Prevent double-login for Git HTTP and LFS and simplify login (#15303)
* Prevent double-login for Git HTTP and LFS and simplify login There are a number of inconsistencies with our current methods for logging in for git and lfs. The first is that there is a double login process. This is particularly evident in 1.13 where there are no fewer than 4 hash checks for basic authentication due to the previous IsPasswordSet behaviour. This duplicated code had individual inconsistencies that were not helpful and caused confusion. This PR does the following: * Remove the specific login code from the git and lfs handlers except for the lfs special bearer token * Simplify the meaning of DisableBasicAuthentication to allow Token and Oauth2 sign-in. * The removal of the specific code from git and lfs means that these both now have the same login semantics and can - if not DisableBasicAuthentication - log in from external services. Further it allows Oauth2 token authentication as per our standard mechanisms. * The change in the recovery handler prevents the service from re-attempting to log in - primarily because this could easily cause a further panic and it is wasteful. * add test Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Andrew Thornton <art27@cantab.net>
This commit is contained in:
parent
ba526ceffe
commit
17c5c654a5
10 changed files with 292 additions and 221 deletions
|
@ -9,10 +9,12 @@ import (
|
|||
"fmt"
|
||||
"net/http"
|
||||
"reflect"
|
||||
"regexp"
|
||||
"strings"
|
||||
|
||||
"code.gitea.io/gitea/models"
|
||||
"code.gitea.io/gitea/modules/log"
|
||||
"code.gitea.io/gitea/modules/setting"
|
||||
"code.gitea.io/gitea/modules/web/middleware"
|
||||
)
|
||||
|
||||
|
@ -27,9 +29,9 @@ import (
|
|||
// for users that have already signed in.
|
||||
var ssoMethods = []SingleSignOn{
|
||||
&OAuth2{},
|
||||
&Basic{},
|
||||
&Session{},
|
||||
&ReverseProxy{},
|
||||
&Basic{},
|
||||
}
|
||||
|
||||
// The purpose of the following three function variables is to let the linter know that
|
||||
|
@ -102,6 +104,19 @@ func isAttachmentDownload(req *http.Request) bool {
|
|||
return strings.HasPrefix(req.URL.Path, "/attachments/") && req.Method == "GET"
|
||||
}
|
||||
|
||||
var gitPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/))`)
|
||||
var lfsPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/info/lfs/`)
|
||||
|
||||
func isGitOrLFSPath(req *http.Request) bool {
|
||||
if gitPathRe.MatchString(req.URL.Path) {
|
||||
return true
|
||||
}
|
||||
if setting.LFS.StartServer {
|
||||
return lfsPathRe.MatchString(req.URL.Path)
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// handleSignIn clears existing session variables and stores new ones for the specified user object
|
||||
func handleSignIn(resp http.ResponseWriter, req *http.Request, sess SessionStore, user *models.User) {
|
||||
_ = sess.Delete("openid_verified_uri")
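Review bot: `isGitOrLFSPath` and the two path regexps (the added lines between `}` and the `handleSignIn` comment) carry no doc comment, although the `middleware` import added in the first hunk suggests they are what decides where Basic credentials are honoured, so a reader of this file cannot tell what a false positive or false negative costs. I would add `// isGitOrLFSPath reports whether req targets a git smart-HTTP endpoint (git-upload-pack, git-receive-pack, info/refs, HEAD, objects/) or, when the LFS server is enabled, an LFS endpoint under info/lfs/; it inspects only the URL path, not the method or whether the repository exists.` Note also that the owner and repo classes `[a-zA-Z0-9_.-]+` accept the bare segments `.` and `..`, which are never valid names; if the routing layer (outside this hunk) does not reject such paths before this check runs, excluding them keeps the match aligned with real repositories, which is worth confirming. The nested `(?:(?:upload)|(?:receive))` can be written as `(?:upload|receive)` with no change in meaning.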
|
||||
|
|