Merge pull request 'fix: 15 November 2024 security fixes batch' (#5974) from earl-warren/forgejo:wip-security-15-11 into forgejo

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5974 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Reviewed-by: Otto <otto@codeberg.org>
2024-11-15 11:19:50 +00:00 · 2024-11-15 11:19:50 +00:00 · 1e1b162cbe
commit 1e1b162cbe
parent 01ab0583f5 b1bc294955
40 changed files with 953 additions and 290 deletions
--- a/tests/integration/api_feed_user_test.go
+++ b/tests/integration/api_feed_user_test.go
@ -109,4 +109,24 @@ func TestFeed(t *testing.T) {
 			})
 		})
 	})
+
+	t.Run("View permission", func(t *testing.T) {
+		t.Run("Anomynous", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			req := NewRequest(t, "GET", "/org3/repo3/rss/branch/master")
+			MakeRequest(t, req, http.StatusNotFound)
+		})
+		t.Run("No code permission", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			session := loginUser(t, "user8")
+			req := NewRequest(t, "GET", "/org3/repo3/rss/branch/master")
+			session.MakeRequest(t, req, http.StatusNotFound)
+		})
+		t.Run("With code permission", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			session := loginUser(t, "user9")
+			req := NewRequest(t, "GET", "/org3/repo3/rss/branch/master")
+			session.MakeRequest(t, req, http.StatusOK)
+		})
+	})
 }
--- a/tests/integration/api_fork_test.go
+++ b/tests/integration/api_fork_test.go
@ -17,6 +17,8 @@ import (
 	"code.gitea.io/gitea/modules/test"
 	"code.gitea.io/gitea/routers"
 	"code.gitea.io/gitea/tests"
+
+	"github.com/stretchr/testify/assert"
 )

 func TestAPIForkAsAdminIgnoringLimits(t *testing.T) {
@ -106,3 +108,44 @@ func TestAPIDisabledForkRepo(t *testing.T) {
 		session.MakeRequest(t, req, http.StatusNotFound)
 	})
 }
+
+func TestAPIForkListPrivateRepo(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	session := loginUser(t, "user5")
+	token := getTokenForLoggedInUser(t, session,
+		auth_model.AccessTokenScopeWriteRepository,
+		auth_model.AccessTokenScopeWriteOrganization)
+	org23 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 23, Visibility: api.VisibleTypePrivate})
+
+	req := NewRequestWithJSON(t, "POST", "/api/v1/repos/user2/repo1/forks", &api.CreateForkOption{
+		Organization: &org23.Name,
+	}).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusAccepted)
+
+	t.Run("Anomynous", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		req := NewRequest(t, "GET", "/api/v1/repos/user2/repo1/forks")
+		resp := MakeRequest(t, req, http.StatusOK)
+
+		var forks []*api.Repository
+		DecodeJSON(t, resp, &forks)
+
+		assert.Empty(t, forks)
+		assert.EqualValues(t, "0", resp.Header().Get("X-Total-Count"))
+	})
+
+	t.Run("Logged in", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		req := NewRequest(t, "GET", "/api/v1/repos/user2/repo1/forks").AddTokenAuth(token)
+		resp := MakeRequest(t, req, http.StatusOK)
+
+		var forks []*api.Repository
+		DecodeJSON(t, resp, &forks)
+
+		assert.Len(t, forks, 1)
+		assert.EqualValues(t, "1", resp.Header().Get("X-Total-Count"))
+	})
+}
--- a/tests/integration/api_twofa_test.go
+++ b/tests/integration/api_twofa_test.go
@ -15,6 +15,7 @@ import (
 	"code.gitea.io/gitea/tests"

 	"github.com/pquerna/otp/totp"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

