summaryrefslogtreecommitdiffstats
path: root/routers/web/user
diff options
context:
space:
mode:
authorLunny Xiao <xiaolunwen@gmail.com>2022-01-02 21:12:35 +0800
committerGitHub <noreply@github.com>2022-01-02 21:12:35 +0800
commitde8e3948a5e38f7eaf82d3c0cfd10e995bf68e92 (patch)
treebbcb011d264e0d614d49c734856b446360c5a4a3 /routers/web/user
parente61b390d545919244141b699b28e3fbc42adc66f (diff)
downloadgitea-de8e3948a5e38f7eaf82d3c0cfd10e995bf68e92.tar.gz
gitea-de8e3948a5e38f7eaf82d3c0cfd10e995bf68e92.zip
Refactor auth package (#17962)
Diffstat (limited to 'routers/web/user')
-rw-r--r--routers/web/user/auth.go2006
-rw-r--r--routers/web/user/auth_openid.go457
-rw-r--r--routers/web/user/oauth.go752
-rw-r--r--routers/web/user/oauth_test.go76
-rw-r--r--routers/web/user/setting/applications.go6
-rw-r--r--routers/web/user/setting/keys.go1
-rw-r--r--routers/web/user/setting/oauth2.go18
-rw-r--r--routers/web/user/setting/security/2fa.go (renamed from routers/web/user/setting/security_twofa.go)30
-rw-r--r--routers/web/user/setting/security/openid.go (renamed from routers/web/user/setting/security_openid.go)2
-rw-r--r--routers/web/user/setting/security/security.go (renamed from routers/web/user/setting/security.go)26
-rw-r--r--routers/web/user/setting/security/u2f.go (renamed from routers/web/user/setting/security_u2f.go)14
11 files changed, 48 insertions, 3340 deletions
diff --git a/routers/web/user/auth.go b/routers/web/user/auth.go
deleted file mode 100644
index 356a907859..0000000000
--- a/routers/web/user/auth.go
+++ /dev/null
@@ -1,2006 +0,0 @@
-// Copyright 2014 The Gogs Authors. All rights reserved.
-// Copyright 2018 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package user
-
-import (
- "errors"
- "fmt"
- "io"
- "net/http"
- "strings"
-
- "code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/login"
- user_model "code.gitea.io/gitea/models/user"
- "code.gitea.io/gitea/modules/base"
- "code.gitea.io/gitea/modules/context"
- "code.gitea.io/gitea/modules/eventsource"
- "code.gitea.io/gitea/modules/hcaptcha"
- "code.gitea.io/gitea/modules/log"
- "code.gitea.io/gitea/modules/password"
- "code.gitea.io/gitea/modules/recaptcha"
- "code.gitea.io/gitea/modules/session"
- "code.gitea.io/gitea/modules/setting"
- "code.gitea.io/gitea/modules/timeutil"
- "code.gitea.io/gitea/modules/web"
- "code.gitea.io/gitea/modules/web/middleware"
- "code.gitea.io/gitea/routers/utils"
- "code.gitea.io/gitea/services/auth"
- "code.gitea.io/gitea/services/auth/source/oauth2"
- "code.gitea.io/gitea/services/externalaccount"
- "code.gitea.io/gitea/services/forms"
- "code.gitea.io/gitea/services/mailer"
- user_service "code.gitea.io/gitea/services/user"
-
- "github.com/markbates/goth"
- "github.com/tstranex/u2f"
-)
-
-const (
- // tplMustChangePassword template for updating a user's password
- tplMustChangePassword = "user/auth/change_passwd"
- // tplSignIn template for sign in page
- tplSignIn base.TplName = "user/auth/signin"
- // tplSignUp template path for sign up page
- tplSignUp base.TplName = "user/auth/signup"
- // TplActivate template path for activate user
- TplActivate base.TplName = "user/auth/activate"
- tplForgotPassword base.TplName = "user/auth/forgot_passwd"
- tplResetPassword base.TplName = "user/auth/reset_passwd"
- tplTwofa base.TplName = "user/auth/twofa"
- tplTwofaScratch base.TplName = "user/auth/twofa_scratch"
- tplLinkAccount base.TplName = "user/auth/link_account"
- tplU2F base.TplName = "user/auth/u2f"
-)
-
-// AutoSignIn reads cookie and try to auto-login.
-func AutoSignIn(ctx *context.Context) (bool, error) {
- if !db.HasEngine {
- return false, nil
- }
-
- uname := ctx.GetCookie(setting.CookieUserName)
- if len(uname) == 0 {
- return false, nil
- }
-
- isSucceed := false
- defer func() {
- if !isSucceed {
- log.Trace("auto-login cookie cleared: %s", uname)
- ctx.DeleteCookie(setting.CookieUserName)
- ctx.DeleteCookie(setting.CookieRememberName)
- }
- }()
-
- u, err := user_model.GetUserByName(uname)
- if err != nil {
- if !user_model.IsErrUserNotExist(err) {
- return false, fmt.Errorf("GetUserByName: %v", err)
- }
- return false, nil
- }
-
- if val, ok := ctx.GetSuperSecureCookie(
- base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); !ok || val != u.Name {
- return false, nil
- }
-
- isSucceed = true
-
- if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
- return false, fmt.Errorf("unable to RegenerateSession: Error: %w", err)
- }
-
- // Set session IDs
- if err := ctx.Session.Set("uid", u.ID); err != nil {
- return false, err
- }
- if err := ctx.Session.Set("uname", u.Name); err != nil {
- return false, err
- }
- if err := ctx.Session.Release(); err != nil {
- return false, err
- }
-
- if err := resetLocale(ctx, u); err != nil {
- return false, err
- }
-
- middleware.DeleteCSRFCookie(ctx.Resp)
- return true, nil
-}
-
-func resetLocale(ctx *context.Context, u *user_model.User) error {
- // Language setting of the user overwrites the one previously set
- // If the user does not have a locale set, we save the current one.
