// The Session plugin is expected to be executed second, in order to skip authentication
// for users that have already signed in.
func buildAuthGroup() *auth_service.Group {
- group := auth_service.NewGroup(
- &auth_service.OAuth2{}, // FIXME: this should be removed and only applied in download and oauth related routers
- &auth_service.Basic{}, // FIXME: this should be removed and only applied in download and git/lfs routers
- &auth_service.Session{},
- )
+ group := auth_service.NewGroup()
+ group.Add(&auth_service.OAuth2{}) // FIXME: this should be removed and only applied in download and oauth related routers
+ group.Add(&auth_service.Basic{}) // FIXME: this should be removed and only applied in download and git/lfs routers
+
if setting.Service.EnableReverseProxyAuth {
- group.Add(&auth_service.ReverseProxy{})
+ group.Add(&auth_service.ReverseProxy{}) // reverseproxy should before Session, otherwise the header will be ignored if user has login
}
+ group.Add(&auth_service.Session{})
if setting.IsWindows && auth_model.IsSSPIEnabled(db.DefaultContext) {
group.Add(&auth_service.SSPI{}) // it MUST be the last, see the comment of SSPI
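Review bot: The doc comment above buildAuthGroup still says the Session plugin is "expected to be executed second", but the new code registers OAuth2, Basic and the optional ReverseProxy before Session, so that comment is stale. It could be rewritten along the lines of `// Session is added after ReverseProxy so the proxy header is still evaluated for users who already have a session.` The inline comment on the ReverseProxy line would read more clearly as `// ReverseProxy must be added before Session, otherwise the header is ignored once the user has logged in`. Because the proxy-supplied identity is now evaluated ahead of an existing session, the doc comment should also state that this ordering assumes only the trusted proxy can set that header; whether that is enforced is not visible in this hunk. buildAuthGroup's body continues past the end of the hunk.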