@ -58,3 +59,24 @@ func TestAPITwoFactor(t *testing.T) {
 	req.Header.Set("X-Forgejo-OTP", passcode)
 	MakeRequest(t, req, http.StatusOK)
 }
+
+func TestAPIWebAuthn(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 32})
+	unittest.AssertExistsAndLoadBean(t, &auth_model.WebAuthnCredential{UserID: user.ID})
+
+	req := NewRequest(t, "GET", "/api/v1/user")
+	req.SetBasicAuth(user.Name, "notpassword")
+
+	resp := MakeRequest(t, req, http.StatusUnauthorized)
+
+	type userResponse struct {
+		Message string `json:"message"`
+	}
+	var userParsed userResponse
+
+	DecodeJSON(t, resp, &userParsed)
+
+	assert.EqualValues(t, "Basic authorization is not allowed while having security keys enrolled", userParsed.Message)
+}
--- a/tests/integration/auth_token_test.go
+++ b/tests/integration/auth_token_test.go
@ -84,7 +84,7 @@ func TestLTACookie(t *testing.T) {
 	assert.True(t, found)
 	rawValidator, err := hex.DecodeString(validator)
 	require.NoError(t, err)
-	unittest.AssertExistsAndLoadBean(t, &auth.AuthorizationToken{LookupKey: lookupKey, HashedValidator: auth.HashValidator(rawValidator), UID: user.ID})
+	unittest.AssertExistsAndLoadBean(t, &auth.AuthorizationToken{LookupKey: lookupKey, HashedValidator: auth.HashValidator(rawValidator), UID: user.ID, Purpose: auth.LongTermAuthorization})

 	// Check if the LTA cookie it provides authentication.
 	// If LTA cookie provides authentication /user/login shouldn't return status 200.
@ -143,7 +143,7 @@ func TestLTAExpiry(t *testing.T) {
 	assert.True(t, found)

 	// Ensure it's not expired.
-	lta := unittest.AssertExistsAndLoadBean(t, &auth.AuthorizationToken{UID: user.ID, LookupKey: lookupKey})
+	lta := unittest.AssertExistsAndLoadBean(t, &auth.AuthorizationToken{UID: user.ID, LookupKey: lookupKey, Purpose: auth.LongTermAuthorization})
 	assert.False(t, lta.IsExpired())

 	// Manually stub LTA's expiry.
@ -151,7 +151,7 @@ func TestLTAExpiry(t *testing.T) {
 	require.NoError(t, err)

 	// Ensure it's expired.
-	lta = unittest.AssertExistsAndLoadBean(t, &auth.AuthorizationToken{UID: user.ID, LookupKey: lookupKey})
+	lta = unittest.AssertExistsAndLoadBean(t, &auth.AuthorizationToken{UID: user.ID, LookupKey: lookupKey, Purpose: auth.LongTermAuthorization})
 	assert.True(t, lta.IsExpired())

 	// Should return 200 OK, because LTA doesn't provide authorization anymore.
@ -160,5 +160,5 @@ func TestLTAExpiry(t *testing.T) {
 	session.MakeRequest(t, req, http.StatusOK)

 	// Ensure it's deleted.
-	unittest.AssertNotExistsBean(t, &auth.AuthorizationToken{UID: user.ID, LookupKey: lookupKey})
+	unittest.AssertNotExistsBean(t, &auth.AuthorizationToken{UID: user.ID, LookupKey: lookupKey, Purpose: auth.LongTermAuthorization})
 }
--- a/tests/integration/fixtures/TestFeed/team.yml
+++ b/tests/integration/fixtures/TestFeed/team.yml
@ -0,0 +1,21 @@
+-
+  id: 1001
+  org_id: 3
+  lower_name: no_code
+  name: no_code
+  authorize: 1 # read
+  num_repos: 1
+  num_members: 1
+  includes_all_repositories: false
+  can_create_org_repo: false
+
+-
+  id: 1002
+  org_id: 3
+  lower_name: read_code
+  name: no_code
+  authorize: 1 # read
+  num_repos: 1
+  num_members: 1
+  includes_all_repositories: false
+  can_create_org_repo: false
--- a/tests/integration/fixtures/TestFeed/team_repo.yml
+++ b/tests/integration/fixtures/TestFeed/team_repo.yml
@ -0,0 +1,11 @@
+-
+  id: 1001
+  org_id: 3
+  team_id: 1001
+  repo_id: 3
+
+-
+  id: 1002
+  org_id: 3
+  team_id: 1002
+  repo_id: 3
--- a/tests/integration/fixtures/TestFeed/team_unit.yml
+++ b/tests/integration/fixtures/TestFeed/team_unit.yml
@ -0,0 +1,83 @@
+-
+  id: 1001
+  team_id: 1001
+  type: 1
+  access_mode: 0
+
+-
+  id: 1002
+  team_id: 1001
+  type: 2
+  access_mode: 1
+
+-
+  id: 1003
+  team_id: 1001
+  type: 3
+  access_mode: 1
+
+-
+  id: 1004
+  team_id: 1001
+  type: 4
+  access_mode: 1
+
+-
+  id: 1005
+  team_id: 1001
+  type: 5
+  access_mode: 1
+
+-
+  id: 1006
+  team_id: 1001
+  type: 6
+  access_mode: 1
+
+-
+  id: 1007
+  team_id: 1001
+  type: 7
+  access_mode: 1
+
+-
+  id: 1008
+  team_id: 1002
+  type: 1
+  access_mode: 1
+
+-
+  id: 1009
+  team_id: 1002
+  type: 2
+  access_mode: 1
+
+-
+  id: 1010
+  team_id: 1002
+  type: 3
+  access_mode: 1
+
+-
+  id: 1011
+  team_id: 1002
+  type: 4
+  access_mode: 1
+
+-
+  id: 1012
+  team_id: 1002
+  type: 5
+  access_mode: 1
+
+-
+  id: 1013
+  team_id: 1002
+  type: 6
+  access_mode: 1
+
+-
+  id: 1014
+  team_id: 1002
+  type: 7
+  access_mode: 1
--- a/tests/integration/fixtures/TestFeed/team_user.yml
+++ b/tests/integration/fixtures/TestFeed/team_user.yml
@ -0,0 +1,11 @@
+-
+  id: 1001
+  org_id: 3
+  team_id: 1001
+  uid: 8
+
+-
+  id: 1002
+  org_id: 3
+  team_id: 1002
+  uid: 9
--- a/tests/integration/incoming_email_test.go
+++ b/tests/integration/incoming_email_test.go
@ -4,6 +4,7 @@
 package integration