- if len(u.Language) == 0 {
- u.Language = ctx.Locale.Language()
- if err := user_model.UpdateUserCols(db.DefaultContext, u, "language"); err != nil {
- return err
- }
- }
-
- middleware.SetLocaleCookie(ctx.Resp, u.Language, 0)
-
- if ctx.Locale.Language() != u.Language {
- ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
- }
-
- return nil
-}
-
-func checkAutoLogin(ctx *context.Context) bool {
- // Check auto-login.
- isSucceed, err := AutoSignIn(ctx)
- if err != nil {
- ctx.ServerError("AutoSignIn", err)
- return true
- }
-
- redirectTo := ctx.FormString("redirect_to")
- if len(redirectTo) > 0 {
- middleware.SetRedirectToCookie(ctx.Resp, redirectTo)
- } else {
- redirectTo = ctx.GetCookie("redirect_to")
- }
-
- if isSucceed {
- middleware.DeleteRedirectToCookie(ctx.Resp)
- ctx.RedirectToFirst(redirectTo, setting.AppSubURL+string(setting.LandingPageURL))
- return true
- }
-
- return false
-}
-
-// SignIn render sign in page
-func SignIn(ctx *context.Context) {
- ctx.Data["Title"] = ctx.Tr("sign_in")
-
- // Check auto-login.
- if checkAutoLogin(ctx) {
- return
- }
-
- orderedOAuth2Names, oauth2Providers, err := oauth2.GetActiveOAuth2Providers()
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
- ctx.Data["OrderedOAuth2Names"] = orderedOAuth2Names
- ctx.Data["OAuth2Providers"] = oauth2Providers
- ctx.Data["Title"] = ctx.Tr("sign_in")
- ctx.Data["SignInLink"] = setting.AppSubURL + "/user/login"
- ctx.Data["PageIsSignIn"] = true
- ctx.Data["PageIsLogin"] = true
- ctx.Data["EnableSSPI"] = login.IsSSPIEnabled()
-
- ctx.HTML(http.StatusOK, tplSignIn)
-}
-
-// SignInPost response for sign in request
-func SignInPost(ctx *context.Context) {
- ctx.Data["Title"] = ctx.Tr("sign_in")
-
- orderedOAuth2Names, oauth2Providers, err := oauth2.GetActiveOAuth2Providers()
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
- ctx.Data["OrderedOAuth2Names"] = orderedOAuth2Names
- ctx.Data["OAuth2Providers"] = oauth2Providers
- ctx.Data["Title"] = ctx.Tr("sign_in")
- ctx.Data["SignInLink"] = setting.AppSubURL + "/user/login"
- ctx.Data["PageIsSignIn"] = true
- ctx.Data["PageIsLogin"] = true
- ctx.Data["EnableSSPI"] = login.IsSSPIEnabled()
-
- if ctx.HasError() {
- ctx.HTML(http.StatusOK, tplSignIn)
- return
- }
-
- form := web.GetForm(ctx).(*forms.SignInForm)
- u, source, err := auth.UserSignIn(form.UserName, form.Password)
- if err != nil {
- if user_model.IsErrUserNotExist(err) {
- ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplSignIn, &form)
- log.Info("Failed authentication attempt for %s from %s: %v", form.UserName, ctx.RemoteAddr(), err)
- } else if user_model.IsErrEmailAlreadyUsed(err) {
- ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tplSignIn, &form)
- log.Info("Failed authentication attempt for %s from %s: %v", form.UserName, ctx.RemoteAddr(), err)
- } else if user_model.IsErrUserProhibitLogin(err) {
- log.Info("Failed authentication attempt for %s from %s: %v", form.UserName, ctx.RemoteAddr(), err)
- ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
- ctx.HTML(http.StatusOK, "user/auth/prohibit_login")
- } else if user_model.IsErrUserInactive(err) {
- if setting.Service.RegisterEmailConfirm {
- ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
- ctx.HTML(http.StatusOK, TplActivate)
- } else {
- log.Info("Failed authentication attempt for %s from %s: %v", form.UserName, ctx.RemoteAddr(), err)
- ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
- ctx.HTML(http.StatusOK, "user/auth/prohibit_login")
- }
- } else {
- ctx.ServerError("UserSignIn", err)
- }
- return
- }
-
- // Now handle 2FA:
-
- // First of all if the source can skip local two fa we're done
- if skipper, ok := source.Cfg.(auth.LocalTwoFASkipper); ok && skipper.IsSkipLocalTwoFA() {
- handleSignIn(ctx, u, form.Remember)
- return
- }
-
- // If this user is enrolled in 2FA TOTP, we can't sign the user in just yet.
- // Instead, redirect them to the 2FA authentication page.
- hasTOTPtwofa, err := login.HasTwoFactorByUID(u.ID)
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- // Check if the user has u2f registration
- hasU2Ftwofa, err := login.HasU2FRegistrationsByUID(u.ID)
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- if !hasTOTPtwofa && !hasU2Ftwofa {
- // No two factor auth configured we can sign in the user
- handleSignIn(ctx, u, form.Remember)
- return
- }
-
- if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
- ctx.ServerError("UserSignIn: Unable to set regenerate session", err)
- return
- }
-
- // User will need to use 2FA TOTP or U2F, save data
- if err := ctx.Session.Set("twofaUid", u.ID); err != nil {
- ctx.ServerError("UserSignIn: Unable to set twofaUid in session", err)
- return
- }
-
- if err := ctx.Session.Set("twofaRemember", form.Remember); err != nil {
- ctx.ServerError("UserSignIn: Unable to set twofaRemember in session", err)
- return
- }
-
- if hasTOTPtwofa {
- // User will need to use U2F, save data
- if err := ctx.Session.Set("totpEnrolled", u.ID); err != nil {
- ctx.ServerError("UserSignIn: Unable to set u2fEnrolled in session", err)
- return
- }
- }
-
- if err := ctx.Session.Release(); err != nil {
- ctx.ServerError("UserSignIn: Unable to save session", err)
- return
- }
-
- // If we have U2F redirect there first
- if hasU2Ftwofa {
- ctx.Redirect(setting.AppSubURL + "/user/u2f")
- return
- }
-
- // Fallback to 2FA
- ctx.Redirect(setting.AppSubURL + "/user/two_factor")
-}
-
-// TwoFactor shows the user a two-factor authentication page.
