summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLunny Xiao <xiaolunwen@gmail.com>2022-01-02 21:12:35 +0800
committerGitHub <noreply@github.com>2022-01-02 21:12:35 +0800
commitde8e3948a5e38f7eaf82d3c0cfd10e995bf68e92 (patch)
treebbcb011d264e0d614d49c734856b446360c5a4a3
parente61b390d545919244141b699b28e3fbc42adc66f (diff)
downloadgitea-de8e3948a5e38f7eaf82d3c0cfd10e995bf68e92.tar.gz
gitea-de8e3948a5e38f7eaf82d3c0cfd10e995bf68e92.zip
Refactor auth package (#17962)
-rw-r--r--cmd/admin.go18
-rw-r--r--cmd/admin_auth_ldap.go76
-rw-r--r--cmd/admin_auth_ldap_test.go298
-rw-r--r--integrations/api_oauth2_apps_test.go28
-rw-r--r--models/asymkey/ssh_key.go32
-rw-r--r--models/asymkey/ssh_key_principals.go4
-rw-r--r--models/auth/main_test.go (renamed from models/login/main_test.go)2
-rw-r--r--models/auth/oauth2.go (renamed from models/login/oauth2_application.go)54
-rw-r--r--models/auth/oauth2_test.go (renamed from models/login/oauth2_application_test.go)2
-rw-r--r--models/auth/session.go (renamed from models/login/session.go)2
-rw-r--r--models/auth/source.go (renamed from models/login/source.go)44
-rw-r--r--models/auth/source_test.go (renamed from models/login/source_test.go)8
-rw-r--r--models/auth/twofactor.go (renamed from models/login/twofactor.go)2
-rw-r--r--models/auth/u2f.go (renamed from models/login/u2f.go)2
-rw-r--r--models/auth/u2f_test.go (renamed from models/login/u2f_test.go)2
-rw-r--r--models/db/convert.go16
-rw-r--r--models/login/oauth2.go70
-rw-r--r--models/repo/repo_unit.go3
-rw-r--r--models/statistic.go6
-rw-r--r--models/token.go6
-rw-r--r--models/user/list.go6
-rw-r--r--models/user/user.go10
-rw-r--r--models/user/user_test.go4
-rw-r--r--modules/context/api.go14
-rw-r--r--modules/context/auth.go6
-rw-r--r--modules/convert/convert.go6
-rwxr-xr-xmodules/metrics/collector.go2
-rw-r--r--modules/session/db.go16
-rw-r--r--routers/api/v1/admin/user.go16
-rw-r--r--routers/api/v1/user/app.go18
-rw-r--r--routers/web/admin/auths.go88
-rw-r--r--routers/web/admin/users.go44
-rw-r--r--routers/web/auth/2fa.go166
-rw-r--r--routers/web/auth/auth.go795
-rw-r--r--routers/web/auth/linkaccount.go300
-rw-r--r--routers/web/auth/main_test.go16
-rw-r--r--routers/web/auth/oauth.go (renamed from routers/web/user/oauth.go)400
-rw-r--r--routers/web/auth/oauth_test.go (renamed from routers/web/user/oauth_test.go)10
-rw-r--r--routers/web/auth/openid.go (renamed from routers/web/user/auth_openid.go)2
-rw-r--r--routers/web/auth/password.go346
-rw-r--r--routers/web/auth/u2f.go136
-rw-r--r--routers/web/events/events.go4
-rw-r--r--routers/web/home.go3
-rw-r--r--routers/web/repo/http.go6
-rw-r--r--routers/web/user/auth.go2006
-rw-r--r--routers/web/user/setting/applications.go6
-rw-r--r--routers/web/user/setting/keys.go1
-rw-r--r--routers/web/user/setting/oauth2.go18
-rw-r--r--routers/web/user/setting/security/2fa.go (renamed from routers/web/user/setting/security_twofa.go)30
-rw-r--r--routers/web/user/setting/security/openid.go (renamed from routers/web/user/setting/security_openid.go)2
-rw-r--r--routers/web/user/setting/security/security.go (renamed from routers/web/user/setting/security.go)26
-rw-r--r--routers/web/user/setting/security/u2f.go (renamed from routers/web/user/setting/security_u2f.go)14
-rw-r--r--routers/web/web.go164
-rw-r--r--services/asymkey/sign.go18
-rw-r--r--services/asymkey/ssh_key_test.go4
-rw-r--r--services/auth/oauth2.go6
-rw-r--r--services/auth/signin.go10
-rw-r--r--services/auth/source.go (renamed from services/auth/login_source.go)14
-rw-r--r--services/auth/source/db/assert_interface_test.go4
-rw-r--r--services/auth/source/db/source.go6
-rw-r--r--services/auth/source/ldap/assert_interface_test.go14
-rw-r--r--services/auth/source/ldap/source.go16
-rw-r--r--services/auth/source/ldap/source_authenticate.go12
-rw-r--r--services/auth/source/ldap/source_sync.go40
-rw-r--r--services/auth/source/oauth2/assert_interface_test.go8
-rw-r--r--services/auth/source/oauth2/init.go14
-rw-r--r--services/auth/source/oauth2/providers.go14
-rw-r--r--services/auth/source/oauth2/source.go14
-rw-r--r--services/auth/source/oauth2/source_callout.go4
-rw-r--r--services/auth/source/oauth2/source_register.go6
-rw-r--r--services/auth/source/pam/assert_interface_test.go6
-rw-r--r--services/auth/source/pam/source.go14
-rw-r--r--services/auth/source/pam/source_authenticate.go6
-rw-r--r--services/auth/source/smtp/assert_interface_test.go12
-rw-r--r--services/auth/source/smtp/source.go14
-rw-r--r--services/auth/source/smtp/source_authenticate.go6
-rw-r--r--services/auth/source/sspi/assert_interface_test.go4
-rw-r--r--services/auth/source/sspi/source.go4
-rw-r--r--services/auth/sspi_windows.go6
-rw-r--r--services/auth/sync.go4
-rw-r--r--services/externalaccount/user.go6
-rw-r--r--templates/user/settings/security/accountlinks.tmpl (renamed from templates/user/settings/security_accountlinks.tmpl)0
-rw-r--r--templates/user/settings/security/openid.tmpl (renamed from templates/user/settings/security_openid.tmpl)0
-rw-r--r--templates/user/settings/security/security.tmpl (renamed from templates/user/settings/security.tmpl)8
-rw-r--r--templates/user/settings/security/twofa.tmpl (renamed from templates/user/settings/security_twofa.tmpl)0
-rw-r--r--templates/user/settings/security/twofa_enroll.tmpl (renamed from templates/user/settings/twofa_enroll.tmpl)0
-rw-r--r--templates/user/settings/security/u2f.tmpl (renamed from templates/user/settings/security_u2f.tmpl)0
87 files changed, 2880 insertions, 2770 deletions
diff --git a/cmd/admin.go b/cmd/admin.go
index 099803fbf5..ed2aa5de23 100644
--- a/cmd/admin.go
+++ b/cmd/admin.go
@@ -15,8 +15,8 @@ import (
"code.gitea.io/gitea/models"
asymkey_model "code.gitea.io/gitea/models/asymkey"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/login"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/git"
"code.gitea.io/gitea/modules/graceful"
@@ -700,8 +700,8 @@ func runAddOauth(c *cli.Context) error {
return err
}
- return login.CreateSource(&login.Source{
- Type: login.OAuth2,
+ return auth.CreateSource(&auth.Source{
+ Type: auth.OAuth2,
Name: c.String("name"),
IsActive: true,
Cfg: parseOAuth2Config(c),
@@ -720,7 +720,7 @@ func runUpdateOauth(c *cli.Context) error {
return err
}
- source, err := login.GetSourceByID(c.Int64("id"))
+ source, err := auth.GetSourceByID(c.Int64("id"))
if err != nil {
return err
}
@@ -801,7 +801,7 @@ func runUpdateOauth(c *cli.Context) error {
oAuth2Config.CustomURLMapping = customURLMapping
source.Cfg = oAuth2Config
- return login.UpdateSource(source)
+ return auth.UpdateSource(source)
}
func runListAuth(c *cli.Context) error {
@@ -812,7 +812,7 @@ func runListAuth(c *cli.Context) error {
return err
}
- loginSources, err := login.Sources()
+ authSources, err := auth.Sources()
if err != nil {
return err
@@ -831,7 +831,7 @@ func runListAuth(c *cli.Context) error {
// loop through each source and print
w := tabwriter.NewWriter(os.Stdout, c.Int("min-width"), c.Int("tab-width"), c.Int("padding"), padChar, flags)
fmt.Fprintf(w, "ID\tName\tType\tEnabled\n")
- for _, source := range loginSources {
+ for _, source := range authSources {
fmt.Fprintf(w, "%d\t%s\t%s\t%t\n", source.ID, source.Name, source.Type.String(), source.IsActive)
}
w.Flush()
@@ -851,10 +851,10 @@ func runDeleteAuth(c *cli.Context) error {
return err
}
- source, err := login.GetSourceByID(c.Int64("id"))
+ source, err := auth.GetSourceByID(c.Int64("id"))
if err != nil {
return err
}
- return auth_service.DeleteLoginSource(source)
+ return auth_service.DeleteSource(source)
}
diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go
index 950d515e39..06f9244d50 100644
--- a/cmd/admin_auth_ldap.go
+++ b/cmd/admin_auth_ldap.go
@@ -9,7 +9,7 @@ import (
"fmt"
"strings"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/services/auth/source/ldap"
"github.com/urfave/cli"
@@ -17,10 +17,10 @@ import (
type (
authService struct {
- initDB func(ctx context.Context) error
- createLoginSource func(loginSource *login.Source) error
- updateLoginSource func(loginSource *login.Source) error
- getLoginSourceByID func(id int64) (*login.Source, error)
+ initDB func(ctx context.Context) error
+ createAuthSource func(*auth.Source) error
+ updateAuthSource func(*auth.Source) error
+ getAuthSourceByID func(id int64) (*auth.Source, error)
}
)
@@ -168,23 +168,23 @@ var (
// newAuthService creates a service with default functions.
func newAuthService() *authService {
return &authService{
- initDB: initDB,
- createLoginSource: login.CreateSource,
- updateLoginSource: login.UpdateSource,
- getLoginSourceByID: login.GetSourceByID,
+ initDB: initDB,
+ createAuthSource: auth.CreateSource,
+ updateAuthSource: auth.UpdateSource,
+ getAuthSourceByID: auth.GetSourceByID,
}
}
-// parseLoginSource assigns values on loginSource according to command line flags.
-func parseLoginSource(c *cli.Context, loginSource *login.Source) {
+// parseAuthSource assigns values on authSource according to command line flags.
+func parseAuthSource(c *cli.Context, authSource *auth.Source) {
if c.IsSet("name") {
- loginSource.Name = c.String("name")
+ authSource.Name = c.String("name")
}
if c.IsSet("not-active") {
- loginSource.IsActive = !c.Bool("not-active")
+ authSource.IsActive = !c.Bool("not-active")
}
if c.IsSet("synchronize-users") {
- loginSource.IsSyncEnabled = c.Bool("synchronize-users")
+ authSource.IsSyncEnabled = c.Bool("synchronize-users")
}
}
@@ -275,23 +275,23 @@ func findLdapSecurityProtocolByName(name string) (ldap.SecurityProtocol, bool) {
return 0, false
}
-// getLoginSource gets the login source by its id defined in the command line flags.
+// getAuthSource gets the login source by its id defined in the command line flags.
// It returns an error if the id is not set, does not match any source or if the source is not of expected type.
-func (a *authService) getLoginSource(c *cli.Context, loginType login.Type) (*login.Source, error) {
+func (a *authService) getAuthSource(c *cli.Context, authType auth.Type) (*auth.Source, error) {
if err := argsSet(c, "id"); err != nil {
return nil, err
}
- loginSource, err := a.getLoginSourceByID(c.Int64("id"))
+ authSource, err := a.getAuthSourceByID(c.Int64("id"))
if err != nil {
return nil, err
}
- if loginSource.Type != loginType {
- return nil, fmt.Errorf("Invalid authentication type. expected: %s, actual: %s", loginType.String(), loginSource.Type.String())
+ if authSource.Type != authType {
+ return nil, fmt.Errorf("Invalid authentication type. expected: %s, actual: %s", authType.String(), authSource.Type.String())
}
- return loginSource, nil
+ return authSource, nil
}
// addLdapBindDn adds a new LDAP via Bind DN authentication source.
@@ -307,20 +307,20 @@ func (a *authService) addLdapBindDn(c *cli.Context) error {
return err
}
- loginSource := &login.Source{
- Type: login.LDAP,
+ authSource := &auth.Source{
+ Type: auth.LDAP,
IsActive: true, // active by default
Cfg: &ldap.Source{
Enabled: true, // always true
},
}
- parseLoginSource(c, loginSource)
- if err := parseLdapConfig(c, loginSource.Cfg.(*ldap.Source)); err != nil {
+ parseAuthSource(c, authSource)
+ if err := parseLdapConfig(c, authSource.Cfg.(*ldap.Source)); err != nil {
return err
}
- return a.createLoginSource(loginSource)
+ return a.createAuthSource(authSource)
}
// updateLdapBindDn updates a new LDAP via Bind DN authentication source.
@@ -332,17 +332,17 @@ func (a *authService) updateLdapBindDn(c *cli.Context) error {
return err
}
- loginSource, err := a.getLoginSource(c, login.LDAP)
+ authSource, err := a.getAuthSource(c, auth.LDAP)
if err != nil {
return err
}
- parseLoginSource(c, loginSource)
- if err := parseLdapConfig(c, loginSource.Cfg.(*ldap.Source)); err != nil {
+ parseAuthSource(c, authSource)
+ if err := parseLdapConfig(c, authSource.Cfg.(*ldap.Source)); err != nil {
return err
}
- return a.updateLoginSource(loginSource)
+ return a.updateAuthSource(authSource)
}
// addLdapSimpleAuth adds a new LDAP (simple auth) authentication source.
@@ -358,20 +358,20 @@ func (a *authService) addLdapSimpleAuth(c *cli.Context) error {
return err
}
- loginSource := &login.Source{
- Type: login.DLDAP,
+ authSource := &auth.Source{
+ Type: auth.DLDAP,
IsActive: true, // active by default
Cfg: &ldap.Source{
Enabled: true, // always true
},
}
- parseLoginSource(c, loginSource)
- if err := parseLdapConfig(c, loginSource.Cfg.(*ldap.Source)); err != nil {
+ parseAuthSource(c, authSource)
+ if err := parseLdapConfig(c, authSource.Cfg.(*ldap.Source)); err != nil {
return err
}
- return a.createLoginSource(loginSource)
+ return a.createAuthSource(authSource)
}
// updateLdapBindDn updates a new LDAP (simple auth) authentication source.
@@ -383,15 +383,15 @@ func (a *authService) updateLdapSimpleAuth(c *cli.Context) error {
return err
}
- loginSource, err := a.getLoginSource(c, login.DLDAP)
+ authSource, err := a.getAuthSource(c, auth.DLDAP)
if err != nil {
return err
}
- parseLoginSource(c, loginSource)
- if err := parseLdapConfig(c, loginSource.Cfg.(*ldap.Source)); err != nil {
+ parseAuthSource(c, authSource)
+ if err := parseLdapConfig(c, authSource.Cfg.(*ldap.Source)); err != nil {
return err
}
- return a.updateLoginSource(loginSource)
+ return a.updateAuthSource(authSource)
}
diff --git a/cmd/admin_auth_ldap_test.go b/cmd/admin_auth_ldap_test.go
index 15880639d6..e1cd1c3244 100644
--- a/cmd/admin_auth_ldap_test.go
+++ b/cmd/admin_auth_ldap_test.go
@@ -8,7 +8,7 @@ import (
"context"
"testing"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/services/auth/source/ldap"
"github.com/stretchr/testify/assert"
@@ -23,9 +23,9 @@ func TestAddLdapBindDn(t *testing.T) {
// Test cases
var cases = []struct {
- args []string
- loginSource *login.Source
- errMsg string
+ args []string
+ source *auth.Source
+ errMsg string
}{
// case 0
{
@@ -53,8 +53,8 @@ func TestAddLdapBindDn(t *testing.T) {
"--synchronize-users",
"--page-size", "99",
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ source: &auth.Source{
+ Type: auth.LDAP,
Name: "ldap (via Bind DN) source full",
IsActive: false,
IsSyncEnabled: true,
@@ -94,8 +94,8 @@ func TestAddLdapBindDn(t *testing.T) {
"--user-filter", "(memberOf=cn=user-group,ou=example,dc=min-domain-bind,dc=org)",
"--email-attribute", "mail-bind min",
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ source: &auth.Source{
+ Type: auth.LDAP,
Name: "ldap (via Bind DN) source min",
IsActive: true,
Cfg: &ldap.Source{
@@ -206,21 +206,21 @@ func TestAddLdapBindDn(t *testing.T) {
for n, c := range cases {
// Mock functions.
- var createdLoginSource *login.Source
+ var createdAuthSource *auth.Source
service := &authService{
initDB: func(context.Context) error {
return nil
},
- createLoginSource: func(loginSource *login.Source) error {
- createdLoginSource = loginSource
+ createAuthSource: func(authSource *auth.Source) error {
+ createdAuthSource = authSource
return nil
},
- updateLoginSource: func(loginSource *login.Source) error {
- assert.FailNow(t, "case %d: should not call updateLoginSource", n)
+ updateAuthSource: func(authSource *auth.Source) error {
+ assert.FailNow(t, "case %d: should not call updateAuthSource", n)
return nil
},
- getLoginSourceByID: func(id int64) (*login.Source, error) {
- assert.FailNow(t, "case %d: should not call getLoginSourceByID", n)
+ getAuthSourceByID: func(id int64) (*auth.Source, error) {
+ assert.FailNow(t, "case %d: should not call getAuthSourceByID", n)
return nil, nil
},
}
@@ -236,7 +236,7 @@ func TestAddLdapBindDn(t *testing.T) {
assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
} else {
assert.NoError(t, err, "case %d: should have no errors", n)
- assert.Equal(t, c.loginSource, createdLoginSource, "case %d: wrong loginSource", n)
+ assert.Equal(t, c.source, createdAuthSource, "case %d: wrong authSource", n)
}
}
}
@@ -249,9 +249,9 @@ func TestAddLdapSimpleAuth(t *testing.T) {
// Test cases
var cases = []struct {
- args []string
- loginSource *login.Source
- errMsg string
+ args []string
+ authSource *auth.Source
+ errMsg string
}{
// case 0
{
@@ -275,8 +275,8 @@ func TestAddLdapSimpleAuth(t *testing.T) {
"--avatar-attribute", "avatar-simple full",
"--user-dn", "cn=%s,ou=Users,dc=full-domain-simple,dc=org",
},
- loginSource: &login.Source{
- Type: login.DLDAP,
+ authSource: &auth.Source{
+ Type: auth.DLDAP,
Name: "ldap (simple auth) source full",
IsActive: false,
Cfg: &ldap.Source{
@@ -312,8 +312,8 @@ func TestAddLdapSimpleAuth(t *testing.T) {
"--email-attribute", "mail-simple min",
"--user-dn", "cn=%s,ou=Users,dc=min-domain-simple,dc=org",
},
- loginSource: &login.Source{
- Type: login.DLDAP,
+ authSource: &auth.Source{
+ Type: auth.DLDAP,
Name: "ldap (simple auth) source min",
IsActive: true,
Cfg: &ldap.Source{
@@ -437,21 +437,21 @@ func TestAddLdapSimpleAuth(t *testing.T) {
for n, c := range cases {
// Mock functions.
- var createdLoginSource *login.Source
+ var createdAuthSource *auth.Source
service := &authService{
initDB: func(context.Context) error {
return nil
},
- createLoginSource: func(loginSource *login.Source) error {
- createdLoginSource = loginSource
+ createAuthSource: func(authSource *auth.Source) error {
+ createdAuthSource = authSource
return nil
},
- updateLoginSource: func(loginSource *login.Source) error {
- assert.FailNow(t, "case %d: should not call updateLoginSource", n)
+ updateAuthSource: func(authSource *auth.Source) error {
+ assert.FailNow(t, "case %d: should not call updateAuthSource", n)
return nil
},
- getLoginSourceByID: func(id int64) (*login.Source, error) {
- assert.FailNow(t, "case %d: should not call getLoginSourceByID", n)
+ getAuthSourceByID: func(id int64) (*auth.Source, error) {
+ assert.FailNow(t, "case %d: should not call getAuthSourceByID", n)
return nil, nil
},
}
@@ -467,7 +467,7 @@ func TestAddLdapSimpleAuth(t *testing.T) {
assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
} else {
assert.NoError(t, err, "case %d: should have no errors", n)
- assert.Equal(t, c.loginSource, createdLoginSource, "case %d: wrong loginSource", n)
+ assert.Equal(t, c.authSource, createdAuthSource, "case %d: wrong authSource", n)
}
}
}
@@ -480,11 +480,11 @@ func TestUpdateLdapBindDn(t *testing.T) {
// Test cases
var cases = []struct {
- args []string
- id int64
- existingLoginSource *login.Source
- loginSource *login.Source
- errMsg string
+ args []string
+ id int64
+ existingAuthSource *auth.Source
+ authSource *auth.Source
+ errMsg string
}{
// case 0
{
@@ -513,15 +513,15 @@ func TestUpdateLdapBindDn(t *testing.T) {
"--page-size", "99",
},
id: 23,
- existingLoginSource: &login.Source{
- Type: login.LDAP,
+ existingAuthSource: &auth.Source{
+ Type: auth.LDAP,
IsActive: true,
Cfg: &ldap.Source{
Enabled: true,
},
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ authSource: &auth.Source{
+ Type: auth.LDAP,
Name: "ldap (via Bind DN) source full",
IsActive: false,
IsSyncEnabled: true,
@@ -555,8 +555,8 @@ func TestUpdateLdapBindDn(t *testing.T) {
"ldap-test",
"--id", "1",
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ authSource: &auth.Source{
+ Type: auth.LDAP,
Cfg: &ldap.Source{},
},
},
@@ -567,8 +567,8 @@ func TestUpdateLdapBindDn(t *testing.T) {
"--id", "1",
"--name", "ldap (via Bind DN) source",
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ authSource: &auth.Source{
+ Type: auth.LDAP,
Name: "ldap (via Bind DN) source",
Cfg: &ldap.Source{
Name: "ldap (via Bind DN) source",
@@ -582,13 +582,13 @@ func TestUpdateLdapBindDn(t *testing.T) {
"--id", "1",
"--not-active",
},
- existingLoginSource: &login.Source{
- Type: login.LDAP,
+ existingAuthSource: &auth.Source{
+ Type: auth.LDAP,
IsActive: true,
Cfg: &ldap.Source{},
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ authSource: &auth.Source{
+ Type: auth.LDAP,
IsActive: false,
Cfg: &ldap.Source{},
},
@@ -600,8 +600,8 @@ func TestUpdateLdapBindDn(t *testing.T) {
"--id", "1",
"--security-protocol", "LDAPS",
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ authSource: &auth.Source{
+ Type: auth.LDAP,
Cfg: &ldap.Source{
SecurityProtocol: ldap.SecurityProtocol(1),
},
@@ -614,8 +614,8 @@ func TestUpdateLdapBindDn(t *testing.T) {
"--id", "1",
"--skip-tls-verify",
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ authSource: &auth.Source{
+ Type: auth.LDAP,
Cfg: &ldap.Source{
SkipVerify: true,
},
@@ -628,8 +628,8 @@ func TestUpdateLdapBindDn(t *testing.T) {
"--id", "1",
"--host", "ldap-server",
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ authSource: &auth.Source{
+ Type: auth.LDAP,
Cfg: &ldap.Source{
Host: "ldap-server",
},
@@ -642,8 +642,8 @@ func TestUpdateLdapBindDn(t *testing.T) {
"--id", "1",
"--port", "389",
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ authSource: &auth.Source{
+ Type: auth.LDAP,
Cfg: &ldap.Source{
Port: 389,
},
@@ -656,8 +656,8 @@ func TestUpdateLdapBindDn(t *testing.T) {
"--id", "1",
"--user-search-base", "ou=Users,dc=domain,dc=org",
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ authSource: &auth.Source{
+ Type: auth.LDAP,
Cfg: &ldap.Source{
UserBase: "ou=Users,dc=domain,dc=org",
},
@@ -670,8 +670,8 @@ func TestUpdateLdapBindDn(t *testing.T) {
"--id", "1",
"--user-filter", "(memberOf=cn=user-group,ou=example,dc=domain,dc=org)",
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ authSource: &auth.Source{
+ Type: auth.LDAP,
Cfg: &ldap.Source{
Filter: "(memberOf=cn=user-group,ou=example,dc=domain,dc=org)",
},
@@ -684,8 +684,8 @@ func TestUpdateLdapBindDn(t *testing.T) {
"--id", "1",
"--admin-filter", "(memberOf=cn=admin-group,ou=example,dc=domain,dc=org)",
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ authSource: &auth.Source{
+ Type: auth.LDAP,
Cfg: &ldap.Source{
AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=domain,dc=org)",
},
@@ -698,8 +698,8 @@ func TestUpdateLdapBindDn(t *testing.T) {
"--id", "1",
"--username-attribute", "uid",
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ authSource: &auth.Source{
+ Type: auth.LDAP,
Cfg: &ldap.Source{
AttributeUsername: "uid",
},
@@ -712,8 +712,8 @@ func TestUpdateLdapBindDn(t *testing.T) {
"--id", "1",
"--firstname-attribute", "givenName",
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ authSource: &auth.Source{
+ Type: auth.LDAP,
Cfg: &ldap.Source{
AttributeName: "givenName",
},
@@ -726,8 +726,8 @@ func TestUpdateLdapBindDn(t *testing.T) {
"--id", "1",
"--surname-attribute", "sn",
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ authSource: &auth.Source{
+ Type: auth.LDAP,
Cfg: &ldap.Source{
AttributeSurname: "sn",
},
@@ -740,8 +740,8 @@ func TestUpdateLdapBindDn(t *testing.T) {
"--id", "1",
"--email-attribute", "mail",
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ authSource: &auth.Source{
+ Type: auth.LDAP,
Cfg: &ldap.Source{
AttributeMail: "mail",
},
@@ -754,8 +754,8 @@ func TestUpdateLdapBindDn(t *testing.T) {
"--id", "1",
"--attributes-in-bind",
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ authSource: &auth.Source{
+ Type: auth.LDAP,
Cfg: &ldap.Source{
AttributesInBind: true,
},
@@ -768,8 +768,8 @@ func TestUpdateLdapBindDn(t *testing.T) {
"--id", "1",
"--public-ssh-key-attribute", "publickey",
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ authSource: &auth.Source{
+ Type: auth.LDAP,
Cfg: &ldap.Source{
AttributeSSHPublicKey: "publickey",
},
@@ -782,8 +782,8 @@ func TestUpdateLdapBindDn(t *testing.T) {
"--id", "1",
"--bind-dn", "cn=readonly,dc=domain,dc=org",
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ authSource: &auth.Source{
+ Type: auth.LDAP,
Cfg: &ldap.Source{
BindDN: "cn=readonly,dc=domain,dc=org",
},
@@ -796,8 +796,8 @@ func TestUpdateLdapBindDn(t *testing.T) {
"--id", "1",
"--bind-password", "secret",
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ authSource: &auth.Source{
+ Type: auth.LDAP,
Cfg: &ldap.Source{
BindPassword: "secret",
},
@@ -810,8 +810,8 @@ func TestUpdateLdapBindDn(t *testing.T) {
"--id", "1",
"--synchronize-users",
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ authSource: &auth.Source{
+ Type: auth.LDAP,
IsSyncEnabled: true,
Cfg: &ldap.Source{},
},
@@ -823,8 +823,8 @@ func TestUpdateLdapBindDn(t *testing.T) {
"--id", "1",
"--page-size", "12",
},
- loginSource: &login.Source{
- Type: login.LDAP,
+ authSource: &auth.Source{
+ Type: auth.LDAP,
Cfg: &ldap.Source{
SearchPageSize: 12,
},
@@ -852,8 +852,8 @@ func TestUpdateLdapBindDn(t *testing.T) {
"ldap-test",
"--id", "1",
},
- existingLoginSource: &login.Source{
- Type: login.OAuth2,
+ existingAuthSource: &auth.Source{
+ Type: auth.OAuth2,
Cfg: &ldap.Source{},
},
errMsg: "Invalid authentication type. expected: LDAP (via BindDN), actual: OAuth2",
@@ -862,28 +862,28 @@ func TestUpdateLdapBindDn(t *testing.T) {
for n, c := range cases {
// Mock functions.
- var updatedLoginSource *login.Source
+ var updatedAuthSource *auth.Source
service := &authService{
initDB: func(context.Context) error {
return nil
},
- createLoginSource: func(loginSource *login.Source) error {
- assert.FailNow(t, "case %d: should not call createLoginSource", n)
+ createAuthSource: func(authSource *auth.Source) error {
+ assert.FailNow(t, "case %d: should not call createAuthSource", n)
return nil
},
- updateLoginSource: func(loginSource *login.Source) error {
- updatedLoginSource = loginSource
+ updateAuthSource: func(authSource *auth.Source) error {
+ updatedAuthSource = authSource
return nil
},
- getLoginSourceByID: func(id int64) (*login.Source, error) {
+ getAuthSourceByID: func(id int64) (*auth.Source, error) {
if c.id != 0 {
assert.Equal(t, c.id, id, "case %d: wrong id", n)
}
- if c.existingLoginSource != nil {
- return c.existingLoginSource, nil
+ if c.existingAuthSource != nil {
+ return c.existingAuthSource, nil
}
- return &login.Source{
- Type: login.LDAP,
+ return &auth.Source{
+ Type: auth.LDAP,
Cfg: &ldap.Source{},
}, nil
},
@@ -900,7 +900,7 @@ func TestUpdateLdapBindDn(t *testing.T) {
assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
} else {
assert.NoError(t, err, "case %d: should have no errors", n)
- assert.Equal(t, c.loginSource, updatedLoginSource, "case %d: wrong loginSource", n)
+ assert.Equal(t, c.authSource, updatedAuthSource, "case %d: wrong authSource", n)
}
}
}
@@ -913,11 +913,11 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
// Test cases
var cases = []struct {
- args []string
- id int64
- existingLoginSource *login.Source
- loginSource *login.Source
- errMsg string
+ args []string
+ id int64
+ existingAuthSource *auth.Source
+ authSource *auth.Source
+ errMsg string
}{
// case 0
{
@@ -943,8 +943,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
"--user-dn", "cn=%s,ou=Users,dc=full-domain-simple,dc=org",
},
id: 7,
- loginSource: &login.Source{
- Type: login.DLDAP,
+ authSource: &auth.Source{
+ Type: auth.DLDAP,
Name: "ldap (simple auth) source full",
IsActive: false,
Cfg: &ldap.Source{
@@ -973,8 +973,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
"ldap-test",
"--id", "1",
},
- loginSource: &login.Source{
- Type: login.DLDAP,
+ authSource: &auth.Source{
+ Type: auth.DLDAP,
Cfg: &ldap.Source{},
},
},
@@ -985,8 +985,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
"--id", "1",
"--name", "ldap (simple auth) source",
},
- loginSource: &login.Source{
- Type: login.DLDAP,
+ authSource: &auth.Source{
+ Type: auth.DLDAP,
Name: "ldap (simple auth) source",
Cfg: &ldap.Source{
Name: "ldap (simple auth) source",
@@ -1000,13 +1000,13 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
"--id", "1",
"--not-active",
},
- existingLoginSource: &login.Source{
- Type: login.DLDAP,
+ existingAuthSource: &auth.Source{
+ Type: auth.DLDAP,
IsActive: true,
Cfg: &ldap.Source{},
},
- loginSource: &login.Source{
- Type: login.DLDAP,
+ authSource: &auth.Source{
+ Type: auth.DLDAP,
IsActive: false,
Cfg: &ldap.Source{},
},
@@ -1018,8 +1018,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
"--id", "1",
"--security-protocol", "starttls",
},
- loginSource: &login.Source{
- Type: login.DLDAP,
+ authSource: &auth.Source{
+ Type: auth.DLDAP,
Cfg: &ldap.Source{
SecurityProtocol: ldap.SecurityProtocol(2),
},
@@ -1032,8 +1032,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
"--id", "1",
"--skip-tls-verify",
},
- loginSource: &login.Source{
- Type: login.DLDAP,
+ authSource: &auth.Source{
+ Type: auth.DLDAP,
Cfg: &ldap.Source{
SkipVerify: true,
},
@@ -1046,8 +1046,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
"--id", "1",
"--host", "ldap-server",
},
- loginSource: &login.Source{
- Type: login.DLDAP,
+ authSource: &auth.Source{
+ Type: auth.DLDAP,
Cfg: &ldap.Source{
Host: "ldap-server",
},
@@ -1060,8 +1060,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
"--id", "1",
"--port", "987",
},
- loginSource: &login.Source{
- Type: login.DLDAP,
+ authSource: &auth.Source{
+ Type: auth.DLDAP,
Cfg: &ldap.Source{
Port: 987,
},
@@ -1074,8 +1074,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
"--id", "1",
"--user-search-base", "ou=Users,dc=domain,dc=org",
},
- loginSource: &login.Source{
- Type: login.DLDAP,
+ authSource: &auth.Source{
+ Type: auth.DLDAP,
Cfg: &ldap.Source{
UserBase: "ou=Users,dc=domain,dc=org",
},
@@ -1088,8 +1088,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
"--id", "1",
"--user-filter", "(&(objectClass=posixAccount)(cn=%s))",
},
- loginSource: &login.Source{
- Type: login.DLDAP,
+ authSource: &auth.Source{
+ Type: auth.DLDAP,
Cfg: &ldap.Source{
Filter: "(&(objectClass=posixAccount)(cn=%s))",
},
@@ -1102,8 +1102,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
"--id", "1",
"--admin-filter", "(memberOf=cn=admin-group,ou=example,dc=domain,dc=org)",
},
- loginSource: &login.Source{
- Type: login.DLDAP,
+ authSource: &auth.Source{
+ Type: auth.DLDAP,
Cfg: &ldap.Source{
AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=domain,dc=org)",
},
@@ -1116,8 +1116,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
"--id", "1",
"--username-attribute", "uid",
},
- loginSource: &login.Source{
- Type: login.DLDAP,
+ authSource: &auth.Source{
+ Type: auth.DLDAP,
Cfg: &ldap.Source{
AttributeUsername: "uid",
},
@@ -1130,8 +1130,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
"--id", "1",
"--firstname-attribute", "givenName",
},
- loginSource: &login.Source{
- Type: login.DLDAP,
+ authSource: &auth.Source{
+ Type: auth.DLDAP,
Cfg: &ldap.Source{
AttributeName: "givenName",
},
@@ -1144,8 +1144,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
"--id", "1",
"--surname-attribute", "sn",
},
- loginSource: &login.Source{
- Type: login.DLDAP,
+ authSource: &auth.Source{
+ Type: auth.DLDAP,
Cfg: &ldap.Source{
AttributeSurname: "sn",
},
@@ -1158,8 +1158,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
"--id", "1",
"--email-attribute", "mail",
},
- loginSource: &login.Source{
- Type: login.DLDAP,
+ authSource: &auth.Source{
+ Type: auth.DLDAP,
Cfg: &ldap.Source{
AttributeMail: "mail",
@@ -1173,8 +1173,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
"--id", "1",
"--public-ssh-key-attribute", "publickey",
},
- loginSource: &login.Source{
- Type: login.DLDAP,
+ authSource: &auth.Source{
+ Type: auth.DLDAP,
Cfg: &ldap.Source{
AttributeSSHPublicKey: "publickey",
},
@@ -1187,8 +1187,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
"--id", "1",
"--user-dn", "cn=%s,ou=Users,dc=domain,dc=org",
},
- loginSource: &login.Source{
- Type: login.DLDAP,
+ authSource: &auth.Source{
+ Type: auth.DLDAP,
Cfg: &ldap.Source{
UserDN: "cn=%s,ou=Users,dc=domain,dc=org",
},
@@ -1216,8 +1216,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
"ldap-test",
"--id", "1",
},
- existingLoginSource: &login.Source{
- Type: login.PAM,
+ existingAuthSource: &auth.Source{
+ Type: auth.PAM,
Cfg: &ldap.Source{},
},
errMsg: "Invalid authentication type. expected: LDAP (simple auth), actual: PAM",
@@ -1226,28 +1226,28 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
for n, c := range cases {
// Mock functions.