 import (
+	"encoding/base32"
 	"io"
 	"net"
 	"net/smtp"
@ -75,6 +76,51 @@ func TestIncomingEmail(t *testing.T) {
 		assert.Equal(t, payload, p)
 	})

+	tokenEncoding := base32.StdEncoding.WithPadding(base32.NoPadding)
+	t.Run("Deprecated token version", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		payload := []byte{1, 2, 3, 4, 5}
+
+		token, err := token_service.CreateToken(token_service.ReplyHandlerType, user, payload)
+		require.NoError(t, err)
+		assert.NotEmpty(t, token)
+
+		// Set the token to version 1.
+		unencodedToken, err := tokenEncoding.DecodeString(token)
+		require.NoError(t, err)
+		unencodedToken[0] = 1
+		token = tokenEncoding.EncodeToString(unencodedToken)
+
+		ht, u, p, err := token_service.ExtractToken(db.DefaultContext, token)
+		require.ErrorContains(t, err, "unsupported token version: 1")
+		assert.Equal(t, token_service.UnknownHandlerType, ht)
+		assert.Nil(t, u)
+		assert.Nil(t, p)
+	})
+
+	t.Run("MAC check", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		payload := []byte{1, 2, 3, 4, 5}
+
+		token, err := token_service.CreateToken(token_service.ReplyHandlerType, user, payload)
+		require.NoError(t, err)
+		assert.NotEmpty(t, token)
+
+		// Modify the MAC.
+		unencodedToken, err := tokenEncoding.DecodeString(token)
+		require.NoError(t, err)
+		unencodedToken[len(unencodedToken)-1] ^= 0x01
+		token = tokenEncoding.EncodeToString(unencodedToken)
+
+		ht, u, p, err := token_service.ExtractToken(db.DefaultContext, token)
+		require.ErrorContains(t, err, "verification failed")
+		assert.Equal(t, token_service.UnknownHandlerType, ht)
+		assert.Nil(t, u)
+		assert.Nil(t, p)
+	})
+
 	t.Run("Handler", func(t *testing.T) {
 		t.Run("Reply", func(t *testing.T) {
 			checkReply := func(t *testing.T, payload []byte, issue *issues_model.Issue, commentType issues_model.CommentType) {
--- a/tests/integration/mirror_push_test.go
+++ b/tests/integration/mirror_push_test.go
@ -323,3 +323,82 @@ func TestSSHPushMirror(t *testing.T) {
 		})
 	})
 }
+
+func TestPushMirrorSettings(t *testing.T) {
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		defer test.MockVariableValue(&setting.Migrations.AllowLocalNetworks, true)()
+		defer test.MockVariableValue(&setting.Mirror.Enabled, true)()
+		require.NoError(t, migrations.Init())
+
+		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		srcRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2})
+		srcRepo2 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 3})
+		assert.False(t, srcRepo.HasWiki())
+		sess := loginUser(t, user.Name)
+		pushToRepo, _, f := tests.CreateDeclarativeRepoWithOptions(t, user, tests.DeclarativeRepoOptions{
+			Name:         optional.Some("push-mirror-test"),
+			AutoInit:     optional.Some(false),
+			EnabledUnits: optional.Some([]unit.Type{unit.TypeCode}),
+		})
+		defer f()
+
+		t.Run("Adding", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/settings", srcRepo2.FullName()), map[string]string{
+				"_csrf":                GetCSRF(t, sess, fmt.Sprintf("/%s/settings", srcRepo2.FullName())),
+				"action":               "push-mirror-add",
+				"push_mirror_address":  u.String() + pushToRepo.FullName(),
+				"push_mirror_interval": "0",
+			})
+			sess.MakeRequest(t, req, http.StatusSeeOther)
+
+			req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/settings", srcRepo.FullName()), map[string]string{
+				"_csrf":                GetCSRF(t, sess, fmt.Sprintf("/%s/settings", srcRepo.FullName())),
+				"action":               "push-mirror-add",
+				"push_mirror_address":  u.String() + pushToRepo.FullName(),
+				"push_mirror_interval": "0",
+			})
+			sess.MakeRequest(t, req, http.StatusSeeOther)
+
+			flashCookie := sess.GetCookie(gitea_context.CookieNameFlash)
+			assert.NotNil(t, flashCookie)
+			assert.Contains(t, flashCookie.Value, "success")
+		})
+
+		mirrors, _, err := repo_model.GetPushMirrorsByRepoID(db.DefaultContext, srcRepo.ID, db.ListOptions{})
+		require.NoError(t, err)
+		assert.Len(t, mirrors, 1)
+		mirrorID := mirrors[0].ID
+
+		mirrors, _, err = repo_model.GetPushMirrorsByRepoID(db.DefaultContext, srcRepo2.ID, db.ListOptions{})
+		require.NoError(t, err)
+		assert.Len(t, mirrors, 1)
+
+		t.Run("Interval", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			unittest.AssertExistsAndLoadBean(t, &repo_model.PushMirror{ID: mirrorID - 1})
+
+			req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/settings", srcRepo.FullName()), map[string]string{
+				"_csrf":                GetCSRF(t, sess, fmt.Sprintf("/%s/settings", srcRepo.FullName())),
+				"action":               "push-mirror-update",
+				"push_mirror_id":       strconv.FormatInt(mirrorID-1, 10),
+				"push_mirror_interval": "10m0s",
+			})
+			sess.MakeRequest(t, req, http.StatusNotFound)
+
+			req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/settings", srcRepo.FullName()), map[string]string{
+				"_csrf":                GetCSRF(t, sess, fmt.Sprintf("/%s/settings", srcRepo.FullName())),
+				"action":               "push-mirror-update",
+				"push_mirror_id":       strconv.FormatInt(mirrorID, 10),
+				"push_mirror_interval": "10m0s",
+			})
+			sess.MakeRequest(t, req, http.StatusSeeOther)
+
+			flashCookie := sess.GetCookie(gitea_context.CookieNameFlash)
+			assert.NotNil(t, flashCookie)
+			assert.Contains(t, flashCookie.Value, "success")
+		})
+	})
+}
--- a/tests/integration/org_team_invite_test.go
+++ b/tests/integration/org_team_invite_test.go
@ -10,6 +10,7 @@ import (
 	"strings"
 	"testing"

+	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/organization"
 	"code.gitea.io/gitea/models/unittest"
@ -293,8 +294,10 @@ func TestOrgTeamEmailInviteRedirectsNewUserWithActivation(t *testing.T) {
 	require.NoError(t, err)
 	session.jar.SetCookies(baseURL, cr.Cookies())

-	activateURL := fmt.Sprintf("/user/activate?code=%s", user.GenerateEmailActivateCode("doesnotexist@example.com"))
-	req = NewRequestWithValues(t, "POST", activateURL, map[string]string{
+	code, err := user.GenerateEmailAuthorizationCode(db.DefaultContext, auth.UserActivation)
+	require.NoError(t, err)
+
+	req = NewRequestWithValues(t, "POST", "/user/activate?code="+url.QueryEscape(code), map[string]string{
 		"password": "examplePassword!1",
 	})