-func TwoFactor(ctx *context.Context) {
- ctx.Data["Title"] = ctx.Tr("twofa")
-
- // Check auto-login.
- if checkAutoLogin(ctx) {
- return
- }
-
- // Ensure user is in a 2FA session.
- if ctx.Session.Get("twofaUid") == nil {
- ctx.ServerError("UserSignIn", errors.New("not in 2FA session"))
- return
- }
-
- ctx.HTML(http.StatusOK, tplTwofa)
-}
-
-// TwoFactorPost validates a user's two-factor authentication token.
-func TwoFactorPost(ctx *context.Context) {
- form := web.GetForm(ctx).(*forms.TwoFactorAuthForm)
- ctx.Data["Title"] = ctx.Tr("twofa")
-
- // Ensure user is in a 2FA session.
- idSess := ctx.Session.Get("twofaUid")
- if idSess == nil {
- ctx.ServerError("UserSignIn", errors.New("not in 2FA session"))
- return
- }
-
- id := idSess.(int64)
- twofa, err := login.GetTwoFactorByUID(id)
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- // Validate the passcode with the stored TOTP secret.
- ok, err := twofa.ValidateTOTP(form.Passcode)
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- if ok && twofa.LastUsedPasscode != form.Passcode {
- remember := ctx.Session.Get("twofaRemember").(bool)
- u, err := user_model.GetUserByID(id)
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- if ctx.Session.Get("linkAccount") != nil {
- if err := externalaccount.LinkAccountFromStore(ctx.Session, u); err != nil {
- ctx.ServerError("UserSignIn", err)
- }
- }
-
- twofa.LastUsedPasscode = form.Passcode
- if err = login.UpdateTwoFactor(twofa); err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- handleSignIn(ctx, u, remember)
- return
- }
-
- ctx.RenderWithErr(ctx.Tr("auth.twofa_passcode_incorrect"), tplTwofa, forms.TwoFactorAuthForm{})
-}
-
-// TwoFactorScratch shows the scratch code form for two-factor authentication.
-func TwoFactorScratch(ctx *context.Context) {
- ctx.Data["Title"] = ctx.Tr("twofa_scratch")
-
- // Check auto-login.
- if checkAutoLogin(ctx) {
- return
- }
-
- // Ensure user is in a 2FA session.
- if ctx.Session.Get("twofaUid") == nil {
- ctx.ServerError("UserSignIn", errors.New("not in 2FA session"))
- return
- }
-
- ctx.HTML(http.StatusOK, tplTwofaScratch)
-}
-
-// TwoFactorScratchPost validates and invalidates a user's two-factor scratch token.
-func TwoFactorScratchPost(ctx *context.Context) {
- form := web.GetForm(ctx).(*forms.TwoFactorScratchAuthForm)
- ctx.Data["Title"] = ctx.Tr("twofa_scratch")
-
- // Ensure user is in a 2FA session.
- idSess := ctx.Session.Get("twofaUid")
- if idSess == nil {
- ctx.ServerError("UserSignIn", errors.New("not in 2FA session"))
- return
- }
-
- id := idSess.(int64)
- twofa, err := login.GetTwoFactorByUID(id)
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- // Validate the passcode with the stored TOTP secret.
- if twofa.VerifyScratchToken(form.Token) {
- // Invalidate the scratch token.
- _, err = twofa.GenerateScratchToken()
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
- if err = login.UpdateTwoFactor(twofa); err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- remember := ctx.Session.Get("twofaRemember").(bool)
- u, err := user_model.GetUserByID(id)
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- handleSignInFull(ctx, u, remember, false)
- if ctx.Written() {
- return
- }
- ctx.Flash.Info(ctx.Tr("auth.twofa_scratch_used"))
- ctx.Redirect(setting.AppSubURL + "/user/settings/security")
- return
- }
-
- ctx.RenderWithErr(ctx.Tr("auth.twofa_scratch_token_incorrect"), tplTwofaScratch, forms.TwoFactorScratchAuthForm{})
-}
-
-// U2F shows the U2F login page
-func U2F(ctx *context.Context) {
- ctx.Data["Title"] = ctx.Tr("twofa")
- ctx.Data["RequireU2F"] = true
- // Check auto-login.
- if checkAutoLogin(ctx) {
- return
- }
-
- // Ensure user is in a 2FA session.
- if ctx.Session.Get("twofaUid") == nil {
- ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
- return
- }
-
- // See whether TOTP is also available.
- if ctx.Session.Get("totpEnrolled") != nil {
- ctx.Data["TOTPEnrolled"] = true
- }
-
- ctx.HTML(http.StatusOK, tplU2F)
-}
-
-// U2FChallenge submits a sign challenge to the browser
-func U2FChallenge(ctx *context.Context) {
- // Ensure user is in a U2F session.
