.devcontainer
.gitea
.github
assets
build
cmd
contrib
custom
docker
models
actions
activities
admin
asymkey
auth
avatars
db
dbfs
fixtures
git
issues
migrations
organization
packages
perm
access
access_mode.go
access_mode_test.go
project
pull
renderhelper
repo
secret
shared
system
unit
unittest
user
webhook
main_test.go
repo.go
repo_test.go
modules
options
public
routers
services
snap
templates
tests
tools
web_src
.air.toml
.changelog.yml
.dockerignore
.editorconfig
.envrc
.eslintrc.cjs
.gitattributes
.gitignore
.gitpod.yml
.golangci.yml
.ignore
.mailmap
.markdownlint.yaml
.npmrc
.spectral.yaml
.yamllint.yaml
BSDmakefile
CHANGELOG-archived.md
CHANGELOG.md
CODE_OF_CONDUCT.md
CONTRIBUTING.md
DCO
Dockerfile
Dockerfile.rootless
LICENSE
MAINTAINERS
Makefile
README.md
README.zh-cn.md
README.zh-tw.md
SECURITY.md
build.go
crowdin.yml
flake.lock
flake.nix
go.mod
go.sum
main.go
main_timezones.go
package-lock.json
package.json
playwright.config.ts
poetry.lock
poetry.toml
pyproject.toml
stylelint.config.js
tailwind.config.js
tsconfig.json
updates.config.js
vitest.config.ts
webpack.config.js

Fix #880 Design: 1. A global setting `security.TWO_FACTOR_AUTH`. * To support org-level config, we need to introduce a better "owner setting" system first (in the future) 2. A user without 2FA can login and may explore, but can NOT read or write to any repositories via API/web. 3. Keep things as simple as possible. * This option only aggressively suggest users to enable their 2FA at the moment, it does NOT guarantee that users must have 2FA before all other operations, it should be good enough for real world use cases. * Some details and tests could be improved in the future since this change only adds a check and seems won't affect too much. --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>