authorGiteabot <teabot@gitea.io>2023-11-02 23:34:55 +0800
committerGitHub <noreply@github.com>2023-11-02 16:34:55 +0100
commit9ca1853495768b0aafba9c477d20e0452a8c5bd6 (patch)
treea7d1eb56e1b77349f1c177e4274573d39c89ca5a
parentd6f7c49b8b93245c1640b5226a1fc00738386321 (diff)
Fix http protocol auth (#27875) (#27876)
Backport #27875 by @lunny Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
-rw-r--r--routers/web/githttp.go43
-rw-r--r--routers/web/repo/githttp.go (renamed from routers/web/repo/http.go)0
-rw-r--r--routers/web/repo/githttp_test.go (renamed from routers/web/repo/http_test.go)0
-rw-r--r--routers/web/web.go18
4 files changed, 47 insertions, 14 deletions
diff --git a/routers/web/githttp.go b/routers/web/githttp.go
new file mode 100644
index 0000000000..b2fb5b472f
--- /dev/null
+++ b/routers/web/githttp.go
@@ -0,0 +1,43 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package web
+
+import (
+ "net/http"
+
+ "code.gitea.io/gitea/modules/context"
+ "code.gitea.io/gitea/modules/setting"
+ "code.gitea.io/gitea/modules/web"
+ "code.gitea.io/gitea/routers/web/repo"
+ context_service "code.gitea.io/gitea/services/context"
+)
+
+func requireSignIn(ctx *context.Context) {
+ if !setting.Service.RequireSignInView {
+ return
+ }
+
+ // rely on the results of Contexter
+ if !ctx.IsSigned {
+ // TODO: support digit auth - which would be Authorization header with digit
+ ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="Gitea"`)
+ ctx.Error(http.StatusUnauthorized)
+ }
+}
+
+func gitHTTPRouters(m *web.Route) {
+ m.Group("", func() {
+ m.PostOptions("/git-upload-pack", repo.ServiceUploadPack)
+ m.PostOptions("/git-receive-pack", repo.ServiceReceivePack)
+ m.GetOptions("/info/refs", repo.GetInfoRefs)
+ m.GetOptions("/HEAD", repo.GetTextFile("HEAD"))
+ m.GetOptions("/objects/info/alternates", repo.GetTextFile("objects/info/alternates"))
+ m.GetOptions("/objects/info/http-alternates", repo.GetTextFile("objects/info/http-alternates"))
+ m.GetOptions("/objects/info/packs", repo.GetInfoPacks)
+ m.GetOptions("/objects/info/{file:[^/]*}", repo.GetTextFile(""))
+ m.GetOptions("/objects/{head:[0-9a-f]{2}}/{hash:[0-9a-f]{38}}", repo.GetLooseObject)
+ m.GetOptions("/objects/pack/pack-{file:[0-9a-f]{40}}.pack", repo.GetPackFile)
+ m.GetOptions("/objects/pack/pack-{file:[0-9a-f]{40}}.idx", repo.GetIdxFile)
+ }, ignSignInAndCsrf, requireSignIn, repo.HTTPGitEnabledHandler, repo.CorsHandler(), context_service.UserAssignmentWeb())
+}
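Review bot: `requireSignIn` has no doc comment, and it depends on two things it does not state: that an earlier middleware has already populated `ctx.IsSigned`, and that writing the 401 stops the remaining handlers in the chain (that dispatch logic is not visible in this diff). In the `m.Group` call it sits after `ignSignInAndCsrf` and before `repo.HTTPGitEnabledHandler`, so the order is right today. A comment such as `// requireSignIn must run after the auth middleware that sets ctx.IsSigned; it answers 401 with a Basic challenge when RequireSignInView is on and the request is unauthenticated.` would keep a later reorder from turning the check into a blanket 401. The TODO presumably means digest auth, so `digit` should read `digest`. The guard also runs before `repo.CorsHandler()` on routes registered with `PostOptions`/`GetOptions`, so it is worth confirming that a credential-less OPTIONS preflight receiving a 401 is intended.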
diff --git a/routers/web/repo/http.go b/routers/web/repo/githttp.go
index 1fd784a40a..1fd784a40a 100644
--- a/routers/web/repo/http.go
+++ b/routers/web/repo/githttp.go
diff --git a/routers/web/repo/http_test.go b/routers/web/repo/githttp_test.go
index 5ba8de3d63..5ba8de3d63 100644
--- a/routers/web/repo/http_test.go
+++ b/routers/web/repo/githttp_test.go
diff --git a/routers/web/web.go b/routers/web/web.go
index 2154838726..a1be5cbbc2 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -275,6 +275,8 @@ func Routes() *web.Route {
return routes
}
+var ignSignInAndCsrf = verifyAuthWithOptions(&common.VerifyOptions{DisableCSRF: true})
+
// registerRoutes register routes
func registerRoutes(m *web.Route) {
reqSignIn := verifyAuthWithOptions(&common.VerifyOptions{SignInRequired: true})
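Review bot: `ignSignInAndCsrf` is now built at package initialisation, while its siblings `ignSignIn` and `ignExploreSignIn` stay inside `registerRoutes`, where their options read `setting.Service.*`. The literal here uses only `DisableCSRF: true`, so nothing visible depends on loaded settings, but whether `verifyAuthWithOptions` itself reads configuration when called is not visible in this hunk. A short comment on the var, e.g. `// package-level so gitHTTPRouters can share it; safe because the options do not read settings`, would record that constraint for whoever next moves one of these. `registerRoutes` continues past the end of the hunk.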
@@ -282,7 +284,7 @@ func registerRoutes(m *web.Route) {
// TODO: rename them to "optSignIn", which means that the "sign-in" could be optional, depends on the VerifyOptions (RequireSignInView)
ignSignIn := verifyAuthWithOptions(&common.VerifyOptions{SignInRequired: setting.Service.RequireSignInView})
ignExploreSignIn := verifyAuthWithOptions(&common.VerifyOptions{SignInRequired: setting.Service.RequireSignInView || setting.Service.Explore.RequireSigninView})
- ignSignInAndCsrf := verifyAuthWithOptions(&common.VerifyOptions{DisableCSRF: true})
+
validation.AddBindingRules()
linkAccountEnabled := func(ctx *context.Context) {
@@ -1511,19 +1513,7 @@ func registerRoutes(m *web.Route) {
})
}, ignSignInAndCsrf, lfsServerEnabled)
- m.Group("", func() {
- m.PostOptions("/git-upload-pack", repo.ServiceUploadPack)
- m.PostOptions("/git-receive-pack", repo.ServiceReceivePack)
- m.GetOptions("/info/refs", repo.GetInfoRefs)
- m.GetOptions("/HEAD", repo.GetTextFile("HEAD"))
- m.GetOptions("/objects/info/alternates", repo.GetTextFile("objects/info/alternates"))
- m.GetOptions("/objects/info/http-alternates", repo.GetTextFile("objects/info/http-alternates"))
- m.GetOptions("/objects/info/packs", repo.GetInfoPacks)
- m.GetOptions("/objects/info/{file:[^/]*}", repo.GetTextFile(""))
- m.GetOptions("/objects/{head:[0-9a-f]{2}}/{hash:[0-9a-f]{38}}", repo.GetLooseObject)
- m.GetOptions("/objects/pack/pack-{file:[0-9a-f]{40}}.pack", repo.GetPackFile)
- m.GetOptions("/objects/pack/pack-{file:[0-9a-f]{40}}.idx", repo.GetIdxFile)
- }, ignSignInAndCsrf, repo.HTTPGitEnabledHandler, repo.CorsHandler(), context_service.UserAssignmentWeb())
+ gitHTTPRouters(m)
})
})
// ***** END: Repository *****
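Review bot: The LFS group that closes just above the replaced block (`}, ignSignInAndCsrf, lfsServerEnabled)`) still uses `ignSignInAndCsrf` without the `requireSignIn` guard that `gitHTTPRouters` adds for the git smart-HTTP routes. If the LFS handlers do not enforce `RequireSignInView` themselves, the two transport paths now treat anonymous requests differently. That handler code is outside this diff, so it needs checking rather than assuming. Either add `requireSignIn` to that group or leave a comment there saying where LFS performs the equivalent check. `registerRoutes` starts and ends outside the hunk.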