- idSess := ctx.Session.Get("twofaUid")
- if idSess == nil {
- ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
- return
- }
- id := idSess.(int64)
- regs, err := login.GetU2FRegistrationsByUID(id)
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
- if len(regs) == 0 {
- ctx.ServerError("UserSignIn", errors.New("no device registered"))
- return
- }
- challenge, err := u2f.NewChallenge(setting.U2F.AppID, setting.U2F.TrustedFacets)
- if err != nil {
- ctx.ServerError("u2f.NewChallenge", err)
- return
- }
- if err := ctx.Session.Set("u2fChallenge", challenge); err != nil {
- ctx.ServerError("UserSignIn: unable to set u2fChallenge in session", err)
- return
- }
- if err := ctx.Session.Release(); err != nil {
- ctx.ServerError("UserSignIn: unable to store session", err)
- }
-
- ctx.JSON(http.StatusOK, challenge.SignRequest(regs.ToRegistrations()))
-}
-
-// U2FSign authenticates the user by signResp
-func U2FSign(ctx *context.Context) {
- signResp := web.GetForm(ctx).(*u2f.SignResponse)
- challSess := ctx.Session.Get("u2fChallenge")
- idSess := ctx.Session.Get("twofaUid")
- if challSess == nil || idSess == nil {
- ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
- return
- }
- challenge := challSess.(*u2f.Challenge)
- id := idSess.(int64)
- regs, err := login.GetU2FRegistrationsByUID(id)
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
- for _, reg := range regs {
- r, err := reg.Parse()
- if err != nil {
- log.Error("parsing u2f registration: %v", err)
- continue
- }
- newCounter, authErr := r.Authenticate(*signResp, *challenge, reg.Counter)
- if authErr == nil {
- reg.Counter = newCounter
- user, err := user_model.GetUserByID(id)
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
- remember := ctx.Session.Get("twofaRemember").(bool)
- if err := reg.UpdateCounter(); err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- if ctx.Session.Get("linkAccount") != nil {
- if err := externalaccount.LinkAccountFromStore(ctx.Session, user); err != nil {
- ctx.ServerError("UserSignIn", err)
- }
- }
- redirect := handleSignInFull(ctx, user, remember, false)
- if ctx.Written() {
- return
- }
- if redirect == "" {
- redirect = setting.AppSubURL + "/"
- }
- ctx.PlainText(http.StatusOK, redirect)
- return
- }
- }
- ctx.Error(http.StatusUnauthorized)
-}
-
-// This handles the final part of the sign-in process of the user.
-func handleSignIn(ctx *context.Context, u *user_model.User, remember bool) {
- redirect := handleSignInFull(ctx, u, remember, true)
- if ctx.Written() {
- return
- }
- ctx.Redirect(redirect)
-}
-
-func handleSignInFull(ctx *context.Context, u *user_model.User, remember, obeyRedirect bool) string {
- if remember {
- days := 86400 * setting.LogInRememberDays
- ctx.SetCookie(setting.CookieUserName, u.Name, days)
- ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd),
- setting.CookieRememberName, u.Name, days)
- }
-
- if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
- ctx.ServerError("RegenerateSession", err)
- return setting.AppSubURL + "/"
- }
-
- // Delete the openid, 2fa and linkaccount data
- _ = ctx.Session.Delete("openid_verified_uri")
- _ = ctx.Session.Delete("openid_signin_remember")
- _ = ctx.Session.Delete("openid_determined_email")
- _ = ctx.Session.Delete("openid_determined_username")
- _ = ctx.Session.Delete("twofaUid")
- _ = ctx.Session.Delete("twofaRemember")
- _ = ctx.Session.Delete("u2fChallenge")
- _ = ctx.Session.Delete("linkAccount")
- if err := ctx.Session.Set("uid", u.ID); err != nil {
- log.Error("Error setting uid %d in session: %v", u.ID, err)
- }
- if err := ctx.Session.Set("uname", u.Name); err != nil {
- log.Error("Error setting uname %s session: %v", u.Name, err)
- }
- if err := ctx.Session.Release(); err != nil {
- log.Error("Unable to store session: %v", err)
- }
-
- // Language setting of the user overwrites the one previously set
- // If the user does not have a locale set, we save the current one.
- if len(u.Language) == 0 {
- u.Language = ctx.Locale.Language()
- if err := user_model.UpdateUserCols(db.DefaultContext, u, "language"); err != nil {
- ctx.ServerError("UpdateUserCols Language", fmt.Errorf("Error updating user language [user: %d, locale: %s]", u.ID, u.Language))
- return setting.AppSubURL + "/"
- }
- }
-
- middleware.SetLocaleCookie(ctx.Resp, u.Language, 0)
-
- if ctx.Locale.Language() != u.Language {
- ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
- }
-
- // Clear whatever CSRF has right now, force to generate a new one
- middleware.DeleteCSRFCookie(ctx.Resp)
-
- // Register last login
- u.SetLastLogin()
- if err := user_model.UpdateUserCols(db.DefaultContext, u, "last_login_unix"); err != nil {
- ctx.ServerError("UpdateUserCols", err)
- return setting.AppSubURL + "/"
- }
-
- if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 && !utils.IsExternalURL(redirectTo) {
- middleware.DeleteRedirectToCookie(ctx.Resp)
- if obeyRedirect {
- ctx.RedirectToFirst(redirectTo)
- }
- return redirectTo
- }
-
- if obeyRedirect {
- ctx.Redirect(setting.AppSubURL + "/")
- }
- return setting.AppSubURL + "/"
-}
-
-// SignInOAuth handles the OAuth2 login buttons
-func SignInOAuth(ctx *context.Context) {
- provider := ctx.Params(":provider")
-
- loginSource, err := login.GetActiveOAuth2LoginSourceByName(provider)
- if err != nil {
- ctx.ServerError("SignIn", err)
- return
- }
-
- // try to do a direct callback flow, so we don't authenticate the user again but use the valid accesstoken to get the user
- user, gothUser, err := oAuth2UserLoginCallback(loginSource, ctx.Req, ctx.Resp)
- if err == nil && user != nil {
- // we got the user without going through the whole OAuth2 authentication flow again
- handleOAuth2SignIn(ctx, loginSource, user, gothUser)
- return
- }
-
- if err = loginSource.Cfg.(*oauth2.Source).Callout(ctx.Req, ctx.Resp); err != nil {
- if strings.Contains(err.Error(), "no provider for ") {
- if err = oauth2.ResetOAuth2(); err != nil {
- ctx.ServerError("SignIn", err)
- return