- var updatedLoginSource *login.Source
+ var updatedAuthSource *auth.Source
service := &authService{
initDB: func(context.Context) error {
return nil
},
- createLoginSource: func(loginSource *login.Source) error {
- assert.FailNow(t, "case %d: should not call createLoginSource", n)
+ createAuthSource: func(authSource *auth.Source) error {
+ assert.FailNow(t, "case %d: should not call createAuthSource", n)
return nil
},
- updateLoginSource: func(loginSource *login.Source) error {
- updatedLoginSource = loginSource
+ updateAuthSource: func(authSource *auth.Source) error {
+ updatedAuthSource = authSource
return nil
},
- getLoginSourceByID: func(id int64) (*login.Source, error) {
+ getAuthSourceByID: func(id int64) (*auth.Source, error) {
if c.id != 0 {
assert.Equal(t, c.id, id, "case %d: wrong id", n)
}
- if c.existingLoginSource != nil {
- return c.existingLoginSource, nil
+ if c.existingAuthSource != nil {
+ return c.existingAuthSource, nil
}
- return &login.Source{
- Type: login.DLDAP,
+ return &auth.Source{
+ Type: auth.DLDAP,
Cfg: &ldap.Source{},
}, nil
},
@@ -1264,7 +1264,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
} else {
assert.NoError(t, err, "case %d: should have no errors", n)
- assert.Equal(t, c.loginSource, updatedLoginSource, "case %d: wrong loginSource", n)
+ assert.Equal(t, c.authSource, updatedAuthSource, "case %d: wrong authSource", n)
}
}
}
diff --git a/integrations/api_oauth2_apps_test.go b/integrations/api_oauth2_apps_test.go
index 52922b9848..e51549568a 100644
--- a/integrations/api_oauth2_apps_test.go
+++ b/integrations/api_oauth2_apps_test.go
@@ -9,7 +9,7 @@ import (
"net/http"
"testing"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/unittest"
user_model "code.gitea.io/gitea/models/user"
api "code.gitea.io/gitea/modules/structs"
@@ -47,7 +47,7 @@ func testAPICreateOAuth2Application(t *testing.T) {
assert.Len(t, createdApp.ClientID, 36)
assert.NotEmpty(t, createdApp.Created)
assert.EqualValues(t, appBody.RedirectURIs[0], createdApp.RedirectURIs[0])
- unittest.AssertExistsAndLoadBean(t, &login.OAuth2Application{UID: user.ID, Name: createdApp.Name})
+ unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{UID: user.ID, Name: createdApp.Name})
}
func testAPIListOAuth2Applications(t *testing.T) {
@@ -55,13 +55,13 @@ func testAPIListOAuth2Applications(t *testing.T) {
session := loginUser(t, user.Name)
token := getTokenForLoggedInUser(t, session)
- existApp := unittest.AssertExistsAndLoadBean(t, &login.OAuth2Application{
+ existApp := unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{
UID: user.ID,
Name: "test-app-1",
RedirectURIs: []string{
"http://www.google.com",
},
- }).(*login.OAuth2Application)
+ }).(*auth.OAuth2Application)
urlStr := fmt.Sprintf("/api/v1/user/applications/oauth2?token=%s", token)
req := NewRequest(t, "GET", urlStr)
@@ -76,7 +76,7 @@ func testAPIListOAuth2Applications(t *testing.T) {
assert.Len(t, expectedApp.ClientID, 36)
assert.Empty(t, expectedApp.ClientSecret)
assert.EqualValues(t, existApp.RedirectURIs[0], expectedApp.RedirectURIs[0])
- unittest.AssertExistsAndLoadBean(t, &login.OAuth2Application{ID: expectedApp.ID, Name: expectedApp.Name})
+ unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{ID: expectedApp.ID, Name: expectedApp.Name})
}
func testAPIDeleteOAuth2Application(t *testing.T) {
@@ -84,16 +84,16 @@ func testAPIDeleteOAuth2Application(t *testing.T) {
session := loginUser(t, user.Name)
token := getTokenForLoggedInUser(t, session)
- oldApp := unittest.AssertExistsAndLoadBean(t, &login.OAuth2Application{
+ oldApp := unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{
UID: user.ID,
Name: "test-app-1",
- }).(*login.OAuth2Application)
+ }).(*auth.OAuth2Application)
urlStr := fmt.Sprintf("/api/v1/user/applications/oauth2/%d?token=%s", oldApp.ID, token)
req := NewRequest(t, "DELETE", urlStr)
session.MakeRequest(t, req, http.StatusNoContent)
- unittest.AssertNotExistsBean(t, &login.OAuth2Application{UID: oldApp.UID, Name: oldApp.Name})
+ unittest.AssertNotExistsBean(t, &auth.OAuth2Application{UID: oldApp.UID, Name: oldApp.Name})
// Delete again will return not found
req = NewRequest(t, "DELETE", urlStr)
@@ -105,13 +105,13 @@ func testAPIGetOAuth2Application(t *testing.T) {
session := loginUser(t, user.Name)
token := getTokenForLoggedInUser(t, session)
- existApp := unittest.AssertExistsAndLoadBean(t, &login.OAuth2Application{
+ existApp := unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{
UID: user.ID,
Name: "test-app-1",
RedirectURIs: []string{
"http://www.google.com",
},
- }).(*login.OAuth2Application)
+ }).(*auth.OAuth2Application)
urlStr := fmt.Sprintf("/api/v1/user/applications/oauth2/%d?token=%s", existApp.ID, token)
req := NewRequest(t, "GET", urlStr)
@@ -127,19 +127,19 @@ func testAPIGetOAuth2Application(t *testing.T) {
assert.Empty(t, expectedApp.ClientSecret)
assert.Len(t, expectedApp.RedirectURIs, 1)
assert.EqualValues(t, existApp.RedirectURIs[0], expectedApp.RedirectURIs[0])
- unittest.AssertExistsAndLoadBean(t, &login.OAuth2Application{ID: expectedApp.ID, Name: expectedApp.Name})
+ unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{ID: expectedApp.ID, Name: expectedApp.Name})
}
func testAPIUpdateOAuth2Application(t *testing.T) {
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}).(*user_model.User)
- existApp := unittest.AssertExistsAndLoadBean(t, &login.OAuth2Application{
+ existApp := unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{
UID: user.ID,
Name: "test-app-1",
RedirectURIs: []string{
"http://www.google.com",
},
- }).(*login.OAuth2Application)
+ }).(*auth.OAuth2Application)
appBody := api.CreateOAuth2ApplicationOptions{
Name: "test-app-1",
@@ -161,5 +161,5 @@ func testAPIUpdateOAuth2Application(t *testing.T) {
assert.Len(t, expectedApp.RedirectURIs, 2)
assert.EqualValues(t, expectedApp.RedirectURIs[0], appBody.RedirectURIs[0])
assert.EqualValues(t, expectedApp.RedirectURIs[1], appBody.RedirectURIs[1])
- unittest.AssertExistsAndLoadBean(t, &login.OAuth2Application{ID: expectedApp.ID, Name: expectedApp.Name})
+ unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{ID: expectedApp.ID, Name: expectedApp.Name})
}
diff --git a/models/asymkey/ssh_key.go b/models/asymkey/ssh_key.go
index 12ed611bc0..74d2411dd9 100644
--- a/models/asymkey/ssh_key.go
+++ b/models/asymkey/ssh_key.go
@@ -11,8 +11,8 @@ import (
"strings"
"time"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/login"
"code.gitea.io/gitea/models/perm"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/log"
@@ -92,7 +92,7 @@ func addKey(e db.Engine, key *PublicKey) (err error) {
}
// AddPublicKey adds new public key to database and authorized_keys file.
-func AddPublicKey(ownerID int64, name, content string, loginSourceID int64) (*PublicKey, error) {
+func AddPublicKey(ownerID int64, name, content string, authSourceID int64) (*PublicKey, error) {
log.Trace(content)
fingerprint, err := calcFingerprint(content)
@@ -128,7 +128,7 @@ func AddPublicKey(ownerID int64, name, content string, loginSourceID int64) (*Pu
Content: content,
Mode: perm.AccessModeWrite,
Type: KeyTypeUser,
- LoginSourceID: loginSourceID,
+ LoginSourceID: authSourceID,
}
if err = addKey(sess, key); err != nil {
return nil, fmt.Errorf("addKey: %v", err)
@@ -223,10 +223,10 @@ func CountPublicKeys(userID int64) (int64, error) {
}
// ListPublicKeysBySource returns a list of synchronized public keys for a given user and login source.
-func ListPublicKeysBySource(uid, loginSourceID int64) ([]*PublicKey, error) {
+func ListPublicKeysBySource(uid, authSourceID int64) ([]*PublicKey, error) {
keys := make([]*PublicKey, 0, 5)
return keys, db.GetEngine(db.DefaultContext).
- Where("owner_id = ? AND login_source_id = ?", uid, loginSourceID).
+ Where("owner_id = ? AND login_source_id = ?", uid, authSourceID).
Find(&keys)
}
@@ -261,7 +261,7 @@ func DeletePublicKeys(ctx context.Context, keyIDs ...int64) error {
// PublicKeysAreExternallyManaged returns whether the provided KeyID represents an externally managed Key
func PublicKeysAreExternallyManaged(keys []*PublicKey) ([]bool, error) {
- sources := make([]*login.Source, 0, 5)
+ sources := make([]*auth.Source, 0, 5)
externals := make([]bool, len(keys))
keyloop:
for i, key := range keys {
@@ -270,7 +270,7 @@ keyloop:
continue keyloop
}
- var source *login.Source
+ var source *auth.Source
sourceloop:
for _, s := range sources {
@@ -282,11 +282,11 @@ keyloop:
if source == nil {
var err error
- source, err = login.GetSourceByID(key.LoginSourceID)
+ source, err = auth.GetSourceByID(key.LoginSourceID)
if err != nil {
- if login.IsErrSourceNotExist(err) {
+ if auth.IsErrSourceNotExist(err) {
externals[i] = false
- sources[i] = &login.Source{
+ sources[i] = &auth.Source{
ID: key.LoginSourceID,
}
continue keyloop
@@ -295,7 +295,7 @@ keyloop:
}
}
- if sshKeyProvider, ok := source.Cfg.(login.SSHKeyProvider); ok && sshKeyProvider.ProvidesSSHKeys() {
+ if sshKeyProvider, ok := source.Cfg.(auth.SSHKeyProvider); ok && sshKeyProvider.ProvidesSSHKeys() {
// Disable setting SSH keys for this user
externals[i] = true
}
@@ -313,14 +313,14 @@ func PublicKeyIsExternallyManaged(id int64) (bool, error) {
if key.LoginSourceID == 0 {
return false, nil
}
- source, err := login.GetSourceByID(key.LoginSourceID)
+ source, err := auth.GetSourceByID(key.LoginSourceID)
if err != nil {
- if login.IsErrSourceNotExist(err) {
+ if auth.IsErrSourceNotExist(err) {
return false, nil
}
return false, err
}
- if sshKeyProvider, ok := source.Cfg.(login.SSHKeyProvider); ok && sshKeyProvider.ProvidesSSHKeys() {
+ if sshKeyProvider, ok := source.Cfg.(auth.SSHKeyProvider); ok && sshKeyProvider.ProvidesSSHKeys() {
// Disable setting SSH keys for this user
return true, nil
}
@@ -360,7 +360,7 @@ func deleteKeysMarkedForDeletion(keys []string) (bool, error) {
}
// AddPublicKeysBySource add a users public keys. Returns true if there are changes.
-func AddPublicKeysBySource(usr *user_model.User, s *login.Source, sshPublicKeys []string) bool {
+func AddPublicKeysBySource(usr *user_model.User, s *auth.Source, sshPublicKeys []string) bool {
var sshKeysNeedUpdate bool
for _, sshKey := range sshPublicKeys {
var err error
@@ -398,7 +398,7 @@ func AddPublicKeysBySource(usr *user_model.User, s *login.Source, sshPublicKeys
}
// SynchronizePublicKeys updates a users public keys. Returns true if there are changes.
-func SynchronizePublicKeys(usr *user_model.User, s *login.Source, sshPublicKeys []string) bool {
+func SynchronizePublicKeys(usr *user_model.User, s *auth.Source, sshPublicKeys []string) bool {
var sshKeysNeedUpdate bool
log.Trace("synchronizePublicKeys[%s]: Handling Public SSH Key synchronization for user %s", s.Name, usr.Name)
diff --git a/models/asymkey/ssh_key_principals.go b/models/asymkey/ssh_key_principals.go
index 19fc6644cb..5f18fd04d1 100644
--- a/models/asymkey/ssh_key_principals.go
+++ b/models/asymkey/ssh_key_principals.go
@@ -25,7 +25,7 @@ import (
// This file contains functions related to principals
// AddPrincipalKey adds new principal to database and authorized_principals file.
-func AddPrincipalKey(ownerID int64, content string, loginSourceID int64) (*PublicKey, error) {
+func AddPrincipalKey(ownerID int64, content string, authSourceID int64) (*PublicKey, error) {
ctx, committer, err := db.TxContext()
if err != nil {
return nil, err
@@ -49,7 +49,7 @@ func AddPrincipalKey(ownerID int64, content string, loginSourceID int64) (*Publi
Content: content,
Mode: perm.AccessModeWrite,
Type: KeyTypePrincipal,
- LoginSourceID: loginSourceID,
+ LoginSourceID: authSourceID,
}
if err = addPrincipalKey(sess, key); err != nil {
return nil, fmt.Errorf("addKey: %v", err)
diff --git a/models/login/main_test.go b/models/auth/main_test.go
index 0666eeaad0..94a1f405d9 100644
--- a/models/login/main_test.go
+++ b/models/auth/main_test.go
@@ -2,7 +2,7 @@
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
-package login
+package auth
import (
"path/filepath"
diff --git a/models/login/oauth2_application.go b/models/auth/oauth2.go
index 4cd73cf3a2..e7030fce28 100644
--- a/models/login/oauth2_application.go
+++ b/models/auth/oauth2.go
@@ -2,7 +2,7 @@
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
-package login
+package auth
import (
"crypto/sha256"
@@ -510,3 +510,55 @@ func revokeOAuth2Grant(e db.Engine, grantID, userID int64) error {
_, err := e.Delete(&OAuth2Grant{ID: grantID, UserID: userID})
return err
}
+
+// ErrOAuthClientIDInvalid will be thrown if client id cannot be found
+type ErrOAuthClientIDInvalid struct {
+ ClientID string
+}
+
+// IsErrOauthClientIDInvalid checks if an error is a ErrReviewNotExist.
+func IsErrOauthClientIDInvalid(err error) bool {
+ _, ok := err.(ErrOAuthClientIDInvalid)
+ return ok
+}
+
+// Error returns the error message
+func (err ErrOAuthClientIDInvalid) Error() string {
+ return fmt.Sprintf("Client ID invalid [Client ID: %s]", err.ClientID)
+}
+
+// ErrOAuthApplicationNotFound will be thrown if id cannot be found
+type ErrOAuthApplicationNotFound struct {
+ ID int64
+}
+
+// IsErrOAuthApplicationNotFound checks if an error is a ErrReviewNotExist.
+func IsErrOAuthApplicationNotFound(err error) bool {
+ _, ok := err.(ErrOAuthApplicationNotFound)
+ return ok
+}
+
+// Error returns the error message
+func (err ErrOAuthApplicationNotFound) Error() string {
+ return fmt.Sprintf("OAuth application not found [ID: %d]", err.ID)
+}
+
+// GetActiveOAuth2ProviderSources returns all actived LoginOAuth2 sources
+func GetActiveOAuth2ProviderSources() ([]*Source, error) {
+ sources := make([]*Source, 0, 1)
+ if err := db.GetEngine(db.DefaultContext).Where("is_active = ? and type = ?", true, OAuth2).Find(&sources); err != nil {
+ return nil, err
+ }
+ return sources, nil
+}
+
+// GetActiveOAuth2SourceByName returns a OAuth2 AuthSource based on the given name
+func GetActiveOAuth2SourceByName(name string) (*Source, error) {
+ authSource := new(Source)
+ has, err := db.GetEngine(db.DefaultContext).Where("name = ? and type = ? and is_active = ?", name, OAuth2, true).Get(authSource)
+ if !has || err != nil {
+ return nil, err
+ }
+
+ return authSource, nil
+}
diff --git a/models/login/oauth2_application_test.go b/models/auth/oauth2_test.go
index 47e6a27ce9..b712fc285f 100644
--- a/models/login/oauth2_application_test.go
+++ b/models/auth/oauth2_test.go
@@ -2,7 +2,7 @@
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
-package login
+package auth
import (
"testing"
diff --git a/models/login/session.go b/models/auth/session.go
index 805606600a..5b130c64b6 100644
--- a/models/login/session.go
+++ b/models/auth/session.go
@@ -2,7 +2,7 @@
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
-package login
+package auth
import (
"fmt"
diff --git a/models/login/source.go b/models/auth/source.go
index 1001d49b51..6f4f5addcb 100644
--- a/models/login/source.go
+++ b/models/auth/source.go
@@ -3,12 +3,11 @@
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
-package login
+package auth
import (
"fmt"
"reflect"
- "strconv"
"code.gitea.io/gitea/models/db"
"code.gitea.io/gitea/modules/log"
@@ -84,10 +83,7 @@ type RegisterableSource interface {
UnregisterSource() error
}
-// SourceSettable configurations can have their loginSource set on them
-type SourceSettable interface {
- SetLoginSource(*Source)
-}
+var registeredConfigs = map[Type]func() Config{}
// RegisterTypeConfig register a config for a provided type
func RegisterTypeConfig(typ Type, exemplar Config) {
@@ -105,7 +101,10 @@ func RegisterTypeConfig(typ Type, exemplar Config) {
}
}
-var registeredConfigs = map[Type]func() Config{}
+// SourceSettable configurations can have their authSource set on them
+type SourceSettable interface {
+ SetAuthSource(*Source)
+}
// Source represents an external way for authorizing users.
type Source struct {
@@ -129,30 +128,17 @@ func init() {
db.RegisterModel(new(Source))
}
-// Cell2Int64 converts a xorm.Cell type to int64,
-// and handles possible irregular cases.
-func Cell2Int64(val xorm.Cell) int64 {
- switch (*val).(type) {
- case []uint8:
- log.Trace("Cell2Int64 ([]uint8): %v", *val)
-
- v, _ := strconv.ParseInt(string((*val).([]uint8)), 10, 64)
- return v
- }
- return (*val).(int64)
-}
-
// BeforeSet is invoked from XORM before setting the value of a field of this object.
func (source *Source) BeforeSet(colName string, val xorm.Cell) {
if colName == "type" {
- typ := Type(Cell2Int64(val))
+ typ := Type(db.Cell2Int64(val))
constructor, ok := registeredConfigs[typ]
if !ok {
return
}
source.Cfg = constructor()
if settable, ok := source.Cfg.(SourceSettable); ok {
- settable.SetLoginSource(source)
+ settable.SetAuthSource(source)
}
}
}
@@ -211,7 +197,7 @@ func (source *Source) SkipVerify() bool {
return ok && skipVerifiable.IsSkipVerify()
}
-// CreateSource inserts a LoginSource in the DB if not already
+// CreateSource inserts a AuthSource in the DB if not already
// existing with the given name.
func CreateSource(source *Source) error {
has, err := db.GetEngine(db.DefaultContext).Where("name=?", source.Name).Exist(new(Source))
@@ -235,7 +221,7 @@ func CreateSource(source *Source) error {
}
if settable, ok := source.Cfg.(SourceSettable); ok {
- settable.SetLoginSource(source)
+ settable.SetAuthSource(source)
}
registerableSource, ok := source.Cfg.(RegisterableSource)
@@ -245,7 +231,7 @@ func CreateSource(source *Source) error {
err = registerableSource.RegisterSource()
if err != nil {
- // remove the LoginSource in case of errors while registering configuration
+ // remove the AuthSource in case of errors while registering configuration
if _, err := db.GetEngine(db.DefaultContext).Delete(source); err != nil {
log.Error("CreateSource: Error while wrapOpenIDConnectInitializeError: %v", err)
}
@@ -322,11 +308,11 @@ func GetSourceByID(id int64) (*Source, error) {
// UpdateSource updates a Source record in DB.
func UpdateSource(source *Source) error {
- var originalLoginSource *Source
+ var originalSource *Source
if source.IsOAuth2() {
// keep track of the original values so we can restore in case of errors while registering OAuth2 providers
var err error
- if originalLoginSource, err = GetSourceByID(source.ID); err != nil {
+ if originalSource, err = GetSourceByID(source.ID); err != nil {
return err
}
}
@@ -341,7 +327,7 @@ func UpdateSource(source *Source) error {
}
if settable, ok := source.Cfg.(SourceSettable); ok {
- settable.SetLoginSource(source)
+ settable.SetAuthSource(source)
}
registerableSource, ok := source.Cfg.(RegisterableSource)
@@ -352,7 +338,7 @@ func UpdateSource(source *Source) error {
err = registerableSource.RegisterSource()
if err != nil {
// restore original values since we cannot update the provider it self
- if _, err := db.GetEngine(db.DefaultContext).ID(source.ID).AllCols().Update(originalLoginSource); err != nil {
+ if _, err := db.GetEngine(db.DefaultContext).ID(source.ID).AllCols().Update(originalSource); err != nil {
log.Error("UpdateSource: Error while wrapOpenIDConnectInitializeError: %v", err)
}
}
diff --git a/models/login/source_test.go b/models/auth/source_test.go
index e7ef7c7048..6a8e286910 100644
--- a/models/login/source_test.go
+++ b/models/auth/source_test.go
@@ -2,7 +2,7 @@
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
-package login
+package auth
import (
"strings"
@@ -34,10 +34,10 @@ func (source *TestSource) ToDB() ([]byte, error) {
return json.Marshal(source)
}
-func TestDumpLoginSource(t *testing.T) {
+func TestDumpAuthSource(t *testing.T) {
assert.NoError(t, unittest.PrepareTestDatabase())
- loginSourceSchema, err := db.TableInfo(new(Source))
+ authSourceSchema, err := db.TableInfo(new(Source))
assert.NoError(t, err)
RegisterTypeConfig(OAuth2, new(TestSource))
@@ -54,7 +54,7 @@ func TestDumpLoginSource(t *testing.T) {
sb := new(strings.Builder)
- db.DumpTables([]*schemas.Table{loginSourceSchema}, sb)
+ db.DumpTables([]*schemas.Table{authSourceSchema}, sb)
assert.Contains(t, sb.String(), `"Provider":"ConvertibleSourceName"`)
}
diff --git a/models/login/twofactor.go b/models/auth/twofactor.go
index acb5e1b2d5..883e6ce01c 100644
--- a/models/login/twofactor.go
+++ b/models/auth/twofactor.go
@@ -2,7 +2,7 @@
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
-package login
+package auth
import (
"crypto/md5"
diff --git a/models/login/u2f.go b/models/auth/u2f.go
index 8cea98463f..71943b237c 100644
--- a/models/login/u2f.go
+++ b/models/auth/u2f.go
@@ -2,7 +2,7 @@
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
-package login
+package auth
import (
"fmt"
diff --git a/models/login/u2f_test.go b/models/auth/u2f_test.go
index 06a37f8132..32ad17839c 100644
--- a/models/login/u2f_test.go
+++ b/models/auth/u2f_test.go
@@ -2,7 +2,7 @@
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
-package login
+package auth
import (
"encoding/hex"
diff --git a/models/db/convert.go b/models/db/convert.go
index bf9a74a9a4..039a681040 100644
--- a/models/db/convert.go
+++ b/models/db/convert.go
@@ -6,9 +6,12 @@ package db
import (
"fmt"
+ "strconv"
+ "code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
+ "xorm.io/xorm"
"xorm.io/xorm/schemas"
)
@@ -39,3 +42,16 @@ func ConvertUtf8ToUtf8mb4() error {
return nil
}
+
+// Cell2Int64 converts a xorm.Cell type to int64,
+// and handles possible irregular cases.
+func Cell2Int64(val xorm.Cell) int64 {
+ switch (*val).(type) {
+ case []uint8:
+ log.Trace("Cell2Int64 ([]uint8): %v", *val)
+
+ v, _ := strconv.ParseInt(string((*val).([]uint8)), 10, 64)
+ return v
+ }
+ return (*val).(int64)
+}
diff --git a/models/login/oauth2.go b/models/login/oauth2.go
deleted file mode 100644
index 45ab59dd78..0000000000
--- a/models/login/oauth2.go
+++ /dev/null
@@ -1,70 +0,0 @@
-// Copyright 2017 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package login
-
-import (
- "fmt"
-
- "code.gitea.io/gitea/models/db"
-)
-
-// ________ _____ __ .__
-// \_____ \ / _ \ __ ___/ |_| |__
-// / | \ / /_\ \| | \ __\ | \
-// / | \/ | \ | /| | | Y \
-// \_______ /\____|__ /____/ |__| |___| /
-// \/ \/ \/
-
-// ErrOAuthClientIDInvalid will be thrown if client id cannot be found
-type ErrOAuthClientIDInvalid struct {
- ClientID string
-}
-
-// IsErrOauthClientIDInvalid checks if an error is a ErrReviewNotExist.
-func IsErrOauthClientIDInvalid(err error) bool {
- _, ok := err.(ErrOAuthClientIDInvalid)
- return ok
-}
-
-// Error returns the error message
-func (err ErrOAuthClientIDInvalid) Error() string {
- return fmt.Sprintf("Client ID invalid [Client ID: %s]", err.ClientID)
-}
-
-// ErrOAuthApplicationNotFound will be thrown if id cannot be found
-type ErrOAuthApplicationNotFound struct {
- ID int64
-}
-
-// IsErrOAuthApplicationNotFound checks if an error is a ErrReviewNotExist.
-func IsErrOAuthApplicationNotFound(err error) bool {
- _, ok := err.(ErrOAuthApplicationNotFound)
- return ok
-}
-
-// Error returns the error message
-func (err ErrOAuthApplicationNotFound) Error() string {
- return fmt.Sprintf("OAuth application not found [ID: %d]", err.ID)
-}
-
-// GetActiveOAuth2ProviderLoginSources returns all actived LoginOAuth2 sources
-func GetActiveOAuth2ProviderLoginSources() ([]*Source, error) {
- sources := make([]*Source, 0, 1)
- if err := db.GetEngine(db.DefaultContext).Where("is_active = ? and type = ?", true, OAuth2).Find(&sources); err != nil {
- return nil, err
- }
- return sources, nil
-}
-
-// GetActiveOAuth2LoginSourceByName returns a OAuth2 LoginSource based on the given name
-func GetActiveOAuth2LoginSourceByName(name string) (*Source, error) {
- loginSource := new(Source)
- has, err := db.GetEngine(db.DefaultContext).Where("name = ? and type = ? and is_active = ?", name, OAuth2, true).Get(loginSource)
- if !has || err != nil {
- return nil, err
- }
-
- return loginSource, nil
-}
diff --git a/models/repo/repo_unit.go b/models/repo/repo_unit.go
index 1957f88ff3..f526cbdf8b 100644
--- a/models/repo/repo_unit.go
+++ b/models/repo/repo_unit.go
@@ -8,7 +8,6 @@ import (
"fmt"
"code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/login"
"code.gitea.io/gitea/models/unit"
"code.gitea.io/gitea/modules/json"
"code.gitea.io/gitea/modules/timeutil"
@@ -170,7 +169,7 @@ func (cfg *PullRequestsConfig) AllowedMergeStyleCount() int {
func (r *RepoUnit) BeforeSet(colName string, val xorm.Cell) {
switch colName {
case "type":
- switch unit.Type(login.Cell2Int64(val)) {
+ switch unit.Type(db.Cell2Int64(val)) {
case unit.TypeCode, unit.TypeReleases, unit.TypeWiki, unit.TypeProjects:
r.Config = new(UnitConfig)
case unit.TypeExternalWiki:
diff --git a/models/statistic.go b/models/statistic.go
index f39cdd5eb7..dfe543d063 100644
--- a/models/statistic.go
+++ b/models/statistic.go
@@ -6,8 +6,8 @@ package models
import (
asymkey_model "code.gitea.io/gitea/models/asymkey"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/login"
repo_model "code.gitea.io/gitea/models/repo"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/models/webhook"
@@ -21,7 +21,7 @@ type Statistic struct {
Repo, Watch, Star, Action, Access,
Issue, IssueClosed, IssueOpen,
Comment, Oauth, Follow,
- Mirror, Release, LoginSource, Webhook,
+ Mirror, Release, AuthSource, Webhook,
Milestone, Label, HookTask,
Team, UpdateTask, Project,
ProjectBoard, Attachment int64
@@ -98,7 +98,7 @@ func GetStatistic() (stats Statistic) {
stats.Counter.Follow, _ = e.Count(new(user_model.Follow))
stats.Counter.Mirror, _ = e.Count(new(repo_model.Mirror))
stats.Counter.Release, _ = e.Count(new(Release))
- stats.Counter.LoginSource = login.CountSources()
+ stats.Counter.AuthSource = auth.CountSources()
stats.Counter.Webhook, _ = e.Count(new(webhook.Webhook))
stats.Counter.Milestone, _ = e.Count(new(Milestone))
stats.Counter.Label, _ = e.Count(new(Label))
diff --git a/models/token.go b/models/token.go
index b3712fce5e..44428a0809 100644
--- a/models/token.go
+++ b/models/token.go
@@ -10,8 +10,8 @@ import (
"fmt"
"time"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/login"
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/timeutil"
@@ -68,7 +68,7 @@ func NewAccessToken(t *AccessToken) error {
}
t.TokenSalt = salt
t.Token = base.EncodeSha1(gouuid.New().String())
- t.TokenHash = login.HashToken(t.Token, t.TokenSalt)
+ t.TokenHash = auth.HashToken(t.Token, t.TokenSalt)
t.TokenLastEight = t.Token[len(t.Token)-8:]
_, err = db.GetEngine(db.DefaultContext).Insert(t)
return err
@@ -130,7 +130,7 @@ func GetAccessTokenBySHA(token string) (*AccessToken, error) {
}
for _, t := range tokens {
- tempHash := login.HashToken(token, t.TokenSalt)
+ tempHash := auth.HashToken(token, t.TokenSalt)
if subtle.ConstantTimeCompare([]byte(t.TokenHash), []byte(tempHash)) == 1 {
if successfulAccessTokenCache != nil {
successfulAccessTokenCache.Add(token, t.ID)
diff --git a/models/user/list.go b/models/user/list.go
index 6ca4613aa7..13138b3e50 100644
--- a/models/user/list.go
+++ b/models/user/list.go
@@ -7,8 +7,8 @@ package user
import (
"fmt"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/login"
)
// UserList is a list of user.
@@ -40,13 +40,13 @@ func (users UserList) GetTwoFaStatus() map[int64]bool {
return results
}
-func (users UserList) loadTwoFactorStatus(e db.Engine) (map[int64]*login.TwoFactor, error) {
+func (users UserList) loadTwoFactorStatus(e db.Engine) (map[int64]*auth.TwoFactor, error) {
if len(users) == 0 {
return nil, nil
}
userIDs := users.GetUserIDs()
- tokenMaps := make(map[int64]*login.TwoFactor, len(userIDs))
+ tokenMaps := make(map[int64]*auth.TwoFactor, len(userIDs))
err := e.
In("uid", userIDs).
Find(&tokenMaps)
diff --git a/models/user/user.go b/models/user/user.go
index d56a225d5f..06cacd85fe 100644
--- a/models/user/user.go
+++ b/models/user/user.go
@@ -19,8 +19,8 @@ import (
_ "image/jpeg" // Needed for jpeg support
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/login"
"code.gitea.io/gitea/modules/auth/openid"
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/git"
@@ -89,7 +89,7 @@ type User struct {
// is to change his/her password after registration.
MustChangePassword bool `xorm:"NOT NULL DEFAULT false"`
- LoginType login.Type
+ LoginType auth.Type
LoginSource int64 `xorm:"NOT NULL DEFAULT 0"`
LoginName string
Type UserType
@@ -232,12 +232,12 @@ func GetAllUsers() ([]*User, error) {
// IsLocal returns true if user login type is LoginPlain.
func (u *User) IsLocal() bool {
- return u.LoginType <= login.Plain
+ return u.LoginType <= auth.Plain
}
// IsOAuth2 returns true if user login type is LoginOAuth2.
func (u *User) IsOAuth2() bool {
- return u.LoginType == login.OAuth2
+ return u.LoginType == auth.OAuth2
}
// MaxCreationLimit returns the number of repositories a user is allowed to create
@@ -1012,7 +1012,7 @@ func GetUserIDsByNames(names []string, ignoreNonExistent bool) ([]int64, error)
}
// GetUsersBySource returns a list of Users for a login source
-func GetUsersBySource(s *login.Source) ([]*User, error) {
+func GetUsersBySource(s *auth.Source) ([]*User, error) {
var users []*User
err := db.GetEngine(db.DefaultContext).Where("login_type = ? AND login_source = ?", s.Type, s.ID).Find(&users)
return users, err
diff --git a/models/user/user_test.go b/models/user/user_test.go
index f4acb92378..70591c8c12 100644
--- a/models/user/user_test.go
+++ b/models/user/user_test.go
@@ -9,8 +9,8 @@ import (
"strings"
"testing"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/login"
"code.gitea.io/gitea/models/unittest"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/structs"
@@ -21,7 +21,7 @@ import (
func TestOAuth2Application_LoadUser(t *testing.T) {
assert.NoError(t, unittest.PrepareTestDatabase())
- app := unittest.AssertExistsAndLoadBean(t, &login.OAuth2Application{ID: 1}).(*login.OAuth2Application)
+ app := unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{ID: 1}).(*auth.OAuth2Application)
user, err := GetUserByID(app.UID)
assert.NoError(t, err)
assert.NotNil(t, user)
diff --git a/modules/context/api.go b/modules/context/api.go
index 635a54c7ef..b079385aff 100644
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -13,13 +13,13 @@ import (
"net/url"
"strings"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
repo_model "code.gitea.io/gitea/models/repo"
"code.gitea.io/gitea/modules/git"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/web/middleware"
- "code.gitea.io/gitea/services/auth"
+ auth_service "code.gitea.io/gitea/services/auth"
"gitea.com/go-chi/session"
)
@@ -225,9 +225,9 @@ func (ctx *APIContext) CheckForOTP() {
}
otpHeader := ctx.Req.Header.Get("X-Gitea-OTP")
- twofa, err := login.GetTwoFactorByUID(ctx.Context.User.ID)
+ twofa, err := auth.GetTwoFactorByUID(ctx.Context.User.ID)
if err != nil {
- if login.IsErrTwoFactorNotEnrolled(err) {
+ if auth.IsErrTwoFactorNotEnrolled(err) {
return // No 2FA enrollment for this user
}
ctx.Context.Error(http.StatusInternalServerError)
@@ -244,8 +244,8 @@ func (ctx *APIContext) CheckForOTP() {
}
}
-// APIAuth converts auth.Auth as a middleware
-func APIAuth(authMethod auth.Method) func(*APIContext) {
+// APIAuth converts auth_service.Auth as a middleware
+func APIAuth(authMethod auth_service.Method) func(*APIContext) {
return func(ctx *APIContext) {
// Get user from session if logged in.
ctx.User = authMethod.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
@@ -253,7 +253,7 @@ func APIAuth(authMethod auth.Method) func(*APIContext) {
if ctx.Locale.Language() != ctx.User.Language {
ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
}
- ctx.IsBasicAuth = ctx.Data["AuthedMethod"].(string) == auth.BasicMethodName
+ ctx.IsBasicAuth = ctx.Data["AuthedMethod"].(string) == auth_service.BasicMethodName
ctx.IsSigned = true
ctx.Data["IsSigned"] = ctx.IsSigned
ctx.Data["SignedUser"] = ctx.User
diff --git a/modules/context/auth.go b/modules/context/auth.go
index 7faa93d78b..7e7e8ab961 100644
--- a/modules/context/auth.go
+++ b/modules/context/auth.go
@@ -8,7 +8,7 @@ package context
import (
"net/http"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/web/middleware"
@@ -154,9 +154,9 @@ func ToggleAPI(options *ToggleOptions) func(ctx *APIContext) {
if skip, ok := ctx.Data["SkipLocalTwoFA"]; ok && skip.(bool) {
return // Skip 2FA
}
- twofa, err := login.GetTwoFactorByUID(ctx.User.ID)
+ twofa, err := auth.GetTwoFactorByUID(ctx.User.ID)
if err != nil {
- if login.IsErrTwoFactorNotEnrolled(err) {
+ if auth.IsErrTwoFactorNotEnrolled(err) {
return // No 2FA enrollment for this user
}
ctx.InternalServerError(err)
diff --git a/modules/convert/convert.go b/modules/convert/convert.go
index 86e1c69d36..f2b62a74bf 100644
--- a/modules/convert/convert.go
+++ b/modules/convert/convert.go
@@ -13,7 +13,7 @@ import (
"code.gitea.io/gitea/models"
asymkey_model "code.gitea.io/gitea/models/asymkey"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/perm"
repo_model "code.gitea.io/gitea/models/repo"
"code.gitea.io/gitea/models/unit"
@@ -344,8 +344,8 @@ func ToTopicResponse(topic *repo_model.Topic) *api.TopicResponse {
}
}
-// ToOAuth2Application convert from login.OAuth2Application to api.OAuth2Application
-func ToOAuth2Application(app *login.OAuth2Application) *api.OAuth2Application {
+// ToOAuth2Application convert from auth.OAuth2Application to api.OAuth2Application
+func ToOAuth2Application(app *auth.OAuth2Application) *api.OAuth2Application {
return &api.OAuth2Application{
ID: app.ID,
Name: app.Name,
diff --git a/modules/metrics/collector.go b/modules/metrics/collector.go
index 527202e0a6..6463118581 100755
--- a/modules/metrics/collector.go
+++ b/modules/metrics/collector.go
@@ -297,7 +297,7 @@ func (c Collector) Collect(ch chan<- prometheus.Metric) {
ch <- prometheus.MustNewConstMetric(
c.LoginSources,
prometheus.GaugeValue,
- float64(stats.Counter.LoginSource),
+ float64(stats.Counter.AuthSource),
)
ch <- prometheus.MustNewConstMetric(
c.Milestones,
diff --git a/modules/session/db.go b/modules/session/db.go
index bc4aeb08cd..7ba27cba23 100644
--- a/modules/session/db.go
+++ b/modules/session/db.go
@@ -8,7 +8,7 @@ import (
"log"
"sync"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/timeutil"
"gitea.com/go-chi/session"
@@ -72,7 +72,7 @@ func (s *DBStore) Release() error {
return err
}
- return login.UpdateSession(s.sid, data)
+ return auth.UpdateSession(s.sid, data)
}
// Flush deletes all session data.