--- a/tests/integration/repo_fork_test.go
+++ b/tests/integration/repo_fork_test.go
@ -17,6 +17,7 @@ import (
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/test"
 	"code.gitea.io/gitea/routers"
 	repo_service "code.gitea.io/gitea/services/repository"
@ -238,3 +239,34 @@ func TestRepoForkToOrg(t *testing.T) {
 		})
 	})
 }
+
+func TestForkListPrivateRepo(t *testing.T) {
+	forkItemSelector := ".tw-flex.tw-items-center.tw-py-2"
+
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		session := loginUser(t, "user5")
+		org23 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 23, Visibility: structs.VisibleTypePrivate})
+
+		testRepoFork(t, session, "user2", "repo1", org23.Name, "repo1")
+
+		t.Run("Anomynous", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			req := NewRequest(t, "GET", "/user2/repo1/forks")
+			resp := MakeRequest(t, req, http.StatusOK)
+			htmlDoc := NewHTMLParser(t, resp.Body)
+
+			htmlDoc.AssertElement(t, forkItemSelector, false)
+		})
+
+		t.Run("Logged in", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			req := NewRequest(t, "GET", "/user2/repo1/forks")
+			resp := session.MakeRequest(t, req, http.StatusOK)
+			htmlDoc := NewHTMLParser(t, resp.Body)
+
+			htmlDoc.AssertElement(t, forkItemSelector, true)
+		})
+	})
+}
--- a/tests/integration/user_test.go
+++ b/tests/integration/user_test.go
@ -5,14 +5,18 @@
 package integration

 import (
+	"bytes"
+	"encoding/hex"
 	"fmt"
 	"net/http"
+	"net/url"
 	"strconv"
 	"strings"
 	"testing"
 	"time"