- }
- if err = loginSource.Cfg.(*oauth2.Source).Callout(ctx.Req, ctx.Resp); err != nil {
- ctx.ServerError("SignIn", err)
- }
- return
- }
- ctx.ServerError("SignIn", err)
- }
- // redirect is done in oauth2.Auth
-}
-
-// SignInOAuthCallback handles the callback from the given provider
-func SignInOAuthCallback(ctx *context.Context) {
- provider := ctx.Params(":provider")
-
- // first look if the provider is still active
- loginSource, err := login.GetActiveOAuth2LoginSourceByName(provider)
- if err != nil {
- ctx.ServerError("SignIn", err)
- return
- }
-
- if loginSource == nil {
- ctx.ServerError("SignIn", errors.New("No valid provider found, check configured callback url in provider"))
- return
- }
-
- u, gothUser, err := oAuth2UserLoginCallback(loginSource, ctx.Req, ctx.Resp)
-
- if err != nil {
- if user_model.IsErrUserProhibitLogin(err) {
- uplerr := err.(*user_model.ErrUserProhibitLogin)
- log.Info("Failed authentication attempt for %s from %s: %v", uplerr.Name, ctx.RemoteAddr(), err)
- ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
- ctx.HTML(http.StatusOK, "user/auth/prohibit_login")
- return
- }
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- if u == nil {
- if !setting.Service.AllowOnlyInternalRegistration && setting.OAuth2Client.EnableAutoRegistration {
- // create new user with details from oauth2 provider
- var missingFields []string
- if gothUser.UserID == "" {
- missingFields = append(missingFields, "sub")
- }
- if gothUser.Email == "" {
- missingFields = append(missingFields, "email")
- }
- if setting.OAuth2Client.Username == setting.OAuth2UsernameNickname && gothUser.NickName == "" {
- missingFields = append(missingFields, "nickname")
- }
- if len(missingFields) > 0 {
- log.Error("OAuth2 Provider %s returned empty or missing fields: %s", loginSource.Name, missingFields)
- if loginSource.IsOAuth2() && loginSource.Cfg.(*oauth2.Source).Provider == "openidConnect" {
- log.Error("You may need to change the 'OPENID_CONNECT_SCOPES' setting to request all required fields")
- }
- err = fmt.Errorf("OAuth2 Provider %s returned empty or missing fields: %s", loginSource.Name, missingFields)
- ctx.ServerError("CreateUser", err)
- return
- }
- u = &user_model.User{
- Name: getUserName(&gothUser),
- FullName: gothUser.Name,
- Email: gothUser.Email,
- IsActive: !setting.OAuth2Client.RegisterEmailConfirm,
- LoginType: login.OAuth2,
- LoginSource: loginSource.ID,
- LoginName: gothUser.UserID,
- IsRestricted: setting.Service.DefaultUserIsRestricted,
- }
-
- setUserGroupClaims(loginSource, u, &gothUser)
-
- if !createAndHandleCreatedUser(ctx, base.TplName(""), nil, u, &gothUser, setting.OAuth2Client.AccountLinking != setting.OAuth2AccountLinkingDisabled) {
- // error already handled
- return
- }
- } else {
- // no existing user is found, request attach or new account
- showLinkingLogin(ctx, gothUser)
- return
- }
- }
-
- handleOAuth2SignIn(ctx, loginSource, u, gothUser)
-}
-
-func claimValueToStringSlice(claimValue interface{}) []string {
- var groups []string
-
- switch rawGroup := claimValue.(type) {
- case []string:
- groups = rawGroup
- default:
- str := fmt.Sprintf("%s", rawGroup)
- groups = strings.Split(str, ",")
- }
- return groups
-}
-
-func setUserGroupClaims(loginSource *login.Source, u *user_model.User, gothUser *goth.User) bool {
-
- source := loginSource.Cfg.(*oauth2.Source)
- if source.GroupClaimName == "" || (source.AdminGroup == "" && source.RestrictedGroup == "") {
- return false
- }
-
- groupClaims, has := gothUser.RawData[source.GroupClaimName]
- if !has {
- return false
- }
-
- groups := claimValueToStringSlice(groupClaims)
-
- wasAdmin, wasRestricted := u.IsAdmin, u.IsRestricted
-
- if source.AdminGroup != "" {
- u.IsAdmin = false
- }
- if source.RestrictedGroup != "" {
- u.IsRestricted = false
- }
-
- for _, g := range groups {
- if source.AdminGroup != "" && g == source.AdminGroup {
- u.IsAdmin = true
- } else if source.RestrictedGroup != "" && g == source.RestrictedGroup {
- u.IsRestricted = true
- }
- }
-
- return wasAdmin != u.IsAdmin || wasRestricted != u.IsRestricted
-}
-
-func getUserName(gothUser *goth.User) string {
- switch setting.OAuth2Client.Username {
- case setting.OAuth2UsernameEmail:
- return strings.Split(gothUser.Email, "@")[0]
- case setting.OAuth2UsernameNickname:
- return gothUser.NickName
- default: // OAuth2UsernameUserid
- return gothUser.UserID
- }
-}
-
-func showLinkingLogin(ctx *context.Context, gothUser goth.User) {
- if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
- ctx.ServerError("RegenerateSession", err)
- return
- }
-
- if err := ctx.Session.Set("linkAccountGothUser", gothUser); err != nil {
- log.Error("Error setting linkAccountGothUser in session: %v", err)
- }
- if err := ctx.Session.Release(); err != nil {
- log.Error("Error storing session: %v", err)
- }
- ctx.Redirect(setting.AppSubURL + "/user/link_account")
-}
-
-func updateAvatarIfNeed(url string, u *user_model.User) {
- if setting.OAuth2Client.UpdateAvatar && len(url) > 0 {
- resp, err := http.Get(url)
- if err == nil {
- defer func() {
- _ = resp.Body.Close()
- }()
- }
- // ignore any error
- if err == nil && resp.StatusCode == http.StatusOK {
- data, err := io.ReadAll(io.LimitReader(resp.Body, setting.Avatar.MaxFileSize+1))
- if err == nil && int64(len(data)) <= setting.Avatar.MaxFileSize {
- _ = user_service.UploadAvatar(u, data)
- }
- }
- }
-}
-
-func handleOAuth2SignIn(ctx *context.Context, source *login.Source, u *user_model.User, gothUser goth.User) {
- updateAvatarIfNeed(gothUser.AvatarURL, u)
-
- needs2FA := false
- if !source.Cfg.(*oauth2.Source).SkipLocalTwoFA {
- _, err := login.GetTwoFactorByUID(u.ID)
- if err != nil && !login.IsErrTwoFactorNotEnrolled(err) {
- ctx.ServerError("UserSignIn", err)
- return
- }
- needs2FA = err == nil
- }
-
- // If this user is enrolled in 2FA and this source doesn't override it,
- // we can't sign the user in just yet. Instead, redirect them to the 2FA authentication page.