@@ -98,7 +98,7 @@ func (p *DBProvider) Init(maxLifetime int64, connStr string) error {
// Read returns raw session store by session ID.
func (p *DBProvider) Read(sid string) (session.RawStore, error) {
- s, err := login.ReadSession(sid)
+ s, err := auth.ReadSession(sid)
if err != nil {
return nil, err
}
@@ -118,7 +118,7 @@ func (p *DBProvider) Read(sid string) (session.RawStore, error) {
// Exist returns true if session with given ID exists.
func (p *DBProvider) Exist(sid string) bool {
- has, err := login.ExistSession(sid)
+ has, err := auth.ExistSession(sid)
if err != nil {
panic("session/DB: error checking existence: " + err.Error())
}
@@ -127,12 +127,12 @@ func (p *DBProvider) Exist(sid string) bool {
// Destroy deletes a session by session ID.
func (p *DBProvider) Destroy(sid string) error {
- return login.DestroySession(sid)
+ return auth.DestroySession(sid)
}
// Regenerate regenerates a session store from old session ID to new one.
func (p *DBProvider) Regenerate(oldsid, sid string) (_ session.RawStore, err error) {
- s, err := login.RegenerateSession(oldsid, sid)
+ s, err := auth.RegenerateSession(oldsid, sid)
if err != nil {
return nil, err
@@ -153,7 +153,7 @@ func (p *DBProvider) Regenerate(oldsid, sid string) (_ session.RawStore, err err
// Count counts and returns number of sessions.
func (p *DBProvider) Count() int {
- total, err := login.CountSessions()
+ total, err := auth.CountSessions()
if err != nil {
panic("session/DB: error counting records: " + err.Error())
}
@@ -162,7 +162,7 @@ func (p *DBProvider) Count() int {
// GC calls GC to clean expired sessions.
func (p *DBProvider) GC() {
- if err := login.CleanupSessions(p.maxLifetime); err != nil {
+ if err := auth.CleanupSessions(p.maxLifetime); err != nil {
log.Printf("session/DB: error garbage collecting: %v", err)
}
}
diff --git a/routers/api/v1/admin/user.go b/routers/api/v1/admin/user.go
index 5d2bbdea2f..e95ab33d77 100644
--- a/routers/api/v1/admin/user.go
+++ b/routers/api/v1/admin/user.go
@@ -13,8 +13,8 @@ import (
"code.gitea.io/gitea/models"
asymkey_model "code.gitea.io/gitea/models/asymkey"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/login"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/convert"
@@ -30,17 +30,17 @@ import (
user_service "code.gitea.io/gitea/services/user"
)
-func parseLoginSource(ctx *context.APIContext, u *user_model.User, sourceID int64, loginName string) {
+func parseAuthSource(ctx *context.APIContext, u *user_model.User, sourceID int64, loginName string) {
if sourceID == 0 {
return
}
- source, err := login.GetSourceByID(sourceID)
+ source, err := auth.GetSourceByID(sourceID)
if err != nil {
- if login.IsErrSourceNotExist(err) {
+ if auth.IsErrSourceNotExist(err) {
ctx.Error(http.StatusUnprocessableEntity, "", err)
} else {
- ctx.Error(http.StatusInternalServerError, "login.GetSourceByID", err)
+ ctx.Error(http.StatusInternalServerError, "auth.GetSourceByID", err)
}
return
}
@@ -82,13 +82,13 @@ func CreateUser(ctx *context.APIContext) {
Passwd: form.Password,
MustChangePassword: true,
IsActive: true,
- LoginType: login.Plain,
+ LoginType: auth.Plain,
}
if form.MustChangePassword != nil {
u.MustChangePassword = *form.MustChangePassword
}
- parseLoginSource(ctx, u, form.SourceID, form.LoginName)
+ parseAuthSource(ctx, u, form.SourceID, form.LoginName)
if ctx.Written() {
return
}
@@ -168,7 +168,7 @@ func EditUser(ctx *context.APIContext) {
return
}
- parseLoginSource(ctx, u, form.SourceID, form.LoginName)
+ parseAuthSource(ctx, u, form.SourceID, form.LoginName)
if ctx.Written() {
return
}
diff --git a/routers/api/v1/user/app.go b/routers/api/v1/user/app.go
index bf45bf4dd5..94cfab45bd 100644
--- a/routers/api/v1/user/app.go
+++ b/routers/api/v1/user/app.go
@@ -12,7 +12,7 @@ import (
"strconv"
"code.gitea.io/gitea/models"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/convert"
api "code.gitea.io/gitea/modules/structs"
@@ -213,7 +213,7 @@ func CreateOauth2Application(ctx *context.APIContext) {
data := web.GetForm(ctx).(*api.CreateOAuth2ApplicationOptions)
- app, err := login.CreateOAuth2Application(login.CreateOAuth2ApplicationOptions{
+ app, err := auth.CreateOAuth2Application(auth.CreateOAuth2ApplicationOptions{
Name: data.Name,
UserID: ctx.User.ID,
RedirectURIs: data.RedirectURIs,
@@ -252,7 +252,7 @@ func ListOauth2Applications(ctx *context.APIContext) {
// "200":
// "$ref": "#/responses/OAuth2ApplicationList"
- apps, total, err := login.ListOAuth2Applications(ctx.User.ID, utils.GetListOptions(ctx))
+ apps, total, err := auth.ListOAuth2Applications(ctx.User.ID, utils.GetListOptions(ctx))
if err != nil {
ctx.Error(http.StatusInternalServerError, "ListOAuth2Applications", err)
return
@@ -288,8 +288,8 @@ func DeleteOauth2Application(ctx *context.APIContext) {
// "404":
// "$ref": "#/responses/notFound"
appID := ctx.ParamsInt64(":id")
- if err := login.DeleteOAuth2Application(appID, ctx.User.ID); err != nil {
- if login.IsErrOAuthApplicationNotFound(err) {
+ if err := auth.DeleteOAuth2Application(appID, ctx.User.ID); err != nil {
+ if auth.IsErrOAuthApplicationNotFound(err) {
ctx.NotFound()
} else {
ctx.Error(http.StatusInternalServerError, "DeleteOauth2ApplicationByID", err)
@@ -320,9 +320,9 @@ func GetOauth2Application(ctx *context.APIContext) {
// "404":
// "$ref": "#/responses/notFound"
appID := ctx.ParamsInt64(":id")
- app, err := login.GetOAuth2ApplicationByID(appID)
+ app, err := auth.GetOAuth2ApplicationByID(appID)
if err != nil {
- if login.IsErrOauthClientIDInvalid(err) || login.IsErrOAuthApplicationNotFound(err) {
+ if auth.IsErrOauthClientIDInvalid(err) || auth.IsErrOAuthApplicationNotFound(err) {
ctx.NotFound()
} else {
ctx.Error(http.StatusInternalServerError, "GetOauth2ApplicationByID", err)
@@ -363,14 +363,14 @@ func UpdateOauth2Application(ctx *context.APIContext) {
data := web.GetForm(ctx).(*api.CreateOAuth2ApplicationOptions)
- app, err := login.UpdateOAuth2Application(login.UpdateOAuth2ApplicationOptions{
+ app, err := auth.UpdateOAuth2Application(auth.UpdateOAuth2ApplicationOptions{
Name: data.Name,
UserID: ctx.User.ID,
ID: appID,
RedirectURIs: data.RedirectURIs,
})
if err != nil {
- if login.IsErrOauthClientIDInvalid(err) || login.IsErrOAuthApplicationNotFound(err) {
+ if auth.IsErrOauthClientIDInvalid(err) || auth.IsErrOAuthApplicationNotFound(err) {
ctx.NotFound()
} else {
ctx.Error(http.StatusInternalServerError, "UpdateOauth2ApplicationByID", err)
diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go
index b288273871..338a54c5dd 100644
--- a/routers/web/admin/auths.go
+++ b/routers/web/admin/auths.go
@@ -13,7 +13,7 @@ import (
"strconv"
"strings"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/auth/pam"
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/context"
@@ -24,7 +24,7 @@ import (
auth_service "code.gitea.io/gitea/services/auth"
"code.gitea.io/gitea/services/auth/source/ldap"
"code.gitea.io/gitea/services/auth/source/oauth2"
- pamService "code.gitea.io/gitea/services/auth/source/pam"
+ pam_service "code.gitea.io/gitea/services/auth/source/pam"
"code.gitea.io/gitea/services/auth/source/smtp"
"code.gitea.io/gitea/services/auth/source/sspi"
"code.gitea.io/gitea/services/forms"
@@ -50,13 +50,13 @@ func Authentications(ctx *context.Context) {
ctx.Data["PageIsAdminAuthentications"] = true
var err error
- ctx.Data["Sources"], err = login.Sources()
+ ctx.Data["Sources"], err = auth.Sources()
if err != nil {
- ctx.ServerError("login.Sources", err)
+ ctx.ServerError("auth.Sources", err)
return
}
- ctx.Data["Total"] = login.CountSources()
+ ctx.Data["Total"] = auth.CountSources()
ctx.HTML(http.StatusOK, tplAuths)
}
@@ -68,14 +68,14 @@ type dropdownItem struct {
var (
authSources = func() []dropdownItem {
items := []dropdownItem{
- {login.LDAP.String(), login.LDAP},
- {login.DLDAP.String(), login.DLDAP},
- {login.SMTP.String(), login.SMTP},
- {login.OAuth2.String(), login.OAuth2},
- {login.SSPI.String(), login.SSPI},
+ {auth.LDAP.String(), auth.LDAP},
+ {auth.DLDAP.String(), auth.DLDAP},
+ {auth.SMTP.String(), auth.SMTP},
+ {auth.OAuth2.String(), auth.OAuth2},
+ {auth.SSPI.String(), auth.SSPI},
}
if pam.Supported {
- items = append(items, dropdownItem{login.Names[login.PAM], login.PAM})
+ items = append(items, dropdownItem{auth.Names[auth.PAM], auth.PAM})
}
return items
}()
@@ -93,8 +93,8 @@ func NewAuthSource(ctx *context.Context) {
ctx.Data["PageIsAdmin"] = true
ctx.Data["PageIsAdminAuthentications"] = true
- ctx.Data["type"] = login.LDAP
- ctx.Data["CurrentTypeName"] = login.Names[login.LDAP]
+ ctx.Data["type"] = auth.LDAP
+ ctx.Data["CurrentTypeName"] = auth.Names[auth.LDAP]
ctx.Data["CurrentSecurityProtocol"] = ldap.SecurityProtocolNames[ldap.SecurityProtocolUnencrypted]
ctx.Data["smtp_auth"] = "PLAIN"
ctx.Data["is_active"] = true
@@ -226,7 +226,7 @@ func NewAuthSourcePost(ctx *context.Context) {
ctx.Data["PageIsAdmin"] = true
ctx.Data["PageIsAdminAuthentications"] = true
- ctx.Data["CurrentTypeName"] = login.Type(form.Type).String()
+ ctx.Data["CurrentTypeName"] = auth.Type(form.Type).String()
ctx.Data["CurrentSecurityProtocol"] = ldap.SecurityProtocolNames[ldap.SecurityProtocol(form.SecurityProtocol)]
ctx.Data["AuthSources"] = authSources
ctx.Data["SecurityProtocols"] = securityProtocols
@@ -242,29 +242,29 @@ func NewAuthSourcePost(ctx *context.Context) {
hasTLS := false
var config convert.Conversion
- switch login.Type(form.Type) {
- case login.LDAP, login.DLDAP:
+ switch auth.Type(form.Type) {
+ case auth.LDAP, auth.DLDAP:
config = parseLDAPConfig(form)
hasTLS = ldap.SecurityProtocol(form.SecurityProtocol) > ldap.SecurityProtocolUnencrypted
- case login.SMTP:
+ case auth.SMTP:
config = parseSMTPConfig(form)
hasTLS = true
- case login.PAM:
- config = &pamService.Source{
+ case auth.PAM:
+ config = &pam_service.Source{
ServiceName: form.PAMServiceName,
EmailDomain: form.PAMEmailDomain,
SkipLocalTwoFA: form.SkipLocalTwoFA,
}
- case login.OAuth2:
+ case auth.OAuth2:
config = parseOAuth2Config(form)
- case login.SSPI:
+ case auth.SSPI:
var err error
config, err = parseSSPIConfig(ctx, form)
if err != nil {
ctx.RenderWithErr(err.Error(), tplAuthNew, form)
return
}
- existing, err := login.SourcesByType(login.SSPI)
+ existing, err := auth.SourcesByType(auth.SSPI)
if err != nil || len(existing) > 0 {
ctx.Data["Err_Type"] = true
ctx.RenderWithErr(ctx.Tr("admin.auths.login_source_of_type_exist"), tplAuthNew, form)
@@ -281,18 +281,18 @@ func NewAuthSourcePost(ctx *context.Context) {
return
}
- if err := login.CreateSource(&login.Source{
- Type: login.Type(form.Type),
+ if err := auth.CreateSource(&auth.Source{
+ Type: auth.Type(form.Type),
Name: form.Name,
IsActive: form.IsActive,
IsSyncEnabled: form.IsSyncEnabled,
Cfg: config,
}); err != nil {
- if login.IsErrSourceAlreadyExist(err) {
+ if auth.IsErrSourceAlreadyExist(err) {
ctx.Data["Err_Name"] = true
- ctx.RenderWithErr(ctx.Tr("admin.auths.login_source_exist", err.(login.ErrSourceAlreadyExist).Name), tplAuthNew, form)
+ ctx.RenderWithErr(ctx.Tr("admin.auths.login_source_exist", err.(auth.ErrSourceAlreadyExist).Name), tplAuthNew, form)
} else {
- ctx.ServerError("login.CreateSource", err)
+ ctx.ServerError("auth.CreateSource", err)
}
return
}
@@ -314,9 +314,9 @@ func EditAuthSource(ctx *context.Context) {
oauth2providers := oauth2.GetOAuth2Providers()
ctx.Data["OAuth2Providers"] = oauth2providers
- source, err := login.GetSourceByID(ctx.ParamsInt64(":authid"))
+ source, err := auth.GetSourceByID(ctx.ParamsInt64(":authid"))
if err != nil {
- ctx.ServerError("login.GetSourceByID", err)
+ ctx.ServerError("auth.GetSourceByID", err)
return
}
ctx.Data["Source"] = source
@@ -349,9 +349,9 @@ func EditAuthSourcePost(ctx *context.Context) {
oauth2providers := oauth2.GetOAuth2Providers()
ctx.Data["OAuth2Providers"] = oauth2providers
- source, err := login.GetSourceByID(ctx.ParamsInt64(":authid"))
+ source, err := auth.GetSourceByID(ctx.ParamsInt64(":authid"))
if err != nil {
- ctx.ServerError("login.GetSourceByID", err)
+ ctx.ServerError("auth.GetSourceByID", err)
return
}
ctx.Data["Source"] = source
@@ -363,19 +363,19 @@ func EditAuthSourcePost(ctx *context.Context) {
}
var config convert.Conversion
- switch login.Type(form.Type) {
- case login.LDAP, login.DLDAP:
+ switch auth.Type(form.Type) {
+ case auth.LDAP, auth.DLDAP:
config = parseLDAPConfig(form)
- case login.SMTP:
+ case auth.SMTP:
config = parseSMTPConfig(form)
- case login.PAM:
- config = &pamService.Source{
+ case auth.PAM:
+ config = &pam_service.Source{
ServiceName: form.PAMServiceName,
EmailDomain: form.PAMEmailDomain,
}
- case login.OAuth2:
+ case auth.OAuth2:
config = parseOAuth2Config(form)
- case login.SSPI:
+ case auth.SSPI:
config, err = parseSSPIConfig(ctx, form)
if err != nil {
ctx.RenderWithErr(err.Error(), tplAuthEdit, form)
@@ -390,7 +390,7 @@ func EditAuthSourcePost(ctx *context.Context) {
source.IsActive = form.IsActive
source.IsSyncEnabled = form.IsSyncEnabled
source.Cfg = config
- if err := login.UpdateSource(source); err != nil {
+ if err := auth.UpdateSource(source); err != nil {
if oauth2.IsErrOpenIDConnectInitialize(err) {
ctx.Flash.Error(err.Error(), true)
ctx.HTML(http.StatusOK, tplAuthEdit)
@@ -407,17 +407,17 @@ func EditAuthSourcePost(ctx *context.Context) {
// DeleteAuthSource response for deleting an auth source
func DeleteAuthSource(ctx *context.Context) {
- source, err := login.GetSourceByID(ctx.ParamsInt64(":authid"))
+ source, err := auth.GetSourceByID(ctx.ParamsInt64(":authid"))
if err != nil {
- ctx.ServerError("login.GetSourceByID", err)
+ ctx.ServerError("auth.GetSourceByID", err)
return
}
- if err = auth_service.DeleteLoginSource(source); err != nil {
- if login.IsErrSourceInUse(err) {
+ if err = auth_service.DeleteSource(source); err != nil {
+ if auth.IsErrSourceInUse(err) {
ctx.Flash.Error(ctx.Tr("admin.auths.still_in_used"))
} else {
- ctx.Flash.Error(fmt.Sprintf("DeleteLoginSource: %v", err))
+ ctx.Flash.Error(fmt.Sprintf("auth_service.DeleteSource: %v", err))
}
ctx.JSON(http.StatusOK, map[string]interface{}{
"redirect": setting.AppSubURL + "/admin/auths/" + url.PathEscape(ctx.Params(":authid")),
diff --git a/routers/web/admin/users.go b/routers/web/admin/users.go
index 044efa0099..5cb25d8672 100644
--- a/routers/web/admin/users.go
+++ b/routers/web/admin/users.go
@@ -12,8 +12,8 @@ import (
"strings"
"code.gitea.io/gitea/models"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/login"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/context"
@@ -81,9 +81,9 @@ func NewUser(ctx *context.Context) {
ctx.Data["login_type"] = "0-0"
- sources, err := login.Sources()
+ sources, err := auth.Sources()
if err != nil {
- ctx.ServerError("login.Sources", err)
+ ctx.ServerError("auth.Sources", err)
return
}
ctx.Data["Sources"] = sources
@@ -100,9 +100,9 @@ func NewUserPost(ctx *context.Context) {
ctx.Data["PageIsAdminUsers"] = true
ctx.Data["DefaultUserVisibilityMode"] = setting.Service.DefaultUserVisibilityMode
- sources, err := login.Sources()
+ sources, err := auth.Sources()
if err != nil {
- ctx.ServerError("login.Sources", err)
+ ctx.ServerError("auth.Sources", err)
return
}
ctx.Data["Sources"] = sources
@@ -119,19 +119,19 @@ func NewUserPost(ctx *context.Context) {
Email: form.Email,
Passwd: form.Password,
IsActive: true,
- LoginType: login.Plain,
+ LoginType: auth.Plain,
}
if len(form.LoginType) > 0 {
fields := strings.Split(form.LoginType, "-")
if len(fields) == 2 {
lType, _ := strconv.ParseInt(fields[0], 10, 0)
- u.LoginType = login.Type(lType)
+ u.LoginType = auth.Type(lType)
u.LoginSource, _ = strconv.ParseInt(fields[1], 10, 64)
u.LoginName = form.LoginName
}
}
- if u.LoginType == login.NoType || u.LoginType == login.Plain {
+ if u.LoginType == auth.NoType || u.LoginType == auth.Plain {
if len(form.Password) < setting.MinPasswordLength {
ctx.Data["Err_Password"] = true
ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplUserNew, &form)
@@ -201,26 +201,26 @@ func prepareUserInfo(ctx *context.Context) *user_model.User {
ctx.Data["User"] = u
if u.LoginSource > 0 {
- ctx.Data["LoginSource"], err = login.GetSourceByID(u.LoginSource)
+ ctx.Data["LoginSource"], err = auth.GetSourceByID(u.LoginSource)
if err != nil {
- ctx.ServerError("login.GetSourceByID", err)
+ ctx.ServerError("auth.GetSourceByID", err)
return nil
}
} else {
- ctx.Data["LoginSource"] = &login.Source{}
+ ctx.Data["LoginSource"] = &auth.Source{}
}
- sources, err := login.Sources()
+ sources, err := auth.Sources()
if err != nil {
- ctx.ServerError("login.Sources", err)
+ ctx.ServerError("auth.Sources", err)
return nil
}
ctx.Data["Sources"] = sources
ctx.Data["TwoFactorEnabled"] = true
- _, err = login.GetTwoFactorByUID(u.ID)
+ _, err = auth.GetTwoFactorByUID(u.ID)
if err != nil {
- if !login.IsErrTwoFactorNotEnrolled(err) {
+ if !auth.IsErrTwoFactorNotEnrolled(err) {
ctx.ServerError("IsErrTwoFactorNotEnrolled", err)
return nil
}
@@ -268,11 +268,11 @@ func EditUserPost(ctx *context.Context) {
fields := strings.Split(form.LoginType, "-")
if len(fields) == 2 {
loginType, _ := strconv.ParseInt(fields[0], 10, 0)
- loginSource, _ := strconv.ParseInt(fields[1], 10, 64)
+ authSource, _ := strconv.ParseInt(fields[1], 10, 64)
- if u.LoginSource != loginSource {
- u.LoginSource = loginSource
- u.LoginType = login.Type(loginType)
+ if u.LoginSource != authSource {
+ u.LoginSource = authSource
+ u.LoginType = auth.Type(loginType)
}
}
@@ -325,13 +325,13 @@ func EditUserPost(ctx *context.Context) {
}
if form.Reset2FA {
- tf, err := login.GetTwoFactorByUID(u.ID)
- if err != nil && !login.IsErrTwoFactorNotEnrolled(err) {
+ tf, err := auth.GetTwoFactorByUID(u.ID)
+ if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) {
ctx.ServerError("GetTwoFactorByUID", err)
return
}
- if err = login.DeleteTwoFactorByID(tf.ID, u.ID); err != nil {
+ if err = auth.DeleteTwoFactorByID(tf.ID, u.ID); err != nil {
ctx.ServerError("DeleteTwoFactorByID", err)
return
}
diff --git a/routers/web/auth/2fa.go b/routers/web/auth/2fa.go
new file mode 100644
index 0000000000..c61922cd9d
--- /dev/null
+++ b/routers/web/auth/2fa.go
@@ -0,0 +1,166 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+ "errors"
+ "net/http"
+
+ "code.gitea.io/gitea/models/auth"
+ user_model "code.gitea.io/gitea/models/user"
+ "code.gitea.io/gitea/modules/base"
+ "code.gitea.io/gitea/modules/context"
+ "code.gitea.io/gitea/modules/setting"
+ "code.gitea.io/gitea/modules/web"
+ "code.gitea.io/gitea/services/externalaccount"
+ "code.gitea.io/gitea/services/forms"
+)
+
+var (
+ tplTwofa base.TplName = "user/auth/twofa"
+ tplTwofaScratch base.TplName = "user/auth/twofa_scratch"
+)
+
+// TwoFactor shows the user a two-factor authentication page.
+func TwoFactor(ctx *context.Context) {
+ ctx.Data["Title"] = ctx.Tr("twofa")
+
+ // Check auto-login.
+ if checkAutoLogin(ctx) {
+ return
+ }
+
+ // Ensure user is in a 2FA session.
+ if ctx.Session.Get("twofaUid") == nil {
+ ctx.ServerError("UserSignIn", errors.New("not in 2FA session"))
+ return
+ }
+
+ ctx.HTML(http.StatusOK, tplTwofa)
+}
+
+// TwoFactorPost validates a user's two-factor authentication token.
+func TwoFactorPost(ctx *context.Context) {
+ form := web.GetForm(ctx).(*forms.TwoFactorAuthForm)
+ ctx.Data["Title"] = ctx.Tr("twofa")
+
+ // Ensure user is in a 2FA session.
+ idSess := ctx.Session.Get("twofaUid")
+ if idSess == nil {
+ ctx.ServerError("UserSignIn", errors.New("not in 2FA session"))
+ return
+ }
+
+ id := idSess.(int64)
+ twofa, err := auth.GetTwoFactorByUID(id)
+ if err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+
+ // Validate the passcode with the stored TOTP secret.
+ ok, err := twofa.ValidateTOTP(form.Passcode)
+ if err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+
+ if ok && twofa.LastUsedPasscode != form.Passcode {
+ remember := ctx.Session.Get("twofaRemember").(bool)
+ u, err := user_model.GetUserByID(id)
+ if err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+
+ if ctx.Session.Get("linkAccount") != nil {
+ err = externalaccount.LinkAccountFromStore(ctx.Session, u)
+ if err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+ }
+
+ twofa.LastUsedPasscode = form.Passcode
+ if err = auth.UpdateTwoFactor(twofa); err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+
+ handleSignIn(ctx, u, remember)
+ return
+ }
+
+ ctx.RenderWithErr(ctx.Tr("auth.twofa_passcode_incorrect"), tplTwofa, forms.TwoFactorAuthForm{})
+}
+
+// TwoFactorScratch shows the scratch code form for two-factor authentication.
+func TwoFactorScratch(ctx *context.Context) {
+ ctx.Data["Title"] = ctx.Tr("twofa_scratch")
+
+ // Check auto-login.
+ if checkAutoLogin(ctx) {
+ return
+ }
+
+ // Ensure user is in a 2FA session.
+ if ctx.Session.Get("twofaUid") == nil {
+ ctx.ServerError("UserSignIn", errors.New("not in 2FA session"))
+ return
+ }
+
+ ctx.HTML(http.StatusOK, tplTwofaScratch)
+}
+
+// TwoFactorScratchPost validates and invalidates a user's two-factor scratch token.
+func TwoFactorScratchPost(ctx *context.Context) {
+ form := web.GetForm(ctx).(*forms.TwoFactorScratchAuthForm)
+ ctx.Data["Title"] = ctx.Tr("twofa_scratch")
+
+ // Ensure user is in a 2FA session.
+ idSess := ctx.Session.Get("twofaUid")
+ if idSess == nil {
+ ctx.ServerError("UserSignIn", errors.New("not in 2FA session"))
+ return
+ }
+
+ id := idSess.(int64)
+ twofa, err := auth.GetTwoFactorByUID(id)
+ if err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+
+ // Validate the passcode with the stored TOTP secret.
+ if twofa.VerifyScratchToken(form.Token) {
+ // Invalidate the scratch token.
+ _, err = twofa.GenerateScratchToken()
+ if err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+ if err = auth.UpdateTwoFactor(twofa); err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+
+ remember := ctx.Session.Get("twofaRemember").(bool)
+ u, err := user_model.GetUserByID(id)
+ if err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+
+ handleSignInFull(ctx, u, remember, false)
+ if ctx.Written() {
+ return
+ }
+ ctx.Flash.Info(ctx.Tr("auth.twofa_scratch_used"))
+ ctx.Redirect(setting.AppSubURL + "/user/settings/security")
+ return
+ }
+
+ ctx.RenderWithErr(ctx.Tr("auth.twofa_scratch_token_incorrect"), tplTwofaScratch, forms.TwoFactorScratchAuthForm{})
+}
diff --git a/routers/web/auth/auth.go b/routers/web/auth/auth.go
new file mode 100644
index 0000000000..b9765abfb5
--- /dev/null
+++ b/routers/web/auth/auth.go
@@ -0,0 +1,795 @@
+// Copyright 2014 The Gogs Authors. All rights reserved.
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+ "fmt"
+ "net/http"
+ "strings"
+
+ "code.gitea.io/gitea/models/auth"
+ "code.gitea.io/gitea/models/db"
+ user_model "code.gitea.io/gitea/models/user"
+ "code.gitea.io/gitea/modules/base"
+ "code.gitea.io/gitea/modules/context"
+ "code.gitea.io/gitea/modules/eventsource"
+ "code.gitea.io/gitea/modules/hcaptcha"
+ "code.gitea.io/gitea/modules/log"
+ "code.gitea.io/gitea/modules/password"
+ "code.gitea.io/gitea/modules/recaptcha"
+ "code.gitea.io/gitea/modules/session"
+ "code.gitea.io/gitea/modules/setting"
+ "code.gitea.io/gitea/modules/timeutil"
+ "code.gitea.io/gitea/modules/web"
+ "code.gitea.io/gitea/modules/web/middleware"
+ "code.gitea.io/gitea/routers/utils"
+ auth_service "code.gitea.io/gitea/services/auth"
+ "code.gitea.io/gitea/services/auth/source/oauth2"
+ "code.gitea.io/gitea/services/externalaccount"
+ "code.gitea.io/gitea/services/forms"
+ "code.gitea.io/gitea/services/mailer"
+
+ "github.com/markbates/goth"
+)
+
+const (
+ // tplSignIn template for sign in page
+ tplSignIn base.TplName = "user/auth/signin"
+ // tplSignUp template path for sign up page
+ tplSignUp base.TplName = "user/auth/signup"
+ // TplActivate template path for activate user
+ TplActivate base.TplName = "user/auth/activate"
+)
+
+// AutoSignIn reads cookie and try to auto-login.
+func AutoSignIn(ctx *context.Context) (bool, error) {
+ if !db.HasEngine {
+ return false, nil
+ }
+
+ uname := ctx.GetCookie(setting.CookieUserName)
+ if len(uname) == 0 {
+ return false, nil
+ }
+
+ isSucceed := false
+ defer func() {
+ if !isSucceed {
+ log.Trace("auto-login cookie cleared: %s", uname)
+ ctx.DeleteCookie(setting.CookieUserName)
+ ctx.DeleteCookie(setting.CookieRememberName)
+ }
+ }()
+
+ u, err := user_model.GetUserByName(uname)
+ if err != nil {
+ if !user_model.IsErrUserNotExist(err) {
+ return false, fmt.Errorf("GetUserByName: %v", err)
+ }
+ return false, nil
+ }
+
+ if val, ok := ctx.GetSuperSecureCookie(
+ base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); !ok || val != u.Name {
+ return false, nil
+ }
+
+ isSucceed = true
+
+ if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
+ return false, fmt.Errorf("unable to RegenerateSession: Error: %w", err)
+ }
+
+ // Set session IDs
+ if err := ctx.Session.Set("uid", u.ID); err != nil {
+ return false, err
+ }
+ if err := ctx.Session.Set("uname", u.Name); err != nil {
+ return false, err
+ }
+ if err := ctx.Session.Release(); err != nil {
+ return false, err
+ }
+
+ if err := resetLocale(ctx, u); err != nil {
+ return false, err
+ }
+
+ middleware.DeleteCSRFCookie(ctx.Resp)
+ return true, nil
+}
+
+func resetLocale(ctx *context.Context, u *user_model.User) error {
+ // Language setting of the user overwrites the one previously set
+ // If the user does not have a locale set, we save the current one.
+ if len(u.Language) == 0 {
+ u.Language = ctx.Locale.Language()
+ if err := user_model.UpdateUserCols(db.DefaultContext, u, "language"); err != nil {
+ return err
+ }
+ }
+
+ middleware.SetLocaleCookie(ctx.Resp, u.Language, 0)
+
+ if ctx.Locale.Language() != u.Language {
+ ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
+ }
+
+ return nil
+}
+
+func checkAutoLogin(ctx *context.Context) bool {
+ // Check auto-login
+ isSucceed, err := AutoSignIn(ctx)
+ if err != nil {
+ ctx.ServerError("AutoSignIn", err)
+ return true
+ }
+
+ redirectTo := ctx.FormString("redirect_to")
+ if len(redirectTo) > 0 {
+ middleware.SetRedirectToCookie(ctx.Resp, redirectTo)
+ } else {
+ redirectTo = ctx.GetCookie("redirect_to")
+ }
+
+ if isSucceed {
+ middleware.DeleteRedirectToCookie(ctx.Resp)
+ ctx.RedirectToFirst(redirectTo, setting.AppSubURL+string(setting.LandingPageURL))
+ return true
+ }
+
+ return false
+}
+
+// SignIn render sign in page
+func SignIn(ctx *context.Context) {
+ ctx.Data["Title"] = ctx.Tr("sign_in")
+
+ // Check auto-login
+ if checkAutoLogin(ctx) {
+ return
+ }
+
+ orderedOAuth2Names, oauth2Providers, err := oauth2.GetActiveOAuth2Providers()
+ if err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+ ctx.Data["OrderedOAuth2Names"] = orderedOAuth2Names
+ ctx.Data["OAuth2Providers"] = oauth2Providers
+ ctx.Data["Title"] = ctx.Tr("sign_in")
+ ctx.Data["SignInLink"] = setting.AppSubURL + "/user/login"
+ ctx.Data["PageIsSignIn"] = true
+ ctx.Data["PageIsLogin"] = true
+ ctx.Data["EnableSSPI"] = auth.IsSSPIEnabled()
+
+ ctx.HTML(http.StatusOK, tplSignIn)
+}
+
+// SignInPost response for sign in request
+func SignInPost(ctx *context.Context) {
+ ctx.Data["Title"] = ctx.Tr("sign_in")
+
+ orderedOAuth2Names, oauth2Providers, err := oauth2.GetActiveOAuth2Providers()
+ if err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+ ctx.Data["OrderedOAuth2Names"] = orderedOAuth2Names
+ ctx.Data["OAuth2Providers"] = oauth2Providers
+ ctx.Data["Title"] = ctx.Tr("sign_in")
+ ctx.Data["SignInLink"] = setting.AppSubURL + "/user/login"
+ ctx.Data["PageIsSignIn"] = true
+ ctx.Data["PageIsLogin"] = true
+ ctx.Data["EnableSSPI"] = auth.IsSSPIEnabled()
+
+ if ctx.HasError() {
+ ctx.HTML(http.StatusOK, tplSignIn)
+ return
+ }
+
+ form := web.GetForm(ctx).(*forms.SignInForm)
+ u, source, err := auth_service.UserSignIn(form.UserName, form.Password)
+ if err != nil {
+ if user_model.IsErrUserNotExist(err) {
+ ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplSignIn, &form)
+ log.Info("Failed authentication attempt for %s from %s: %v", form.UserName, ctx.RemoteAddr(), err)
+ } else if user_model.IsErrEmailAlreadyUsed(err) {
+ ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tplSignIn, &form)
+ log.Info("Failed authentication attempt for %s from %s: %v", form.UserName, ctx.RemoteAddr(), err)
+ } else if user_model.IsErrUserProhibitLogin(err) {
+ log.Info("Failed authentication attempt for %s from %s: %v", form.UserName, ctx.RemoteAddr(), err)
+ ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
+ ctx.HTML(http.StatusOK, "user/auth/prohibit_login")
+ } else if user_model.IsErrUserInactive(err) {
+ if setting.Service.RegisterEmailConfirm {
+ ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
+ ctx.HTML(http.StatusOK, TplActivate)
+ } else {
+ log.Info("Failed authentication attempt for %s from %s: %v", form.UserName, ctx.RemoteAddr(), err)
+ ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
+ ctx.HTML(http.StatusOK, "user/auth/prohibit_login")
+ }
+ } else {
+ ctx.ServerError("UserSignIn", err)
+ }
+ return
+ }
+
+ // Now handle 2FA:
+
+ // First of all if the source can skip local two fa we're done
+ if skipper, ok := source.Cfg.(auth_service.LocalTwoFASkipper); ok && skipper.IsSkipLocalTwoFA() {
+ handleSignIn(ctx, u, form.Remember)
+ return
+ }
+
+ // If this user is enrolled in 2FA TOTP, we can't sign the user in just yet.
+ // Instead, redirect them to the 2FA authentication page.
+ hasTOTPtwofa, err := auth.HasTwoFactorByUID(u.ID)
+ if err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+
+ // Check if the user has u2f registration
+ hasU2Ftwofa, err := auth.HasU2FRegistrationsByUID(u.ID)
+ if err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+
+ if !hasTOTPtwofa && !hasU2Ftwofa {
+ // No two factor auth configured we can sign in the user
+ handleSignIn(ctx, u, form.Remember)
+ return
+ }
+
+ if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
+ ctx.ServerError("UserSignIn: Unable to set regenerate session", err)
+ return
+ }
+
+ // User will need to use 2FA TOTP or U2F, save data
+ if err := ctx.Session.Set("twofaUid", u.ID); err != nil {
+ ctx.ServerError("UserSignIn: Unable to set twofaUid in session", err)
+ return
+ }
+
+ if err := ctx.Session.Set("twofaRemember", form.Remember); err != nil {
+ ctx.ServerError("UserSignIn: Unable to set twofaRemember in session", err)
+ return
+ }
+
+ if hasTOTPtwofa {
+ // User will need to use U2F, save data
+ if err := ctx.Session.Set("totpEnrolled", u.ID); err != nil {
+ ctx.ServerError("UserSignIn: Unable to set u2fEnrolled in session", err)
+ return
+ }
+ }
+
+ if err := ctx.Session.Release(); err != nil {
+ ctx.ServerError("UserSignIn: Unable to save session", err)
+ return
+ }
+
+ // If we have U2F redirect there first
+ if hasU2Ftwofa {
+ ctx.Redirect(setting.AppSubURL + "/user/u2f")
+ return
+ }
+
+ // Fallback to 2FA
+ ctx.Redirect(setting.AppSubURL + "/user/two_factor")
+}
+
+// This handles the final part of the sign-in process of the user.
+func handleSignIn(ctx *context.Context, u *user_model.User, remember bool) {
+ redirect := handleSignInFull(ctx, u, remember, true)
+ if ctx.Written() {
+ return
+ }
+ ctx.Redirect(redirect)
+}
+
+func handleSignInFull(ctx *context.Context, u *user_model.User, remember bool, obeyRedirect bool) string {
+ if remember {
+ days := 86400 * setting.LogInRememberDays
+ ctx.SetCookie(setting.CookieUserName, u.Name, days)
+ ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd),
+ setting.CookieRememberName, u.Name, days)
+ }
+
+ if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
+ ctx.ServerError("RegenerateSession", err)
+ return setting.AppSubURL + "/"
+ }
+
+ // Delete the openid, 2fa and linkaccount data
+ _ = ctx.Session.Delete("openid_verified_uri")
+ _ = ctx.Session.Delete("openid_signin_remember")
+ _ = ctx.Session.Delete("openid_determined_email")
+ _ = ctx.Session.Delete("openid_determined_username")
+ _ = ctx.Session.Delete("twofaUid")
+ _ = ctx.Session.Delete("twofaRemember")
+ _ = ctx.Session.Delete("u2fChallenge")
+ _ = ctx.Session.Delete("linkAccount")
+ if err := ctx.Session.Set("uid", u.ID); err != nil {
+ log.Error("Error setting uid %d in session: %v", u.ID, err)
+ }
+ if err := ctx.Session.Set("uname", u.Name); err != nil {
+ log.Error("Error setting uname %s session: %v", u.Name, err)
+ }
+ if err := ctx.Session.Release(); err != nil {
+ log.Error("Unable to store session: %v", err)
+ }
+
+ // Language setting of the user overwrites the one previously set
+ // If the user does not have a locale set, we save the current one.
+ if len(u.Language) == 0 {
+ u.Language = ctx.Locale.Language()
+ if err := user_model.UpdateUserCols(db.DefaultContext, u, "language"); err != nil {
+ ctx.ServerError("UpdateUserCols Language", fmt.Errorf("Error updating user language [user: %d, locale: %s]", u.ID, u.Language))
+ return setting.AppSubURL + "/"
+ }
+ }
+
+ middleware.SetLocaleCookie(ctx.Resp, u.Language, 0)
+
+ if ctx.Locale.Language() != u.Language {
+ ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
+ }
+
+ // Clear whatever CSRF has right now, force to generate a new one
+ middleware.DeleteCSRFCookie(ctx.Resp)
+
+ // Register last login
+ u.SetLastLogin()
+ if err := user_model.UpdateUserCols(db.DefaultContext, u, "last_login_unix"); err != nil {
+ ctx.ServerError("UpdateUserCols", err)
+ return setting.AppSubURL + "/"
+ }
+
+ if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 && !utils.IsExternalURL(redirectTo) {
+ middleware.DeleteRedirectToCookie(ctx.Resp)
+ if obeyRedirect {
+ ctx.RedirectToFirst(redirectTo)
+ }
+ return redirectTo
+ }
+
+ if obeyRedirect {
+ ctx.Redirect(setting.AppSubURL + "/")
+ }
+ return setting.AppSubURL + "/"
+}
+
+func getUserName(gothUser *goth.User) string {
+ switch setting.OAuth2Client.Username {
+ case setting.OAuth2UsernameEmail:
+ return strings.Split(gothUser.Email, "@")[0]
+ case setting.OAuth2UsernameNickname:
+ return gothUser.NickName
+ default: // OAuth2UsernameUserid
+ return gothUser.UserID
+ }
+}
+
+// HandleSignOut resets the session and sets the cookies
+func HandleSignOut(ctx *context.Context) {
+ _ = ctx.Session.Flush()
+ _ = ctx.Session.Destroy(ctx.Resp, ctx.Req)
+ ctx.DeleteCookie(setting.CookieUserName)
+ ctx.DeleteCookie(setting.CookieRememberName)
+ middleware.DeleteCSRFCookie(ctx.Resp)
+ middleware.DeleteLocaleCookie(ctx.Resp)
+ middleware.DeleteRedirectToCookie(ctx.Resp)
+}
+
+// SignOut sign out from login status
+func SignOut(ctx *context.Context) {
+ if ctx.User != nil {
+ eventsource.GetManager().SendMessageBlocking(ctx.User.ID, &eventsource.Event{
+ Name: "logout",
+ Data: ctx.Session.ID(),
+ })
+ }
+ HandleSignOut(ctx)
+ ctx.Redirect(setting.AppSubURL + "/")
+}
+
+// SignUp render the register page
+func SignUp(ctx *context.Context) {
+ ctx.Data["Title"] = ctx.Tr("sign_up")
+
+ ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/sign_up"
+
+ ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
+ ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
+ ctx.Data["Captcha"] = context.GetImageCaptcha()
+ ctx.Data["CaptchaType"] = setting.Service.CaptchaType
+ ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
+ ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
+ ctx.Data["PageIsSignUp"] = true
+
+ //Show Disabled Registration message if DisableRegistration or AllowOnlyExternalRegistration options are true
+ ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration || setting.Service.AllowOnlyExternalRegistration
+
+ ctx.HTML(http.StatusOK, tplSignUp)
+}
+
+// SignUpPost response for sign up information submission
+func SignUpPost(ctx *context.Context) {
+ form := web.GetForm(ctx).(*forms.RegisterForm)
+ ctx.Data["Title"] = ctx.Tr("sign_up")
+
+ ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/sign_up"
+
+ ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
+ ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
+ ctx.Data["Captcha"] = context.GetImageCaptcha()
+ ctx.Data["CaptchaType"] = setting.Service.CaptchaType
+ ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
+ ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
+ ctx.Data["PageIsSignUp"] = true
+
+ //Permission denied if DisableRegistration or AllowOnlyExternalRegistration options are true
+ if setting.Service.DisableRegistration || setting.Service.AllowOnlyExternalRegistration {
+ ctx.Error(http.StatusForbidden)
+ return
+ }
+
+ if ctx.HasError() {
+ ctx.HTML(http.StatusOK, tplSignUp)
+ return
+ }
+
+ if setting.Service.EnableCaptcha {
+ var valid bool
+ var err error
+ switch setting.Service.CaptchaType {
+ case setting.ImageCaptcha:
+ valid = context.GetImageCaptcha().VerifyReq(ctx.Req)
+ case setting.ReCaptcha:
+ valid, err = recaptcha.Verify(ctx, form.GRecaptchaResponse)
+ case setting.HCaptcha:
+ valid, err = hcaptcha.Verify(ctx, form.HcaptchaResponse)
+ default:
+ ctx.ServerError("Unknown Captcha Type", fmt.Errorf("Unknown Captcha Type: %s", setting.Service.CaptchaType))
+ return
+ }
+ if err != nil {
+ log.Debug("%s", err.Error())
+ }
+
+ if !valid {
+ ctx.Data["Err_Captcha"] = true
+ ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplSignUp, &form)
+ return
+ }
+ }
+
+ if !form.IsEmailDomainAllowed() {
+ ctx.RenderWithErr(ctx.Tr("auth.email_domain_blacklisted"), tplSignUp, &form)
+ return
+ }
+
+ if form.Password != form.Retype {
+ ctx.Data["Err_Password"] = true
+ ctx.RenderWithErr(ctx.Tr("form.password_not_match"), tplSignUp, &form)
+ return
+ }
+ if len(form.Password) < setting.MinPasswordLength {
+ ctx.Data["Err_Password"] = true
+ ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplSignUp, &form)
+ return
+ }
+ if !password.IsComplexEnough(form.Password) {
+ ctx.Data["Err_Password"] = true
+ ctx.RenderWithErr(password.BuildComplexityError(ctx), tplSignUp, &form)
+ return
+ }
+ pwned, err := password.IsPwned(ctx, form.Password)
+ if pwned {
+ errMsg := ctx.Tr("auth.password_pwned")
+ if err != nil {
+ log.Error(err.Error())
+ errMsg = ctx.Tr("auth.password_pwned_err")
+ }
+ ctx.Data["Err_Password"] = true
+ ctx.RenderWithErr(errMsg, tplSignUp, &form)
+ return
+ }
+
+ u := &user_model.User{
+ Name: form.UserName,
+ Email: form.Email,
+ Passwd: form.Password,
+ IsActive: !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm),
+ IsRestricted: setting.Service.DefaultUserIsRestricted,
+ }
+
+ if !createAndHandleCreatedUser(ctx, tplSignUp, form, u, nil, false) {
+ // error already handled
+ return
+ }
+
+ ctx.Flash.Success(ctx.Tr("auth.sign_up_successful"))
+ handleSignIn(ctx, u, false)
+}
+
+// createAndHandleCreatedUser calls createUserInContext and
+// then handleUserCreated.
+func createAndHandleCreatedUser(ctx *context.Context, tpl base.TplName, form interface{}, u *user_model.User, gothUser *goth.User, allowLink bool) bool {
+ if !createUserInContext(ctx, tpl, form, u, gothUser, allowLink) {
+ return false
+ }
+ return handleUserCreated(ctx, u, gothUser)
+}
+
+// createUserInContext creates a user and handles errors within a given context.
+// Optionally a template can be specified.
+func createUserInContext(ctx *context.Context, tpl base.TplName, form interface{}, u *user_model.User, gothUser *goth.User, allowLink bool) (ok bool) {
+ if err := user_model.CreateUser(u); err != nil {
+ if allowLink && (user_model.IsErrUserAlreadyExist(err) || user_model.IsErrEmailAlreadyUsed(err)) {
+ if setting.OAuth2Client.AccountLinking == setting.OAuth2AccountLinkingAuto {
+ var user *user_model.User
+ user = &user_model.User{Name: u.Name}
+ hasUser, err := user_model.GetUser(user)
+ if !hasUser || err != nil {
+ user = &user_model.User{Email: u.Email}
+ hasUser, err = user_model.GetUser(user)
+ if !hasUser || err != nil {
+ ctx.ServerError("UserLinkAccount", err)
+ return
+ }
+ }
+
+ // TODO: probably we should respect 'remember' user's choice...
+ linkAccount(ctx, user, *gothUser, true)
+ return // user is already created here, all redirects are handled
+ } else if setting.OAuth2Client.AccountLinking == setting.OAuth2AccountLinkingLogin {
+ showLinkingLogin(ctx, *gothUser)
+ return // user will be created only after linking login
+ }
+ }
+
+ // handle error without template
+ if len(tpl) == 0 {
+ ctx.ServerError("CreateUser", err)
+ return
+ }
+
+ // handle error with template
+ switch {
+ case user_model.IsErrUserAlreadyExist(err):
+ ctx.Data["Err_UserName"] = true
+ ctx.RenderWithErr(ctx.Tr("form.username_been_taken"), tpl, form)
+ case user_model.IsErrEmailAlreadyUsed(err):
+ ctx.Data["Err_Email"] = true
+ ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tpl, form)
+ case user_model.IsErrEmailInvalid(err):
+ ctx.Data["Err_Email"] = true
+ ctx.RenderWithErr(ctx.Tr("form.email_invalid"), tpl, form)
+ case db.IsErrNameReserved(err):
+ ctx.Data["Err_UserName"] = true
+ ctx.RenderWithErr(ctx.Tr("user.form.name_reserved", err.(db.ErrNameReserved).Name), tpl, form)
+ case db.IsErrNamePatternNotAllowed(err):
+ ctx.Data["Err_UserName"] = true
+ ctx.RenderWithErr(ctx.Tr("user.form.name_pattern_not_allowed", err.(db.ErrNamePatternNotAllowed).Pattern), tpl, form)
+ case db.IsErrNameCharsNotAllowed(err):
+ ctx.Data["Err_UserName"] = true
+ ctx.RenderWithErr(ctx.Tr("user.form.name_chars_not_allowed", err.(db.ErrNameCharsNotAllowed).Name), tpl, form)
+ default:
+ ctx.ServerError("CreateUser", err)
+ }
+ return
+ }
+ log.Trace("Account created: %s", u.Name)
+ return true
+}
+
+// handleUserCreated does additional steps after a new user is created.
+// It auto-sets admin for the only user, updates the optional external user and
+// sends a confirmation email if required.
+func handleUserCreated(ctx *context.Context, u *user_model.User, gothUser *goth.User) (ok bool) {
+ // Auto-set admin for the only user.
+ if user_model.CountUsers() == 1 {
+ u.IsAdmin = true
+ u.IsActive = true
+ u.SetLastLogin()
+ if err := user_model.UpdateUserCols(db.DefaultContext, u, "is_admin", "is_active", "last_login_unix"); err != nil {
+ ctx.ServerError("UpdateUser", err)
+ return
+ }
+ }
+
+ // update external user information
+ if gothUser != nil {
+ if err := externalaccount.UpdateExternalUser(u, *gothUser); err != nil {
+ log.Error("UpdateExternalUser failed: %v", err)
+ }
+ }
+
+ // Send confirmation email
+ if !u.IsActive && u.ID > 1 {
+ mailer.SendActivateAccountMail(ctx.Locale, u)
+
+ ctx.Data["IsSendRegisterMail"] = true
+ ctx.Data["Email"] = u.Email
+ ctx.Data["ActiveCodeLives"] = timeutil.MinutesToFriendly(setting.Service.ActiveCodeLives, ctx.Locale.Language())
+ ctx.HTML(http.StatusOK, TplActivate)
+
+ if err := ctx.Cache.Put("MailResendLimit_"+u.LowerName, u.LowerName, 180); err != nil {
+ log.Error("Set cache(MailResendLimit) fail: %v", err)
+ }
+ return
+ }
+
+ return true
+}
+
+// Activate render activate user page
+func Activate(ctx *context.Context) {
+ code := ctx.FormString("code")
+
+ if len(code) == 0 {
+ ctx.Data["IsActivatePage"] = true
+ if ctx.User == nil || ctx.User.IsActive {
+ ctx.NotFound("invalid user", nil)
+ return
+ }
+ // Resend confirmation email.
+ if setting.Service.RegisterEmailConfirm {
+ if ctx.Cache.IsExist("MailResendLimit_" + ctx.User.LowerName) {
+ ctx.Data["ResendLimited"] = true
+ } else {
+ ctx.Data["ActiveCodeLives"] = timeutil.MinutesToFriendly(setting.Service.ActiveCodeLives, ctx.Locale.Language())
+ mailer.SendActivateAccountMail(ctx.Locale, ctx.User)
+
+ if err := ctx.Cache.Put("MailResendLimit_"+ctx.User.LowerName, ctx.User.LowerName, 180); err != nil {
+ log.Error("Set cache(MailResendLimit) fail: %v", err)
+ }
+ }
+ } else {
+ ctx.Data["ServiceNotEnabled"] = true
+ }
+ ctx.HTML(http.StatusOK, TplActivate)
+ return
+ }
+
+ user := user_model.VerifyUserActiveCode(code)
+ // if code is wrong
+ if user == nil {
+ ctx.Data["IsActivateFailed"] = true
+ ctx.HTML(http.StatusOK, TplActivate)
+ return
+ }
+
+ // if account is local account, verify password
+ if user.LoginSource == 0 {
+ ctx.Data["Code"] = code
+ ctx.Data["NeedsPassword"] = true
+ ctx.HTML(http.StatusOK, TplActivate)
+ return
+ }
+
+ handleAccountActivation(ctx, user)
+}
+
+// ActivatePost handles account activation with password check
+func ActivatePost(ctx *context.Context) {
+ code := ctx.FormString("code")
+ if len(code) == 0 {
+ ctx.Redirect(setting.AppSubURL + "/user/activate")
+ return
+ }
+
+ user := user_model.VerifyUserActiveCode(code)
+ // if code is wrong
+ if user == nil {
+ ctx.Data["IsActivateFailed"] = true
+ ctx.HTML(http.StatusOK, TplActivate)
+ return
+ }
+
+ // if account is local account, verify password
+ if user.LoginSource == 0 {
+ password := ctx.FormString("password")
+ if len(password) == 0 {
+ ctx.Data["Code"] = code
+ ctx.Data["NeedsPassword"] = true
+ ctx.HTML(http.StatusOK, TplActivate)
+ return
+ }
+ if !user.ValidatePassword(password) {
+ ctx.Data["IsActivateFailed"] = true
+ ctx.HTML(http.StatusOK, TplActivate)
+ return
+ }
+ }
+
+ handleAccountActivation(ctx, user)
+}
+
+func handleAccountActivation(ctx *context.Context, user *user_model.User) {
+ user.IsActive = true
+ var err error
+ if user.Rands, err = user_model.GetUserSalt(); err != nil {
+ ctx.ServerError("UpdateUser", err)
+ return
+ }
+ if err := user_model.UpdateUserCols(db.DefaultContext, user, "is_active", "rands"); err != nil {
+ if user_model.IsErrUserNotExist(err) {
+ ctx.NotFound("UpdateUserCols", err)
+ } else {
+ ctx.ServerError("UpdateUser", err)
+ }
+ return
+ }
+
+ if err := user_model.ActivateUserEmail(user.ID, user.Email, true); err != nil {
+ log.Error("Unable to activate email for user: %-v with email: %s: %v", user, user.Email, err)
+ ctx.ServerError("ActivateUserEmail", err)
+ return
+ }
+
+ log.Trace("User activated: %s", user.Name)
+
+ if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
+ log.Error("Unable to regenerate session for user: %-v with email: %s: %v", user, user.Email, err)
+ ctx.ServerError("ActivateUserEmail", err)
+ return
+ }
+
+ if err := ctx.Session.Set("uid", user.ID); err != nil {
+ log.Error("Error setting uid in session[%s]: %v", ctx.Session.ID(), err)
+ }
+ if err := ctx.Session.Set("uname", user.Name); err != nil {
+ log.Error("Error setting uname in session[%s]: %v", ctx.Session.ID(), err)
+ }
+ if err := ctx.Session.Release(); err != nil {
+ log.Error("Error storing session[%s]: %v", ctx.Session.ID(), err)
+ }
+
+ if err := resetLocale(ctx, user); err != nil {
+ ctx.ServerError("resetLocale", err)
+ return
+ }
+
+ ctx.Flash.Success(ctx.Tr("auth.account_activated"))
+ ctx.Redirect(setting.AppSubURL + "/")
+}
+
+// ActivateEmail render the activate email page
+func ActivateEmail(ctx *context.Context) {
+ code := ctx.FormString("code")
+ emailStr := ctx.FormString("email")
+
+ // Verify code.
+ if email := user_model.VerifyActiveEmailCode(code, emailStr); email != nil {
+ if err := user_model.ActivateEmail(email); err != nil {
+ ctx.ServerError("ActivateEmail", err)
+ }
+
+ log.Trace("Email activated: %s", email.Email)
+ ctx.Flash.Success(ctx.Tr("settings.add_email_success"))
+
+ if u, err := user_model.GetUserByID(email.UID); err != nil {
+ log.Warn("GetUserByID: %d", email.UID)
+ } else {
+ // Allow user to validate more emails
+ _ = ctx.Cache.Delete("MailResendLimit_" + u.LowerName)
+ }
+ }
+
+ // FIXME: e-mail verification does not require the user to be logged in,
+ // so this could be redirecting to the login page.
+ // Should users be logged in automatically here? (consider 2FA requirements, etc.)
+ ctx.Redirect(setting.AppSubURL + "/user/settings/account")
+}
diff --git a/routers/web/auth/linkaccount.go b/routers/web/auth/linkaccount.go
new file mode 100644
index 0000000000..9d5a6eb3f8
--- /dev/null
+++ b/routers/web/auth/linkaccount.go
@@ -0,0 +1,300 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+ "errors"
+ "fmt"
+ "net/http"
+ "strings"
+
+ "code.gitea.io/gitea/models/auth"
+ user_model "code.gitea.io/gitea/models/user"
+ "code.gitea.io/gitea/modules/base"
+ "code.gitea.io/gitea/modules/context"
+ "code.gitea.io/gitea/modules/hcaptcha"
+ "code.gitea.io/gitea/modules/log"
+ "code.gitea.io/gitea/modules/recaptcha"
+ "code.gitea.io/gitea/modules/session"
+ "code.gitea.io/gitea/modules/setting"
+ "code.gitea.io/gitea/modules/web"
+ auth_service "code.gitea.io/gitea/services/auth"
+ "code.gitea.io/gitea/services/externalaccount"
+ "code.gitea.io/gitea/services/forms"
+
+ "github.com/markbates/goth"
+)
+
+var (
+ tplLinkAccount base.TplName = "user/auth/link_account"
+)
+
+// LinkAccount shows the page where the user can decide to login or create a new account
+func LinkAccount(ctx *context.Context) {
+ ctx.Data["DisablePassword"] = !setting.Service.RequireExternalRegistrationPassword || setting.Service.AllowOnlyExternalRegistration
+ ctx.Data["Title"] = ctx.Tr("link_account")
+ ctx.Data["LinkAccountMode"] = true
+ ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha && setting.Service.RequireExternalRegistrationCaptcha
+ ctx.Data["Captcha"] = context.GetImageCaptcha()
+ ctx.Data["CaptchaType"] = setting.Service.CaptchaType
+ ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
+ ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
+ ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
+ ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
+ ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
+ ctx.Data["ShowRegistrationButton"] = false
+
+ // use this to set the right link into the signIn and signUp templates in the link_account template
+ ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
+ ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
+
+ gothUser := ctx.Session.Get("linkAccountGothUser")
+ if gothUser == nil {
+ ctx.ServerError("UserSignIn", errors.New("not in LinkAccount session"))
+ return
+ }
+
+ gu, _ := gothUser.(goth.User)
+ uname := getUserName(&gu)
+ email := gu.Email
+ ctx.Data["user_name"] = uname
+ ctx.Data["email"] = email
+
+ if len(email) != 0 {
+ u, err := user_model.GetUserByEmail(email)
+ if err != nil && !user_model.IsErrUserNotExist(err) {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+ if u != nil {
+ ctx.Data["user_exists"] = true
+ }
+ } else if len(uname) != 0 {
+ u, err := user_model.GetUserByName(uname)
+ if err != nil && !user_model.IsErrUserNotExist(err) {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+ if u != nil {
+ ctx.Data["user_exists"] = true
+ }
+ }
+
+ ctx.HTML(http.StatusOK, tplLinkAccount)
+}
+
+// LinkAccountPostSignIn handle the coupling of external account with another account using signIn
+func LinkAccountPostSignIn(ctx *context.Context) {
+ signInForm := web.GetForm(ctx).(*forms.SignInForm)
+ ctx.Data["DisablePassword"] = !setting.Service.RequireExternalRegistrationPassword || setting.Service.AllowOnlyExternalRegistration
+ ctx.Data["Title"] = ctx.Tr("link_account")
+ ctx.Data["LinkAccountMode"] = true
+ ctx.Data["LinkAccountModeSignIn"] = true
+ ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha && setting.Service.RequireExternalRegistrationCaptcha
+ ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
+ ctx.Data["Captcha"] = context.GetImageCaptcha()
+ ctx.Data["CaptchaType"] = setting.Service.CaptchaType
+ ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
+ ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
+ ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
+ ctx.Data["ShowRegistrationButton"] = false
+
+ // use this to set the right link into the signIn and signUp templates in the link_account template
+ ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
+ ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
+
+ gothUser := ctx.Session.Get("linkAccountGothUser")
+ if gothUser == nil {
+ ctx.ServerError("UserSignIn", errors.New("not in LinkAccount session"))
+ return
+ }
+
+ if ctx.HasError() {
+ ctx.HTML(http.StatusOK, tplLinkAccount)
+ return
+ }
+
+ u, _, err := auth_service.UserSignIn(signInForm.UserName, signInForm.Password)
+ if err != nil {
+ if user_model.IsErrUserNotExist(err) {
+ ctx.Data["user_exists"] = true
+ ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplLinkAccount, &signInForm)
+ } else {
+ ctx.ServerError("UserLinkAccount", err)
+ }
+ return
+ }
+
+ linkAccount(ctx, u, gothUser.(goth.User), signInForm.Remember)
+}
+
+func linkAccount(ctx *context.Context, u *user_model.User, gothUser goth.User, remember bool) {
+ updateAvatarIfNeed(gothUser.AvatarURL, u)
+
+ // If this user is enrolled in 2FA, we can't sign the user in just yet.
+ // Instead, redirect them to the 2FA authentication page.
+ // We deliberately ignore the skip local 2fa setting here because we are linking to a previous user here
+ _, err := auth.GetTwoFactorByUID(u.ID)
+ if err != nil {
+ if !auth.IsErrTwoFactorNotEnrolled(err) {
+ ctx.ServerError("UserLinkAccount", err)
+ return
+ }
+
+ err = externalaccount.LinkAccountToUser(u, gothUser)
+ if err != nil {
+ ctx.ServerError("UserLinkAccount", err)
+ return
+ }
+
+ handleSignIn(ctx, u, remember)
+ return
+ }
+
+ if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
+ ctx.ServerError("RegenerateSession", err)
+ return
+ }
+
+ // User needs to use 2FA, save data and redirect to 2FA page.
+ if err := ctx.Session.Set("twofaUid", u.ID); err != nil {
+ log.Error("Error setting twofaUid in session: %v", err)
+ }
+ if err := ctx.Session.Set("twofaRemember", remember); err != nil {
+ log.Error("Error setting twofaRemember in session: %v", err)
+ }
+ if err := ctx.Session.Set("linkAccount", true); err != nil {
+ log.Error("Error setting linkAccount in session: %v", err)
+ }
+ if err := ctx.Session.Release(); err != nil {
+ log.Error("Error storing session: %v", err)
+ }
+
+ // If U2F is enrolled -> Redirect to U2F instead
+ regs, err := auth.GetU2FRegistrationsByUID(u.ID)
+ if err == nil && len(regs) > 0 {
+ ctx.Redirect(setting.AppSubURL + "/user/u2f")
+ return
+ }
+
+ ctx.Redirect(setting.AppSubURL + "/user/two_factor")
+}
+
+// LinkAccountPostRegister handle the creation of a new account for an external account using signUp
+func LinkAccountPostRegister(ctx *context.Context) {
+ form := web.GetForm(ctx).(*forms.RegisterForm)
+ // TODO Make insecure passwords optional for local accounts also,
+ // once email-based Second-Factor Auth is available
+ ctx.Data["DisablePassword"] = !setting.Service.RequireExternalRegistrationPassword || setting.Service.AllowOnlyExternalRegistration
+ ctx.Data["Title"] = ctx.Tr("link_account")
+ ctx.Data["LinkAccountMode"] = true
+ ctx.Data["LinkAccountModeRegister"] = true
+ ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha && setting.Service.RequireExternalRegistrationCaptcha
+ ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
+ ctx.Data["Captcha"] = context.GetImageCaptcha()
+ ctx.Data["CaptchaType"] = setting.Service.CaptchaType
+ ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
+ ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
+ ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
+ ctx.Data["ShowRegistrationButton"] = false
+
+ // use this to set the right link into the signIn and signUp templates in the link_account template
+ ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
+ ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
+
+ gothUserInterface := ctx.Session.Get("linkAccountGothUser")
+ if gothUserInterface == nil {
+ ctx.ServerError("UserSignUp", errors.New("not in LinkAccount session"))
+ return
+ }
+ gothUser, ok := gothUserInterface.(goth.User)
+ if !ok {
+ ctx.ServerError("UserSignUp", fmt.Errorf("session linkAccountGothUser type is %t but not goth.User", gothUserInterface))
+ return
+ }
+
+ if ctx.HasError() {
+ ctx.HTML(http.StatusOK, tplLinkAccount)
+ return
+ }
+
+ if setting.Service.DisableRegistration || setting.Service.AllowOnlyInternalRegistration {
+ ctx.Error(http.StatusForbidden)
+ return
+ }
+
+ if setting.Service.EnableCaptcha && setting.Service.RequireExternalRegistrationCaptcha {
+ var valid bool
+ var err error
+ switch setting.Service.CaptchaType {
+ case setting.ImageCaptcha:
+ valid = context.GetImageCaptcha().VerifyReq(ctx.Req)
+ case setting.ReCaptcha:
+ valid, err = recaptcha.Verify(ctx, form.GRecaptchaResponse)
+ case setting.HCaptcha:
+ valid, err = hcaptcha.Verify(ctx, form.HcaptchaResponse)
+ default:
+ ctx.ServerError("Unknown Captcha Type", fmt.Errorf("Unknown Captcha Type: %s", setting.Service.CaptchaType))
+ return
+ }
+ if err != nil {
+ log.Debug("%s", err.Error())
+ }
+
+ if !valid {
+ ctx.Data["Err_Captcha"] = true
+ ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplLinkAccount, &form)
+ return
+ }
+ }
+
+ if !form.IsEmailDomainAllowed() {
+ ctx.RenderWithErr(ctx.Tr("auth.email_domain_blacklisted"), tplLinkAccount, &form)
+ return
+ }
+
+ if setting.Service.AllowOnlyExternalRegistration || !setting.Service.RequireExternalRegistrationPassword {
+ // In user_model.User an empty password is classed as not set, so we set form.Password to empty.
+ // Eventually the database should be changed to indicate "Second Factor"-enabled accounts
+ // (accounts that do not introduce the security vulnerabilities of a password).
+ // If a user decides to circumvent second-factor security, and purposefully create a password,
+ // they can still do so using the "Recover Account" option.
+ form.Password = ""
+ } else {
+ if (len(strings.TrimSpace(form.Password)) > 0 || len(strings.TrimSpace(form.Retype)) > 0) && form.Password != form.Retype {
+ ctx.Data["Err_Password"] = true
+ ctx.RenderWithErr(ctx.Tr("form.password_not_match"), tplLinkAccount, &form)
+ return
+ }
+ if len(strings.TrimSpace(form.Password)) > 0 && len(form.Password) < setting.MinPasswordLength {
+ ctx.Data["Err_Password"] = true
+ ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplLinkAccount, &form)
+ return
+ }
+ }
+
+ authSource, err := auth.GetActiveOAuth2SourceByName(gothUser.Provider)
+ if err != nil {
+ ctx.ServerError("CreateUser", err)
+ return
+ }
+
+ u := &user_model.User{
+ Name: form.UserName,
+ Email: form.Email,
+ Passwd: form.Password,
+ IsActive: !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm),
+ LoginType: auth.OAuth2,
+ LoginSource: authSource.ID,
+ LoginName: gothUser.UserID,
+ }
+
+ if !createAndHandleCreatedUser(ctx, tplLinkAccount, form, u, &gothUser, false) {
+ // error already handled
+ return
+ }
+
+ handleSignIn(ctx, u, false)
+}
diff --git a/routers/web/auth/main_test.go b/routers/web/auth/main_test.go
new file mode 100644
index 0000000000..2b16f3c405
--- /dev/null
+++ b/routers/web/auth/main_test.go
@@ -0,0 +1,16 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+ "path/filepath"
+ "testing"
+
+ "code.gitea.io/gitea/models/unittest"
+)
+
+func TestMain(m *testing.M) {
+ unittest.MainTest(m, filepath.Join("..", "..", ".."))
+}
diff --git a/routers/web/user/oauth.go b/routers/web/auth/oauth.go
index 166420221d..9b22773d2f 100644
--- a/routers/web/user/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -2,32 +2,40 @@
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
-package user
+package auth
import (
"encoding/base64"
+ "errors"
"fmt"
"html"
+ "io"
"net/http"
"net/url"
"strings"
"code.gitea.io/gitea/models"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
+ "code.gitea.io/gitea/models/db"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/json"
"code.gitea.io/gitea/modules/log"
+ "code.gitea.io/gitea/modules/session"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/timeutil"
"code.gitea.io/gitea/modules/web"
- "code.gitea.io/gitea/services/auth"
+ "code.gitea.io/gitea/modules/web/middleware"
+ auth_service "code.gitea.io/gitea/services/auth"
"code.gitea.io/gitea/services/auth/source/oauth2"
+ "code.gitea.io/gitea/services/externalaccount"
"code.gitea.io/gitea/services/forms"
+ user_service "code.gitea.io/gitea/services/user"
"gitea.com/go-chi/binding"
"github.com/golang-jwt/jwt"
+ "github.com/markbates/goth"
)
const (
@@ -117,7 +125,7 @@ type AccessTokenResponse struct {
IDToken string `json:"id_token,omitempty"`
}
-func newAccessTokenResponse(grant *login.OAuth2Grant, serverKey, clientKey oauth2.JWTSigningKey) (*AccessTokenResponse, *AccessTokenError) {
+func newAccessTokenResponse(grant *auth.OAuth2Grant, serverKey, clientKey oauth2.JWTSigningKey) (*AccessTokenResponse, *AccessTokenError) {
if setting.OAuth2.InvalidateRefreshTokens {
if err := grant.IncreaseCounter(); err != nil {
return nil, &AccessTokenError{
@@ -164,7 +172,7 @@ func newAccessTokenResponse(grant *login.OAuth2Grant, serverKey, clientKey oauth
// generate OpenID Connect id_token
signedIDToken := ""
if grant.ScopeContains("openid") {
- app, err := login.GetOAuth2ApplicationByID(grant.ApplicationID)
+ app, err := auth.GetOAuth2ApplicationByID(grant.ApplicationID)
if err != nil {
return nil, &AccessTokenError{
ErrorCode: AccessTokenErrorCodeInvalidRequest,
@@ -249,7 +257,7 @@ type userInfoResponse struct {
// InfoOAuth manages request for userinfo endpoint
func InfoOAuth(ctx *context.Context) {
- if ctx.User == nil || ctx.Data["AuthedMethod"] != (&auth.OAuth2{}).Name() {
+ if ctx.User == nil || ctx.Data["AuthedMethod"] != (&auth_service.OAuth2{}).Name() {
ctx.Resp.Header().Set("WWW-Authenticate", `Bearer realm=""`)
ctx.PlainText(http.StatusUnauthorized, "no valid authorization")
return
@@ -315,9 +323,9 @@ func IntrospectOAuth(ctx *context.Context) {
token, err := oauth2.ParseToken(form.Token, oauth2.DefaultSigningKey)
if err == nil {
if token.Valid() == nil {
- grant, err := login.GetOAuth2GrantByID(token.GrantID)
+ grant, err := auth.GetOAuth2GrantByID(token.GrantID)
if err == nil && grant != nil {
- app, err := login.GetOAuth2ApplicationByID(grant.ApplicationID)
+ app, err := auth.GetOAuth2ApplicationByID(grant.ApplicationID)
if err == nil && app != nil {
response.Active = true
response.Scope = grant.Scope
@@ -346,9 +354,9 @@ func AuthorizeOAuth(ctx *context.Context) {
return
}
- app, err := login.GetOAuth2ApplicationByClientID(form.ClientID)
+ app, err := auth.GetOAuth2ApplicationByClientID(form.ClientID)
if err != nil {
- if login.IsErrOauthClientIDInvalid(err) {
+ if auth.IsErrOauthClientIDInvalid(err) {
handleAuthorizeError(ctx, AuthorizeError{
ErrorCode: ErrorCodeUnauthorizedClient,
ErrorDescription: "Client ID not registered",
@@ -492,7 +500,7 @@ func GrantApplicationOAuth(ctx *context.Context) {
ctx.Error(http.StatusBadRequest)
return
}
- app, err := login.GetOAuth2ApplicationByClientID(form.ClientID)
+ app, err := auth.GetOAuth2ApplicationByClientID(form.ClientID)
if err != nil {
ctx.ServerError("GetOAuth2ApplicationByClientID", err)
return
@@ -630,7 +638,7 @@ func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, server
return
}
// get grant before increasing counter
- grant, err := login.GetOAuth2GrantByID(token.GrantID)
+ grant, err := auth.GetOAuth2GrantByID(token.GrantID)
if err != nil || grant == nil {
handleAccessTokenError(ctx, AccessTokenError{
ErrorCode: AccessTokenErrorCodeInvalidGrant,
@@ -657,7 +665,7 @@ func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, server
}
func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2.JWTSigningKey) {
- app, err := login.GetOAuth2ApplicationByClientID(form.ClientID)
+ app, err := auth.GetOAuth2ApplicationByClientID(form.ClientID)
if err != nil {
handleAccessTokenError(ctx, AccessTokenError{
ErrorCode: AccessTokenErrorCodeInvalidClient,
@@ -679,7 +687,7 @@ func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, s
})
return
}
- authorizationCode, err := login.GetOAuth2AuthorizationByCode(form.Code)
+ authorizationCode, err := auth.GetOAuth2AuthorizationByCode(form.Code)
if err != nil || authorizationCode == nil {
handleAccessTokenError(ctx, AccessTokenError{
ErrorCode: AccessTokenErrorCodeUnauthorizedClient,
@@ -750,3 +758,367 @@ func handleAuthorizeError(ctx *context.Context, authErr AuthorizeError, redirect
redirect.RawQuery = q.Encode()
ctx.Redirect(redirect.String(), 302)
}
+
+// SignInOAuth handles the OAuth2 login buttons
+func SignInOAuth(ctx *context.Context) {
+ provider := ctx.Params(":provider")
+
+ authSource, err := auth.GetActiveOAuth2SourceByName(provider)
+ if err != nil {
+ ctx.ServerError("SignIn", err)
+ return
+ }
+
+ // try to do a direct callback flow, so we don't authenticate the user again but use the valid accesstoken to get the user
+ user, gothUser, err := oAuth2UserLoginCallback(authSource, ctx.Req, ctx.Resp)
+ if err == nil && user != nil {
+ // we got the user without going through the whole OAuth2 authentication flow again
+ handleOAuth2SignIn(ctx, authSource, user, gothUser)
+ return
+ }
+
+ if err = authSource.Cfg.(*oauth2.Source).Callout(ctx.Req, ctx.Resp); err != nil {
+ if strings.Contains(err.Error(), "no provider for ") {
+ if err = oauth2.ResetOAuth2(); err != nil {
+ ctx.ServerError("SignIn", err)
+ return
+ }
+ if err = authSource.Cfg.(*oauth2.Source).Callout(ctx.Req, ctx.Resp); err != nil {
+ ctx.ServerError("SignIn", err)
+ }
+ return
+ }
+ ctx.ServerError("SignIn", err)
+ }
+ // redirect is done in oauth2.Auth
+}
+
+// SignInOAuthCallback handles the callback from the given provider
+func SignInOAuthCallback(ctx *context.Context) {
+ provider := ctx.Params(":provider")
+
+ // first look if the provider is still active
+ authSource, err := auth.GetActiveOAuth2SourceByName(provider)
+ if err != nil {
+ ctx.ServerError("SignIn", err)
+ return
+ }
+
+ if authSource == nil {
+ ctx.ServerError("SignIn", errors.New("No valid provider found, check configured callback url in provider"))
+ return
+ }
+
+ u, gothUser, err := oAuth2UserLoginCallback(authSource, ctx.Req, ctx.Resp)
+
+ if err != nil {
+ if user_model.IsErrUserProhibitLogin(err) {
+ uplerr := err.(*user_model.ErrUserProhibitLogin)
+ log.Info("Failed authentication attempt for %s from %s: %v", uplerr.Name, ctx.RemoteAddr(), err)
+ ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
+ ctx.HTML(http.StatusOK, "user/auth/prohibit_login")
+ return
+ }
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+
+ if u == nil {
+ if !setting.Service.AllowOnlyInternalRegistration && setting.OAuth2Client.EnableAutoRegistration {
+ // create new user with details from oauth2 provider
+ var missingFields []string
+ if gothUser.UserID == "" {
+ missingFields = append(missingFields, "sub")
+ }
+ if gothUser.Email == "" {
+ missingFields = append(missingFields, "email")
+ }
+ if setting.OAuth2Client.Username == setting.OAuth2UsernameNickname && gothUser.NickName == "" {
+ missingFields = append(missingFields, "nickname")
+ }
+ if len(missingFields) > 0 {
+ log.Error("OAuth2 Provider %s returned empty or missing fields: %s", authSource.Name, missingFields)
+ if authSource.IsOAuth2() && authSource.Cfg.(*oauth2.Source).Provider == "openidConnect" {
+ log.Error("You may need to change the 'OPENID_CONNECT_SCOPES' setting to request all required fields")
+ }
+ err = fmt.Errorf("OAuth2 Provider %s returned empty or missing fields: %s", authSource.Name, missingFields)
+ ctx.ServerError("CreateUser", err)
+ return
+ }
+ u = &user_model.User{
+ Name: getUserName(&gothUser),
+ FullName: gothUser.Name,
+ Email: gothUser.Email,
+ IsActive: !setting.OAuth2Client.RegisterEmailConfirm,
+ LoginType: auth.OAuth2,
+ LoginSource: authSource.ID,
+ LoginName: gothUser.UserID,
+ IsRestricted: setting.Service.DefaultUserIsRestricted,
+ }
+
+ setUserGroupClaims(authSource, u, &gothUser)
+
+ if !createAndHandleCreatedUser(ctx, base.TplName(""), nil, u, &gothUser, setting.OAuth2Client.AccountLinking != setting.OAuth2AccountLinkingDisabled) {
+ // error already handled
+ return
+ }
+ } else {
+ // no existing user is found, request attach or new account
+ showLinkingLogin(ctx, gothUser)
+ return
+ }
+ }
+
+ handleOAuth2SignIn(ctx, authSource, u, gothUser)
+}
+
+func claimValueToStringSlice(claimValue interface{}) []string {
+ var groups []string
+
+ switch rawGroup := claimValue.(type) {
+ case []string:
+ groups = rawGroup
+ default:
+ str := fmt.Sprintf("%s", rawGroup)
+ groups = strings.Split(str, ",")
+ }
+ return groups
+}
+
+func setUserGroupClaims(loginSource *auth.Source, u *user_model.User, gothUser *goth.User) bool {
+ source := loginSource.Cfg.(*oauth2.Source)
+ if source.GroupClaimName == "" || (source.AdminGroup == "" && source.RestrictedGroup == "") {
+ return false
+ }
+
+ groupClaims, has := gothUser.RawData[source.GroupClaimName]
+ if !has {
+ return false
+ }
+
+ groups := claimValueToStringSlice(groupClaims)
+
+ wasAdmin, wasRestricted := u.IsAdmin, u.IsRestricted
+
+ if source.AdminGroup != "" {
+ u.IsAdmin = false
+ }
+ if source.RestrictedGroup != "" {
+ u.IsRestricted = false
+ }
+
+ for _, g := range groups {
+ if source.AdminGroup != "" && g == source.AdminGroup {
+ u.IsAdmin = true
+ } else if source.RestrictedGroup != "" && g == source.RestrictedGroup {
+ u.IsRestricted = true
+ }
+ }
+
+ return wasAdmin != u.IsAdmin || wasRestricted != u.IsRestricted
+}
+
+func showLinkingLogin(ctx *context.Context, gothUser goth.User) {
+ if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
+ ctx.ServerError("RegenerateSession", err)
+ return
+ }
+
+ if err := ctx.Session.Set("linkAccountGothUser", gothUser); err != nil {
+ log.Error("Error setting linkAccountGothUser in session: %v", err)
+ }
+ if err := ctx.Session.Release(); err != nil {
+ log.Error("Error storing session: %v", err)
+ }
+ ctx.Redirect(setting.AppSubURL + "/user/link_account")
+}
+
+func updateAvatarIfNeed(url string, u *user_model.User) {
+ if setting.OAuth2Client.UpdateAvatar && len(url) > 0 {
+ resp, err := http.Get(url)
+ if err == nil {
+ defer func() {
+ _ = resp.Body.Close()
+ }()
+ }
+ // ignore any error
+ if err == nil && resp.StatusCode == http.StatusOK {
+ data, err := io.ReadAll(io.LimitReader(resp.Body, setting.Avatar.MaxFileSize+1))
+ if err == nil && int64(len(data)) <= setting.Avatar.MaxFileSize {
+ _ = user_service.UploadAvatar(u, data)
+ }
+ }
+ }
+}
+
+func handleOAuth2SignIn(ctx *context.Context, source *auth.Source, u *user_model.User, gothUser goth.User) {
+ updateAvatarIfNeed(gothUser.AvatarURL, u)
+
+ needs2FA := false
+ if !source.Cfg.(*oauth2.Source).SkipLocalTwoFA {
+ _, err := auth.GetTwoFactorByUID(u.ID)
+ if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+ needs2FA = err == nil
+ }
+
+ // If this user is enrolled in 2FA and this source doesn't override it,
+ // we can't sign the user in just yet. Instead, redirect them to the 2FA authentication page.
+ if !needs2FA {
+ if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
+ ctx.ServerError("RegenerateSession", err)
+ return
+ }
+
+ if err := ctx.Session.Set("uid", u.ID); err != nil {
+ log.Error("Error setting uid in session: %v", err)
+ }
+ if err := ctx.Session.Set("uname", u.Name); err != nil {
+ log.Error("Error setting uname in session: %v", err)
+ }
+ if err := ctx.Session.Release(); err != nil {
+ log.Error("Error storing session: %v", err)
+ }
+
+ // Clear whatever CSRF has right now, force to generate a new one
+ middleware.DeleteCSRFCookie(ctx.Resp)
+
+ // Register last login
+ u.SetLastLogin()
+
+ // Update GroupClaims
+ changed := setUserGroupClaims(source, u, &gothUser)
+ cols := []string{"last_login_unix"}
+ if changed {
+ cols = append(cols, "is_admin", "is_restricted")
+ }
+
+ if err := user_model.UpdateUserCols(db.DefaultContext, u, cols...); err != nil {
+ ctx.ServerError("UpdateUserCols", err)
+ return
+ }
+
+ // update external user information
+ if err := externalaccount.UpdateExternalUser(u, gothUser); err != nil {
+ log.Error("UpdateExternalUser failed: %v", err)
+ }
+
+ if err := resetLocale(ctx, u); err != nil {
+ ctx.ServerError("resetLocale", err)
+ return
+ }
+
+ if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 {
+ middleware.DeleteRedirectToCookie(ctx.Resp)
+ ctx.RedirectToFirst(redirectTo)
+ return
+ }
+
+ ctx.Redirect(setting.AppSubURL + "/")
+ return
+ }
+
+ changed := setUserGroupClaims(source, u, &gothUser)
+ if changed {
+ if err := user_model.UpdateUserCols(db.DefaultContext, u, "is_admin", "is_restricted"); err != nil {
+ ctx.ServerError("UpdateUserCols", err)
+ return
+ }
+ }
+
+ if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
+ ctx.ServerError("RegenerateSession", err)
+ return
+ }
+
+ // User needs to use 2FA, save data and redirect to 2FA page.
+ if err := ctx.Session.Set("twofaUid", u.ID); err != nil {
+ log.Error("Error setting twofaUid in session: %v", err)
+ }
+ if err := ctx.Session.Set("twofaRemember", false); err != nil {
+ log.Error("Error setting twofaRemember in session: %v", err)
+ }
+ if err := ctx.Session.Release(); err != nil {
+ log.Error("Error storing session: %v", err)
+ }
+
+ // If U2F is enrolled -> Redirect to U2F instead
+ regs, err := auth.GetU2FRegistrationsByUID(u.ID)
+ if err == nil && len(regs) > 0 {
+ ctx.Redirect(setting.AppSubURL + "/user/u2f")
+ return
+ }
+
+ ctx.Redirect(setting.AppSubURL + "/user/two_factor")
+}
+
+// OAuth2UserLoginCallback attempts to handle the callback from the OAuth2 provider and if successful
+// login the user
+func oAuth2UserLoginCallback(authSource *auth.Source, request *http.Request, response http.ResponseWriter) (*user_model.User, goth.User, error) {
+ oauth2Source := authSource.Cfg.(*oauth2.Source)
+
+ gothUser, err := oauth2Source.Callback(request, response)
+ if err != nil {
+ if err.Error() == "securecookie: the value is too long" || strings.Contains(err.Error(), "Data too long") {
+ log.Error("OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider", authSource.Name, setting.OAuth2.MaxTokenLength)
+ err = fmt.Errorf("OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider", authSource.Name, setting.OAuth2.MaxTokenLength)
+ }
+ return nil, goth.User{}, err
+ }
+
+ if oauth2Source.RequiredClaimName != "" {
+ claimInterface, has := gothUser.RawData[oauth2Source.RequiredClaimName]
+ if !has {
+ return nil, goth.User{}, user_model.ErrUserProhibitLogin{Name: gothUser.UserID}
+ }
+
+ if oauth2Source.RequiredClaimValue != "" {
+ groups := claimValueToStringSlice(claimInterface)
+ found := false
+ for _, group := range groups {
+ if group == oauth2Source.RequiredClaimValue {
+ found = true
+ break
+ }
+ }
+ if !found {
+ return nil, goth.User{}, user_model.ErrUserProhibitLogin{Name: gothUser.UserID}
+ }
+ }
+ }
+
+ user := &user_model.User{
+ LoginName: gothUser.UserID,
+ LoginType: auth.OAuth2,
+ LoginSource: authSource.ID,
+ }
+
+ hasUser, err := user_model.GetUser(user)
+ if err != nil {
+ return nil, goth.User{}, err
+ }
+
+ if hasUser {
+ return user, gothUser, nil
+ }
+
+ // search in external linked users
+ externalLoginUser := &user_model.ExternalLoginUser{
+ ExternalID: gothUser.UserID,
+ LoginSourceID: authSource.ID,
+ }
+ hasUser, err = user_model.GetExternalLogin(externalLoginUser)
+ if err != nil {
+ return nil, goth.User{}, err
+ }
+ if hasUser {
+ user, err = user_model.GetUserByID(externalLoginUser.UserID)
+ return user, gothUser, err
+ }
+
+ // no user found to login
+ return nil, gothUser, nil
+
+}
diff --git a/routers/web/user/oauth_test.go b/routers/web/auth/oauth_test.go
index e26a42b2fc..c652d901f3 100644
--- a/routers/web/user/oauth_test.go
+++ b/routers/web/auth/oauth_test.go
@@ -2,12 +2,12 @@
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
-package user
+package auth
import (
"testing"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/unittest"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/services/auth/source/oauth2"
@@ -16,7 +16,7 @@ import (
"github.com/stretchr/testify/assert"
)
-func createAndParseToken(t *testing.T, grant *login.OAuth2Grant) *oauth2.OIDCToken {
+func createAndParseToken(t *testing.T, grant *auth.OAuth2Grant) *oauth2.OIDCToken {
signingKey, err := oauth2.CreateJWTSigningKey("HS256", make([]byte, 32))
assert.NoError(t, err)
assert.NotNil(t, signingKey)
@@ -43,7 +43,7 @@ func createAndParseToken(t *testing.T, grant *login.OAuth2Grant) *oauth2.OIDCTok
func TestNewAccessTokenResponse_OIDCToken(t *testing.T) {
assert.NoError(t, unittest.PrepareTestDatabase())
- grants, err := login.GetOAuth2GrantsByUserID(3)
+ grants, err := auth.GetOAuth2GrantsByUserID(3)
assert.NoError(t, err)
assert.Len(t, grants, 1)
@@ -59,7 +59,7 @@ func TestNewAccessTokenResponse_OIDCToken(t *testing.T) {
assert.False(t, oidcToken.EmailVerified)
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5}).(*user_model.User)
- grants, err = login.GetOAuth2GrantsByUserID(user.ID)
+ grants, err = auth.GetOAuth2GrantsByUserID(user.ID)
assert.NoError(t, err)
assert.Len(t, grants, 1)
diff --git a/routers/web/user/auth_openid.go b/routers/web/auth/openid.go
index 55dd8f8d09..4395641795 100644
--- a/routers/web/user/auth_openid.go
+++ b/routers/web/auth/openid.go
@@ -2,7 +2,7 @@
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
-package user
+package auth
import (
"fmt"
diff --git a/routers/web/auth/password.go b/routers/web/auth/password.go
new file mode 100644
index 0000000000..65d5c55976
--- /dev/null
+++ b/routers/web/auth/password.go
@@ -0,0 +1,346 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+ "errors"
+ "net/http"
+
+ "code.gitea.io/gitea/models/auth"
+ "code.gitea.io/gitea/models/db"
+ user_model "code.gitea.io/gitea/models/user"
+ "code.gitea.io/gitea/modules/base"
+ "code.gitea.io/gitea/modules/context"
+ "code.gitea.io/gitea/modules/log"
+ "code.gitea.io/gitea/modules/password"
+ "code.gitea.io/gitea/modules/setting"
+ "code.gitea.io/gitea/modules/timeutil"
+ "code.gitea.io/gitea/modules/web"
+ "code.gitea.io/gitea/modules/web/middleware"
+ "code.gitea.io/gitea/routers/utils"
+ "code.gitea.io/gitea/services/forms"
+ "code.gitea.io/gitea/services/mailer"
+)
+
+var (
+ // tplMustChangePassword template for updating a user's password
+ tplMustChangePassword base.TplName = "user/auth/change_passwd"
+ tplForgotPassword base.TplName = "user/auth/forgot_passwd"
+ tplResetPassword base.TplName = "user/auth/reset_passwd"
+)
+
+// ForgotPasswd render the forget password page
+func ForgotPasswd(ctx *context.Context) {
+ ctx.Data["Title"] = ctx.Tr("auth.forgot_password_title")
+
+ if setting.MailService == nil {
+ log.Warn(ctx.Tr("auth.disable_forgot_password_mail_admin"))
+ ctx.Data["IsResetDisable"] = true
+ ctx.HTML(http.StatusOK, tplForgotPassword)
+ return
+ }
+
+ ctx.Data["Email"] = ctx.FormString("email")
+
+ ctx.Data["IsResetRequest"] = true
+ ctx.HTML(http.StatusOK, tplForgotPassword)
+}
+
+// ForgotPasswdPost response for forget password request
+func ForgotPasswdPost(ctx *context.Context) {
+ ctx.Data["Title"] = ctx.Tr("auth.forgot_password_title")
+
+ if setting.MailService == nil {
+ ctx.NotFound("ForgotPasswdPost", nil)
+ return
+ }
+ ctx.Data["IsResetRequest"] = true
+
+ email := ctx.FormString("email")
+ ctx.Data["Email"] = email
+
+ u, err := user_model.GetUserByEmail(email)
+ if err != nil {
+ if user_model.IsErrUserNotExist(err) {
+ ctx.Data["ResetPwdCodeLives"] = timeutil.MinutesToFriendly(setting.Service.ResetPwdCodeLives, ctx.Locale.Language())
+ ctx.Data["IsResetSent"] = true
+ ctx.HTML(http.StatusOK, tplForgotPassword)
+ return
+ }
+
+ ctx.ServerError("user.ResetPasswd(check existence)", err)
+ return
+ }
+
+ if !u.IsLocal() && !u.IsOAuth2() {
+ ctx.Data["Err_Email"] = true
+ ctx.RenderWithErr(ctx.Tr("auth.non_local_account"), tplForgotPassword, nil)
+ return
+ }
+
+ if ctx.Cache.IsExist("MailResendLimit_" + u.LowerName) {
+ ctx.Data["ResendLimited"] = true
+ ctx.HTML(http.StatusOK, tplForgotPassword)
+ return
+ }
+
+ mailer.SendResetPasswordMail(u)
+
+ if err = ctx.Cache.Put("MailResendLimit_"+u.LowerName, u.LowerName, 180); err != nil {
+ log.Error("Set cache(MailResendLimit) fail: %v", err)
+ }
+
+ ctx.Data["ResetPwdCodeLives"] = timeutil.MinutesToFriendly(setting.Service.ResetPwdCodeLives, ctx.Locale.Language())
+ ctx.Data["IsResetSent"] = true
+ ctx.HTML(http.StatusOK, tplForgotPassword)
+}
+
+func commonResetPassword(ctx *context.Context) (*user_model.User, *auth.TwoFactor) {
+ code := ctx.FormString("code")
+
+ ctx.Data["Title"] = ctx.Tr("auth.reset_password")
+ ctx.Data["Code"] = code
+
+ if nil != ctx.User {
+ ctx.Data["user_signed_in"] = true
+ }
+
+ if len(code) == 0 {
+ ctx.Flash.Error(ctx.Tr("auth.invalid_code"))
+ return nil, nil
+ }
+
+ // Fail early, don't frustrate the user
+ u := user_model.VerifyUserActiveCode(code)
+ if u == nil {
+ ctx.Flash.Error(ctx.Tr("auth.invalid_code"))
+ return nil, nil
+ }
+
+ twofa, err := auth.GetTwoFactorByUID(u.ID)
+ if err != nil {
+ if !auth.IsErrTwoFactorNotEnrolled(err) {
+ ctx.Error(http.StatusInternalServerError, "CommonResetPassword", err.Error())
+ return nil, nil
+ }
+ } else {
+ ctx.Data["has_two_factor"] = true
+ ctx.Data["scratch_code"] = ctx.FormBool("scratch_code")
+ }
+
+ // Show the user that they are affecting the account that they intended to
+ ctx.Data["user_email"] = u.Email
+
+ if nil != ctx.User && u.ID != ctx.User.ID {
+ ctx.Flash.Error(ctx.Tr("auth.reset_password_wrong_user", ctx.User.Email, u.Email))
+ return nil, nil
+ }
+
+ return u, twofa
+}
+
+// ResetPasswd render the account recovery page
+func ResetPasswd(ctx *context.Context) {
+ ctx.Data["IsResetForm"] = true
+
+ commonResetPassword(ctx)
+ if ctx.Written() {
+ return
+ }
+
+ ctx.HTML(http.StatusOK, tplResetPassword)
+}
+
+// ResetPasswdPost response from account recovery request
+func ResetPasswdPost(ctx *context.Context) {
+ u, twofa := commonResetPassword(ctx)
+ if ctx.Written() {
+ return
+ }
+
+ if u == nil {
+ // Flash error has been set
+ ctx.HTML(http.StatusOK, tplResetPassword)
+ return
+ }
+
+ // Validate password length.
+ passwd := ctx.FormString("password")
+ if len(passwd) < setting.MinPasswordLength {
+ ctx.Data["IsResetForm"] = true
+ ctx.Data["Err_Password"] = true
+ ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplResetPassword, nil)
+ return
+ } else if !password.IsComplexEnough(passwd) {
+ ctx.Data["IsResetForm"] = true
+ ctx.Data["Err_Password"] = true
+ ctx.RenderWithErr(password.BuildComplexityError(ctx), tplResetPassword, nil)
+ return
+ } else if pwned, err := password.IsPwned(ctx, passwd); pwned || err != nil {
+ errMsg := ctx.Tr("auth.password_pwned")
+ if err != nil {
+ log.Error(err.Error())
+ errMsg = ctx.Tr("auth.password_pwned_err")
+ }
+ ctx.Data["IsResetForm"] = true
+ ctx.Data["Err_Password"] = true
+ ctx.RenderWithErr(errMsg, tplResetPassword, nil)
+ return
+ }
+
+ // Handle two-factor
+ regenerateScratchToken := false
+ if twofa != nil {
+ if ctx.FormBool("scratch_code") {
+ if !twofa.VerifyScratchToken(ctx.FormString("token")) {
+ ctx.Data["IsResetForm"] = true
+ ctx.Data["Err_Token"] = true
+ ctx.RenderWithErr(ctx.Tr("auth.twofa_scratch_token_incorrect"), tplResetPassword, nil)
+ return
+ }
+ regenerateScratchToken = true
+ } else {
+ passcode := ctx.FormString("passcode")
+ ok, err := twofa.ValidateTOTP(passcode)
+ if err != nil {
+ ctx.Error(http.StatusInternalServerError, "ValidateTOTP", err.Error())
+ return
+ }
+ if !ok || twofa.LastUsedPasscode == passcode {
+ ctx.Data["IsResetForm"] = true
+ ctx.Data["Err_Passcode"] = true
+ ctx.RenderWithErr(ctx.Tr("auth.twofa_passcode_incorrect"), tplResetPassword, nil)
+ return
+ }
+
+ twofa.LastUsedPasscode = passcode
+ if err = auth.UpdateTwoFactor(twofa); err != nil {
+ ctx.ServerError("ResetPasswdPost: UpdateTwoFactor", err)
+ return
+ }
+ }
+ }
+ var err error
+ if u.Rands, err = user_model.GetUserSalt(); err != nil {
+ ctx.ServerError("UpdateUser", err)
+ return
+ }
+ if err = u.SetPassword(passwd); err != nil {
+ ctx.ServerError("UpdateUser", err)
+ return
+ }
+ u.MustChangePassword = false
+ if err := user_model.UpdateUserCols(db.DefaultContext, u, "must_change_password", "passwd", "passwd_hash_algo", "rands", "salt"); err != nil {
+ ctx.ServerError("UpdateUser", err)
+ return
+ }
+
+ log.Trace("User password reset: %s", u.Name)
+ ctx.Data["IsResetFailed"] = true
+ remember := len(ctx.FormString("remember")) != 0
+
+ if regenerateScratchToken {
+ // Invalidate the scratch token.
+ _, err = twofa.GenerateScratchToken()
+ if err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+ if err = auth.UpdateTwoFactor(twofa); err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+
+ handleSignInFull(ctx, u, remember, false)
+ if ctx.Written() {
+ return
+ }
+ ctx.Flash.Info(ctx.Tr("auth.twofa_scratch_used"))
+ ctx.Redirect(setting.AppSubURL + "/user/settings/security")
+ return
+ }
+
+ handleSignIn(ctx, u, remember)
+}
+
+// MustChangePassword renders the page to change a user's password
+func MustChangePassword(ctx *context.Context) {
+ ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
+ ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/settings/change_password"
+ ctx.Data["MustChangePassword"] = true
+ ctx.HTML(http.StatusOK, tplMustChangePassword)
+}
+
+// MustChangePasswordPost response for updating a user's password after his/her
+// account was created by an admin
+func MustChangePasswordPost(ctx *context.Context) {
+ form := web.GetForm(ctx).(*forms.MustChangePasswordForm)
+ ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
+ ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/settings/change_password"
+ if ctx.HasError() {
+ ctx.HTML(http.StatusOK, tplMustChangePassword)
+ return
+ }
+ u := ctx.User
+ // Make sure only requests for users who are eligible to change their password via
+ // this method passes through
+ if !u.MustChangePassword {
+ ctx.ServerError("MustUpdatePassword", errors.New("cannot update password.. Please visit the settings page"))
+ return
+ }
+
+ if form.Password != form.Retype {
+ ctx.Data["Err_Password"] = true
+ ctx.RenderWithErr(ctx.Tr("form.password_not_match"), tplMustChangePassword, &form)
+ return
+ }
+
+ if len(form.Password) < setting.MinPasswordLength {
+ ctx.Data["Err_Password"] = true
+ ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplMustChangePassword, &form)
+ return
+ }
+
+ if !password.IsComplexEnough(form.Password) {
+ ctx.Data["Err_Password"] = true
+ ctx.RenderWithErr(password.BuildComplexityError(ctx), tplMustChangePassword, &form)
+ return
+ }
+ pwned, err := password.IsPwned(ctx, form.Password)
+ if pwned {
+ ctx.Data["Err_Password"] = true
+ errMsg := ctx.Tr("auth.password_pwned")
+ if err != nil {
+ log.Error(err.Error())
+ errMsg = ctx.Tr("auth.password_pwned_err")
+ }
+ ctx.RenderWithErr(errMsg, tplMustChangePassword, &form)
+ return
+ }
+
+ if err = u.SetPassword(form.Password); err != nil {
+ ctx.ServerError("UpdateUser", err)
+ return
+ }
+
+ u.MustChangePassword = false
+
+ if err := user_model.UpdateUserCols(db.DefaultContext, u, "must_change_password", "passwd", "passwd_hash_algo", "salt"); err != nil {
+ ctx.ServerError("UpdateUser", err)
+ return
+ }
+
+ ctx.Flash.Success(ctx.Tr("settings.change_password_success"))
+
+ log.Trace("User updated password: %s", u.Name)
+
+ if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 && !utils.IsExternalURL(redirectTo) {
+ middleware.DeleteRedirectToCookie(ctx.Resp)
+ ctx.RedirectToFirst(redirectTo)
+ return
+ }
+
+ ctx.Redirect(setting.AppSubURL + "/")
+}
diff --git a/routers/web/auth/u2f.go b/routers/web/auth/u2f.go
new file mode 100644
index 0000000000..915671cd1e
--- /dev/null
+++ b/routers/web/auth/u2f.go
@@ -0,0 +1,136 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+ "errors"
+ "net/http"
+
+ "code.gitea.io/gitea/models/auth"
+ user_model "code.gitea.io/gitea/models/user"
+ "code.gitea.io/gitea/modules/base"
+ "code.gitea.io/gitea/modules/context"
+ "code.gitea.io/gitea/modules/log"
+ "code.gitea.io/gitea/modules/setting"
+ "code.gitea.io/gitea/modules/web"
+ "code.gitea.io/gitea/services/externalaccount"
+
+ "github.com/tstranex/u2f"
+)
+
+var tplU2F base.TplName = "user/auth/u2f"
+
+// U2F shows the U2F login page
+func U2F(ctx *context.Context) {
+ ctx.Data["Title"] = ctx.Tr("twofa")
+ ctx.Data["RequireU2F"] = true
+ // Check auto-login.
+ if checkAutoLogin(ctx) {
+ return
+ }
+
+ // Ensure user is in a 2FA session.
+ if ctx.Session.Get("twofaUid") == nil {
+ ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
+ return
+ }
+
+ // See whether TOTP is also available.
+ if ctx.Session.Get("totpEnrolled") != nil {
+ ctx.Data["TOTPEnrolled"] = true
+ }
+
+ ctx.HTML(http.StatusOK, tplU2F)
+}
+
+// U2FChallenge submits a sign challenge to the browser
+func U2FChallenge(ctx *context.Context) {
+ // Ensure user is in a U2F session.
+ idSess := ctx.Session.Get("twofaUid")
+ if idSess == nil {
+ ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
+ return
+ }
+ id := idSess.(int64)
+ regs, err := auth.GetU2FRegistrationsByUID(id)
+ if err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+ if len(regs) == 0 {
+ ctx.ServerError("UserSignIn", errors.New("no device registered"))
+ return
+ }
+ challenge, err := u2f.NewChallenge(setting.U2F.AppID, setting.U2F.TrustedFacets)
+ if err != nil {
+ ctx.ServerError("u2f.NewChallenge", err)
+ return
+ }
+ if err := ctx.Session.Set("u2fChallenge", challenge); err != nil {
+ ctx.ServerError("UserSignIn: unable to set u2fChallenge in session", err)
+ return
+ }
+ if err := ctx.Session.Release(); err != nil {
+ ctx.ServerError("UserSignIn: unable to store session", err)
+ }
+
+ ctx.JSON(http.StatusOK, challenge.SignRequest(regs.ToRegistrations()))
+}
+
+// U2FSign authenticates the user by signResp
+func U2FSign(ctx *context.Context) {
+ signResp := web.GetForm(ctx).(*u2f.SignResponse)
+ challSess := ctx.Session.Get("u2fChallenge")
+ idSess := ctx.Session.Get("twofaUid")
+ if challSess == nil || idSess == nil {
+ ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
+ return
+ }
+ challenge := challSess.(*u2f.Challenge)
+ id := idSess.(int64)
+ regs, err := auth.GetU2FRegistrationsByUID(id)
+ if err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+ for _, reg := range regs {
+ r, err := reg.Parse()
+ if err != nil {
+ log.Error("parsing u2f registration: %v", err)
+ continue
+ }
+ newCounter, authErr := r.Authenticate(*signResp, *challenge, reg.Counter)
+ if authErr == nil {
+ reg.Counter = newCounter
+ user, err := user_model.GetUserByID(id)
+ if err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+ remember := ctx.Session.Get("twofaRemember").(bool)
+ if err := reg.UpdateCounter(); err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+
+ if ctx.Session.Get("linkAccount") != nil {
+ if err := externalaccount.LinkAccountFromStore(ctx.Session, user); err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+ }
+ redirect := handleSignInFull(ctx, user, remember, false)
+ if ctx.Written() {
+ return
+ }
+ if redirect == "" {
+ redirect = setting.AppSubURL + "/"
+ }
+ ctx.PlainText(http.StatusOK, redirect)
+ return
+ }
+ }
+ ctx.Error(http.StatusUnauthorized)
+}
diff --git a/routers/web/events/events.go b/routers/web/events/events.go
index 974aa755d1..41f52375c3 100644
--- a/routers/web/events/events.go
+++ b/routers/web/events/events.go
@@ -17,7 +17,7 @@ import (
"code.gitea.io/gitea/modules/json"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
- "code.gitea.io/gitea/routers/web/user"
+ "code.gitea.io/gitea/routers/web/auth"
)
// Events listens for events
@@ -133,7 +133,7 @@ loop:
}).WriteTo(ctx.Resp)
ctx.Resp.Flush()
go unregister()
- user.HandleSignOut(ctx)
+ auth.HandleSignOut(ctx)
break loop
}
// Replace the event - we don't want to expose the session ID to the user
diff --git a/routers/web/home.go b/routers/web/home.go
index f50197691f..ed81d84c7f 100644
--- a/routers/web/home.go
+++ b/routers/web/home.go
@@ -13,6 +13,7 @@ import (
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/web/middleware"
+ "code.gitea.io/gitea/routers/web/auth"
"code.gitea.io/gitea/routers/web/user"
)
@@ -26,7 +27,7 @@ func Home(ctx *context.Context) {
if ctx.IsSigned {
if !ctx.User.IsActive && setting.Service.RegisterEmailConfirm {
ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
- ctx.HTML(http.StatusOK, user.TplActivate)
+ ctx.HTML(http.StatusOK, auth.TplActivate)
} else if !ctx.User.IsActive || ctx.User.ProhibitLogin {
log.Info("Failed authentication attempt for %s from %s", ctx.User.Name, ctx.RemoteAddr())
ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
diff --git a/routers/web/repo/http.go b/routers/web/repo/http.go
index 64e617dc4a..6ebf6a789a 100644
--- a/routers/web/repo/http.go
+++ b/routers/web/repo/http.go
@@ -20,8 +20,8 @@ import (
"time"
"code.gitea.io/gitea/models"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/login"
"code.gitea.io/gitea/models/perm"
repo_model "code.gitea.io/gitea/models/repo"
"code.gitea.io/gitea/models/unit"
@@ -179,12 +179,12 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
}
if ctx.IsBasicAuth && ctx.Data["IsApiToken"] != true {
- _, err = login.GetTwoFactorByUID(ctx.User.ID)
+ _, err = auth.GetTwoFactorByUID(ctx.User.ID)
if err == nil {
// TODO: This response should be changed to "invalid credentials" for security reasons once the expectation behind it (creating an app token to authenticate) is properly documented
ctx.PlainText(http.StatusUnauthorized, "Users with two-factor authentication enabled cannot perform HTTP/HTTPS operations via plain username and password. Please create and use a personal access token on the user settings page")
return
- } else if !login.IsErrTwoFactorNotEnrolled(err) {
+ } else if !auth.IsErrTwoFactorNotEnrolled(err) {
ctx.ServerError("IsErrTwoFactorNotEnrolled", err)
return
}
diff --git a/routers/web/user/auth.go b/routers/web/user/auth.go
deleted file mode 100644
index 356a907859..0000000000
--- a/routers/web/user/auth.go
+++ /dev/null
@@ -1,2006 +0,0 @@
-// Copyright 2014 The Gogs Authors. All rights reserved.
-// Copyright 2018 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package user
-
-import (
- "errors"
- "fmt"
- "io"
- "net/http"
- "strings"
-
- "code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/login"
- user_model "code.gitea.io/gitea/models/user"
- "code.gitea.io/gitea/modules/base"
- "code.gitea.io/gitea/modules/context"
- "code.gitea.io/gitea/modules/eventsource"
- "code.gitea.io/gitea/modules/hcaptcha"
- "code.gitea.io/gitea/modules/log"
- "code.gitea.io/gitea/modules/password"
- "code.gitea.io/gitea/modules/recaptcha"
- "code.gitea.io/gitea/modules/session"
- "code.gitea.io/gitea/modules/setting"
- "code.gitea.io/gitea/modules/timeutil"
- "code.gitea.io/gitea/modules/web"
- "code.gitea.io/gitea/modules/web/middleware"
- "code.gitea.io/gitea/routers/utils"
- "code.gitea.io/gitea/services/auth"
- "code.gitea.io/gitea/services/auth/source/oauth2"
- "code.gitea.io/gitea/services/externalaccount"
- "code.gitea.io/gitea/services/forms"
- "code.gitea.io/gitea/services/mailer"
- user_service "code.gitea.io/gitea/services/user"
-
- "github.com/markbates/goth"
- "github.com/tstranex/u2f"
-)
-
-const (
- // tplMustChangePassword template for updating a user's password
- tplMustChangePassword = "user/auth/change_passwd"
- // tplSignIn template for sign in page
- tplSignIn base.TplName = "user/auth/signin"
- // tplSignUp template path for sign up page
- tplSignUp base.TplName = "user/auth/signup"
- // TplActivate template path for activate user
- TplActivate base.TplName = "user/auth/activate"
- tplForgotPassword base.TplName = "user/auth/forgot_passwd"
- tplResetPassword base.TplName = "user/auth/reset_passwd"
- tplTwofa base.TplName = "user/auth/twofa"
- tplTwofaScratch base.TplName = "user/auth/twofa_scratch"
- tplLinkAccount base.TplName = "user/auth/link_account"
- tplU2F base.TplName = "user/auth/u2f"
-)
-
-// AutoSignIn reads cookie and try to auto-login.
-func AutoSignIn(ctx *context.Context) (bool, error) {
- if !db.HasEngine {
- return false, nil
- }
-
- uname := ctx.GetCookie(setting.CookieUserName)
- if len(uname) == 0 {
- return false, nil
- }
-
- isSucceed := false
- defer func() {
- if !isSucceed {
- log.Trace("auto-login cookie cleared: %s", uname)
- ctx.DeleteCookie(setting.CookieUserName)
- ctx.DeleteCookie(setting.CookieRememberName)
- }
- }()
-
- u, err := user_model.GetUserByName(uname)
- if err != nil {
- if !user_model.IsErrUserNotExist(err) {
- return false, fmt.Errorf("GetUserByName: %v", err)
- }
- return false, nil
- }
-
- if val, ok := ctx.GetSuperSecureCookie(
- base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); !ok || val != u.Name {
- return false, nil
- }
-
- isSucceed = true
-
- if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
- return false, fmt.Errorf("unable to RegenerateSession: Error: %w", err)
- }
-
- // Set session IDs
- if err := ctx.Session.Set("uid", u.ID); err != nil {
- return false, err
- }
- if err := ctx.Session.Set("uname", u.Name); err != nil {
- return false, err
- }
- if err := ctx.Session.Release(); err != nil {
- return false, err
- }
-
- if err := resetLocale(ctx, u); err != nil {
- return false, err
- }
-
- middleware.DeleteCSRFCookie(ctx.Resp)
- return true, nil
-}
-
-func resetLocale(ctx *context.Context, u *user_model.User) error {
- // Language setting of the user overwrites the one previously set
- // If the user does not have a locale set, we save the current one.
- if len(u.Language) == 0 {
- u.Language = ctx.Locale.Language()
- if err := user_model.UpdateUserCols(db.DefaultContext, u, "language"); err != nil {
- return err
- }
- }
-
- middleware.SetLocaleCookie(ctx.Resp, u.Language, 0)
-
- if ctx.Locale.Language() != u.Language {
- ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
- }
-
- return nil
-}
-
-func checkAutoLogin(ctx *context.Context) bool {
- // Check auto-login.
- isSucceed, err := AutoSignIn(ctx)
- if err != nil {
- ctx.ServerError("AutoSignIn", err)
- return true
- }
-
- redirectTo := ctx.FormString("redirect_to")
- if len(redirectTo) > 0 {
- middleware.SetRedirectToCookie(ctx.Resp, redirectTo)
- } else {
- redirectTo = ctx.GetCookie("redirect_to")
- }
-
- if isSucceed {
- middleware.DeleteRedirectToCookie(ctx.Resp)
- ctx.RedirectToFirst(redirectTo, setting.AppSubURL+string(setting.LandingPageURL))
- return true
- }
-
- return false
-}
-
-// SignIn render sign in page
-func SignIn(ctx *context.Context) {
- ctx.Data["Title"] = ctx.Tr("sign_in")
-
- // Check auto-login.
- if checkAutoLogin(ctx) {
- return
- }
-
- orderedOAuth2Names, oauth2Providers, err := oauth2.GetActiveOAuth2Providers()
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
- ctx.Data["OrderedOAuth2Names"] = orderedOAuth2Names
- ctx.Data["OAuth2Providers"] = oauth2Providers
- ctx.Data["Title"] = ctx.Tr("sign_in")
- ctx.Data["SignInLink"] = setting.AppSubURL + "/user/login"
- ctx.Data["PageIsSignIn"] = true
- ctx.Data["PageIsLogin"] = true
- ctx.Data["EnableSSPI"] = login.IsSSPIEnabled()
-
- ctx.HTML(http.StatusOK, tplSignIn)
-}
-
-// SignInPost response for sign in request
-func SignInPost(ctx *context.Context) {
- ctx.Data["Title"] = ctx.Tr("sign_in")
-
- orderedOAuth2Names, oauth2Providers, err := oauth2.GetActiveOAuth2Providers()
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
- ctx.Data["OrderedOAuth2Names"] = orderedOAuth2Names
- ctx.Data["OAuth2Providers"] = oauth2Providers
- ctx.Data["Title"] = ctx.Tr("sign_in")
- ctx.Data["SignInLink"] = setting.AppSubURL + "/user/login"
- ctx.Data["PageIsSignIn"] = true
- ctx.Data["PageIsLogin"] = true
- ctx.Data["EnableSSPI"] = login.IsSSPIEnabled()
-
- if ctx.HasError() {
- ctx.HTML(http.StatusOK, tplSignIn)
- return
- }
-
- form := web.GetForm(ctx).(*forms.SignInForm)
- u, source, err := auth.UserSignIn(form.UserName, form.Password)
- if err != nil {
- if user_model.IsErrUserNotExist(err) {
- ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplSignIn, &form)
- log.Info("Failed authentication attempt for %s from %s: %v", form.UserName, ctx.RemoteAddr(), err)
- } else if user_model.IsErrEmailAlreadyUsed(err) {
- ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tplSignIn, &form)
- log.Info("Failed authentication attempt for %s from %s: %v", form.UserName, ctx.RemoteAddr(), err)
- } else if user_model.IsErrUserProhibitLogin(err) {
- log.Info("Failed authentication attempt for %s from %s: %v", form.UserName, ctx.RemoteAddr(), err)
- ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
- ctx.HTML(http.StatusOK, "user/auth/prohibit_login")
- } else if user_model.IsErrUserInactive(err) {
- if setting.Service.RegisterEmailConfirm {
- ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
- ctx.HTML(http.StatusOK, TplActivate)
- } else {
- log.Info("Failed authentication attempt for %s from %s: %v", form.UserName, ctx.RemoteAddr(), err)
- ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
- ctx.HTML(http.StatusOK, "user/auth/prohibit_login")
- }
- } else {
- ctx.ServerError("UserSignIn", err)
- }
- return
- }
-
- // Now handle 2FA:
-
- // First of all if the source can skip local two fa we're done
- if skipper, ok := source.Cfg.(auth.LocalTwoFASkipper); ok && skipper.IsSkipLocalTwoFA() {
- handleSignIn(ctx, u, form.Remember)
- return
- }
-
- // If this user is enrolled in 2FA TOTP, we can't sign the user in just yet.
- // Instead, redirect them to the 2FA authentication page.
- hasTOTPtwofa, err := login.HasTwoFactorByUID(u.ID)
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- // Check if the user has u2f registration
- hasU2Ftwofa, err := login.HasU2FRegistrationsByUID(u.ID)
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- if !hasTOTPtwofa && !hasU2Ftwofa {
- // No two factor auth configured we can sign in the user
- handleSignIn(ctx, u, form.Remember)
- return
- }
-
- if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
- ctx.ServerError("UserSignIn: Unable to set regenerate session", err)
- return
- }
-
- // User will need to use 2FA TOTP or U2F, save data
- if err := ctx.Session.Set("twofaUid", u.ID); err != nil {
- ctx.ServerError("UserSignIn: Unable to set twofaUid in session", err)
- return
- }
-
- if err := ctx.Session.Set("twofaRemember", form.Remember); err != nil {
- ctx.ServerError("UserSignIn: Unable to set twofaRemember in session", err)
- return
- }
-
- if hasTOTPtwofa {
- // User will need to use U2F, save data
- if err := ctx.Session.Set("totpEnrolled", u.ID); err != nil {
- ctx.ServerError("UserSignIn: Unable to set u2fEnrolled in session", err)
- return
- }
- }
-
- if err := ctx.Session.Release(); err != nil {
- ctx.ServerError("UserSignIn: Unable to save session", err)
- return
- }
-
- // If we have U2F redirect there first
- if hasU2Ftwofa {
- ctx.Redirect(setting.AppSubURL + "/user/u2f")
- return
- }
-
- // Fallback to 2FA
- ctx.Redirect(setting.AppSubURL + "/user/two_factor")
-}
-
-// TwoFactor shows the user a two-factor authentication page.
-func TwoFactor(ctx *context.Context) {
- ctx.Data["Title"] = ctx.Tr("twofa")
-
- // Check auto-login.
- if checkAutoLogin(ctx) {
- return
- }
-
- // Ensure user is in a 2FA session.
- if ctx.Session.Get("twofaUid") == nil {
- ctx.ServerError("UserSignIn", errors.New("not in 2FA session"))
- return
- }
-
- ctx.HTML(http.StatusOK, tplTwofa)
-}
-
-// TwoFactorPost validates a user's two-factor authentication token.
-func TwoFactorPost(ctx *context.Context) {
- form := web.GetForm(ctx).(*forms.TwoFactorAuthForm)
- ctx.Data["Title"] = ctx.Tr("twofa")
-
- // Ensure user is in a 2FA session.
- idSess := ctx.Session.Get("twofaUid")
- if idSess == nil {
- ctx.ServerError("UserSignIn", errors.New("not in 2FA session"))
- return
- }
-
- id := idSess.(int64)
- twofa, err := login.GetTwoFactorByUID(id)
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- // Validate the passcode with the stored TOTP secret.
- ok, err := twofa.ValidateTOTP(form.Passcode)
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- if ok && twofa.LastUsedPasscode != form.Passcode {
- remember := ctx.Session.Get("twofaRemember").(bool)
- u, err := user_model.GetUserByID(id)
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- if ctx.Session.Get("linkAccount") != nil {
- if err := externalaccount.LinkAccountFromStore(ctx.Session, u); err != nil {
- ctx.ServerError("UserSignIn", err)
- }
- }
-
- twofa.LastUsedPasscode = form.Passcode
- if err = login.UpdateTwoFactor(twofa); err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- handleSignIn(ctx, u, remember)
- return
- }
-
- ctx.RenderWithErr(ctx.Tr("auth.twofa_passcode_incorrect"), tplTwofa, forms.TwoFactorAuthForm{})
-}
-
-// TwoFactorScratch shows the scratch code form for two-factor authentication.
-func TwoFactorScratch(ctx *context.Context) {
- ctx.Data["Title"] = ctx.Tr("twofa_scratch")
-
- // Check auto-login.
- if checkAutoLogin(ctx) {
- return
- }
-
- // Ensure user is in a 2FA session.
- if ctx.Session.Get("twofaUid") == nil {
- ctx.ServerError("UserSignIn", errors.New("not in 2FA session"))
- return
- }
-
- ctx.HTML(http.StatusOK, tplTwofaScratch)
-}
-
-// TwoFactorScratchPost validates and invalidates a user's two-factor scratch token.
-func TwoFactorScratchPost(ctx *context.Context) {
- form := web.GetForm(ctx).(*forms.TwoFactorScratchAuthForm)
- ctx.Data["Title"] = ctx.Tr("twofa_scratch")
-
- // Ensure user is in a 2FA session.
- idSess := ctx.Session.Get("twofaUid")
- if idSess == nil {
- ctx.ServerError("UserSignIn", errors.New("not in 2FA session"))
- return
- }
-
- id := idSess.(int64)
- twofa, err := login.GetTwoFactorByUID(id)
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- // Validate the passcode with the stored TOTP secret.
- if twofa.VerifyScratchToken(form.Token) {
- // Invalidate the scratch token.
- _, err = twofa.GenerateScratchToken()
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
- if err = login.UpdateTwoFactor(twofa); err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- remember := ctx.Session.Get("twofaRemember").(bool)
- u, err := user_model.GetUserByID(id)
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- handleSignInFull(ctx, u, remember, false)
- if ctx.Written() {
- return
- }
- ctx.Flash.Info(ctx.Tr("auth.twofa_scratch_used"))
- ctx.Redirect(setting.AppSubURL + "/user/settings/security")
- return
- }
-
- ctx.RenderWithErr(ctx.Tr("auth.twofa_scratch_token_incorrect"), tplTwofaScratch, forms.TwoFactorScratchAuthForm{})
-}
-
-// U2F shows the U2F login page
-func U2F(ctx *context.Context) {
- ctx.Data["Title"] = ctx.Tr("twofa")
- ctx.Data["RequireU2F"] = true
- // Check auto-login.
- if checkAutoLogin(ctx) {
- return
- }
-
- // Ensure user is in a 2FA session.
- if ctx.Session.Get("twofaUid") == nil {
- ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
- return
- }
-
- // See whether TOTP is also available.
- if ctx.Session.Get("totpEnrolled") != nil {
- ctx.Data["TOTPEnrolled"] = true
- }
-
- ctx.HTML(http.StatusOK, tplU2F)
-}
-
-// U2FChallenge submits a sign challenge to the browser
-func U2FChallenge(ctx *context.Context) {
- // Ensure user is in a U2F session.
- idSess := ctx.Session.Get("twofaUid")
- if idSess == nil {
- ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
- return
- }
- id := idSess.(int64)
- regs, err := login.GetU2FRegistrationsByUID(id)
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
- if len(regs) == 0 {
- ctx.ServerError("UserSignIn", errors.New("no device registered"))
- return
- }
- challenge, err := u2f.NewChallenge(setting.U2F.AppID, setting.U2F.TrustedFacets)
- if err != nil {
- ctx.ServerError("u2f.NewChallenge", err)
- return
- }
- if err := ctx.Session.Set("u2fChallenge", challenge); err != nil {
- ctx.ServerError("UserSignIn: unable to set u2fChallenge in session", err)
- return
- }
- if err := ctx.Session.Release(); err != nil {
- ctx.ServerError("UserSignIn: unable to store session", err)
- }
-
- ctx.JSON(http.StatusOK, challenge.SignRequest(regs.ToRegistrations()))
-}
-
-// U2FSign authenticates the user by signResp
-func U2FSign(ctx *context.Context) {
- signResp := web.GetForm(ctx).(*u2f.SignResponse)
- challSess := ctx.Session.Get("u2fChallenge")
- idSess := ctx.Session.Get("twofaUid")
- if challSess == nil || idSess == nil {
- ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
- return
- }
- challenge := challSess.(*u2f.Challenge)
- id := idSess.(int64)
- regs, err := login.GetU2FRegistrationsByUID(id)
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
- for _, reg := range regs {
- r, err := reg.Parse()
- if err != nil {
- log.Error("parsing u2f registration: %v", err)
- continue
- }
- newCounter, authErr := r.Authenticate(*signResp, *challenge, reg.Counter)
- if authErr == nil {
- reg.Counter = newCounter
- user, err := user_model.GetUserByID(id)
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
- remember := ctx.Session.Get("twofaRemember").(bool)
- if err := reg.UpdateCounter(); err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- if ctx.Session.Get("linkAccount") != nil {
- if err := externalaccount.LinkAccountFromStore(ctx.Session, user); err != nil {
- ctx.ServerError("UserSignIn", err)
- }
- }
- redirect := handleSignInFull(ctx, user, remember, false)
- if ctx.Written() {
- return
- }
- if redirect == "" {
- redirect = setting.AppSubURL + "/"
- }
- ctx.PlainText(http.StatusOK, redirect)
- return
- }
- }
- ctx.Error(http.StatusUnauthorized)
-}
-
-// This handles the final part of the sign-in process of the user.
-func handleSignIn(ctx *context.Context, u *user_model.User, remember bool) {
- redirect := handleSignInFull(ctx, u, remember, true)
- if ctx.Written() {
- return
- }
- ctx.Redirect(redirect)
-}
-
-func handleSignInFull(ctx *context.Context, u *user_model.User, remember, obeyRedirect bool) string {
- if remember {
- days := 86400 * setting.LogInRememberDays
- ctx.SetCookie(setting.CookieUserName, u.Name, days)
- ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd),
- setting.CookieRememberName, u.Name, days)
- }
-
- if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
- ctx.ServerError("RegenerateSession", err)
- return setting.AppSubURL + "/"
- }
-
- // Delete the openid, 2fa and linkaccount data
- _ = ctx.Session.Delete("openid_verified_uri")
- _ = ctx.Session.Delete("openid_signin_remember")
- _ = ctx.Session.Delete("openid_determined_email")
- _ = ctx.Session.Delete("openid_determined_username")
- _ = ctx.Session.Delete("twofaUid")
- _ = ctx.Session.Delete("twofaRemember")
- _ = ctx.Session.Delete("u2fChallenge")
- _ = ctx.Session.Delete("linkAccount")
- if err := ctx.Session.Set("uid", u.ID); err != nil {
- log.Error("Error setting uid %d in session: %v", u.ID, err)
- }
- if err := ctx.Session.Set("uname", u.Name); err != nil {
- log.Error("Error setting uname %s session: %v", u.Name, err)
- }
- if err := ctx.Session.Release(); err != nil {
- log.Error("Unable to store session: %v", err)
- }
-
- // Language setting of the user overwrites the one previously set
- // If the user does not have a locale set, we save the current one.
- if len(u.Language) == 0 {
- u.Language = ctx.Locale.Language()
- if err := user_model.UpdateUserCols(db.DefaultContext, u, "language"); err != nil {
- ctx.ServerError("UpdateUserCols Language", fmt.Errorf("Error updating user language [user: %d, locale: %s]", u.ID, u.Language))
- return setting.AppSubURL + "/"
- }
- }
-
- middleware.SetLocaleCookie(ctx.Resp, u.Language, 0)
-
- if ctx.Locale.Language() != u.Language {
- ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
- }
-
- // Clear whatever CSRF has right now, force to generate a new one
- middleware.DeleteCSRFCookie(ctx.Resp)
-
- // Register last login
- u.SetLastLogin()
- if err := user_model.UpdateUserCols(db.DefaultContext, u, "last_login_unix"); err != nil {
- ctx.ServerError("UpdateUserCols", err)
- return setting.AppSubURL + "/"
- }
-
- if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 && !utils.IsExternalURL(redirectTo) {
- middleware.DeleteRedirectToCookie(ctx.Resp)
- if obeyRedirect {
- ctx.RedirectToFirst(redirectTo)
- }
- return redirectTo
- }
-
- if obeyRedirect {
- ctx.Redirect(setting.AppSubURL + "/")
- }
- return setting.AppSubURL + "/"
-}
-
-// SignInOAuth handles the OAuth2 login buttons
-func SignInOAuth(ctx *context.Context) {
- provider := ctx.Params(":provider")
-
- loginSource, err := login.GetActiveOAuth2LoginSourceByName(provider)
- if err != nil {
- ctx.ServerError("SignIn", err)
- return
- }
-
- // try to do a direct callback flow, so we don't authenticate the user again but use the valid accesstoken to get the user
- user, gothUser, err := oAuth2UserLoginCallback(loginSource, ctx.Req, ctx.Resp)
- if err == nil && user != nil {
- // we got the user without going through the whole OAuth2 authentication flow again
- handleOAuth2SignIn(ctx, loginSource, user, gothUser)
- return
- }
-
- if err = loginSource.Cfg.(*oauth2.Source).Callout(ctx.Req, ctx.Resp); err != nil {
- if strings.Contains(err.Error(), "no provider for ") {
- if err = oauth2.ResetOAuth2(); err != nil {
- ctx.ServerError("SignIn", err)
- return
- }
- if err = loginSource.Cfg.(*oauth2.Source).Callout(ctx.Req, ctx.Resp); err != nil {
- ctx.ServerError("SignIn", err)
- }
- return
- }
- ctx.ServerError("SignIn", err)
- }
- // redirect is done in oauth2.Auth
-}
-
-// SignInOAuthCallback handles the callback from the given provider
-func SignInOAuthCallback(ctx *context.Context) {
- provider := ctx.Params(":provider")
-
- // first look if the provider is still active
- loginSource, err := login.GetActiveOAuth2LoginSourceByName(provider)
- if err != nil {
- ctx.ServerError("SignIn", err)
- return
- }
-
- if loginSource == nil {
- ctx.ServerError("SignIn", errors.New("No valid provider found, check configured callback url in provider"))
- return
- }
-
- u, gothUser, err := oAuth2UserLoginCallback(loginSource, ctx.Req, ctx.Resp)
-
- if err != nil {
- if user_model.IsErrUserProhibitLogin(err) {
- uplerr := err.(*user_model.ErrUserProhibitLogin)
- log.Info("Failed authentication attempt for %s from %s: %v", uplerr.Name, ctx.RemoteAddr(), err)
- ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
- ctx.HTML(http.StatusOK, "user/auth/prohibit_login")
- return
- }
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- if u == nil {
- if !setting.Service.AllowOnlyInternalRegistration && setting.OAuth2Client.EnableAutoRegistration {
- // create new user with details from oauth2 provider
- var missingFields []string
- if gothUser.UserID == "" {
- missingFields = append(missingFields, "sub")
- }
- if gothUser.Email == "" {
- missingFields = append(missingFields, "email")
- }
- if setting.OAuth2Client.Username == setting.OAuth2UsernameNickname && gothUser.NickName == "" {
- missingFields = append(missingFields, "nickname")
- }
- if len(missingFields) > 0 {
- log.Error("OAuth2 Provider %s returned empty or missing fields: %s", loginSource.Name, missingFields)
- if loginSource.IsOAuth2() && loginSource.Cfg.(*oauth2.Source).Provider == "openidConnect" {
- log.Error("You may need to change the 'OPENID_CONNECT_SCOPES' setting to request all required fields")
- }
- err = fmt.Errorf("OAuth2 Provider %s returned empty or missing fields: %s", loginSource.Name, missingFields)
- ctx.ServerError("CreateUser", err)
- return
- }
- u = &user_model.User{
- Name: getUserName(&gothUser),
- FullName: gothUser.Name,
- Email: gothUser.Email,
- IsActive: !setting.OAuth2Client.RegisterEmailConfirm,
- LoginType: login.OAuth2,
- LoginSource: loginSource.ID,
- LoginName: gothUser.UserID,
- IsRestricted: setting.Service.DefaultUserIsRestricted,
- }
-
- setUserGroupClaims(loginSource, u, &gothUser)
-
- if !createAndHandleCreatedUser(ctx, base.TplName(""), nil, u, &gothUser, setting.OAuth2Client.AccountLinking != setting.OAuth2AccountLinkingDisabled) {
- // error already handled
- return
- }
- } else {
- // no existing user is found, request attach or new account
- showLinkingLogin(ctx, gothUser)
- return
- }
- }
-
- handleOAuth2SignIn(ctx, loginSource, u, gothUser)
-}
-
-func claimValueToStringSlice(claimValue interface{}) []string {
- var groups []string
-
- switch rawGroup := claimValue.(type) {
- case []string:
- groups = rawGroup
- default:
- str := fmt.Sprintf("%s", rawGroup)
- groups = strings.Split(str, ",")
- }
- return groups
-}
-
-func setUserGroupClaims(loginSource *login.Source, u *user_model.User, gothUser *goth.User) bool {
-
- source := loginSource.Cfg.(*oauth2.Source)
- if source.GroupClaimName == "" || (source.AdminGroup == "" && source.RestrictedGroup == "") {
- return false
- }
-
- groupClaims, has := gothUser.RawData[source.GroupClaimName]
- if !has {
- return false
- }
-
- groups := claimValueToStringSlice(groupClaims)
-
- wasAdmin, wasRestricted := u.IsAdmin, u.IsRestricted
-
- if source.AdminGroup != "" {
- u.IsAdmin = false
- }
- if source.RestrictedGroup != "" {
- u.IsRestricted = false
- }
-
- for _, g := range groups {
- if source.AdminGroup != "" && g == source.AdminGroup {
- u.IsAdmin = true
- } else if source.RestrictedGroup != "" && g == source.RestrictedGroup {
- u.IsRestricted = true
- }
- }
-
- return wasAdmin != u.IsAdmin || wasRestricted != u.IsRestricted
-}
-
-func getUserName(gothUser *goth.User) string {
- switch setting.OAuth2Client.Username {
- case setting.OAuth2UsernameEmail:
- return strings.Split(gothUser.Email, "@")[0]
- case setting.OAuth2UsernameNickname:
- return gothUser.NickName
- default: // OAuth2UsernameUserid
- return gothUser.UserID
- }
-}
-
-func showLinkingLogin(ctx *context.Context, gothUser goth.User) {
- if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
- ctx.ServerError("RegenerateSession", err)
- return
- }
-
- if err := ctx.Session.Set("linkAccountGothUser", gothUser); err != nil {
- log.Error("Error setting linkAccountGothUser in session: %v", err)
- }
- if err := ctx.Session.Release(); err != nil {
- log.Error("Error storing session: %v", err)
- }
- ctx.Redirect(setting.AppSubURL + "/user/link_account")
-}
-
-func updateAvatarIfNeed(url string, u *user_model.User) {
- if setting.OAuth2Client.UpdateAvatar && len(url) > 0 {
- resp, err := http.Get(url)
- if err == nil {
- defer func() {
- _ = resp.Body.Close()
- }()
- }
- // ignore any error
- if err == nil && resp.StatusCode == http.StatusOK {
- data, err := io.ReadAll(io.LimitReader(resp.Body, setting.Avatar.MaxFileSize+1))
- if err == nil && int64(len(data)) <= setting.Avatar.MaxFileSize {
- _ = user_service.UploadAvatar(u, data)
- }
- }
- }
-}
-
-func handleOAuth2SignIn(ctx *context.Context, source *login.Source, u *user_model.User, gothUser goth.User) {
- updateAvatarIfNeed(gothUser.AvatarURL, u)
-
- needs2FA := false
- if !source.Cfg.(*oauth2.Source).SkipLocalTwoFA {
- _, err := login.GetTwoFactorByUID(u.ID)
- if err != nil && !login.IsErrTwoFactorNotEnrolled(err) {
- ctx.ServerError("UserSignIn", err)
- return
- }
- needs2FA = err == nil
- }
-
- // If this user is enrolled in 2FA and this source doesn't override it,
- // we can't sign the user in just yet. Instead, redirect them to the 2FA authentication page.
- if !needs2FA {
- if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
- ctx.ServerError("RegenerateSession", err)
- return
- }
-
- // Set session IDs
- if err := ctx.Session.Set("uid", u.ID); err != nil {
- log.Error("Error setting uid in session: %v", err)
- }
- if err := ctx.Session.Set("uname", u.Name); err != nil {
- log.Error("Error setting uname in session: %v", err)
- }
- if err := ctx.Session.Release(); err != nil {
- log.Error("Error storing session: %v", err)
- }
-
- // Clear whatever CSRF has right now, force to generate a new one
- middleware.DeleteCSRFCookie(ctx.Resp)
-
- // Register last login
- u.SetLastLogin()
-
- // Update GroupClaims
- changed := setUserGroupClaims(source, u, &gothUser)
- cols := []string{"last_login_unix"}
- if changed {
- cols = append(cols, "is_admin", "is_restricted")
- }
-
- if err := user_model.UpdateUserCols(db.DefaultContext, u, cols...); err != nil {
- ctx.ServerError("UpdateUserCols", err)
- return
- }
-
- // update external user information
- if err := externalaccount.UpdateExternalUser(u, gothUser); err != nil {
- log.Error("UpdateExternalUser failed: %v", err)
- }
-
- if err := resetLocale(ctx, u); err != nil {
- ctx.ServerError("resetLocale", err)
- return
- }
-
- if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 {
- middleware.DeleteRedirectToCookie(ctx.Resp)
- ctx.RedirectToFirst(redirectTo)
- return
- }
-
- ctx.Redirect(setting.AppSubURL + "/")
- return
- }
-
- changed := setUserGroupClaims(source, u, &gothUser)
- if changed {
- if err := user_model.UpdateUserCols(db.DefaultContext, u, "is_admin", "is_restricted"); err != nil {
- ctx.ServerError("UpdateUserCols", err)
- return
- }
- }
-
- if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
- ctx.ServerError("RegenerateSession", err)
- return
- }
-
- // User needs to use 2FA, save data and redirect to 2FA page.
- if err := ctx.Session.Set("twofaUid", u.ID); err != nil {
- log.Error("Error setting twofaUid in session: %v", err)
- }
- if err := ctx.Session.Set("twofaRemember", false); err != nil {
- log.Error("Error setting twofaRemember in session: %v", err)
- }
- if err := ctx.Session.Release(); err != nil {
- log.Error("Error storing session: %v", err)
- }
-
- // If U2F is enrolled -> Redirect to U2F instead
- regs, err := login.GetU2FRegistrationsByUID(u.ID)
- if err == nil && len(regs) > 0 {
- ctx.Redirect(setting.AppSubURL + "/user/u2f")
- return
- }
-
- ctx.Redirect(setting.AppSubURL + "/user/two_factor")
-}
-
-// OAuth2UserLoginCallback attempts to handle the callback from the OAuth2 provider and if successful
-// login the user
-func oAuth2UserLoginCallback(loginSource *login.Source, request *http.Request, response http.ResponseWriter) (*user_model.User, goth.User, error) {
- oauth2Source := loginSource.Cfg.(*oauth2.Source)
-
- gothUser, err := oauth2Source.Callback(request, response)
- if err != nil {
- if err.Error() == "securecookie: the value is too long" || strings.Contains(err.Error(), "Data too long") {
- log.Error("OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider", loginSource.Name, setting.OAuth2.MaxTokenLength)
- err = fmt.Errorf("OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider", loginSource.Name, setting.OAuth2.MaxTokenLength)
- }
- return nil, goth.User{}, err
- }
-
- if oauth2Source.RequiredClaimName != "" {
- claimInterface, has := gothUser.RawData[oauth2Source.RequiredClaimName]
- if !has {
- return nil, goth.User{}, user_model.ErrUserProhibitLogin{Name: gothUser.UserID}
- }
-
- if oauth2Source.RequiredClaimValue != "" {
- groups := claimValueToStringSlice(claimInterface)
- found := false
- for _, group := range groups {
- if group == oauth2Source.RequiredClaimValue {
- found = true
- break
- }
- }
- if !found {
- return nil, goth.User{}, user_model.ErrUserProhibitLogin{Name: gothUser.UserID}
- }
- }
- }
-
- user := &user_model.User{
- LoginName: gothUser.UserID,
- LoginType: login.OAuth2,
- LoginSource: loginSource.ID,
- }
-
- hasUser, err := user_model.GetUser(user)
- if err != nil {
- return nil, goth.User{}, err
- }
-
- if hasUser {
- return user, gothUser, nil
- }
-
- // search in external linked users
- externalLoginUser := &user_model.ExternalLoginUser{
- ExternalID: gothUser.UserID,
- LoginSourceID: loginSource.ID,
- }
- hasUser, err = user_model.GetExternalLogin(externalLoginUser)
- if err != nil {
- return nil, goth.User{}, err
- }
- if hasUser {
- user, err = user_model.GetUserByID(externalLoginUser.UserID)
- return user, gothUser, err
- }
-
- // no user found to login
- return nil, gothUser, nil
-
-}
-
-// LinkAccount shows the page where the user can decide to login or create a new account
-func LinkAccount(ctx *context.Context) {
- ctx.Data["DisablePassword"] = !setting.Service.RequireExternalRegistrationPassword || setting.Service.AllowOnlyExternalRegistration
- ctx.Data["Title"] = ctx.Tr("link_account")
- ctx.Data["LinkAccountMode"] = true
- ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha && setting.Service.RequireExternalRegistrationCaptcha
- ctx.Data["Captcha"] = context.GetImageCaptcha()
- ctx.Data["CaptchaType"] = setting.Service.CaptchaType
- ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
- ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
- ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
- ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
- ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
- ctx.Data["ShowRegistrationButton"] = false
-
- // use this to set the right link into the signIn and signUp templates in the link_account template
- ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
- ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
-
- gothUser := ctx.Session.Get("linkAccountGothUser")
- if gothUser == nil {
- ctx.ServerError("UserSignIn", errors.New("not in LinkAccount session"))
- return
- }
-
- gu, _ := gothUser.(goth.User)
- uname := getUserName(&gu)
- email := gu.Email
- ctx.Data["user_name"] = uname
- ctx.Data["email"] = email
-
- if len(email) != 0 {
- u, err := user_model.GetUserByEmail(email)
- if err != nil && !user_model.IsErrUserNotExist(err) {
- ctx.ServerError("UserSignIn", err)
- return
- }
- if u != nil {
- ctx.Data["user_exists"] = true
- }
- } else if len(uname) != 0 {
- u, err := user_model.GetUserByName(uname)
- if err != nil && !user_model.IsErrUserNotExist(err) {
- ctx.ServerError("UserSignIn", err)
- return
- }
- if u != nil {
- ctx.Data["user_exists"] = true
- }
- }
-
- ctx.HTML(http.StatusOK, tplLinkAccount)
-}
-
-// LinkAccountPostSignIn handle the coupling of external account with another account using signIn
-func LinkAccountPostSignIn(ctx *context.Context) {
- signInForm := web.GetForm(ctx).(*forms.SignInForm)
- ctx.Data["DisablePassword"] = !setting.Service.RequireExternalRegistrationPassword || setting.Service.AllowOnlyExternalRegistration
- ctx.Data["Title"] = ctx.Tr("link_account")
- ctx.Data["LinkAccountMode"] = true
- ctx.Data["LinkAccountModeSignIn"] = true
- ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha && setting.Service.RequireExternalRegistrationCaptcha
- ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
- ctx.Data["Captcha"] = context.GetImageCaptcha()
- ctx.Data["CaptchaType"] = setting.Service.CaptchaType
- ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
- ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
- ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
- ctx.Data["ShowRegistrationButton"] = false
-
- // use this to set the right link into the signIn and signUp templates in the link_account template
- ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
- ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
-
- gothUser := ctx.Session.Get("linkAccountGothUser")
- if gothUser == nil {
- ctx.ServerError("UserSignIn", errors.New("not in LinkAccount session"))
- return
- }
-
- if ctx.HasError() {
- ctx.HTML(http.StatusOK, tplLinkAccount)
- return
- }
-
- u, _, err := auth.UserSignIn(signInForm.UserName, signInForm.Password)
- if err != nil {
- if user_model.IsErrUserNotExist(err) {
- ctx.Data["user_exists"] = true
- ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplLinkAccount, &signInForm)
- } else {
- ctx.ServerError("UserLinkAccount", err)
- }
- return
- }
-
- linkAccount(ctx, u, gothUser.(goth.User), signInForm.Remember)
-}
-
-func linkAccount(ctx *context.Context, u *user_model.User, gothUser goth.User, remember bool) {
- updateAvatarIfNeed(gothUser.AvatarURL, u)
-
- // If this user is enrolled in 2FA, we can't sign the user in just yet.
- // Instead, redirect them to the 2FA authentication page.
- // We deliberately ignore the skip local 2fa setting here because we are linking to a previous user here
- _, err := login.GetTwoFactorByUID(u.ID)
- if err != nil {
- if !login.IsErrTwoFactorNotEnrolled(err) {
- ctx.ServerError("UserLinkAccount", err)
- return
- }
-
- err = externalaccount.LinkAccountToUser(u, gothUser)
- if err != nil {
- ctx.ServerError("UserLinkAccount", err)
- return
- }
-
- handleSignIn(ctx, u, remember)
- return
- }
-
- if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
- ctx.ServerError("RegenerateSession", err)
- return
- }
-
- // User needs to use 2FA, save data and redirect to 2FA page.
- if err := ctx.Session.Set("twofaUid", u.ID); err != nil {
- log.Error("Error setting twofaUid in session: %v", err)
- }
- if err := ctx.Session.Set("twofaRemember", remember); err != nil {
- log.Error("Error setting twofaRemember in session: %v", err)
- }
- if err := ctx.Session.Set("linkAccount", true); err != nil {
- log.Error("Error setting linkAccount in session: %v", err)
- }
- if err := ctx.Session.Release(); err != nil {
- log.Error("Error storing session: %v", err)
- }
-
- // If U2F is enrolled -> Redirect to U2F instead
- regs, err := login.GetU2FRegistrationsByUID(u.ID)
- if err == nil && len(regs) > 0 {
- ctx.Redirect(setting.AppSubURL + "/user/u2f")
- return
- }
-
- ctx.Redirect(setting.AppSubURL + "/user/two_factor")
-}
-
-// LinkAccountPostRegister handle the creation of a new account for an external account using signUp
-func LinkAccountPostRegister(ctx *context.Context) {
- form := web.GetForm(ctx).(*forms.RegisterForm)
- // TODO Make insecure passwords optional for local accounts also,
- // once email-based Second-Factor Auth is available
- ctx.Data["DisablePassword"] = !setting.Service.RequireExternalRegistrationPassword || setting.Service.AllowOnlyExternalRegistration
- ctx.Data["Title"] = ctx.Tr("link_account")
- ctx.Data["LinkAccountMode"] = true
- ctx.Data["LinkAccountModeRegister"] = true
- ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha && setting.Service.RequireExternalRegistrationCaptcha
- ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
- ctx.Data["Captcha"] = context.GetImageCaptcha()
- ctx.Data["CaptchaType"] = setting.Service.CaptchaType
- ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
- ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
- ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
- ctx.Data["ShowRegistrationButton"] = false
-
- // use this to set the right link into the signIn and signUp templates in the link_account template
- ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
- ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
-
- gothUserInterface := ctx.Session.Get("linkAccountGothUser")
- if gothUserInterface == nil {
- ctx.ServerError("UserSignUp", errors.New("not in LinkAccount session"))
- return
- }
- gothUser, ok := gothUserInterface.(goth.User)
- if !ok {
- ctx.ServerError("UserSignUp", fmt.Errorf("session linkAccountGothUser type is %t but not goth.User", gothUserInterface))
- return
- }
-
- if ctx.HasError() {
- ctx.HTML(http.StatusOK, tplLinkAccount)
- return
- }
-
- if setting.Service.DisableRegistration || setting.Service.AllowOnlyInternalRegistration {
- ctx.Error(http.StatusForbidden)
- return
- }
-
- if setting.Service.EnableCaptcha && setting.Service.RequireExternalRegistrationCaptcha {
- var valid bool
- var err error
- switch setting.Service.CaptchaType {
- case setting.ImageCaptcha:
- valid = context.GetImageCaptcha().VerifyReq(ctx.Req)
- case setting.ReCaptcha:
- valid, err = recaptcha.Verify(ctx, form.GRecaptchaResponse)
- case setting.HCaptcha:
- valid, err = hcaptcha.Verify(ctx, form.HcaptchaResponse)
- default:
- ctx.ServerError("Unknown Captcha Type", fmt.Errorf("Unknown Captcha Type: %s", setting.Service.CaptchaType))
- return
- }
- if err != nil {
- log.Debug("%s", err.Error())
- }
-
- if !valid {
- ctx.Data["Err_Captcha"] = true
- ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplLinkAccount, &form)
- return
- }
- }
-
- if !form.IsEmailDomainAllowed() {
- ctx.RenderWithErr(ctx.Tr("auth.email_domain_blacklisted"), tplLinkAccount, &form)
- return
- }
-
- if setting.Service.AllowOnlyExternalRegistration || !setting.Service.RequireExternalRegistrationPassword {
- // In user_model.User an empty password is classed as not set, so we set form.Password to empty.
- // Eventually the database should be changed to indicate "Second Factor"-enabled accounts
- // (accounts that do not introduce the security vulnerabilities of a password).
- // If a user decides to circumvent second-factor security, and purposefully create a password,
- // they can still do so using the "Recover Account" option.
- form.Password = ""
- } else {
- if (len(strings.TrimSpace(form.Password)) > 0 || len(strings.TrimSpace(form.Retype)) > 0) && form.Password != form.Retype {
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(ctx.Tr("form.password_not_match"), tplLinkAccount, &form)
- return
- }
- if len(strings.TrimSpace(form.Password)) > 0 && len(form.Password) < setting.MinPasswordLength {
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplLinkAccount, &form)
- return
- }
- }
-
- loginSource, err := login.GetActiveOAuth2LoginSourceByName(gothUser.Provider)
- if err != nil {
- ctx.ServerError("CreateUser", err)
- }
-
- u := &user_model.User{
- Name: form.UserName,
- Email: form.Email,
- Passwd: form.Password,
- IsActive: !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm),
- LoginType: login.OAuth2,
- LoginSource: loginSource.ID,
- LoginName: gothUser.UserID,
- }
-
- if !createAndHandleCreatedUser(ctx, tplLinkAccount, form, u, &gothUser, false) {
- // error already handled
- return
- }
-
- handleSignIn(ctx, u, false)
-}
-
-// HandleSignOut resets the session and sets the cookies
-func HandleSignOut(ctx *context.Context) {
- _ = ctx.Session.Flush()
- _ = ctx.Session.Destroy(ctx.Resp, ctx.Req)
- ctx.DeleteCookie(setting.CookieUserName)
- ctx.DeleteCookie(setting.CookieRememberName)
- middleware.DeleteCSRFCookie(ctx.Resp)
- middleware.DeleteLocaleCookie(ctx.Resp)
- middleware.DeleteRedirectToCookie(ctx.Resp)
-}
-
-// SignOut sign out from login status
-func SignOut(ctx *context.Context) {
- if ctx.User != nil {
- eventsource.GetManager().SendMessageBlocking(ctx.User.ID, &eventsource.Event{
- Name: "logout",
- Data: ctx.Session.ID(),
- })
- }
- HandleSignOut(ctx)
- ctx.Redirect(setting.AppSubURL + "/")
-}
-
-// SignUp render the register page
-func SignUp(ctx *context.Context) {
- ctx.Data["Title"] = ctx.Tr("sign_up")
-
- ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/sign_up"
-
- ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
- ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
- ctx.Data["Captcha"] = context.GetImageCaptcha()
- ctx.Data["CaptchaType"] = setting.Service.CaptchaType
- ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
- ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
- ctx.Data["PageIsSignUp"] = true
-
- //Show Disabled Registration message if DisableRegistration or AllowOnlyExternalRegistration options are true
- ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration || setting.Service.AllowOnlyExternalRegistration
-
- ctx.HTML(http.StatusOK, tplSignUp)
-}
-
-// SignUpPost response for sign up information submission
-func SignUpPost(ctx *context.Context) {
- form := web.GetForm(ctx).(*forms.RegisterForm)
- ctx.Data["Title"] = ctx.Tr("sign_up")
-
- ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/sign_up"
-
- ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
- ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
- ctx.Data["Captcha"] = context.GetImageCaptcha()
- ctx.Data["CaptchaType"] = setting.Service.CaptchaType
- ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
- ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
- ctx.Data["PageIsSignUp"] = true
-
- //Permission denied if DisableRegistration or AllowOnlyExternalRegistration options are true
- if setting.Service.DisableRegistration || setting.Service.AllowOnlyExternalRegistration {
- ctx.Error(http.StatusForbidden)
- return
- }
-
- if ctx.HasError() {
- ctx.HTML(http.StatusOK, tplSignUp)
- return
- }
-
- if setting.Service.EnableCaptcha {
- var valid bool
- var err error
- switch setting.Service.CaptchaType {
- case setting.ImageCaptcha:
- valid = context.GetImageCaptcha().VerifyReq(ctx.Req)
- case setting.ReCaptcha:
- valid, err = recaptcha.Verify(ctx, form.GRecaptchaResponse)
- case setting.HCaptcha:
- valid, err = hcaptcha.Verify(ctx, form.HcaptchaResponse)
- default:
- ctx.ServerError("Unknown Captcha Type", fmt.Errorf("Unknown Captcha Type: %s", setting.Service.CaptchaType))
- return
- }
- if err != nil {
- log.Debug("%s", err.Error())
- }
-
- if !valid {
- ctx.Data["Err_Captcha"] = true
- ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplSignUp, &form)
- return
- }
- }
-
- if !form.IsEmailDomainAllowed() {
- ctx.RenderWithErr(ctx.Tr("auth.email_domain_blacklisted"), tplSignUp, &form)
- return
- }
-
- if form.Password != form.Retype {
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(ctx.Tr("form.password_not_match"), tplSignUp, &form)
- return
- }
- if len(form.Password) < setting.MinPasswordLength {
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplSignUp, &form)
- return
- }
- if !password.IsComplexEnough(form.Password) {
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(password.BuildComplexityError(ctx), tplSignUp, &form)
- return
- }
- pwned, err := password.IsPwned(ctx, form.Password)
- if pwned {
- errMsg := ctx.Tr("auth.password_pwned")
- if err != nil {
- log.Error(err.Error())
- errMsg = ctx.Tr("auth.password_pwned_err")
- }
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(errMsg, tplSignUp, &form)
- return
- }
-
- u := &user_model.User{
- Name: form.UserName,
- Email: form.Email,
- Passwd: form.Password,
- IsActive: !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm),
- IsRestricted: setting.Service.DefaultUserIsRestricted,
- }
-
- if !createAndHandleCreatedUser(ctx, tplSignUp, form, u, nil, false) {
- // error already handled
- return
- }
-
- ctx.Flash.Success(ctx.Tr("auth.sign_up_successful"))
- handleSignIn(ctx, u, false)
-}
-
-// createAndHandleCreatedUser calls createUserInContext and
-// then handleUserCreated.
-func createAndHandleCreatedUser(ctx *context.Context, tpl base.TplName, form interface{}, u *user_model.User, gothUser *goth.User, allowLink bool) bool {
- if !createUserInContext(ctx, tpl, form, u, gothUser, allowLink) {
- return false
- }
- return handleUserCreated(ctx, u, gothUser)
-}
-
-// createUserInContext creates a user and handles errors within a given context.
-// Optionally a template can be specified.
-func createUserInContext(ctx *context.Context, tpl base.TplName, form interface{}, u *user_model.User, gothUser *goth.User, allowLink bool) (ok bool) {
- if err := user_model.CreateUser(u); err != nil {
- if allowLink && (user_model.IsErrUserAlreadyExist(err) || user_model.IsErrEmailAlreadyUsed(err)) {
- if setting.OAuth2Client.AccountLinking == setting.OAuth2AccountLinkingAuto {
- var user *user_model.User
- user = &user_model.User{Name: u.Name}
- hasUser, err := user_model.GetUser(user)
- if !hasUser || err != nil {
- user = &user_model.User{Email: u.Email}
- hasUser, err = user_model.GetUser(user)
- if !hasUser || err != nil {
- ctx.ServerError("UserLinkAccount", err)
- return
- }
- }
-
- // TODO: probably we should respect 'remember' user's choice...
- linkAccount(ctx, user, *gothUser, true)
- return // user is already created here, all redirects are handled
- } else if setting.OAuth2Client.AccountLinking == setting.OAuth2AccountLinkingLogin {
- showLinkingLogin(ctx, *gothUser)
- return // user will be created only after linking login
- }
- }
-
- // handle error without template
- if len(tpl) == 0 {
- ctx.ServerError("CreateUser", err)
- return
- }
-
- // handle error with template
- switch {
- case user_model.IsErrUserAlreadyExist(err):
- ctx.Data["Err_UserName"] = true
- ctx.RenderWithErr(ctx.Tr("form.username_been_taken"), tpl, form)
- case user_model.IsErrEmailAlreadyUsed(err):
- ctx.Data["Err_Email"] = true
- ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tpl, form)
- case user_model.IsErrEmailInvalid(err):
- ctx.Data["Err_Email"] = true
- ctx.RenderWithErr(ctx.Tr("form.email_invalid"), tpl, form)
- case db.IsErrNameReserved(err):
- ctx.Data["Err_UserName"] = true
- ctx.RenderWithErr(ctx.Tr("user.form.name_reserved", err.(db.ErrNameReserved).Name), tpl, form)
- case db.IsErrNamePatternNotAllowed(err):
- ctx.Data["Err_UserName"] = true
- ctx.RenderWithErr(ctx.Tr("user.form.name_pattern_not_allowed", err.(db.ErrNamePatternNotAllowed).Pattern), tpl, form)
- case db.IsErrNameCharsNotAllowed(err):
- ctx.Data["Err_UserName"] = true
- ctx.RenderWithErr(ctx.Tr("user.form.name_chars_not_allowed", err.(db.ErrNameCharsNotAllowed).Name), tpl, form)
- default:
- ctx.ServerError("CreateUser", err)
- }
- return
- }
- log.Trace("Account created: %s", u.Name)
- return true
-}
-
-// handleUserCreated does additional steps after a new user is created.
-// It auto-sets admin for the only user, updates the optional external user and
-// sends a confirmation email if required.
-func handleUserCreated(ctx *context.Context, u *user_model.User, gothUser *goth.User) (ok bool) {
- // Auto-set admin for the only user.
- if user_model.CountUsers() == 1 {
- u.IsAdmin = true
- u.IsActive = true
- u.SetLastLogin()
- if err := user_model.UpdateUserCols(db.DefaultContext, u, "is_admin", "is_active", "last_login_unix"); err != nil {
- ctx.ServerError("UpdateUser", err)
- return
- }
- }
-
- // update external user information
- if gothUser != nil {
- if err := externalaccount.UpdateExternalUser(u, *gothUser); err != nil {
- log.Error("UpdateExternalUser failed: %v", err)
- }
- }
-
- // Send confirmation email
- if !u.IsActive && u.ID > 1 {
- mailer.SendActivateAccountMail(ctx.Locale, u)
-
- ctx.Data["IsSendRegisterMail"] = true
- ctx.Data["Email"] = u.Email
- ctx.Data["ActiveCodeLives"] = timeutil.MinutesToFriendly(setting.Service.ActiveCodeLives, ctx.Locale.Language())
- ctx.HTML(http.StatusOK, TplActivate)
-
- if err := ctx.Cache.Put("MailResendLimit_"+u.LowerName, u.LowerName, 180); err != nil {
- log.Error("Set cache(MailResendLimit) fail: %v", err)
- }
- return
- }
-
- return true
-}
-
-// Activate render activate user page
-func Activate(ctx *context.Context) {
- code := ctx.FormString("code")
-
- if len(code) == 0 {
- ctx.Data["IsActivatePage"] = true
- if ctx.User == nil || ctx.User.IsActive {
- ctx.NotFound("invalid user", nil)
- return
- }
- // Resend confirmation email.
- if setting.Service.RegisterEmailConfirm {
- if ctx.Cache.IsExist("MailResendLimit_" + ctx.User.LowerName) {
- ctx.Data["ResendLimited"] = true
- } else {
- ctx.Data["ActiveCodeLives"] = timeutil.MinutesToFriendly(setting.Service.ActiveCodeLives, ctx.Locale.Language())
- mailer.SendActivateAccountMail(ctx.Locale, ctx.User)
-
- if err := ctx.Cache.Put("MailResendLimit_"+ctx.User.LowerName, ctx.User.LowerName, 180); err != nil {
- log.Error("Set cache(MailResendLimit) fail: %v", err)
- }
- }
- } else {
- ctx.Data["ServiceNotEnabled"] = true
- }
- ctx.HTML(http.StatusOK, TplActivate)
- return
- }
-
- user := user_model.VerifyUserActiveCode(code)
- // if code is wrong
- if user == nil {
- ctx.Data["IsActivateFailed"] = true
- ctx.HTML(http.StatusOK, TplActivate)
- return
- }
-
- // if account is local account, verify password
- if user.LoginSource == 0 {
- ctx.Data["Code"] = code
- ctx.Data["NeedsPassword"] = true
- ctx.HTML(http.StatusOK, TplActivate)
- return
- }
-
- handleAccountActivation(ctx, user)
-}
-
-// ActivatePost handles account activation with password check
-func ActivatePost(ctx *context.Context) {
- code := ctx.FormString("code")
- if len(code) == 0 {
- ctx.Redirect(setting.AppSubURL + "/user/activate")
- return
- }
-
- user := user_model.VerifyUserActiveCode(code)
- // if code is wrong
- if user == nil {
- ctx.Data["IsActivateFailed"] = true
- ctx.HTML(http.StatusOK, TplActivate)
- return
- }
-
- // if account is local account, verify password
- if user.LoginSource == 0 {
- password := ctx.FormString("password")
- if len(password) == 0 {
- ctx.Data["Code"] = code
- ctx.Data["NeedsPassword"] = true
- ctx.HTML(http.StatusOK, TplActivate)
- return
- }
- if !user.ValidatePassword(password) {
- ctx.Data["IsActivateFailed"] = true
- ctx.HTML(http.StatusOK, TplActivate)
- return
- }
- }
-
- handleAccountActivation(ctx, user)
-}
-
-func handleAccountActivation(ctx *context.Context, user *user_model.User) {
- user.IsActive = true
- var err error
- if user.Rands, err = user_model.GetUserSalt(); err != nil {
- ctx.ServerError("UpdateUser", err)
- return
- }
- if err := user_model.UpdateUserCols(db.DefaultContext, user, "is_active", "rands"); err != nil {
- if user_model.IsErrUserNotExist(err) {
- ctx.NotFound("UpdateUserCols", err)
- } else {
- ctx.ServerError("UpdateUser", err)
- }
- return
- }
-
- if err := user_model.ActivateUserEmail(user.ID, user.Email, true); err != nil {
- log.Error("Unable to activate email for user: %-v with email: %s: %v", user, user.Email, err)
- ctx.ServerError("ActivateUserEmail", err)
- return
- }
-
- log.Trace("User activated: %s", user.Name)
-
- if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
- log.Error("Unable to regenerate session for user: %-v with email: %s: %v", user, user.Email, err)
- ctx.ServerError("ActivateUserEmail", err)
- return
- }
-
- // Set session IDs
- if err := ctx.Session.Set("uid", user.ID); err != nil {
- log.Error("Error setting uid in session[%s]: %v", ctx.Session.ID(), err)
- }
- if err := ctx.Session.Set("uname", user.Name); err != nil {
- log.Error("Error setting uname in session[%s]: %v", ctx.Session.ID(), err)
- }
- if err := ctx.Session.Release(); err != nil {
- log.Error("Error storing session[%s]: %v", ctx.Session.ID(), err)
- }
-
- if err := resetLocale(ctx, user); err != nil {
- ctx.ServerError("resetLocale", err)
- return
- }
-
- ctx.Flash.Success(ctx.Tr("auth.account_activated"))
- ctx.Redirect(setting.AppSubURL + "/")
-}
-
-// ActivateEmail render the activate email page
-func ActivateEmail(ctx *context.Context) {
- code := ctx.FormString("code")
- emailStr := ctx.FormString("email")
-
- // Verify code.
- if email := user_model.VerifyActiveEmailCode(code, emailStr); email != nil {
- if err := user_model.ActivateEmail(email); err != nil {
- ctx.ServerError("ActivateEmail", err)
- }
-
- log.Trace("Email activated: %s", email.Email)
- ctx.Flash.Success(ctx.Tr("settings.add_email_success"))
-
- if u, err := user_model.GetUserByID(email.UID); err != nil {
- log.Warn("GetUserByID: %d", email.UID)
- } else {
- // Allow user to validate more emails
- _ = ctx.Cache.Delete("MailResendLimit_" + u.LowerName)
- }
- }
-
- // FIXME: e-mail verification does not require the user to be logged in,
- // so this could be redirecting to the login page.
- // Should users be logged in automatically here? (consider 2FA requirements, etc.)
