forked from forgejo/forgejo
Prevent double-login for Git HTTP and LFS and simplify login (#15303)
* Prevent double-login for Git HTTP and LFS and simplify login There are a number of inconsistencies with our current methods for logging in for git and lfs. The first is that there is a double login process. This is particularly evident in 1.13 where there are no less than 4 hash checks for basic authentication due to the previous IsPasswordSet behaviour. This duplicated code had individual inconsistencies that were not helpful and caused confusion. This PR does the following: * Remove the specific login code from the git and lfs handlers except for the lfs special bearer token * Simplify the meaning of DisableBasicAuthentication to allow Token and Oauth2 sign-in. * The removal of the specific code from git and lfs means that these both now have the same login semantics and can - if not DisableBasicAuthentication - login from external services. Further it allows Oauth2 token authentication as per our standard mechanisms. * The change in the recovery handler prevents the service from re-attempting to login - primarily because this could easily cause a further panic and it is wasteful. * add test Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Andrew Thornton <art27@cantab.net>
This commit is contained in:
zeripath
GitHub
parent
ba526ceffe
commit
17c5c654a5
10 changed files with 292 additions and 221 deletions
|
|
@ -14,6 +14,7 @@ import (
|
|||
"code.gitea.io/gitea/modules/log"
|
||||
"code.gitea.io/gitea/modules/setting"
|
||||
"code.gitea.io/gitea/modules/timeutil"
|
||||
"code.gitea.io/gitea/modules/web/middleware"
|
||||
)
|
||||
|
||||
// Ensure the struct implements the interface.
|
||||
|
|
@ -40,7 +41,7 @@ func (b *Basic) Free() error {
|
|||
// IsEnabled returns true as this plugin is enabled by default and its not possible to disable
|
||||
// it from settings.
|
||||
func (b *Basic) IsEnabled() bool {
|
||||
return setting.Service.EnableBasicAuth
|
||||
return true
|
||||
}
|
||||
|
||||
// VerifyAuthData extracts and validates Basic data (username and password/token) from the
|
||||
|
|
@ -48,17 +49,22 @@ func (b *Basic) IsEnabled() bool {
|
|||
// name/token on successful validation.
|
||||
// Returns nil if header is empty or validation fails.
|
||||
func (b *Basic) VerifyAuthData(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User {
|
||||
|
||||
// Basic authentication should only fire on API, Download or on Git or LFSPaths
|
||||
if middleware.IsInternalPath(req) || !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitOrLFSPath(req) {
|
||||
return nil
|
||||
}
|
||||
|
||||
baHead := req.Header.Get("Authorization")
|
||||
if len(baHead) == 0 {
|
||||
return nil
|
||||
}
|
||||
|
||||
auths := strings.Fields(baHead)
|
||||
auths := strings.SplitN(baHead, " ", 2)
|
||||
if len(auths) != 2 || (auths[0] != "Basic" && auths[0] != "basic") {
|
||||
return nil
|
||||
}
|
||||
|
||||
var u *models.User
|
||||
uname, passwd, _ := base.BasicAuthDecode(auths[1])
|
||||
|
||||
// Check if username or password is a token
|
||||
|
|
@ -76,20 +82,21 @@ func (b *Basic) VerifyAuthData(req *http.Request, w http.ResponseWriter, store D
|
|||
uid := CheckOAuthAccessToken(authToken)
|
||||
if uid != 0 {
|
||||
log.Trace("Basic Authorization: Valid OAuthAccessToken for user[%d]", uid)
|
||||
var err error
|
||||
store.GetData()["IsApiToken"] = true
|
||||
|
||||
u, err = models.GetUserByID(uid)
|
||||
u, err := models.GetUserByID(uid)
|
||||
if err != nil {
|
||||
log.Error("GetUserByID: %v", err)
|
||||
return nil
|
||||
}
|
||||
|
||||
store.GetData()["IsApiToken"] = true
|
||||
return u
|
||||
}
|
||||
|
||||
token, err := models.GetAccessTokenBySHA(authToken)
|
||||
if err == nil {
|
||||
log.Trace("Basic Authorization: Valid AccessToken for user[%d]", uid)
|
||||
|
||||
u, err = models.GetUserByID(token.UID)
|
||||
u, err := models.GetUserByID(token.UID)
|
||||
if err != nil {
|
||||
log.Error("GetUserByID: %v", err)
|
||||
return nil
|
||||
|
|
@ -99,22 +106,24 @@ func (b *Basic) VerifyAuthData(req *http.Request, w http.ResponseWriter, store D
|
|||
if err = models.UpdateAccessToken(token); err != nil {
|
||||
log.Error("UpdateAccessToken: %v", err)
|
||||
}
|
||||
|
||||
store.GetData()["IsApiToken"] = true
|
||||
return u
|
||||
} else if !models.IsErrAccessTokenNotExist(err) && !models.IsErrAccessTokenEmpty(err) {
|
||||
log.Error("GetAccessTokenBySha: %v", err)
|
||||
}
|
||||
|
||||
if u == nil {
|
||||
log.Trace("Basic Authorization: Attempting SignIn for %s", uname)
|
||||
if !setting.Service.EnableBasicAuth {
|
||||
return nil
|
||||
}
|
||||
|
||||
u, err = models.UserSignIn(uname, passwd)
|
||||
if err != nil {
|
||||
if !models.IsErrUserNotExist(err) {
|
||||
log.Error("UserSignIn: %v", err)
|
||||
}
|
||||
return nil
|
||||
log.Trace("Basic Authorization: Attempting SignIn for %s", uname)
|
||||
u, err := models.UserSignIn(uname, passwd)
|
||||
if err != nil {
|
||||
if !models.IsErrUserNotExist(err) {
|
||||
log.Error("UserSignIn: %v", err)
|
||||
}
|
||||
} else {
|
||||
store.GetData()["IsApiToken"] = true
|
||||
return nil
|
||||
}
|
||||
|
||||
log.Trace("Basic Authorization: Logged in user %-v", u)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue