Disable Oauth check if oauth disabled (#32368)
authorLunny Xiao <xiaolunwen@gmail.com>
Tue, 12 Nov 2024 21:33:35 +0000 (13:33 -0800)
committerGitHub <noreply@github.com>
Tue, 12 Nov 2024 21:33:35 +0000 (21:33 +0000)
Fix #32367

---------

Co-authored-by: Giteabot <teabot@gitea.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
routers/web/web.go
services/auth/oauth2.go

index e0915e6a6efdf83852d3d891471bff03c62680ec..c56906c10de8ccc20e2e442e1c4fc96405a99c17 100644 (file)
@@ -324,6 +324,13 @@ func registerRoutes(m *web.Router) {
                }
        }
 
+       oauth2Enabled := func(ctx *context.Context) {
+               if !setting.OAuth2.Enabled {
+                       ctx.Error(http.StatusForbidden)
+                       return
+               }
+       }
+
        reqMilestonesDashboardPageEnabled := func(ctx *context.Context) {
                if !setting.Service.ShowMilestonesDashboardPage {
                        ctx.Error(http.StatusForbidden)
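Review bot: The new `oauth2Enabled` closure at the top of the hunk has no comment, although it now gates every OAuth2 provider and application route in this file; the sibling guards in registerRoutes use the same shape, so a matching one-liner is enough: `// oauth2Enabled rejects the request with 403 when setting.OAuth2.Enabled is false; applied to the OAuth2 provider routes and the user/org/admin application routes.` Like the existing `reqMilestonesDashboardPageEnabled` guard, it relies on `ctx.Error` ending the handler chain for the group — presumably the router stops once a response has been written, but that logic is outside the hunk. registerRoutes starts and ends outside the hunk.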
@@ -546,16 +553,18 @@ func registerRoutes(m *web.Router) {
        m.Any("/user/events", routing.MarkLongPolling, events.Events)
 
        m.Group("/login/oauth", func() {
-               m.Get("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
-               m.Post("/grant", web.Bind(forms.GrantApplicationForm{}), auth.GrantApplicationOAuth)
-               // TODO manage redirection
-               m.Post("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
-       }, ignSignInAndCsrf, reqSignIn)
-
-       m.Methods("GET, OPTIONS", "/login/oauth/userinfo", optionsCorsHandler(), ignSignInAndCsrf, auth.InfoOAuth)
-       m.Methods("POST, OPTIONS", "/login/oauth/access_token", optionsCorsHandler(), web.Bind(forms.AccessTokenForm{}), ignSignInAndCsrf, auth.AccessTokenOAuth)
-       m.Methods("GET, OPTIONS", "/login/oauth/keys", optionsCorsHandler(), ignSignInAndCsrf, auth.OIDCKeys)
-       m.Methods("POST, OPTIONS", "/login/oauth/introspect", optionsCorsHandler(), web.Bind(forms.IntrospectTokenForm{}), ignSignInAndCsrf, auth.IntrospectOAuth)
+               m.Group("", func() {
+                       m.Get("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
+                       m.Post("/grant", web.Bind(forms.GrantApplicationForm{}), auth.GrantApplicationOAuth)
+                       // TODO manage redirection
+                       m.Post("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
+               }, ignSignInAndCsrf, reqSignIn)
+
+               m.Methods("GET, OPTIONS", "/userinfo", optionsCorsHandler(), ignSignInAndCsrf, auth.InfoOAuth)
+               m.Methods("POST, OPTIONS", "/access_token", optionsCorsHandler(), web.Bind(forms.AccessTokenForm{}), ignSignInAndCsrf, auth.AccessTokenOAuth)
+               m.Methods("GET, OPTIONS", "/keys", optionsCorsHandler(), ignSignInAndCsrf, auth.OIDCKeys)
+               m.Methods("POST, OPTIONS", "/introspect", optionsCorsHandler(), web.Bind(forms.IntrospectTokenForm{}), ignSignInAndCsrf, auth.IntrospectOAuth)
+       }, oauth2Enabled)
 
        m.Group("/user/settings", func() {
                m.Get("", user_setting.Profile)
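Review bot: With the userinfo, access_token, keys and introspect endpoints moved under the guarded `/login/oauth` group, a disabled instance now answers 403 on all of them, but nothing in this hunk covers routes that advertise them; if the OIDC discovery document is served from a route outside this group, it would keep publishing these URLs while they are refused, so it is worth confirming it is gated the same way (not visible here). Note also that `optionsCorsHandler()` now runs after `oauth2Enabled` (presumably group middleware precedes the route handlers), so a CORS preflight against a disabled instance receives 403 rather than the CORS headers — the intended effect, but a change in what browser clients observe. registerRoutes starts and ends outside the hunk.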
@@ -596,17 +605,24 @@ func registerRoutes(m *web.Router) {
                        }, openIDSignInEnabled)
                        m.Post("/account_link", linkAccountEnabled, security.DeleteAccountLink)
                })
-               m.Group("/applications/oauth2", func() {
-                       m.Get("/{id}", user_setting.OAuth2ApplicationShow)
-                       m.Post("/{id}", web.Bind(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsEdit)
-                       m.Post("/{id}/regenerate_secret", user_setting.OAuthApplicationsRegenerateSecret)
-                       m.Post("", web.Bind(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsPost)
-                       m.Post("/{id}/delete", user_setting.DeleteOAuth2Application)
-                       m.Post("/{id}/revoke/{grantId}", user_setting.RevokeOAuth2Grant)
+
+               m.Group("/applications", func() {
+                       // oauth2 applications
+                       m.Group("/oauth2", func() {
+                               m.Get("/{id}", user_setting.OAuth2ApplicationShow)
+                               m.Post("/{id}", web.Bind(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsEdit)
+                               m.Post("/{id}/regenerate_secret", user_setting.OAuthApplicationsRegenerateSecret)
+                               m.Post("", web.Bind(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsPost)
+                               m.Post("/{id}/delete", user_setting.DeleteOAuth2Application)
+                               m.Post("/{id}/revoke/{grantId}", user_setting.RevokeOAuth2Grant)
+                       }, oauth2Enabled)
+
+                       // access token applications
+                       m.Combo("").Get(user_setting.Applications).
+                               Post(web.Bind(forms.NewAccessTokenForm{}), user_setting.ApplicationsPost)
+                       m.Post("/delete", user_setting.DeleteApplication)
                })
-               m.Combo("/applications").Get(user_setting.Applications).
-                       Post(web.Bind(forms.NewAccessTokenForm{}), user_setting.ApplicationsPost)
-               m.Post("/applications/delete", user_setting.DeleteApplication)
+
                m.Combo("/keys").Get(user_setting.Keys).
                        Post(web.Bind(forms.AddKeyForm{}), user_setting.KeysPost)
                m.Post("/keys/delete", user_setting.DeleteKey)
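Review bot: The `/oauth2` subgroup is guarded by `oauth2Enabled`, but the `user_setting.Applications` handler registered on the same `/applications` prefix is not, so the settings page still renders when OAuth2 is disabled; if its template lists or creates OAuth2 applications it would now link to routes that answer 403 — presumably the template checks the setting, but that is not visible here. The two inline comments would read better if they named what each subgroup holds, e.g. `// OAuth2 applications owned by the user (only when OAuth2 is enabled)` and `// access tokens (personal applications)`. registerRoutes starts and ends outside the hunk.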
@@ -780,12 +796,7 @@ func registerRoutes(m *web.Router) {
                                m.Post("/regenerate_secret", admin.ApplicationsRegenerateSecret)
                                m.Post("/delete", admin.DeleteApplication)
                        })
-               }, func(ctx *context.Context) {
-                       if !setting.OAuth2.Enabled {
-                               ctx.Error(http.StatusForbidden)
-                               return
-                       }
-               })
+               }, oauth2Enabled)
 
                m.Group("/actions", func() {
                        m.Get("", admin.RedirectToDefaultSetting)
@@ -909,12 +920,7 @@ func registerRoutes(m *web.Router) {
                                                m.Post("/regenerate_secret", org.OAuthApplicationsRegenerateSecret)
                                                m.Post("/delete", org.DeleteOAuth2Application)
                                        })
-                               }, func(ctx *context.Context) {
-                                       if !setting.OAuth2.Enabled {
-                                               ctx.Error(http.StatusForbidden)
-                                               return
-                                       }
-                               })
+                               }, oauth2Enabled)
 
                                m.Group("/hooks", func() {
                                        m.Get("", org.Webhooks)
index 523998a6345226c92bebf82e3210d9b047502307..d0aec085b107d8a8ee9c8cd388c01b38ab5649d9 100644 (file)
@@ -27,10 +27,15 @@ var (
 
 // CheckOAuthAccessToken returns uid of user from oauth token
 func CheckOAuthAccessToken(ctx context.Context, accessToken string) int64 {
-       // JWT tokens require a "."
+       if !setting.OAuth2.Enabled {
+               return 0
+       }
+
+       // JWT tokens require a ".", if the token isn't like that, return early
        if !strings.Contains(accessToken, ".") {
                return 0
        }
+
        token, err := oauth2_provider.ParseToken(accessToken, oauth2_provider.DefaultSigningKey)
        if err != nil {
                log.Trace("oauth2.ParseToken: %v", err)
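Review bot: The doc comment on `CheckOAuthAccessToken` still says only that it returns the uid from the token, while the new guard makes 0 the answer whenever OAuth2 is disabled, indistinguishable from a token that is not a JWT; the comment should say so: `// CheckOAuthAccessToken returns the uid of the user that owns the OAuth2 access token, or 0 when OAuth2 is disabled or the token is not a JWT.` Placing the setting check before any parsing is the right order, since it keeps `oauth2_provider.ParseToken` from running against `DefaultSigningKey` at all on an instance with the feature turned off. The rest of the function, including the return after `log.Trace`, lies outside the hunk.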