- if !needs2FA {
- if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
- ctx.ServerError("RegenerateSession", err)
- return
- }
-
- // Set session IDs
- if err := ctx.Session.Set("uid", u.ID); err != nil {
- log.Error("Error setting uid in session: %v", err)
- }
- if err := ctx.Session.Set("uname", u.Name); err != nil {
- log.Error("Error setting uname in session: %v", err)
- }
- if err := ctx.Session.Release(); err != nil {
- log.Error("Error storing session: %v", err)
- }
-
- // Clear whatever CSRF has right now, force to generate a new one
- middleware.DeleteCSRFCookie(ctx.Resp)
-
- // Register last login
- u.SetLastLogin()
-
- // Update GroupClaims
- changed := setUserGroupClaims(source, u, &gothUser)
- cols := []string{"last_login_unix"}
- if changed {
- cols = append(cols, "is_admin", "is_restricted")
- }
-
- if err := user_model.UpdateUserCols(db.DefaultContext, u, cols...); err != nil {
- ctx.ServerError("UpdateUserCols", err)
- return
- }
-
- // update external user information
- if err := externalaccount.UpdateExternalUser(u, gothUser); err != nil {
- log.Error("UpdateExternalUser failed: %v", err)
- }
-
- if err := resetLocale(ctx, u); err != nil {
- ctx.ServerError("resetLocale", err)
- return
- }
-
- if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 {
- middleware.DeleteRedirectToCookie(ctx.Resp)
- ctx.RedirectToFirst(redirectTo)
- return
- }
-
- ctx.Redirect(setting.AppSubURL + "/")
- return
- }
-
- changed := setUserGroupClaims(source, u, &gothUser)
- if changed {
- if err := user_model.UpdateUserCols(db.DefaultContext, u, "is_admin", "is_restricted"); err != nil {
- ctx.ServerError("UpdateUserCols", err)
- return
- }
- }
-
- if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
- ctx.ServerError("RegenerateSession", err)
- return
- }
-
- // User needs to use 2FA, save data and redirect to 2FA page.
- if err := ctx.Session.Set("twofaUid", u.ID); err != nil {
- log.Error("Error setting twofaUid in session: %v", err)
- }
- if err := ctx.Session.Set("twofaRemember", false); err != nil {
- log.Error("Error setting twofaRemember in session: %v", err)
- }
- if err := ctx.Session.Release(); err != nil {
- log.Error("Error storing session: %v", err)
- }
-
- // If U2F is enrolled -> Redirect to U2F instead
- regs, err := login.GetU2FRegistrationsByUID(u.ID)
- if err == nil && len(regs) > 0 {
- ctx.Redirect(setting.AppSubURL + "/user/u2f")
- return
- }
-
- ctx.Redirect(setting.AppSubURL + "/user/two_factor")
-}
-
-// OAuth2UserLoginCallback attempts to handle the callback from the OAuth2 provider and if successful
-// login the user
-func oAuth2UserLoginCallback(loginSource *login.Source, request *http.Request, response http.ResponseWriter) (*user_model.User, goth.User, error) {
- oauth2Source := loginSource.Cfg.(*oauth2.Source)
-
- gothUser, err := oauth2Source.Callback(request, response)
- if err != nil {
- if err.Error() == "securecookie: the value is too long" || strings.Contains(err.Error(), "Data too long") {
- log.Error("OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider", loginSource.Name, setting.OAuth2.MaxTokenLength)
- err = fmt.Errorf("OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider", loginSource.Name, setting.OAuth2.MaxTokenLength)
- }
- return nil, goth.User{}, err
- }
-
- if oauth2Source.RequiredClaimName != "" {
- claimInterface, has := gothUser.RawData[oauth2Source.RequiredClaimName]
- if !has {
- return nil, goth.User{}, user_model.ErrUserProhibitLogin{Name: gothUser.UserID}
- }
-
- if oauth2Source.RequiredClaimValue != "" {
- groups := claimValueToStringSlice(claimInterface)
- found := false
- for _, group := range groups {
- if group == oauth2Source.RequiredClaimValue {
- found = true
- break
- }
- }
- if !found {
- return nil, goth.User{}, user_model.ErrUserProhibitLogin{Name: gothUser.UserID}
- }
- }
- }
-
- user := &user_model.User{
- LoginName: gothUser.UserID,
- LoginType: login.OAuth2,
- LoginSource: loginSource.ID,
- }
-
- hasUser, err := user_model.GetUser(user)
- if err != nil {
- return nil, goth.User{}, err
- }
-
- if hasUser {
- return user, gothUser, nil
- }
-
- // search in external linked users
- externalLoginUser := &user_model.ExternalLoginUser{
- ExternalID: gothUser.UserID,
- LoginSourceID: loginSource.ID,
- }
- hasUser, err = user_model.GetExternalLogin(externalLoginUser)
- if err != nil {
- return nil, goth.User{}, err
- }
- if hasUser {
- user, err = user_model.GetUserByID(externalLoginUser.UserID)
- return user, gothUser, err
- }
-
- // no user found to login
- return nil, gothUser, nil
-
-}
-