- ctx.Redirect(setting.AppSubURL + "/user/settings/account")
-}
-
-// ForgotPasswd render the forget password page
-func ForgotPasswd(ctx *context.Context) {
- ctx.Data["Title"] = ctx.Tr("auth.forgot_password_title")
-
- if setting.MailService == nil {
- log.Warn(ctx.Tr("auth.disable_forgot_password_mail_admin"))
- ctx.Data["IsResetDisable"] = true
- ctx.HTML(http.StatusOK, tplForgotPassword)
- return
- }
-
- ctx.Data["Email"] = ctx.FormString("email")
-
- ctx.Data["IsResetRequest"] = true
- ctx.HTML(http.StatusOK, tplForgotPassword)
-}
-
-// ForgotPasswdPost response for forget password request
-func ForgotPasswdPost(ctx *context.Context) {
- ctx.Data["Title"] = ctx.Tr("auth.forgot_password_title")
-
- if setting.MailService == nil {
- ctx.NotFound("ForgotPasswdPost", nil)
- return
- }
- ctx.Data["IsResetRequest"] = true
-
- email := ctx.FormString("email")
- ctx.Data["Email"] = email
-
- u, err := user_model.GetUserByEmail(email)
- if err != nil {
- if user_model.IsErrUserNotExist(err) {
- ctx.Data["ResetPwdCodeLives"] = timeutil.MinutesToFriendly(setting.Service.ResetPwdCodeLives, ctx.Locale.Language())
- ctx.Data["IsResetSent"] = true
- ctx.HTML(http.StatusOK, tplForgotPassword)
- return
- }
-
- ctx.ServerError("user.ResetPasswd(check existence)", err)
- return
- }
-
- if !u.IsLocal() && !u.IsOAuth2() {
- ctx.Data["Err_Email"] = true
- ctx.RenderWithErr(ctx.Tr("auth.non_local_account"), tplForgotPassword, nil)
- return
- }
-
- if ctx.Cache.IsExist("MailResendLimit_" + u.LowerName) {
- ctx.Data["ResendLimited"] = true
- ctx.HTML(http.StatusOK, tplForgotPassword)
- return
- }
-
- mailer.SendResetPasswordMail(u)
-
- if err = ctx.Cache.Put("MailResendLimit_"+u.LowerName, u.LowerName, 180); err != nil {
- log.Error("Set cache(MailResendLimit) fail: %v", err)
- }
-
- ctx.Data["ResetPwdCodeLives"] = timeutil.MinutesToFriendly(setting.Service.ResetPwdCodeLives, ctx.Locale.Language())
- ctx.Data["IsResetSent"] = true
- ctx.HTML(http.StatusOK, tplForgotPassword)
-}
-
-func commonResetPassword(ctx *context.Context) (*user_model.User, *login.TwoFactor) {
- code := ctx.FormString("code")
-
- ctx.Data["Title"] = ctx.Tr("auth.reset_password")
- ctx.Data["Code"] = code
-
- if nil != ctx.User {
- ctx.Data["user_signed_in"] = true
- }
-
- if len(code) == 0 {
- ctx.Flash.Error(ctx.Tr("auth.invalid_code"))
- return nil, nil
- }
-
- // Fail early, don't frustrate the user
- u := user_model.VerifyUserActiveCode(code)
- if u == nil {
- ctx.Flash.Error(ctx.Tr("auth.invalid_code"))
- return nil, nil
- }
-
- twofa, err := login.GetTwoFactorByUID(u.ID)
- if err != nil {
- if !login.IsErrTwoFactorNotEnrolled(err) {
- ctx.Error(http.StatusInternalServerError, "CommonResetPassword", err.Error())
- return nil, nil
- }
- } else {
- ctx.Data["has_two_factor"] = true
- ctx.Data["scratch_code"] = ctx.FormBool("scratch_code")
- }
-
- // Show the user that they are affecting the account that they intended to
- ctx.Data["user_email"] = u.Email
-
- if nil != ctx.User && u.ID != ctx.User.ID {
- ctx.Flash.Error(ctx.Tr("auth.reset_password_wrong_user", ctx.User.Email, u.Email))
- return nil, nil
- }
-
- return u, twofa
-}
-
-// ResetPasswd render the account recovery page
-func ResetPasswd(ctx *context.Context) {
- ctx.Data["IsResetForm"] = true
-
- commonResetPassword(ctx)
- if ctx.Written() {
- return
- }
-
- ctx.HTML(http.StatusOK, tplResetPassword)
-}
-
-// ResetPasswdPost response from account recovery request
-func ResetPasswdPost(ctx *context.Context) {
- u, twofa := commonResetPassword(ctx)
- if ctx.Written() {
- return
- }
-
- if u == nil {
- // Flash error has been set
- ctx.HTML(http.StatusOK, tplResetPassword)
- return
- }
-
- // Validate password length.
- passwd := ctx.FormString("password")
- if len(passwd) < setting.MinPasswordLength {
- ctx.Data["IsResetForm"] = true
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplResetPassword, nil)
- return
- } else if !password.IsComplexEnough(passwd) {
- ctx.Data["IsResetForm"] = true
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(password.BuildComplexityError(ctx), tplResetPassword, nil)
- return
- } else if pwned, err := password.IsPwned(ctx, passwd); pwned || err != nil {
- errMsg := ctx.Tr("auth.password_pwned")
- if err != nil {
- log.Error(err.Error())
- errMsg = ctx.Tr("auth.password_pwned_err")
- }
- ctx.Data["IsResetForm"] = true
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(errMsg, tplResetPassword, nil)
- return
- }
-
- // Handle two-factor
- regenerateScratchToken := false
- if twofa != nil {
- if ctx.FormBool("scratch_code") {
- if !twofa.VerifyScratchToken(ctx.FormString("token")) {
- ctx.Data["IsResetForm"] = true
- ctx.Data["Err_Token"] = true
- ctx.RenderWithErr(ctx.Tr("auth.twofa_scratch_token_incorrect"), tplResetPassword, nil)
- return
- }
- regenerateScratchToken = true
- } else {
- passcode := ctx.FormString("passcode")
- ok, err := twofa.ValidateTOTP(passcode)
- if err != nil {
- ctx.Error(http.StatusInternalServerError, "ValidateTOTP", err.Error())
- return
- }
- if !ok || twofa.LastUsedPasscode == passcode {
- ctx.Data["IsResetForm"] = true
- ctx.Data["Err_Passcode"] = true
- ctx.RenderWithErr(ctx.Tr("auth.twofa_passcode_incorrect"), tplResetPassword, nil)
- return
- }
-
- twofa.LastUsedPasscode = passcode
- if err = login.UpdateTwoFactor(twofa); err != nil {
- ctx.ServerError("ResetPasswdPost: UpdateTwoFactor", err)
- return
- }
- }
- }
- var err error
- if u.Rands, err = user_model.GetUserSalt(); err != nil {
- ctx.ServerError("UpdateUser", err)
- return
- }
- if err = u.SetPassword(passwd); err != nil {
- ctx.ServerError("UpdateUser", err)
- return
- }
- u.MustChangePassword = false
- if err := user_model.UpdateUserCols(db.DefaultContext, u, "must_change_password", "passwd", "passwd_hash_algo", "rands", "salt"); err != nil {
- ctx.ServerError("UpdateUser", err)
- return
- }
-
- log.Trace("User password reset: %s", u.Name)
- ctx.Data["IsResetFailed"] = true
- remember := len(ctx.FormString("remember")) != 0
-
- if regenerateScratchToken {
- // Invalidate the scratch token.
- _, err = twofa.GenerateScratchToken()
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
- if err = login.UpdateTwoFactor(twofa); err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- handleSignInFull(ctx, u, remember, false)
- ctx.Flash.Info(ctx.Tr("auth.twofa_scratch_used"))
- if ctx.Written() {
- return
- }
- ctx.Redirect(setting.AppSubURL + "/user/settings/security")
- return
- }
-
- handleSignIn(ctx, u, remember)
-}
-
-// MustChangePassword renders the page to change a user's password
-func MustChangePassword(ctx *context.Context) {
- ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
- ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/settings/change_password"
- ctx.Data["MustChangePassword"] = true
- ctx.HTML(http.StatusOK, tplMustChangePassword)
-}
-
-// MustChangePasswordPost response for updating a user's password after his/her
-// account was created by an admin
-func MustChangePasswordPost(ctx *context.Context) {
- form := web.GetForm(ctx).(*forms.MustChangePasswordForm)
- ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
- ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/settings/change_password"
- if ctx.HasError() {
- ctx.HTML(http.StatusOK, tplMustChangePassword)
- return
- }
- u := ctx.User
- // Make sure only requests for users who are eligible to change their password via
- // this method passes through
- if !u.MustChangePassword {
- ctx.ServerError("MustUpdatePassword", errors.New("cannot update password.. Please visit the settings page"))
- return
- }
-
- if form.Password != form.Retype {
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(ctx.Tr("form.password_not_match"), tplMustChangePassword, &form)
- return
- }
-
- if len(form.Password) < setting.MinPasswordLength {
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplMustChangePassword, &form)
- return
- }
- if !password.IsComplexEnough(form.Password) {
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(password.BuildComplexityError(ctx), tplMustChangePassword, &form)
- return
- }
- pwned, err := password.IsPwned(ctx, form.Password)
- if pwned {
- ctx.Data["Err_Password"] = true
- errMsg := ctx.Tr("auth.password_pwned")
- if err != nil {
- log.Error(err.Error())
- errMsg = ctx.Tr("auth.password_pwned_err")
- }
- ctx.RenderWithErr(errMsg, tplMustChangePassword, &form)
- return
- }
-
- if err = u.SetPassword(form.Password); err != nil {
- ctx.ServerError("UpdateUser", err)
- return
- }
-
- u.MustChangePassword = false
-
- if err := user_model.UpdateUserCols(db.DefaultContext, u, "must_change_password", "passwd", "passwd_hash_algo", "salt"); err != nil {
- ctx.ServerError("UpdateUser", err)
- return
- }
-
- ctx.Flash.Success(ctx.Tr("settings.change_password_success"))
-
- log.Trace("User updated password: %s", u.Name)
-
- if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 && !utils.IsExternalURL(redirectTo) {
- middleware.DeleteRedirectToCookie(ctx.Resp)
- ctx.RedirectToFirst(redirectTo)
- return
- }
-
- ctx.Redirect(setting.AppSubURL + "/")
-}
diff --git a/routers/web/user/setting/applications.go b/routers/web/user/setting/applications.go
index 9976337bfa..20ffdfaf84 100644
--- a/routers/web/user/setting/applications.go
+++ b/routers/web/user/setting/applications.go
@@ -9,7 +9,7 @@ import (
"net/http"
"code.gitea.io/gitea/models"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/setting"
@@ -93,12 +93,12 @@ func loadApplicationsData(ctx *context.Context) {
ctx.Data["Tokens"] = tokens
ctx.Data["EnableOAuth2"] = setting.OAuth2.Enable
if setting.OAuth2.Enable {
- ctx.Data["Applications"], err = login.GetOAuth2ApplicationsByUserID(ctx.User.ID)
+ ctx.Data["Applications"], err = auth.GetOAuth2ApplicationsByUserID(ctx.User.ID)
if err != nil {
ctx.ServerError("GetOAuth2ApplicationsByUserID", err)
return
}
- ctx.Data["Grants"], err = login.GetOAuth2GrantsByUserID(ctx.User.ID)
+ ctx.Data["Grants"], err = auth.GetOAuth2GrantsByUserID(ctx.User.ID)
if err != nil {
ctx.ServerError("GetOAuth2GrantsByUserID", err)
return
diff --git a/routers/web/user/setting/keys.go b/routers/web/user/setting/keys.go
index 8274f8b1b3..26bbf7c195 100644
--- a/routers/web/user/setting/keys.go
+++ b/routers/web/user/setting/keys.go
@@ -216,7 +216,6 @@ func KeysPost(ctx *context.Context) {
// DeleteKey response for delete user's SSH/GPG key
func DeleteKey(ctx *context.Context) {
-
switch ctx.FormString("type") {
case "gpg":
if err := asymkey_model.DeleteGPGKey(ctx.User, ctx.FormInt64("id")); err != nil {
diff --git a/routers/web/user/setting/oauth2.go b/routers/web/user/setting/oauth2.go
index 0f338ab5d1..65d0924da0 100644
--- a/routers/web/user/setting/oauth2.go
+++ b/routers/web/user/setting/oauth2.go
@@ -8,7 +8,7 @@ import (
"fmt"
"net/http"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/log"
@@ -34,7 +34,7 @@ func OAuthApplicationsPost(ctx *context.Context) {
return
}
// TODO validate redirect URI
- app, err := login.CreateOAuth2Application(login.CreateOAuth2ApplicationOptions{
+ app, err := auth.CreateOAuth2Application(auth.CreateOAuth2ApplicationOptions{
Name: form.Name,
RedirectURIs: []string{form.RedirectURI},
UserID: ctx.User.ID,
@@ -67,7 +67,7 @@ func OAuthApplicationsEdit(ctx *context.Context) {
}
// TODO validate redirect URI
var err error
- if ctx.Data["App"], err = login.UpdateOAuth2Application(login.UpdateOAuth2ApplicationOptions{
+ if ctx.Data["App"], err = auth.UpdateOAuth2Application(auth.UpdateOAuth2ApplicationOptions{
ID: ctx.ParamsInt64("id"),
Name: form.Name,
RedirectURIs: []string{form.RedirectURI},
@@ -85,9 +85,9 @@ func OAuthApplicationsRegenerateSecret(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("settings")
ctx.Data["PageIsSettingsApplications"] = true
- app, err := login.GetOAuth2ApplicationByID(ctx.ParamsInt64("id"))
+ app, err := auth.GetOAuth2ApplicationByID(ctx.ParamsInt64("id"))
if err != nil {
- if login.IsErrOAuthApplicationNotFound(err) {
+ if auth.IsErrOAuthApplicationNotFound(err) {
ctx.NotFound("Application not found", err)
return
}
@@ -110,9 +110,9 @@ func OAuthApplicationsRegenerateSecret(ctx *context.Context) {
// OAuth2ApplicationShow displays the given application
func OAuth2ApplicationShow(ctx *context.Context) {
- app, err := login.GetOAuth2ApplicationByID(ctx.ParamsInt64("id"))
+ app, err := auth.GetOAuth2ApplicationByID(ctx.ParamsInt64("id"))
if err != nil {
- if login.IsErrOAuthApplicationNotFound(err) {
+ if auth.IsErrOAuthApplicationNotFound(err) {
ctx.NotFound("Application not found", err)
return
}
@@ -129,7 +129,7 @@ func OAuth2ApplicationShow(ctx *context.Context) {
// DeleteOAuth2Application deletes the given oauth2 application
func DeleteOAuth2Application(ctx *context.Context) {
- if err := login.DeleteOAuth2Application(ctx.FormInt64("id"), ctx.User.ID); err != nil {
+ if err := auth.DeleteOAuth2Application(ctx.FormInt64("id"), ctx.User.ID); err != nil {
ctx.ServerError("DeleteOAuth2Application", err)
return
}
@@ -147,7 +147,7 @@ func RevokeOAuth2Grant(ctx *context.Context) {
ctx.ServerError("RevokeOAuth2Grant", fmt.Errorf("user id or grant id is zero"))
return
}
- if err := login.RevokeOAuth2Grant(ctx.FormInt64("id"), ctx.User.ID); err != nil {
+ if err := auth.RevokeOAuth2Grant(ctx.FormInt64("id"), ctx.User.ID); err != nil {
ctx.ServerError("RevokeOAuth2Grant", err)
return
}
diff --git a/routers/web/user/setting/security_twofa.go b/routers/web/user/setting/security/2fa.go
index 94f975f9fe..98e1f9b083 100644
--- a/routers/web/user/setting/security_twofa.go
+++ b/routers/web/user/setting/security/2fa.go
@@ -3,7 +3,7 @@
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
-package setting
+package security
import (
"bytes"
@@ -13,7 +13,7 @@ import (
"net/http"
"strings"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
@@ -29,9 +29,9 @@ func RegenerateScratchTwoFactor(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("settings")
ctx.Data["PageIsSettingsSecurity"] = true
- t, err := login.GetTwoFactorByUID(ctx.User.ID)
+ t, err := auth.GetTwoFactorByUID(ctx.User.ID)
if err != nil {
- if login.IsErrTwoFactorNotEnrolled(err) {
+ if auth.IsErrTwoFactorNotEnrolled(err) {
ctx.Flash.Error(ctx.Tr("settings.twofa_not_enrolled"))
ctx.Redirect(setting.AppSubURL + "/user/settings/security")
}
@@ -45,7 +45,7 @@ func RegenerateScratchTwoFactor(ctx *context.Context) {
return
}
- if err = login.UpdateTwoFactor(t); err != nil {
+ if err = auth.UpdateTwoFactor(t); err != nil {
ctx.ServerError("SettingsTwoFactor: Failed to UpdateTwoFactor", err)
return
}
@@ -59,9 +59,9 @@ func DisableTwoFactor(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("settings")
ctx.Data["PageIsSettingsSecurity"] = true
- t, err := login.GetTwoFactorByUID(ctx.User.ID)
+ t, err := auth.GetTwoFactorByUID(ctx.User.ID)
if err != nil {
- if login.IsErrTwoFactorNotEnrolled(err) {
+ if auth.IsErrTwoFactorNotEnrolled(err) {
ctx.Flash.Error(ctx.Tr("settings.twofa_not_enrolled"))
ctx.Redirect(setting.AppSubURL + "/user/settings/security")
}
@@ -69,8 +69,8 @@ func DisableTwoFactor(ctx *context.Context) {
return
}
- if err = login.DeleteTwoFactorByID(t.ID, ctx.User.ID); err != nil {
- if login.IsErrTwoFactorNotEnrolled(err) {
+ if err = auth.DeleteTwoFactorByID(t.ID, ctx.User.ID); err != nil {
+ if auth.IsErrTwoFactorNotEnrolled(err) {
// There is a potential DB race here - we must have been disabled by another request in the intervening period
ctx.Flash.Success(ctx.Tr("settings.twofa_disabled"))
ctx.Redirect(setting.AppSubURL + "/user/settings/security")
@@ -146,7 +146,7 @@ func EnrollTwoFactor(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("settings")
ctx.Data["PageIsSettingsSecurity"] = true
- t, err := login.GetTwoFactorByUID(ctx.User.ID)
+ t, err := auth.GetTwoFactorByUID(ctx.User.ID)
if t != nil {
// already enrolled - we should redirect back!
log.Warn("Trying to re-enroll %-v in twofa when already enrolled", ctx.User)
@@ -154,7 +154,7 @@ func EnrollTwoFactor(ctx *context.Context) {
ctx.Redirect(setting.AppSubURL + "/user/settings/security")
return
}
- if err != nil && !login.IsErrTwoFactorNotEnrolled(err) {
+ if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) {
ctx.ServerError("SettingsTwoFactor: GetTwoFactorByUID", err)
return
}
@@ -172,14 +172,14 @@ func EnrollTwoFactorPost(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("settings")
ctx.Data["PageIsSettingsSecurity"] = true
- t, err := login.GetTwoFactorByUID(ctx.User.ID)
+ t, err := auth.GetTwoFactorByUID(ctx.User.ID)
if t != nil {
// already enrolled
ctx.Flash.Error(ctx.Tr("settings.twofa_is_enrolled"))
ctx.Redirect(setting.AppSubURL + "/user/settings/security")
return
}
- if err != nil && !login.IsErrTwoFactorNotEnrolled(err) {
+ if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) {
ctx.ServerError("SettingsTwoFactor: Failed to check if already enrolled with GetTwoFactorByUID", err)
return
}
@@ -209,7 +209,7 @@ func EnrollTwoFactorPost(ctx *context.Context) {
return
}
- t = &login.TwoFactor{
+ t = &auth.TwoFactor{
UID: ctx.User.ID,
}
err = t.SetSecret(secret)
@@ -238,7 +238,7 @@ func EnrollTwoFactorPost(ctx *context.Context) {
log.Error("Unable to save changes to the session: %v", err)
}
- if err = login.NewTwoFactor(t); err != nil {
+ if err = auth.NewTwoFactor(t); err != nil {
// FIXME: We need to handle a unique constraint fail here it's entirely possible that another request has beaten us.
// If there is a unique constraint fail we should just tolerate the error
ctx.ServerError("SettingsTwoFactor: Failed to save two factor", err)
diff --git a/routers/web/user/setting/security_openid.go b/routers/web/user/setting/security/openid.go
index 9cdda79b92..1a15a2414c 100644
--- a/routers/web/user/setting/security_openid.go
+++ b/routers/web/user/setting/security/openid.go
@@ -2,7 +2,7 @@
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
-package setting
+package security
import (
"net/http"
diff --git a/routers/web/user/setting/security.go b/routers/web/user/setting/security/security.go
index d34de519b7..0ca6503f05 100644
--- a/routers/web/user/setting/security.go
+++ b/routers/web/user/setting/security/security.go
@@ -3,13 +3,13 @@
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
-package setting
+package security
import (
"net/http"
"code.gitea.io/gitea/models"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/context"
@@ -17,8 +17,8 @@ import (
)
const (
- tplSettingsSecurity base.TplName = "user/settings/security"
- tplSettingsTwofaEnroll base.TplName = "user/settings/twofa_enroll"
+ tplSettingsSecurity base.TplName = "user/settings/security/security"
+ tplSettingsTwofaEnroll base.TplName = "user/settings/security/twofa_enroll"
)
// Security render change user's password page and 2FA
@@ -56,14 +56,14 @@ func DeleteAccountLink(ctx *context.Context) {
}
func loadSecurityData(ctx *context.Context) {
- enrolled, err := login.HasTwoFactorByUID(ctx.User.ID)
+ enrolled, err := auth.HasTwoFactorByUID(ctx.User.ID)
if err != nil {
ctx.ServerError("SettingsTwoFactor", err)
return
}
ctx.Data["TOTPEnrolled"] = enrolled
- ctx.Data["U2FRegistrations"], err = login.GetU2FRegistrationsByUID(ctx.User.ID)
+ ctx.Data["U2FRegistrations"], err = auth.GetU2FRegistrationsByUID(ctx.User.ID)
if err != nil {
ctx.ServerError("GetU2FRegistrationsByUID", err)
return
@@ -82,10 +82,10 @@ func loadSecurityData(ctx *context.Context) {
return
}
- // map the provider display name with the LoginSource
- sources := make(map[*login.Source]string)
+ // map the provider display name with the AuthSource
+ sources := make(map[*auth.Source]string)
for _, externalAccount := range accountLinks {
- if loginSource, err := login.GetSourceByID(externalAccount.LoginSourceID); err == nil {
+ if authSource, err := auth.GetSourceByID(externalAccount.LoginSourceID); err == nil {
var providerDisplayName string
type DisplayNamed interface {
@@ -96,14 +96,14 @@ func loadSecurityData(ctx *context.Context) {
Name() string
}
- if displayNamed, ok := loginSource.Cfg.(DisplayNamed); ok {
+ if displayNamed, ok := authSource.Cfg.(DisplayNamed); ok {
providerDisplayName = displayNamed.DisplayName()
- } else if named, ok := loginSource.Cfg.(Named); ok {
+ } else if named, ok := authSource.Cfg.(Named); ok {
providerDisplayName = named.Name()
} else {
- providerDisplayName = loginSource.Name
+ providerDisplayName = authSource.Name
}
- sources[loginSource] = providerDisplayName
+ sources[authSource] = providerDisplayName
}
}
ctx.Data["AccountLinks"] = sources
diff --git a/routers/web/user/setting/security_u2f.go b/routers/web/user/setting/security/u2f.go
index d1d6d1e8ca..dd35a893f4 100644
--- a/routers/web/user/setting/security_u2f.go
+++ b/routers/web/user/setting/security/u2f.go
@@ -2,13 +2,13 @@
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
-package setting
+package security
import (
"errors"
"net/http"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
@@ -34,7 +34,7 @@ func U2FRegister(ctx *context.Context) {
ctx.ServerError("Unable to set session key for u2fChallenge", err)
return
}
- regs, err := login.GetU2FRegistrationsByUID(ctx.User.ID)
+ regs, err := auth.GetU2FRegistrationsByUID(ctx.User.ID)
if err != nil {
ctx.ServerError("GetU2FRegistrationsByUID", err)
return
@@ -78,7 +78,7 @@ func U2FRegisterPost(ctx *context.Context) {
ctx.ServerError("u2f.Register", err)
return
}
- if _, err = login.CreateRegistration(ctx.User.ID, name, reg); err != nil {
+ if _, err = auth.CreateRegistration(ctx.User.ID, name, reg); err != nil {
ctx.ServerError("u2f.Register", err)
return
}
@@ -88,9 +88,9 @@ func U2FRegisterPost(ctx *context.Context) {
// U2FDelete deletes an security key by id
func U2FDelete(ctx *context.Context) {
form := web.GetForm(ctx).(*forms.U2FDeleteForm)
- reg, err := login.GetU2FRegistrationByID(form.ID)
+ reg, err := auth.GetU2FRegistrationByID(form.ID)
if err != nil {
- if login.IsErrU2FRegistrationNotExist(err) {
+ if auth.IsErrU2FRegistrationNotExist(err) {
ctx.Status(200)
return
}
@@ -101,7 +101,7 @@ func U2FDelete(ctx *context.Context) {
ctx.Status(401)
return
}
- if err := login.DeleteRegistration(reg); err != nil {
+ if err := auth.DeleteRegistration(reg); err != nil {
ctx.ServerError("DeleteRegistration", err)
return
}
diff --git a/routers/web/web.go b/routers/web/web.go
index 486255096d..3589ec9bd6 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -24,14 +24,16 @@ import (
"code.gitea.io/gitea/modules/web"
"code.gitea.io/gitea/routers/api/v1/misc"
"code.gitea.io/gitea/routers/web/admin"
+ "code.gitea.io/gitea/routers/web/auth"
"code.gitea.io/gitea/routers/web/dev"
"code.gitea.io/gitea/routers/web/events"
"code.gitea.io/gitea/routers/web/explore"
"code.gitea.io/gitea/routers/web/org"
"code.gitea.io/gitea/routers/web/repo"
"code.gitea.io/gitea/routers/web/user"
- userSetting "code.gitea.io/gitea/routers/web/user/setting"
- "code.gitea.io/gitea/services/auth"
+ user_setting "code.gitea.io/gitea/routers/web/user/setting"
+ "code.gitea.io/gitea/routers/web/user/setting/security"
+ auth_service "code.gitea.io/gitea/services/auth"
"code.gitea.io/gitea/services/forms"
"code.gitea.io/gitea/services/lfs"
"code.gitea.io/gitea/services/mailer"
@@ -154,7 +156,7 @@ func Routes(sessioner func(http.Handler) http.Handler) *web.Route {
common = append(common, context.Contexter())
// Get user from session if logged in.
- common = append(common, context.Auth(auth.NewGroup(auth.Methods()...)))
+ common = append(common, context.Auth(auth_service.NewGroup(auth_service.Methods()...)))
// GetHead allows a HEAD request redirect to GET if HEAD method is not defined for that route
common = append(common, middleware.GetHead)
@@ -233,7 +235,7 @@ func RegisterRoutes(m *web.Route) {
// for health check
m.Get("/", Home)
m.Group("/.well-known", func() {
- m.Get("/openid-configuration", user.OIDCWellKnown)
+ m.Get("/openid-configuration", auth.OIDCWellKnown)
if setting.Federation.Enabled {
m.Get("/nodeinfo", NodeInfoLinks)
}
@@ -257,42 +259,42 @@ func RegisterRoutes(m *web.Route) {
// ***** START: User *****
m.Group("/user", func() {
- m.Get("/login", user.SignIn)
- m.Post("/login", bindIgnErr(forms.SignInForm{}), user.SignInPost)
+ m.Get("/login", auth.SignIn)
+ m.Post("/login", bindIgnErr(forms.SignInForm{}), auth.SignInPost)
m.Group("", func() {
m.Combo("/login/openid").
- Get(user.SignInOpenID).
- Post(bindIgnErr(forms.SignInOpenIDForm{}), user.SignInOpenIDPost)
+ Get(auth.SignInOpenID).
+ Post(bindIgnErr(forms.SignInOpenIDForm{}), auth.SignInOpenIDPost)
}, openIDSignInEnabled)
m.Group("/openid", func() {
m.Combo("/connect").
- Get(user.ConnectOpenID).
- Post(bindIgnErr(forms.ConnectOpenIDForm{}), user.ConnectOpenIDPost)
+ Get(auth.ConnectOpenID).
+ Post(bindIgnErr(forms.ConnectOpenIDForm{}), auth.ConnectOpenIDPost)
m.Group("/register", func() {
m.Combo("").
- Get(user.RegisterOpenID, openIDSignUpEnabled).
- Post(bindIgnErr(forms.SignUpOpenIDForm{}), user.RegisterOpenIDPost)
+ Get(auth.RegisterOpenID, openIDSignUpEnabled).
+ Post(bindIgnErr(forms.SignUpOpenIDForm{}), auth.RegisterOpenIDPost)
}, openIDSignUpEnabled)
}, openIDSignInEnabled)
- m.Get("/sign_up", user.SignUp)
- m.Post("/sign_up", bindIgnErr(forms.RegisterForm{}), user.SignUpPost)
+ m.Get("/sign_up", auth.SignUp)
+ m.Post("/sign_up", bindIgnErr(forms.RegisterForm{}), auth.SignUpPost)
m.Group("/oauth2", func() {
- m.Get("/{provider}", user.SignInOAuth)
- m.Get("/{provider}/callback", user.SignInOAuthCallback)
+ m.Get("/{provider}", auth.SignInOAuth)
+ m.Get("/{provider}/callback", auth.SignInOAuthCallback)
})
- m.Get("/link_account", user.LinkAccount)
- m.Post("/link_account_signin", bindIgnErr(forms.SignInForm{}), user.LinkAccountPostSignIn)
- m.Post("/link_account_signup", bindIgnErr(forms.RegisterForm{}), user.LinkAccountPostRegister)
+ m.Get("/link_account", auth.LinkAccount)
+ m.Post("/link_account_signin", bindIgnErr(forms.SignInForm{}), auth.LinkAccountPostSignIn)
+ m.Post("/link_account_signup", bindIgnErr(forms.RegisterForm{}), auth.LinkAccountPostRegister)
m.Group("/two_factor", func() {
- m.Get("", user.TwoFactor)
- m.Post("", bindIgnErr(forms.TwoFactorAuthForm{}), user.TwoFactorPost)
- m.Get("/scratch", user.TwoFactorScratch)
- m.Post("/scratch", bindIgnErr(forms.TwoFactorScratchAuthForm{}), user.TwoFactorScratchPost)
+ m.Get("", auth.TwoFactor)
+ m.Post("", bindIgnErr(forms.TwoFactorAuthForm{}), auth.TwoFactorPost)
+ m.Get("/scratch", auth.TwoFactorScratch)
+ m.Post("/scratch", bindIgnErr(forms.TwoFactorScratchAuthForm{}), auth.TwoFactorScratchPost)
})
m.Group("/u2f", func() {
- m.Get("", user.U2F)
- m.Get("/challenge", user.U2FChallenge)
- m.Post("/sign", bindIgnErr(u2f.SignResponse{}), user.U2FSign)
+ m.Get("", auth.U2F)
+ m.Get("/challenge", auth.U2FChallenge)
+ m.Post("/sign", bindIgnErr(u2f.SignResponse{}), auth.U2FSign)
})
}, reqSignOut)
@@ -300,71 +302,71 @@ func RegisterRoutes(m *web.Route) {
m.Any("/user/events", events.Events)
m.Group("/login/oauth", func() {
- m.Get("/authorize", bindIgnErr(forms.AuthorizationForm{}), user.AuthorizeOAuth)
- m.Post("/grant", bindIgnErr(forms.GrantApplicationForm{}), user.GrantApplicationOAuth)
+ m.Get("/authorize", bindIgnErr(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
+ m.Post("/grant", bindIgnErr(forms.GrantApplicationForm{}), auth.GrantApplicationOAuth)
// TODO manage redirection
- m.Post("/authorize", bindIgnErr(forms.AuthorizationForm{}), user.AuthorizeOAuth)
+ m.Post("/authorize", bindIgnErr(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
}, ignSignInAndCsrf, reqSignIn)
- m.Get("/login/oauth/userinfo", ignSignInAndCsrf, user.InfoOAuth)
- m.Post("/login/oauth/access_token", CorsHandler(), bindIgnErr(forms.AccessTokenForm{}), ignSignInAndCsrf, user.AccessTokenOAuth)
- m.Get("/login/oauth/keys", ignSignInAndCsrf, user.OIDCKeys)
- m.Post("/login/oauth/introspect", CorsHandler(), bindIgnErr(forms.IntrospectTokenForm{}), ignSignInAndCsrf, user.IntrospectOAuth)
+ m.Get("/login/oauth/userinfo", ignSignInAndCsrf, auth.InfoOAuth)
+ m.Post("/login/oauth/access_token", CorsHandler(), bindIgnErr(forms.AccessTokenForm{}), ignSignInAndCsrf, auth.AccessTokenOAuth)
+ m.Get("/login/oauth/keys", ignSignInAndCsrf, auth.OIDCKeys)
+ m.Post("/login/oauth/introspect", CorsHandler(), bindIgnErr(forms.IntrospectTokenForm{}), ignSignInAndCsrf, auth.IntrospectOAuth)
m.Group("/user/settings", func() {
- m.Get("", userSetting.Profile)
- m.Post("", bindIgnErr(forms.UpdateProfileForm{}), userSetting.ProfilePost)
- m.Get("/change_password", user.MustChangePassword)
- m.Post("/change_password", bindIgnErr(forms.MustChangePasswordForm{}), user.MustChangePasswordPost)
- m.Post("/avatar", bindIgnErr(forms.AvatarForm{}), userSetting.AvatarPost)
- m.Post("/avatar/delete", userSetting.DeleteAvatar)
+ m.Get("", user_setting.Profile)
+ m.Post("", bindIgnErr(forms.UpdateProfileForm{}), user_setting.ProfilePost)
+ m.Get("/change_password", auth.MustChangePassword)
+ m.Post("/change_password", bindIgnErr(forms.MustChangePasswordForm{}), auth.MustChangePasswordPost)
+ m.Post("/avatar", bindIgnErr(forms.AvatarForm{}), user_setting.AvatarPost)
+ m.Post("/avatar/delete", user_setting.DeleteAvatar)
m.Group("/account", func() {
- m.Combo("").Get(userSetting.Account).Post(bindIgnErr(forms.ChangePasswordForm{}), userSetting.AccountPost)
- m.Post("/email", bindIgnErr(forms.AddEmailForm{}), userSetting.EmailPost)
- m.Post("/email/delete", userSetting.DeleteEmail)
- m.Post("/delete", userSetting.DeleteAccount)
+ m.Combo("").Get(user_setting.Account).Post(bindIgnErr(forms.ChangePasswordForm{}), user_setting.AccountPost)
+ m.Post("/email", bindIgnErr(forms.AddEmailForm{}), user_setting.EmailPost)
+ m.Post("/email/delete", user_setting.DeleteEmail)
+ m.Post("/delete", user_setting.DeleteAccount)
})
m.Group("/appearance", func() {
- m.Get("", userSetting.Appearance)
- m.Post("/language", bindIgnErr(forms.UpdateLanguageForm{}), userSetting.UpdateUserLang)
- m.Post("/theme", bindIgnErr(forms.UpdateThemeForm{}), userSetting.UpdateUIThemePost)
+ m.Get("", user_setting.Appearance)
+ m.Post("/language", bindIgnErr(forms.UpdateLanguageForm{}), user_setting.UpdateUserLang)
+ m.Post("/theme", bindIgnErr(forms.UpdateThemeForm{}), user_setting.UpdateUIThemePost)
})
m.Group("/security", func() {
- m.Get("", userSetting.Security)
+ m.Get("", security.Security)
m.Group("/two_factor", func() {
- m.Post("/regenerate_scratch", userSetting.RegenerateScratchTwoFactor)
- m.Post("/disable", userSetting.DisableTwoFactor)
- m.Get("/enroll", userSetting.EnrollTwoFactor)
- m.Post("/enroll", bindIgnErr(forms.TwoFactorAuthForm{}), userSetting.EnrollTwoFactorPost)
+ m.Post("/regenerate_scratch", security.RegenerateScratchTwoFactor)
+ m.Post("/disable", security.DisableTwoFactor)
+ m.Get("/enroll", security.EnrollTwoFactor)
+ m.Post("/enroll", bindIgnErr(forms.TwoFactorAuthForm{}), security.EnrollTwoFactorPost)
})
m.Group("/u2f", func() {
- m.Post("/request_register", bindIgnErr(forms.U2FRegistrationForm{}), userSetting.U2FRegister)
- m.Post("/register", bindIgnErr(u2f.RegisterResponse{}), userSetting.U2FRegisterPost)
- m.Post("/delete", bindIgnErr(forms.U2FDeleteForm{}), userSetting.U2FDelete)
+ m.Post("/request_register", bindIgnErr(forms.U2FRegistrationForm{}), security.U2FRegister)
+ m.Post("/register", bindIgnErr(u2f.RegisterResponse{}), security.U2FRegisterPost)
+ m.Post("/delete", bindIgnErr(forms.U2FDeleteForm{}), security.U2FDelete)
})
m.Group("/openid", func() {
- m.Post("", bindIgnErr(forms.AddOpenIDForm{}), userSetting.OpenIDPost)
- m.Post("/delete", userSetting.DeleteOpenID)
- m.Post("/toggle_visibility", userSetting.ToggleOpenIDVisibility)
+ m.Post("", bindIgnErr(forms.AddOpenIDForm{}), security.OpenIDPost)
+ m.Post("/delete", security.DeleteOpenID)
+ m.Post("/toggle_visibility", security.ToggleOpenIDVisibility)
}, openIDSignInEnabled)
- m.Post("/account_link", userSetting.DeleteAccountLink)
+ m.Post("/account_link", security.DeleteAccountLink)
})
m.Group("/applications/oauth2", func() {
- m.Get("/{id}", userSetting.OAuth2ApplicationShow)
- m.Post("/{id}", bindIgnErr(forms.EditOAuth2ApplicationForm{}), userSetting.OAuthApplicationsEdit)
- m.Post("/{id}/regenerate_secret", userSetting.OAuthApplicationsRegenerateSecret)
- m.Post("", bindIgnErr(forms.EditOAuth2ApplicationForm{}), userSetting.OAuthApplicationsPost)
- m.Post("/delete", userSetting.DeleteOAuth2Application)
- m.Post("/revoke", userSetting.RevokeOAuth2Grant)
+ m.Get("/{id}", user_setting.OAuth2ApplicationShow)
+ m.Post("/{id}", bindIgnErr(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsEdit)
+ m.Post("/{id}/regenerate_secret", user_setting.OAuthApplicationsRegenerateSecret)
+ m.Post("", bindIgnErr(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsPost)
+ m.Post("/delete", user_setting.DeleteOAuth2Application)
+ m.Post("/revoke", user_setting.RevokeOAuth2Grant)
})
- m.Combo("/applications").Get(userSetting.Applications).
- Post(bindIgnErr(forms.NewAccessTokenForm{}), userSetting.ApplicationsPost)
- m.Post("/applications/delete", userSetting.DeleteApplication)
- m.Combo("/keys").Get(userSetting.Keys).
- Post(bindIgnErr(forms.AddKeyForm{}), userSetting.KeysPost)
- m.Post("/keys/delete", userSetting.DeleteKey)
- m.Get("/organization", userSetting.Organization)
- m.Get("/repos", userSetting.Repos)
- m.Post("/repos/unadopted", userSetting.AdoptOrDeleteRepository)
+ m.Combo("/applications").Get(user_setting.Applications).
+ Post(bindIgnErr(forms.NewAccessTokenForm{}), user_setting.ApplicationsPost)
+ m.Post("/applications/delete", user_setting.DeleteApplication)
+ m.Combo("/keys").Get(user_setting.Keys).
