use negative serial number, just relax the check. related:

go.mod

@@ -14,6 +14,7 @@ import (
 	"net/url"
 	"slices"
 	"strings"
+	"time"
 
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/container"
@@ -27,6 +28,11 @@ import (
 	"xorm.io/xorm"
 )
 
+// Authorization codes should expire within 10 minutes per https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2
+const oauth2AuthorizationCodeValidity = 10 * time.Minute
+
+var ErrOAuth2AuthorizationCodeInvalidated = errors.New("oauth2 authorization code already invalidated")
+
 // OAuth2Application represents an OAuth2 client (RFC 6749)
 type OAuth2Application struct {
 	ID           int64 `xorm:"pk autoincr"`
@@ -386,6 +392,14 @@ func (code *OAuth2AuthorizationCode) TableName() string {
 	return "oauth2_authorization_code"
 }
 
+// IsExpired reports whether the authorization code is expired.
+func (code *OAuth2AuthorizationCode) IsExpired() bool {
+	if code.ValidUntil.IsZero() {
+		return true
+	}
+	return code.ValidUntil <= timeutil.TimeStampNow()
+}
+
 // GenerateRedirectURI generates a redirect URI for a successful authorization request. State will be used if not empty.
 func (code *OAuth2AuthorizationCode) GenerateRedirectURI(state string) (*url.URL, error) {
 	redirect, err := url.Parse(code.RedirectURI)
@@ -403,8 +417,14 @@ func (code *OAuth2AuthorizationCode) GenerateRedirectURI(state string) (*url.URL
 
 // Invalidate deletes the auth code from the database to invalidate this code
 func (code *OAuth2AuthorizationCode) Invalidate(ctx context.Context) error {
-	_, err := db.GetEngine(ctx).ID(code.ID).NoAutoCondition().Delete(code)
-	return err
+	affected, err := db.GetEngine(ctx).ID(code.ID).NoAutoCondition().Delete(code)
+	if err != nil {
+		return err
+	}
+	if affected == 0 {
+		return ErrOAuth2AuthorizationCodeInvalidated
+	}
+	return nil
 }
 
 // ValidateCodeChallenge validates the given verifier against the saved code challenge. This is part of the PKCE implementation.
@@ -472,13 +492,15 @@ func (grant *OAuth2Grant) GenerateNewAuthorizationCode(ctx context.Context, redi
 	// for code scanners to grab sensitive tokens.
 	codeSecret := "gta_" + base32Lower.EncodeToString(rBytes)
 
+	validUntil := time.Now().Add(oauth2AuthorizationCodeValidity)
 	code = &OAuth2AuthorizationCode{
 		Grant:               grant,
 		GrantID:             grant.ID,
 		RedirectURI:         redirectURI,
 		Code:                codeSecret,
 		CodeChallenge:       codeChallenge,
 		CodeChallengeMethod: codeChallengeMethod,
+		ValidUntil:          timeutil.TimeStamp(validUntil.Unix()),
 	}
 	if err := db.Insert(ctx, code); err != nil {
 		return nil, err

models/auth/oauth2.go

@@ -5,13 +5,45 @@ package auth_test
 
 import (
 	"testing"
+	"time"
 
 	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/unittest"
+	"code.gitea.io/gitea/modules/timeutil"
 
 	"github.com/stretchr/testify/assert"
 )
 