-// LinkAccount shows the page where the user can decide to login or create a new account
-func LinkAccount(ctx *context.Context) {
- ctx.Data["DisablePassword"] = !setting.Service.RequireExternalRegistrationPassword || setting.Service.AllowOnlyExternalRegistration
- ctx.Data["Title"] = ctx.Tr("link_account")
- ctx.Data["LinkAccountMode"] = true
- ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha && setting.Service.RequireExternalRegistrationCaptcha
- ctx.Data["Captcha"] = context.GetImageCaptcha()
- ctx.Data["CaptchaType"] = setting.Service.CaptchaType
- ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
- ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
- ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
- ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
- ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
- ctx.Data["ShowRegistrationButton"] = false
-
- // use this to set the right link into the signIn and signUp templates in the link_account template
- ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
- ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
-
- gothUser := ctx.Session.Get("linkAccountGothUser")
- if gothUser == nil {
- ctx.ServerError("UserSignIn", errors.New("not in LinkAccount session"))
- return
- }
-
- gu, _ := gothUser.(goth.User)
- uname := getUserName(&gu)
- email := gu.Email
- ctx.Data["user_name"] = uname
- ctx.Data["email"] = email
-
- if len(email) != 0 {
- u, err := user_model.GetUserByEmail(email)
- if err != nil && !user_model.IsErrUserNotExist(err) {
- ctx.ServerError("UserSignIn", err)
- return
- }
- if u != nil {
- ctx.Data["user_exists"] = true
- }
- } else if len(uname) != 0 {
- u, err := user_model.GetUserByName(uname)
- if err != nil && !user_model.IsErrUserNotExist(err) {
- ctx.ServerError("UserSignIn", err)
- return
- }
- if u != nil {
- ctx.Data["user_exists"] = true
- }
- }
-
- ctx.HTML(http.StatusOK, tplLinkAccount)
-}
-
-// LinkAccountPostSignIn handle the coupling of external account with another account using signIn
-func LinkAccountPostSignIn(ctx *context.Context) {
- signInForm := web.GetForm(ctx).(*forms.SignInForm)
- ctx.Data["DisablePassword"] = !setting.Service.RequireExternalRegistrationPassword || setting.Service.AllowOnlyExternalRegistration
- ctx.Data["Title"] = ctx.Tr("link_account")
- ctx.Data["LinkAccountMode"] = true
- ctx.Data["LinkAccountModeSignIn"] = true
- ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha && setting.Service.RequireExternalRegistrationCaptcha
- ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
- ctx.Data["Captcha"] = context.GetImageCaptcha()
- ctx.Data["CaptchaType"] = setting.Service.CaptchaType
- ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
- ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
- ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
- ctx.Data["ShowRegistrationButton"] = false
-
- // use this to set the right link into the signIn and signUp templates in the link_account template
- ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
- ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
-
- gothUser := ctx.Session.Get("linkAccountGothUser")
- if gothUser == nil {
- ctx.ServerError("UserSignIn", errors.New("not in LinkAccount session"))
- return
- }
-
- if ctx.HasError() {
- ctx.HTML(http.StatusOK, tplLinkAccount)
- return
- }
-
- u, _, err := auth.UserSignIn(signInForm.UserName, signInForm.Password)
- if err != nil {
- if user_model.IsErrUserNotExist(err) {
- ctx.Data["user_exists"] = true
- ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplLinkAccount, &signInForm)
- } else {
- ctx.ServerError("UserLinkAccount", err)
- }
- return
- }
-
- linkAccount(ctx, u, gothUser.(goth.User), signInForm.Remember)
-}
-
-func linkAccount(ctx *context.Context, u *user_model.User, gothUser goth.User, remember bool) {
- updateAvatarIfNeed(gothUser.AvatarURL, u)
-
- // If this user is enrolled in 2FA, we can't sign the user in just yet.
- // Instead, redirect them to the 2FA authentication page.
- // We deliberately ignore the skip local 2fa setting here because we are linking to a previous user here
- _, err := login.GetTwoFactorByUID(u.ID)
- if err != nil {
- if !login.IsErrTwoFactorNotEnrolled(err) {
- ctx.ServerError("UserLinkAccount", err)
- return
- }
-
- err = externalaccount.LinkAccountToUser(u, gothUser)
- if err != nil {
- ctx.ServerError("UserLinkAccount", err)
- return
- }
-
- handleSignIn(ctx, u, remember)
- return
- }
-
- if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
- ctx.ServerError("RegenerateSession", err)
- return
- }
-
- // User needs to use 2FA, save data and redirect to 2FA page.