 	auth_model "code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/models/db"
 	issues_model "code.gitea.io/gitea/models/issues"
 	repo_model "code.gitea.io/gitea/models/repo"
 	unit_model "code.gitea.io/gitea/models/unit"
@ -836,3 +840,171 @@ func TestUserRepos(t *testing.T) {
 		}
 	}
 }
+
+func TestUserActivate(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+	defer test.MockVariableValue(&setting.Service.RegisterEmailConfirm, true)()
+
+	called := false
+	code := ""
+	defer test.MockVariableValue(&mailer.SendAsync, func(msgs ...*mailer.Message) {
+		called = true
+		assert.Len(t, msgs, 1)
+		assert.Equal(t, `"doesnotexist" <doesnotexist@example.com>`, msgs[0].To)
+		assert.EqualValues(t, translation.NewLocale("en-US").Tr("mail.activate_account"), msgs[0].Subject)
+
+		messageDoc := NewHTMLParser(t, bytes.NewBuffer([]byte(msgs[0].Body)))
+		link, ok := messageDoc.Find("a").Attr("href")
+		assert.True(t, ok)
+		u, err := url.Parse(link)
+		require.NoError(t, err)
+		code = u.Query()["code"][0]
+	})()
+
+	session := emptyTestSession(t)
+	req := NewRequestWithValues(t, "POST", "/user/sign_up", map[string]string{
+		"_csrf":     GetCSRF(t, session, "/user/sign_up"),
+		"user_name": "doesnotexist",
+		"email":     "doesnotexist@example.com",
+		"password":  "examplePassword!1",
+		"retype":    "examplePassword!1",
+	})
+	session.MakeRequest(t, req, http.StatusOK)
+	assert.True(t, called)
+
+	queryCode, err := url.QueryUnescape(code)
+	require.NoError(t, err)
+
+	lookupKey, validator, ok := strings.Cut(queryCode, ":")
+	assert.True(t, ok)
+
+	rawValidator, err := hex.DecodeString(validator)
+	require.NoError(t, err)
+
+	authToken, err := auth_model.FindAuthToken(db.DefaultContext, lookupKey, auth_model.UserActivation)
+	require.NoError(t, err)
+	assert.False(t, authToken.IsExpired())
+	assert.EqualValues(t, authToken.HashedValidator, auth_model.HashValidator(rawValidator))
+
+	req = NewRequest(t, "POST", "/user/activate?code="+code)
+	session.MakeRequest(t, req, http.StatusOK)
+
+	unittest.AssertNotExistsBean(t, &auth_model.AuthorizationToken{ID: authToken.ID})
+	unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "doesnotexist", IsActive: true})
+}
+
+func TestUserPasswordReset(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+
+	called := false
+	code := ""
+	defer test.MockVariableValue(&mailer.SendAsync, func(msgs ...*mailer.Message) {
+		if called {
+			return
+		}
+		called = true
+
+		assert.Len(t, msgs, 1)
+		assert.Equal(t, user2.EmailTo(), msgs[0].To)
+		assert.EqualValues(t, translation.NewLocale("en-US").Tr("mail.reset_password"), msgs[0].Subject)
+
+		messageDoc := NewHTMLParser(t, bytes.NewBuffer([]byte(msgs[0].Body)))
+		link, ok := messageDoc.Find("a").Attr("href")
+		assert.True(t, ok)
+		u, err := url.Parse(link)
+		require.NoError(t, err)
+		code = u.Query()["code"][0]
+	})()
+
+	session := emptyTestSession(t)
+	req := NewRequestWithValues(t, "POST", "/user/forgot_password", map[string]string{
+		"_csrf": GetCSRF(t, session, "/user/forgot_password"),
+		"email": user2.Email,