+func TestOAuth2AuthorizationCodeValidity(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	t.Run("GenerateSetsValidUntil", func(t *testing.T) {
+		grant := unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Grant{ID: 1})
+		expectedValidUntil := timeutil.TimeStamp(time.Now().Unix() + 600)
+		code, err := grant.GenerateNewAuthorizationCode(t.Context(), "http://127.0.0.1/", "", "")
+		assert.NoError(t, err)
+		assert.Equal(t, expectedValidUntil, code.ValidUntil)
+		assert.False(t, code.IsExpired())
+		assert.NoError(t, code.Invalidate(t.Context()))
+	})
+
+	t.Run("Expired", func(t *testing.T) {
+		defer timeutil.MockSet(time.Unix(2, 0).UTC())()
+
+		code := &auth_model.OAuth2AuthorizationCode{ValidUntil: timeutil.TimeStamp(1)}
+		assert.True(t, code.IsExpired())
+	})
+
+	t.Run("InvalidateTwice", func(t *testing.T) {
+		code, err := auth_model.GetOAuth2AuthorizationByCode(t.Context(), "authcode")
+		assert.NoError(t, err)
+		if assert.NotNil(t, code) {
+			assert.NoError(t, code.Invalidate(t.Context()))
+			assert.ErrorIs(t, code.Invalidate(t.Context()), auth_model.ErrOAuth2AuthorizationCodeInvalidated)
+		}
+	})
+}
+
 func TestOAuth2Application_GenerateClientSecret(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
 	app := unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Application{ID: 1})

models/auth/oauth2_test.go

@@ -75,7 +75,7 @@ func (f *file) readAt(fileMeta *dbfsMeta, offset int64, p []byte) (n int, err er
 }
 
 func (f *file) Read(p []byte) (n int, err error) {
-	if f.metaID == 0 || !f.allowRead {
+	if !f.allowRead {
 		return 0, os.ErrInvalid
 	}
 
@@ -89,7 +89,7 @@ func (f *file) Read(p []byte) (n int, err error) {
 }
 
 func (f *file) Write(p []byte) (n int, err error) {
-	if f.metaID == 0 || !f.allowWrite {
+	if !f.allowWrite {
 		return 0, os.ErrInvalid
 	}
 
@@ -184,10 +184,6 @@ func (f *file) Close() error {
 }
 
 func (f *file) Stat() (os.FileInfo, error) {
-	if f.metaID == 0 {
-		return nil, os.ErrInvalid
-	}
-
 	fileMeta, err := findFileMetaByID(f.ctx, f.metaID)
 	if err != nil {
 		return nil, err
@@ -232,15 +228,17 @@ func (f *file) open(flag int) (err error) {
 				if f.metaID != 0 {
 					return os.ErrExist
 				}
-			} else {
-				// create a new file if none exists.
-				if f.metaID == 0 {
-					if err = f.createEmpty(); err != nil {
-						return err
-					}
+			}
+			// create a new file if not exists.
+			if f.metaID == 0 {
+				if err = f.createEmpty(); err != nil {
+					return err
 				}
 			}
 		}
+		if f.metaID == 0 {
+			return os.ErrNotExist
+		}
 		if flag&os.O_TRUNC != 0 {
 			if err = f.truncate(); err != nil {
 				return err
@@ -252,7 +250,7 @@ func (f *file) open(flag int) (err error) {
 			}
 		}
 		return nil
-	}
+	} // end if: allowWrite
 
 	// read only mode
 	if f.metaID == 0 {
@@ -322,9 +320,6 @@ func (f *file) delete() error {
 }
 
 func (f *file) size() (int64, error) {
-	if f.metaID == 0 {
-		return 0, os.ErrNotExist
-	}
 	fileMeta, err := findFileMetaByID(f.ctx, f.metaID)
 	if err != nil {
 		return 0, err
@@ -339,7 +334,7 @@ func findFileMetaByID(ctx context.Context, metaID int64) (*dbfsMeta, error) {
 	} else if ok {
 		return &fileMeta, nil
 	}
-	return nil, nil //nolint:nilnil // return nil to indicate that the object does not exist
+	return nil, os.ErrNotExist
 }
 
 func buildPath(path string) string {

models/dbfs/dbfile.go

@@ -40,6 +40,9 @@ The DBFS solution:
 * In the future, when Gitea action needs to limit the log size (other CI/CD services also do so), it's easier to calculate the log file size.
 * Even sometimes the UI needs to render the tailing lines, the tailing lines can be found be counting the "\n" from the end of the file by seek.
   The seeking and finding is not the fastest way, but it's still acceptable and won't affect the performance too much.
+
+Limitations of the DBFS solution:
+* Not fully POSIX-compliant, some behaviors may be different from the real filesystem, especially for concurrent read/write
 */
 
 type dbfsMeta struct {