+ Post(bindIgnErr(forms.AddKeyForm{}), user_setting.KeysPost)
+ m.Post("/keys/delete", user_setting.DeleteKey)
+ m.Get("/organization", user_setting.Organization)
+ m.Get("/repos", user_setting.Repos)
+ m.Post("/repos/unadopted", user_setting.AdoptOrDeleteRepository)
}, reqSignIn, func(ctx *context.Context) {
ctx.Data["PageIsUserSettings"] = true
ctx.Data["AllThemes"] = setting.UI.Themes
@@ -372,15 +374,15 @@ func RegisterRoutes(m *web.Route) {
m.Group("/user", func() {
// r.Get("/feeds", binding.Bind(auth.FeedsForm{}), user.Feeds)
- m.Get("/activate", user.Activate, reqSignIn)
- m.Post("/activate", user.ActivatePost, reqSignIn)
- m.Any("/activate_email", user.ActivateEmail)
+ m.Get("/activate", auth.Activate, reqSignIn)
+ m.Post("/activate", auth.ActivatePost, reqSignIn)
+ m.Any("/activate_email", auth.ActivateEmail)
m.Get("/avatar/{username}/{size}", user.AvatarByUserName)
- m.Get("/recover_account", user.ResetPasswd)
- m.Post("/recover_account", user.ResetPasswdPost)
- m.Get("/forgot_password", user.ForgotPasswd)
- m.Post("/forgot_password", user.ForgotPasswdPost)
- m.Post("/logout", user.SignOut)
+ m.Get("/recover_account", auth.ResetPasswd)
+ m.Post("/recover_account", auth.ResetPasswdPost)
+ m.Get("/forgot_password", auth.ForgotPasswd)
+ m.Post("/forgot_password", auth.ForgotPasswdPost)
+ m.Post("/logout", auth.SignOut)
m.Get("/task/{task}", user.TaskStatus)
})
// ***** END: User *****
diff --git a/services/asymkey/sign.go b/services/asymkey/sign.go
index 4ccc581803..79c5db18a6 100644
--- a/services/asymkey/sign.go
+++ b/services/asymkey/sign.go
@@ -10,8 +10,8 @@ import (
"code.gitea.io/gitea/models"
asymkey_model "code.gitea.io/gitea/models/asymkey"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/login"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/git"
"code.gitea.io/gitea/modules/log"
@@ -150,8 +150,8 @@ Loop:
return false, "", nil, &ErrWontSign{pubkey}
}
case twofa:
- twofaModel, err := login.GetTwoFactorByUID(u.ID)
- if err != nil && !login.IsErrTwoFactorNotEnrolled(err) {
+ twofaModel, err := auth.GetTwoFactorByUID(u.ID)
+ if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) {
return false, "", nil, err
}
if twofaModel == nil {
@@ -186,8 +186,8 @@ Loop:
return false, "", nil, &ErrWontSign{pubkey}
}
case twofa:
- twofaModel, err := login.GetTwoFactorByUID(u.ID)
- if err != nil && !login.IsErrTwoFactorNotEnrolled(err) {
+ twofaModel, err := auth.GetTwoFactorByUID(u.ID)
+ if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) {
return false, "", nil, err
}
if twofaModel == nil {
@@ -239,8 +239,8 @@ Loop:
return false, "", nil, &ErrWontSign{pubkey}
}
case twofa:
- twofaModel, err := login.GetTwoFactorByUID(u.ID)
- if err != nil && !login.IsErrTwoFactorNotEnrolled(err) {
+ twofaModel, err := auth.GetTwoFactorByUID(u.ID)
+ if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) {
return false, "", nil, err
}
if twofaModel == nil {
@@ -301,8 +301,8 @@ Loop:
return false, "", nil, &ErrWontSign{pubkey}
}
case twofa:
- twofaModel, err := login.GetTwoFactorByUID(u.ID)
- if err != nil && !login.IsErrTwoFactorNotEnrolled(err) {
+ twofaModel, err := auth.GetTwoFactorByUID(u.ID)
+ if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) {
return false, "", nil, err
}
if twofaModel == nil {
diff --git a/services/asymkey/ssh_key_test.go b/services/asymkey/ssh_key_test.go
index 9de6a4c11b..182371271a 100644
--- a/services/asymkey/ssh_key_test.go
+++ b/services/asymkey/ssh_key_test.go
@@ -8,7 +8,7 @@ import (
"testing"
asymkey_model "code.gitea.io/gitea/models/asymkey"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/unittest"
user_model "code.gitea.io/gitea/models/user"
@@ -19,7 +19,7 @@ func TestAddLdapSSHPublicKeys(t *testing.T) {
assert.NoError(t, unittest.PrepareTestDatabase())
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}).(*user_model.User)
- s := &login.Source{ID: 1}
+ s := &auth.Source{ID: 1}
testCases := []struct {
keyString string
diff --git a/services/auth/oauth2.go b/services/auth/oauth2.go
index 74dc5eaaf6..fae981d800 100644
--- a/services/auth/oauth2.go
+++ b/services/auth/oauth2.go
@@ -11,8 +11,8 @@ import (
"time"
"code.gitea.io/gitea/models"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/login"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/timeutil"
@@ -37,8 +37,8 @@ func CheckOAuthAccessToken(accessToken string) int64 {
log.Trace("oauth2.ParseToken: %v", err)
return 0
}
- var grant *login.OAuth2Grant
- if grant, err = login.GetOAuth2GrantByID(token.GrantID); err != nil || grant == nil {
+ var grant *auth.OAuth2Grant
+ if grant, err = auth.GetOAuth2GrantByID(token.GrantID); err != nil || grant == nil {
return 0
}
if token.Type != oauth2.TypeAccessToken {
diff --git a/services/auth/signin.go b/services/auth/signin.go
index 80be419962..4392e861f9 100644
--- a/services/auth/signin.go
+++ b/services/auth/signin.go
@@ -7,8 +7,8 @@ package auth
import (
"strings"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/login"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/services/auth/source/oauth2"
@@ -21,7 +21,7 @@ import (
)
// UserSignIn validates user name and password.
-func UserSignIn(username, password string) (*user_model.User, *login.Source, error) {
+func UserSignIn(username, password string) (*user_model.User, *auth.Source, error) {
var user *user_model.User
if strings.Contains(username, "@") {
user = &user_model.User{Email: strings.ToLower(strings.TrimSpace(username))}
@@ -50,13 +50,13 @@ func UserSignIn(username, password string) (*user_model.User, *login.Source, err
}
if hasUser {
- source, err := login.GetSourceByID(user.LoginSource)
+ source, err := auth.GetSourceByID(user.LoginSource)
if err != nil {
return nil, nil, err
}
if !source.IsActive {
- return nil, nil, oauth2.ErrLoginSourceNotActived
+ return nil, nil, oauth2.ErrAuthSourceNotActived
}
authenticator, ok := source.Cfg.(PasswordAuthenticator)
@@ -78,7 +78,7 @@ func UserSignIn(username, password string) (*user_model.User, *login.Source, err
return user, source, nil
}
- sources, err := login.AllActiveSources()
+ sources, err := auth.AllActiveSources()
if err != nil {
return nil, nil, err
}
diff --git a/services/auth/login_source.go b/services/auth/source.go
index 47a687f63b..b7108292d5 100644
--- a/services/auth/login_source.go
+++ b/services/auth/source.go
@@ -5,18 +5,18 @@
package auth
import (
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/login"
user_model "code.gitea.io/gitea/models/user"
)
-// DeleteLoginSource deletes a LoginSource record in DB.
-func DeleteLoginSource(source *login.Source) error {
+// DeleteSource deletes a AuthSource record in DB.
+func DeleteSource(source *auth.Source) error {
count, err := db.GetEngine(db.DefaultContext).Count(&user_model.User{LoginSource: source.ID})
if err != nil {
return err
} else if count > 0 {
- return login.ErrSourceInUse{
+ return auth.ErrSourceInUse{
ID: source.ID,
}
}
@@ -25,17 +25,17 @@ func DeleteLoginSource(source *login.Source) error {
if err != nil {
return err
} else if count > 0 {
- return login.ErrSourceInUse{
+ return auth.ErrSourceInUse{
ID: source.ID,
}
}
- if registerableSource, ok := source.Cfg.(login.RegisterableSource); ok {
+ if registerableSource, ok := source.Cfg.(auth.RegisterableSource); ok {
if err := registerableSource.UnregisterSource(); err != nil {
return err
}
}
- _, err = db.GetEngine(db.DefaultContext).ID(source.ID).Delete(new(login.Source))
+ _, err = db.GetEngine(db.DefaultContext).ID(source.ID).Delete(new(auth.Source))
return err
}
diff --git a/services/auth/source/db/assert_interface_test.go b/services/auth/source/db/assert_interface_test.go
index a8b137ec48..f39aaeb1e4 100644
--- a/services/auth/source/db/assert_interface_test.go
+++ b/services/auth/source/db/assert_interface_test.go
@@ -5,7 +5,7 @@
package db_test
import (
- "code.gitea.io/gitea/models/login"
+ auth_model "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/services/auth"
"code.gitea.io/gitea/services/auth/source/db"
)
@@ -15,7 +15,7 @@ import (
type sourceInterface interface {
auth.PasswordAuthenticator
- login.Config
+ auth_model.Config
}
var _ (sourceInterface) = &db.Source{}
diff --git a/services/auth/source/db/source.go b/services/auth/source/db/source.go
index 5ae2107a3b..ecab6d5f35 100644
--- a/services/auth/source/db/source.go
+++ b/services/auth/source/db/source.go
@@ -5,7 +5,7 @@
package db
import (
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
user_model "code.gitea.io/gitea/models/user"
)
@@ -29,6 +29,6 @@ func (source *Source) Authenticate(user *user_model.User, login, password string
}
func init() {
- login.RegisterTypeConfig(login.NoType, &Source{})
- login.RegisterTypeConfig(login.Plain, &Source{})
+ auth.RegisterTypeConfig(auth.NoType, &Source{})
+ auth.RegisterTypeConfig(auth.Plain, &Source{})
}
diff --git a/services/auth/source/ldap/assert_interface_test.go b/services/auth/source/ldap/assert_interface_test.go
index c480119cd3..8fc6903cf3 100644
--- a/services/auth/source/ldap/assert_interface_test.go
+++ b/services/auth/source/ldap/assert_interface_test.go
@@ -5,7 +5,7 @@
package ldap_test
import (
- "code.gitea.io/gitea/models/login"
+ auth_model "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/services/auth"
"code.gitea.io/gitea/services/auth/source/ldap"
)
@@ -17,12 +17,12 @@ type sourceInterface interface {
auth.PasswordAuthenticator
auth.SynchronizableSource
auth.LocalTwoFASkipper
- login.SSHKeyProvider
- login.Config
- login.SkipVerifiable
- login.HasTLSer
- login.UseTLSer
- login.SourceSettable
+ auth_model.SSHKeyProvider
+ auth_model.Config
+ auth_model.SkipVerifiable
+ auth_model.HasTLSer
+ auth_model.UseTLSer
+ auth_model.SourceSettable
}
var _ (sourceInterface) = &ldap.Source{}
diff --git a/services/auth/source/ldap/source.go b/services/auth/source/ldap/source.go
index be4a4b2d62..fc778b0114 100644
--- a/services/auth/source/ldap/source.go
+++ b/services/auth/source/ldap/source.go
@@ -7,7 +7,7 @@ package ldap
import (
"strings"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/json"
"code.gitea.io/gitea/modules/secret"
"code.gitea.io/gitea/modules/setting"
@@ -55,8 +55,8 @@ type Source struct {
UserUID string // User Attribute listed in Group
SkipLocalTwoFA bool `json:",omitempty"` // Skip Local 2fa for users authenticated with this source
- // reference to the loginSource
- loginSource *login.Source
+ // reference to the authSource
+ authSource *auth.Source
}
// FromDB fills up a LDAPConfig from serialized format.
@@ -109,12 +109,12 @@ func (source *Source) ProvidesSSHKeys() bool {
return len(strings.TrimSpace(source.AttributeSSHPublicKey)) > 0
}
-// SetLoginSource sets the related LoginSource
-func (source *Source) SetLoginSource(loginSource *login.Source) {
- source.loginSource = loginSource
+// SetAuthSource sets the related AuthSource
+func (source *Source) SetAuthSource(authSource *auth.Source) {
+ source.authSource = authSource
}
func init() {
- login.RegisterTypeConfig(login.LDAP, &Source{})
- login.RegisterTypeConfig(login.DLDAP, &Source{})
+ auth.RegisterTypeConfig(auth.LDAP, &Source{})
+ auth.RegisterTypeConfig(auth.DLDAP, &Source{})
}
diff --git a/services/auth/source/ldap/source_authenticate.go b/services/auth/source/ldap/source_authenticate.go
index 9938525c0e..52971bb87e 100644
--- a/services/auth/source/ldap/source_authenticate.go
+++ b/services/auth/source/ldap/source_authenticate.go
@@ -9,8 +9,8 @@ import (
"strings"
asymkey_model "code.gitea.io/gitea/models/asymkey"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/login"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/services/mailer"
user_service "code.gitea.io/gitea/services/user"
@@ -19,7 +19,7 @@ import (
// Authenticate queries if login/password is valid against the LDAP directory pool,
// and create a local user if success when enabled.
func (source *Source) Authenticate(user *user_model.User, userName, password string) (*user_model.User, error) {
- sr := source.SearchEntry(userName, password, source.loginSource.Type == login.DLDAP)
+ sr := source.SearchEntry(userName, password, source.authSource.Type == auth.DLDAP)
if sr == nil {
// User not in LDAP, do nothing
return nil, user_model.ErrUserNotExist{Name: userName}
@@ -59,7 +59,7 @@ func (source *Source) Authenticate(user *user_model.User, userName, password str
}
if user != nil {
- if isAttributeSSHPublicKeySet && asymkey_model.SynchronizePublicKeys(user, source.loginSource, sr.SSHPublicKey) {
+ if isAttributeSSHPublicKeySet && asymkey_model.SynchronizePublicKeys(user, source.authSource, sr.SSHPublicKey) {
return user, asymkey_model.RewriteAllPublicKeys()
}
@@ -80,8 +80,8 @@ func (source *Source) Authenticate(user *user_model.User, userName, password str
Name: sr.Username,
FullName: composeFullName(sr.Name, sr.Surname, sr.Username),
Email: sr.Mail,
- LoginType: source.loginSource.Type,
- LoginSource: source.loginSource.ID,
+ LoginType: source.authSource.Type,
+ LoginSource: source.authSource.ID,
LoginName: userName,
IsActive: true,
IsAdmin: sr.IsAdmin,
@@ -95,7 +95,7 @@ func (source *Source) Authenticate(user *user_model.User, userName, password str
mailer.SendRegisterNotifyMail(user)
- if isAttributeSSHPublicKeySet && asymkey_model.AddPublicKeysBySource(user, source.loginSource, sr.SSHPublicKey) {
+ if isAttributeSSHPublicKeySet && asymkey_model.AddPublicKeysBySource(user, source.authSource, sr.SSHPublicKey) {
err = asymkey_model.RewriteAllPublicKeys()
}
diff --git a/services/auth/source/ldap/source_sync.go b/services/auth/source/ldap/source_sync.go
index fb15b2f046..78aa90aaa5 100644
--- a/services/auth/source/ldap/source_sync.go
+++ b/services/auth/source/ldap/source_sync.go
@@ -19,22 +19,22 @@ import (
// Sync causes this ldap source to synchronize its users with the db
func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
- log.Trace("Doing: SyncExternalUsers[%s]", source.loginSource.Name)
+ log.Trace("Doing: SyncExternalUsers[%s]", source.authSource.Name)
var existingUsers []int
isAttributeSSHPublicKeySet := len(strings.TrimSpace(source.AttributeSSHPublicKey)) > 0
var sshKeysNeedUpdate bool
// Find all users with this login type - FIXME: Should this be an iterator?
- users, err := user_model.GetUsersBySource(source.loginSource)
+ users, err := user_model.GetUsersBySource(source.authSource)
if err != nil {
log.Error("SyncExternalUsers: %v", err)
return err
}
select {
case <-ctx.Done():
- log.Warn("SyncExternalUsers: Cancelled before update of %s", source.loginSource.Name)
- return db.ErrCancelledf("Before update of %s", source.loginSource.Name)
+ log.Warn("SyncExternalUsers: Cancelled before update of %s", source.authSource.Name)
+ return db.ErrCancelledf("Before update of %s", source.authSource.Name)
default:
}
@@ -44,7 +44,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
sr, err := source.SearchEntries()
if err != nil {
- log.Error("SyncExternalUsers LDAP source failure [%s], skipped", source.loginSource.Name)
+ log.Error("SyncExternalUsers LDAP source failure [%s], skipped", source.authSource.Name)
return nil
}
@@ -65,7 +65,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
for _, su := range sr {
select {
case <-ctx.Done():
- log.Warn("SyncExternalUsers: Cancelled at update of %s before completed update of users", source.loginSource.Name)
+ log.Warn("SyncExternalUsers: Cancelled at update of %s before completed update of users", source.authSource.Name)
// Rewrite authorized_keys file if LDAP Public SSH Key attribute is set and any key was added or removed
if sshKeysNeedUpdate {
err = asymkey_model.RewriteAllPublicKeys()
@@ -73,7 +73,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
log.Error("RewriteAllPublicKeys: %v", err)
}
}
- return db.ErrCancelledf("During update of %s before completed update of users", source.loginSource.Name)
+ return db.ErrCancelledf("During update of %s before completed update of users", source.authSource.Name)
default:
}
if len(su.Username) == 0 {
@@ -96,14 +96,14 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
fullName := composeFullName(su.Name, su.Surname, su.Username)
// If no existing user found, create one
if usr == nil {
- log.Trace("SyncExternalUsers[%s]: Creating user %s", source.loginSource.Name, su.Username)
+ log.Trace("SyncExternalUsers[%s]: Creating user %s", source.authSource.Name, su.Username)
usr = &user_model.User{
LowerName: su.LowerName,
Name: su.Username,
FullName: fullName,
- LoginType: source.loginSource.Type,
- LoginSource: source.loginSource.ID,
+ LoginType: source.authSource.Type,
+ LoginSource: source.authSource.ID,
LoginName: su.Username,
Email: su.Mail,
IsAdmin: su.IsAdmin,
@@ -114,12 +114,12 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
err = user_model.CreateUser(usr)
if err != nil {
- log.Error("SyncExternalUsers[%s]: Error creating user %s: %v", source.loginSource.Name, su.Username, err)
+ log.Error("SyncExternalUsers[%s]: Error creating user %s: %v", source.authSource.Name, su.Username, err)
}
if err == nil && isAttributeSSHPublicKeySet {
- log.Trace("SyncExternalUsers[%s]: Adding LDAP Public SSH Keys for user %s", source.loginSource.Name, usr.Name)
- if asymkey_model.AddPublicKeysBySource(usr, source.loginSource, su.SSHPublicKey) {
+ log.Trace("SyncExternalUsers[%s]: Adding LDAP Public SSH Keys for user %s", source.authSource.Name, usr.Name)
+ if asymkey_model.AddPublicKeysBySource(usr, source.authSource, su.SSHPublicKey) {
sshKeysNeedUpdate = true
}
}
@@ -129,7 +129,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
}
} else if updateExisting {
// Synchronize SSH Public Key if that attribute is set
- if isAttributeSSHPublicKeySet && asymkey_model.SynchronizePublicKeys(usr, source.loginSource, su.SSHPublicKey) {
+ if isAttributeSSHPublicKeySet && asymkey_model.SynchronizePublicKeys(usr, source.authSource, su.SSHPublicKey) {
sshKeysNeedUpdate = true
}
@@ -140,7 +140,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
usr.FullName != fullName ||
!usr.IsActive {
- log.Trace("SyncExternalUsers[%s]: Updating user %s", source.loginSource.Name, usr.Name)
+ log.Trace("SyncExternalUsers[%s]: Updating user %s", source.authSource.Name, usr.Name)
usr.FullName = fullName
usr.Email = su.Mail
@@ -156,7 +156,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
err = user_model.UpdateUserCols(db.DefaultContext, usr, "full_name", "email", "is_admin", "is_restricted", "is_active")
if err != nil {
- log.Error("SyncExternalUsers[%s]: Error updating user %s: %v", source.loginSource.Name, usr.Name, err)
+ log.Error("SyncExternalUsers[%s]: Error updating user %s: %v", source.authSource.Name, usr.Name, err)
}
}
@@ -179,8 +179,8 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
select {
case <-ctx.Done():
- log.Warn("SyncExternalUsers: Cancelled during update of %s before delete users", source.loginSource.Name)
- return db.ErrCancelledf("During update of %s before delete users", source.loginSource.Name)
+ log.Warn("SyncExternalUsers: Cancelled during update of %s before delete users", source.authSource.Name)
+ return db.ErrCancelledf("During update of %s before delete users", source.authSource.Name)
default:
}
@@ -192,12 +192,12 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
existPos++
}
if usr.IsActive && (existPos >= len(existingUsers) || i < existingUsers[existPos]) {
- log.Trace("SyncExternalUsers[%s]: Deactivating user %s", source.loginSource.Name, usr.Name)
+ log.Trace("SyncExternalUsers[%s]: Deactivating user %s", source.authSource.Name, usr.Name)
usr.IsActive = false
err = user_model.UpdateUserCols(db.DefaultContext, usr, "is_active")
if err != nil {
- log.Error("SyncExternalUsers[%s]: Error deactivating user %s: %v", source.loginSource.Name, usr.Name, err)
+ log.Error("SyncExternalUsers[%s]: Error deactivating user %s: %v", source.authSource.Name, usr.Name, err)
}
}
}
diff --git a/services/auth/source/oauth2/assert_interface_test.go b/services/auth/source/oauth2/assert_interface_test.go
index 0a1986a3b2..0ec7361ca8 100644
--- a/services/auth/source/oauth2/assert_interface_test.go
+++ b/services/auth/source/oauth2/assert_interface_test.go
@@ -5,7 +5,7 @@
package oauth2_test
import (
- "code.gitea.io/gitea/models/login"
+ auth_model "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/services/auth"
"code.gitea.io/gitea/services/auth/source/oauth2"
)
@@ -14,9 +14,9 @@ import (
// It tightly binds the interfaces and implementation without breaking go import cycles
type sourceInterface interface {
- login.Config
- login.SourceSettable
- login.RegisterableSource
+ auth_model.Config
+ auth_model.SourceSettable
+ auth_model.RegisterableSource
auth.PasswordAuthenticator
}
diff --git a/services/auth/source/oauth2/init.go b/services/auth/source/oauth2/init.go
index edbbb8969e..e4eedd34cb 100644
--- a/services/auth/source/oauth2/init.go
+++ b/services/auth/source/oauth2/init.go
@@ -9,7 +9,7 @@ import (
"net/http"
"sync"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
@@ -52,19 +52,19 @@ func Init() error {
// Unlock our mutex
gothRWMutex.Unlock()
- return initOAuth2LoginSources()
+ return initOAuth2Sources()
}
// ResetOAuth2 clears existing OAuth2 providers and loads them from DB
func ResetOAuth2() error {
ClearProviders()
- return initOAuth2LoginSources()
+ return initOAuth2Sources()
}
-// initOAuth2LoginSources is used to load and register all active OAuth2 providers
-func initOAuth2LoginSources() error {
- loginSources, _ := login.GetActiveOAuth2ProviderLoginSources()
- for _, source := range loginSources {
+// initOAuth2Sources is used to load and register all active OAuth2 providers
+func initOAuth2Sources() error {
+ authSources, _ := auth.GetActiveOAuth2ProviderSources()
+ for _, source := range authSources {
oauth2Source, ok := source.Cfg.(*Source)
if !ok {
continue
diff --git a/services/auth/source/oauth2/providers.go b/services/auth/source/oauth2/providers.go
index 18879e917b..065c6884e0 100644
--- a/services/auth/source/oauth2/providers.go
+++ b/services/auth/source/oauth2/providers.go
@@ -9,7 +9,7 @@ import (
"net/url"
"sort"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
@@ -55,7 +55,7 @@ func NewImagedProvider(image string, provider GothProvider) *ImagedProvider {
}
// Providers contains the map of registered OAuth2 providers in Gitea (based on goth)
-// key is used to map the OAuth2Provider with the goth provider type (also in LoginSource.OAuth2Config.Provider)
+// key is used to map the OAuth2Provider with the goth provider type (also in AuthSource.OAuth2Config.Provider)
// value is used to store display data
var gothProviders = map[string]GothProvider{}
@@ -88,14 +88,14 @@ func GetOAuth2Providers() []Provider {
func GetActiveOAuth2Providers() ([]string, map[string]Provider, error) {
// Maybe also separate used and unused providers so we can force the registration of only 1 active provider for each type
- loginSources, err := login.GetActiveOAuth2ProviderLoginSources()
+ authSources, err := auth.GetActiveOAuth2ProviderSources()
if err != nil {
return nil, nil, err
}
var orderedKeys []string
providers := make(map[string]Provider)
- for _, source := range loginSources {
+ for _, source := range authSources {
prov := gothProviders[source.Cfg.(*Source).Provider]
if source.Cfg.(*Source).IconURL != "" {
prov = &ImagedProvider{prov, source.Cfg.(*Source).IconURL}
@@ -140,8 +140,8 @@ func ClearProviders() {
}
var (
- // ErrLoginSourceNotActived login source is not actived error
- ErrLoginSourceNotActived = errors.New("Login source is not actived")
+ // ErrAuthSourceNotActived login source is not actived error
+ ErrAuthSourceNotActived = errors.New("auth source is not actived")
)
// used to create different types of goth providers
@@ -153,7 +153,7 @@ func createProvider(providerName string, source *Source) (goth.Provider, error)
p, ok := gothProviders[source.Provider]
if !ok {
- return nil, ErrLoginSourceNotActived
+ return nil, ErrAuthSourceNotActived
}
provider, err = p.CreateGothProvider(providerName, callbackURL, source)
diff --git a/services/auth/source/oauth2/source.go b/services/auth/source/oauth2/source.go
index 68ff08d1ee..457686ba1f 100644
--- a/services/auth/source/oauth2/source.go
+++ b/services/auth/source/oauth2/source.go
@@ -5,7 +5,7 @@
package oauth2
import (
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/json"
)
@@ -33,8 +33,8 @@ type Source struct {
RestrictedGroup string
SkipLocalTwoFA bool `json:",omitempty"`
- // reference to the loginSource
- loginSource *login.Source
+ // reference to the authSource
+ authSource *auth.Source
}
// FromDB fills up an OAuth2Config from serialized format.
@@ -47,11 +47,11 @@ func (source *Source) ToDB() ([]byte, error) {
return json.Marshal(source)
}
-// SetLoginSource sets the related LoginSource
-func (source *Source) SetLoginSource(loginSource *login.Source) {
- source.loginSource = loginSource
+// SetAuthSource sets the related AuthSource
+func (source *Source) SetAuthSource(authSource *auth.Source) {
+ source.authSource = authSource
}
func init() {
- login.RegisterTypeConfig(login.OAuth2, &Source{})
+ auth.RegisterTypeConfig(auth.OAuth2, &Source{})
}
diff --git a/services/auth/source/oauth2/source_callout.go b/services/auth/source/oauth2/source_callout.go
index c0ac7e0410..8596dd187d 100644
--- a/services/auth/source/oauth2/source_callout.go
+++ b/services/auth/source/oauth2/source_callout.go
@@ -14,7 +14,7 @@ import (
// Callout redirects request/response pair to authenticate against the provider
func (source *Source) Callout(request *http.Request, response http.ResponseWriter) error {
// not sure if goth is thread safe (?) when using multiple providers
- request.Header.Set(ProviderHeaderKey, source.loginSource.Name)
+ request.Header.Set(ProviderHeaderKey, source.authSource.Name)
// don't use the default gothic begin handler to prevent issues when some error occurs
// normally the gothic library will write some custom stuff to the response instead of our own nice error page
@@ -34,7 +34,7 @@ func (source *Source) Callout(request *http.Request, response http.ResponseWrite
// this will trigger a new authentication request, but because we save it in the session we can use that
func (source *Source) Callback(request *http.Request, response http.ResponseWriter) (goth.User, error) {
// not sure if goth is thread safe (?) when using multiple providers
- request.Header.Set(ProviderHeaderKey, source.loginSource.Name)
+ request.Header.Set(ProviderHeaderKey, source.authSource.Name)
gothRWMutex.RLock()
defer gothRWMutex.RUnlock()
diff --git a/services/auth/source/oauth2/source_register.go b/services/auth/source/oauth2/source_register.go
index 71ba288bf4..f61de7e1d6 100644
--- a/services/auth/source/oauth2/source_register.go
+++ b/services/auth/source/oauth2/source_register.go
@@ -10,13 +10,13 @@ import (
// RegisterSource causes an OAuth2 configuration to be registered
func (source *Source) RegisterSource() error {
- err := RegisterProviderWithGothic(source.loginSource.Name, source)
- return wrapOpenIDConnectInitializeError(err, source.loginSource.Name, source)
+ err := RegisterProviderWithGothic(source.authSource.Name, source)
+ return wrapOpenIDConnectInitializeError(err, source.authSource.Name, source)
}
// UnregisterSource causes an OAuth2 configuration to be unregistered
func (source *Source) UnregisterSource() error {
- RemoveProviderFromGothic(source.loginSource.Name)
+ RemoveProviderFromGothic(source.authSource.Name)
return nil
}
diff --git a/services/auth/source/pam/assert_interface_test.go b/services/auth/source/pam/assert_interface_test.go
index a151c2f52e..d8754cdf77 100644
--- a/services/auth/source/pam/assert_interface_test.go
+++ b/services/auth/source/pam/assert_interface_test.go
@@ -5,7 +5,7 @@
package pam_test
import (
- "code.gitea.io/gitea/models/login"
+ auth_model "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/services/auth"
"code.gitea.io/gitea/services/auth/source/pam"
)
@@ -15,8 +15,8 @@ import (
type sourceInterface interface {
auth.PasswordAuthenticator
- login.Config
- login.SourceSettable
+ auth_model.Config
+ auth_model.SourceSettable
}
var _ (sourceInterface) = &pam.Source{}
diff --git a/services/auth/source/pam/source.go b/services/auth/source/pam/source.go
index 65ae76138c..957c89dc85 100644
--- a/services/auth/source/pam/source.go
+++ b/services/auth/source/pam/source.go
@@ -5,7 +5,7 @@
package pam
import (
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/json"
)
@@ -22,8 +22,8 @@ type Source struct {
EmailDomain string
SkipLocalTwoFA bool `json:",omitempty"` // Skip Local 2fa for users authenticated with this source
- // reference to the loginSource
- loginSource *login.Source
+ // reference to the authSource
+ authSource *auth.Source
}
// FromDB fills up a PAMConfig from serialized format.
@@ -36,11 +36,11 @@ func (source *Source) ToDB() ([]byte, error) {
return json.Marshal(source)
}
-// SetLoginSource sets the related LoginSource
-func (source *Source) SetLoginSource(loginSource *login.Source) {
- source.loginSource = loginSource
+// SetAuthSource sets the related AuthSource
+func (source *Source) SetAuthSource(authSource *auth.Source) {
+ source.authSource = authSource
}
func init() {
- login.RegisterTypeConfig(login.PAM, &Source{})
+ auth.RegisterTypeConfig(auth.PAM, &Source{})
}
diff --git a/services/auth/source/pam/source_authenticate.go b/services/auth/source/pam/source_authenticate.go
index 8553653ea0..d5bd940996 100644
--- a/services/auth/source/pam/source_authenticate.go
+++ b/services/auth/source/pam/source_authenticate.go
@@ -8,7 +8,7 @@ import (
"fmt"
"strings"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/auth/pam"
"code.gitea.io/gitea/modules/setting"
@@ -55,8 +55,8 @@ func (source *Source) Authenticate(user *user_model.User, userName, password str
Name: username,
Email: email,
Passwd: password,
- LoginType: login.PAM,
- LoginSource: source.loginSource.ID,
+ LoginType: auth.PAM,
+ LoginSource: source.authSource.ID,
LoginName: userName, // This is what the user typed in
IsActive: true,
}
diff --git a/services/auth/source/smtp/assert_interface_test.go b/services/auth/source/smtp/assert_interface_test.go
index d1c982472f..c7fae6431f 100644
--- a/services/auth/source/smtp/assert_interface_test.go
+++ b/services/auth/source/smtp/assert_interface_test.go
@@ -5,7 +5,7 @@
package smtp_test
import (
- "code.gitea.io/gitea/models/login"
+ auth_model "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/services/auth"
"code.gitea.io/gitea/services/auth/source/smtp"
)
@@ -15,11 +15,11 @@ import (
type sourceInterface interface {
auth.PasswordAuthenticator
- login.Config
- login.SkipVerifiable
- login.HasTLSer
- login.UseTLSer
- login.SourceSettable
+ auth_model.Config
+ auth_model.SkipVerifiable
+ auth_model.HasTLSer
+ auth_model.UseTLSer
+ auth_model.SourceSettable
}
var _ (sourceInterface) = &smtp.Source{}
diff --git a/services/auth/source/smtp/source.go b/services/auth/source/smtp/source.go
index 006202e0d5..5e69f912da 100644
--- a/services/auth/source/smtp/source.go
+++ b/services/auth/source/smtp/source.go
@@ -5,7 +5,7 @@
package smtp
import (
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/json"
)
@@ -28,8 +28,8 @@ type Source struct {
DisableHelo bool
SkipLocalTwoFA bool `json:",omitempty"`
- // reference to the loginSource
- loginSource *login.Source
+ // reference to the authSource
+ authSource *auth.Source
}
// FromDB fills up an SMTPConfig from serialized format.
@@ -57,11 +57,11 @@ func (source *Source) UseTLS() bool {
return source.ForceSMTPS || source.Port == 465
}
-// SetLoginSource sets the related LoginSource
-func (source *Source) SetLoginSource(loginSource *login.Source) {
- source.loginSource = loginSource
+// SetAuthSource sets the related AuthSource
+func (source *Source) SetAuthSource(authSource *auth.Source) {
+ source.authSource = authSource
}
func init() {
- login.RegisterTypeConfig(login.SMTP, &Source{})
+ auth.RegisterTypeConfig(auth.SMTP, &Source{})
}
diff --git a/services/auth/source/smtp/source_authenticate.go b/services/auth/source/smtp/source_authenticate.go
index c32d638b54..3be2f1128d 100644
--- a/services/auth/source/smtp/source_authenticate.go
+++ b/services/auth/source/smtp/source_authenticate.go
@@ -10,7 +10,7 @@ import (
"net/textproto"
"strings"
- "code.gitea.io/gitea/models/login"
+ auth_model "code.gitea.io/gitea/models/auth"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/util"
"code.gitea.io/gitea/services/mailer"
@@ -71,8 +71,8 @@ func (source *Source) Authenticate(user *user_model.User, userName, password str
Name: strings.ToLower(username),
Email: userName,
Passwd: password,
- LoginType: login.SMTP,
- LoginSource: source.loginSource.ID,
+ LoginType: auth_model.SMTP,
+ LoginSource: source.authSource.ID,
LoginName: userName,
IsActive: true,
}
diff --git a/services/auth/source/sspi/assert_interface_test.go b/services/auth/source/sspi/assert_interface_test.go
index 1efa69c05b..3344245186 100644
--- a/services/auth/source/sspi/assert_interface_test.go
+++ b/services/auth/source/sspi/assert_interface_test.go
@@ -5,7 +5,7 @@
package sspi_test
import (
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/services/auth/source/sspi"
)
@@ -13,7 +13,7 @@ import (
// It tightly binds the interfaces and implementation without breaking go import cycles
type sourceInterface interface {
- login.Config
+ auth.Config
}
var _ (sourceInterface) = &sspi.Source{}
diff --git a/services/auth/source/sspi/source.go b/services/auth/source/sspi/source.go
index 8d469d481f..e6e63ee1eb 100644
--- a/services/auth/source/sspi/source.go
+++ b/services/auth/source/sspi/source.go
@@ -5,7 +5,7 @@
package sspi
import (
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/json"
)
@@ -36,5 +36,5 @@ func (cfg *Source) ToDB() ([]byte, error) {
}
func init() {
- login.RegisterTypeConfig(login.SSPI, &Source{})
+ auth.RegisterTypeConfig(auth.SSPI, &Source{})
}
diff --git a/services/auth/sspi_windows.go b/services/auth/sspi_windows.go
index 19f2349122..cadf721796 100644
--- a/services/auth/sspi_windows.go
+++ b/services/auth/sspi_windows.go
@@ -9,8 +9,8 @@ import (
"net/http"
"strings"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/avatars"
- "code.gitea.io/gitea/models/login"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/log"
@@ -154,7 +154,7 @@ func (s *SSPI) Verify(req *http.Request, w http.ResponseWriter, store DataStore,
// getConfig retrieves the SSPI configuration from login sources
func (s *SSPI) getConfig() (*sspi.Source, error) {
- sources, err := login.ActiveSources(login.SSPI)
+ sources, err := auth.ActiveSources(auth.SSPI)
if err != nil {
return nil, err
}
@@ -250,7 +250,7 @@ func sanitizeUsername(username string, cfg *sspi.Source) string {
// fails (or if negotiation should continue), which would prevent other authentication methods
// to execute at all.
func specialInit() {
- if login.IsSSPIEnabled() {
+ if auth.IsSSPIEnabled() {
Register(&SSPI{})
}
}
diff --git a/services/auth/sync.go b/services/auth/sync.go
index 494dfc3a38..b7f3232a30 100644
--- a/services/auth/sync.go
+++ b/services/auth/sync.go
@@ -7,8 +7,8 @@ package auth
import (
"context"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/login"
"code.gitea.io/gitea/modules/log"
)
@@ -16,7 +16,7 @@ import (
func SyncExternalUsers(ctx context.Context, updateExisting bool) error {
log.Trace("Doing: SyncExternalUsers")
- ls, err := login.Sources()
+ ls, err := auth.Sources()
if err != nil {
log.Error("SyncExternalUsers: %v", err)
return err
diff --git a/services/externalaccount/user.go b/services/externalaccount/user.go
index 8fd0680a1f..e5cd443770 100644
--- a/services/externalaccount/user.go
+++ b/services/externalaccount/user.go
@@ -8,7 +8,7 @@ import (
"strings"
"code.gitea.io/gitea/models"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/structs"
@@ -16,14 +16,14 @@ import (
)
func toExternalLoginUser(user *user_model.User, gothUser goth.User) (*user_model.ExternalLoginUser, error) {
- loginSource, err := login.GetActiveOAuth2LoginSourceByName(gothUser.Provider)
+ authSource, err := auth.GetActiveOAuth2SourceByName(gothUser.Provider)
if err != nil {
return nil, err
}
return &user_model.ExternalLoginUser{
ExternalID: gothUser.UserID,
UserID: user.ID,
- LoginSourceID: loginSource.ID,
+ LoginSourceID: authSource.ID,
RawData: gothUser.RawData,
Provider: gothUser.Provider,
Email: gothUser.Email,
diff --git a/templates/user/settings/security_accountlinks.tmpl b/templates/user/settings/security/accountlinks.tmpl
index 7a9935d031..7a9935d031 100644
--- a/templates/user/settings/security_accountlinks.tmpl
+++ b/templates/user/settings/security/accountlinks.tmpl
diff --git a/templates/user/settings/security_openid.tmpl b/templates/user/settings/security/openid.tmpl
index 2a167a712b..2a167a712b 100644
--- a/templates/user/settings/security_openid.tmpl
+++ b/templates/user/settings/security/openid.tmpl
diff --git a/templates/user/settings/security.tmpl b/templates/user/settings/security/security.tmpl
index 891f7b9535..6d5f38ab70 100644
--- a/templates/user/settings/security.tmpl
+++ b/templates/user/settings/security/security.tmpl
@@ -3,11 +3,11 @@
{{template "user/settings/navbar" .}}
<div class="ui container">
{{template "base/alert" .}}
- {{template "user/settings/security_twofa" .}}
- {{template "user/settings/security_u2f" .}}
- {{template "user/settings/security_accountlinks" .}}
+ {{template "user/settings/security/twofa" .}}
+ {{template "user/settings/security/u2f" .}}
+ {{template "user/settings/security/accountlinks" .}}
{{if .EnableOpenIDSignIn}}
- {{template "user/settings/security_openid" .}}
+ {{template "user/settings/security/openid" .}}
{{end}}
</div>
</div>
diff --git a/templates/user/settings/security_twofa.tmpl b/templates/user/settings/security/twofa.tmpl
index 3d6804d9c6..3d6804d9c6 100644
--- a/templates/user/settings/security_twofa.tmpl
+++ b/templates/user/settings/security/twofa.tmpl
diff --git a/templates/user/settings/twofa_enroll.tmpl b/templates/user/settings/security/twofa_enroll.tmpl
index c8ed0b7761..c8ed0b7761 100644
--- a/templates/user/settings/twofa_enroll.tmpl
+++ b/templates/user/settings/security/twofa_enroll.tmpl
diff --git a/templates/user/settings/security_u2f.tmpl b/templates/user/settings/security/u2f.tmpl
index 97e76b6da2..97e76b6da2 100644
--- a/templates/user/settings/security_u2f.tmpl
+++ b/templates/user/settings/security/u2f.tmpl