+	})
+	session.MakeRequest(t, req, http.StatusOK)
+	assert.True(t, called)
+
+	queryCode, err := url.QueryUnescape(code)
+	require.NoError(t, err)
+
+	lookupKey, validator, ok := strings.Cut(queryCode, ":")
+	assert.True(t, ok)
+
+	rawValidator, err := hex.DecodeString(validator)
+	require.NoError(t, err)
+
+	authToken, err := auth_model.FindAuthToken(db.DefaultContext, lookupKey, auth_model.PasswordReset)
+	require.NoError(t, err)
+	assert.False(t, authToken.IsExpired())
+	assert.EqualValues(t, authToken.HashedValidator, auth_model.HashValidator(rawValidator))
+
+	req = NewRequestWithValues(t, "POST", "/user/recover_account", map[string]string{
+		"_csrf":    GetCSRF(t, session, "/user/recover_account"),
+		"code":     code,
+		"password": "new_password",
+	})
+	session.MakeRequest(t, req, http.StatusSeeOther)
+
+	unittest.AssertNotExistsBean(t, &auth_model.AuthorizationToken{ID: authToken.ID})
+	assert.True(t, unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}).ValidatePassword("new_password"))
+}
+
+func TestActivateEmailAddress(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+	defer test.MockVariableValue(&setting.Service.RegisterEmailConfirm, true)()
+
+	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+
+	called := false
+	code := ""
+	defer test.MockVariableValue(&mailer.SendAsync, func(msgs ...*mailer.Message) {
+		if called {
+			return
+		}
+		called = true
+
+		assert.Len(t, msgs, 1)
+		assert.Equal(t, "newemail@example.org", msgs[0].To)
+		assert.EqualValues(t, translation.NewLocale("en-US").Tr("mail.activate_email"), msgs[0].Subject)
+
+		messageDoc := NewHTMLParser(t, bytes.NewBuffer([]byte(msgs[0].Body)))
+		link, ok := messageDoc.Find("a").Attr("href")
+		assert.True(t, ok)
+		u, err := url.Parse(link)
+		require.NoError(t, err)
+		code = u.Query()["code"][0]
+	})()
+
+	session := loginUser(t, user2.Name)
+	req := NewRequestWithValues(t, "POST", "/user/settings/account/email", map[string]string{
+		"_csrf": GetCSRF(t, session, "/user/settings"),
+		"email": "newemail@example.org",
+	})
+	session.MakeRequest(t, req, http.StatusSeeOther)
+	assert.True(t, called)
+
+	queryCode, err := url.QueryUnescape(code)
+	require.NoError(t, err)
+
+	lookupKey, validator, ok := strings.Cut(queryCode, ":")
+	assert.True(t, ok)
+
+	rawValidator, err := hex.DecodeString(validator)
+	require.NoError(t, err)
+
+	authToken, err := auth_model.FindAuthToken(db.DefaultContext, lookupKey, auth_model.EmailActivation("newemail@example.org"))
+	require.NoError(t, err)
+	assert.False(t, authToken.IsExpired())
+	assert.EqualValues(t, authToken.HashedValidator, auth_model.HashValidator(rawValidator))
+
+	req = NewRequestWithValues(t, "POST", "/user/activate_email", map[string]string{
+		"code":  code,
+		"email": "newemail@example.org",
+	})
+	session.MakeRequest(t, req, http.StatusSeeOther)
+
+	unittest.AssertNotExistsBean(t, &auth_model.AuthorizationToken{ID: authToken.ID})
+	unittest.AssertExistsAndLoadBean(t, &user_model.EmailAddress{UID: user2.ID, IsActivated: true, Email: "newemail@example.org"})
+}