- if err := ctx.Session.Set("twofaUid", u.ID); err != nil {
- log.Error("Error setting twofaUid in session: %v", err)
- }
- if err := ctx.Session.Set("twofaRemember", remember); err != nil {
- log.Error("Error setting twofaRemember in session: %v", err)
- }
- if err := ctx.Session.Set("linkAccount", true); err != nil {
- log.Error("Error setting linkAccount in session: %v", err)
- }
- if err := ctx.Session.Release(); err != nil {
- log.Error("Error storing session: %v", err)
- }
-
- // If U2F is enrolled -> Redirect to U2F instead
- regs, err := login.GetU2FRegistrationsByUID(u.ID)
- if err == nil && len(regs) > 0 {
- ctx.Redirect(setting.AppSubURL + "/user/u2f")
- return
- }
-
- ctx.Redirect(setting.AppSubURL + "/user/two_factor")
-}
-
-// LinkAccountPostRegister handle the creation of a new account for an external account using signUp
-func LinkAccountPostRegister(ctx *context.Context) {
- form := web.GetForm(ctx).(*forms.RegisterForm)
- // TODO Make insecure passwords optional for local accounts also,
- // once email-based Second-Factor Auth is available
- ctx.Data["DisablePassword"] = !setting.Service.RequireExternalRegistrationPassword || setting.Service.AllowOnlyExternalRegistration
- ctx.Data["Title"] = ctx.Tr("link_account")
- ctx.Data["LinkAccountMode"] = true
- ctx.Data["LinkAccountModeRegister"] = true
- ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha && setting.Service.RequireExternalRegistrationCaptcha
- ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
- ctx.Data["Captcha"] = context.GetImageCaptcha()
- ctx.Data["CaptchaType"] = setting.Service.CaptchaType
- ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
- ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
- ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
- ctx.Data["ShowRegistrationButton"] = false
-
- // use this to set the right link into the signIn and signUp templates in the link_account template
- ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
- ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
-
- gothUserInterface := ctx.Session.Get("linkAccountGothUser")
- if gothUserInterface == nil {
- ctx.ServerError("UserSignUp", errors.New("not in LinkAccount session"))
- return
- }
- gothUser, ok := gothUserInterface.(goth.User)
- if !ok {
- ctx.ServerError("UserSignUp", fmt.Errorf("session linkAccountGothUser type is %t but not goth.User", gothUserInterface))
- return
- }
-
- if ctx.HasError() {
- ctx.HTML(http.StatusOK, tplLinkAccount)
- return
- }
-
- if setting.Service.DisableRegistration || setting.Service.AllowOnlyInternalRegistration {
- ctx.Error(http.StatusForbidden)
- return
- }
-
- if setting.Service.EnableCaptcha && setting.Service.RequireExternalRegistrationCaptcha {
- var valid bool
- var err error
- switch setting.Service.CaptchaType {
- case setting.ImageCaptcha:
- valid = context.GetImageCaptcha().VerifyReq(ctx.Req)
- case setting.ReCaptcha:
- valid, err = recaptcha.Verify(ctx, form.GRecaptchaResponse)
- case setting.HCaptcha:
- valid, err = hcaptcha.Verify(ctx, form.HcaptchaResponse)
- default:
- ctx.ServerError("Unknown Captcha Type", fmt.Errorf("Unknown Captcha Type: %s", setting.Service.CaptchaType))
- return
- }
- if err != nil {
- log.Debug("%s", err.Error())
- }
-
- if !valid {
- ctx.Data["Err_Captcha"] = true
- ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplLinkAccount, &form)
- return
- }
- }
-
- if !form.IsEmailDomainAllowed() {
- ctx.RenderWithErr(ctx.Tr("auth.email_domain_blacklisted"), tplLinkAccount, &form)
- return
- }
-
- if setting.Service.AllowOnlyExternalRegistration || !setting.Service.RequireExternalRegistrationPassword {
- // In user_model.User an empty password is classed as not set, so we set form.Password to empty.
- // Eventually the database should be changed to indicate "Second Factor"-enabled accounts
- // (accounts that do not introduce the security vulnerabilities of a password).
- // If a user decides to circumvent second-factor security, and purposefully create a password,
- // they can still do so using the "Recover Account" option.
- form.Password = ""
- } else {
- if (len(strings.TrimSpace(form.Password)) > 0 || len(strings.TrimSpace(form.Retype)) > 0) && form.Password != form.Retype {
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(ctx.Tr("form.password_not_match"), tplLinkAccount, &form)
- return
- }
- if len(strings.TrimSpace(form.Password)) > 0 && len(form.Password) < setting.MinPasswordLength {
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplLinkAccount, &form)
- return
- }
- }
-
- loginSource, err := login.GetActiveOAuth2LoginSourceByName(gothUser.Provider)
- if err != nil {
- ctx.ServerError("CreateUser", err)
- }
-
- u := &user_model.User{
- Name: form.UserName,
- Email: form.Email,
- Passwd: form.Password,
- IsActive: !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm),
- LoginType: login.OAuth2,
- LoginSource: loginSource.ID,
- LoginName: gothUser.UserID,
- }
-
- if !createAndHandleCreatedUser(ctx, tplLinkAccount, form, u, &gothUser, false) {
- // error already handled
- return
- }
-
- handleSignIn(ctx, u, false)
-}
-
-// HandleSignOut resets the session and sets the cookies
-func HandleSignOut(ctx *context.Context) {
- _ = ctx.Session.Flush()
- _ = ctx.Session.Destroy(ctx.Resp, ctx.Req)
- ctx.DeleteCookie(setting.CookieUserName)
- ctx.DeleteCookie(setting.CookieRememberName)
- middleware.DeleteCSRFCookie(ctx.Resp)
- middleware.DeleteLocaleCookie(ctx.Resp)
- middleware.DeleteRedirectToCookie(ctx.Resp)
-}
-
-// SignOut sign out from login status
-func SignOut(ctx *context.Context) {
- if ctx.User != nil {
- eventsource.GetManager().SendMessageBlocking(ctx.User.ID, &eventsource.Event{
- Name: "logout",
- Data: ctx.Session.ID(),
- })
- }
- HandleSignOut(ctx)
- ctx.Redirect(setting.AppSubURL + "/")
-}
-
-// SignUp render the register page
-func SignUp(ctx *context.Context) {
- ctx.Data["Title"] = ctx.Tr("sign_up")
-
- ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/sign_up"
-
- ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
- ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
- ctx.Data["Captcha"] = context.GetImageCaptcha()
- ctx.Data["CaptchaType"] = setting.Service.CaptchaType
- ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
- ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
- ctx.Data["PageIsSignUp"] = true
-
- //Show Disabled Registration message if DisableRegistration or AllowOnlyExternalRegistration options are true
- ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration || setting.Service.AllowOnlyExternalRegistration
-
- ctx.HTML(http.StatusOK, tplSignUp)
-}
-
-// SignUpPost response for sign up information submission
-func SignUpPost(ctx *context.Context) {
- form := web.GetForm(ctx).(*forms.RegisterForm)
- ctx.Data["Title"] = ctx.Tr("sign_up")
-
- ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/sign_up"
-
- ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
- ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
- ctx.Data["Captcha"] = context.GetImageCaptcha()
- ctx.Data["CaptchaType"] = setting.Service.CaptchaType
- ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
- ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
- ctx.Data["PageIsSignUp"] = true
-
- //Permission denied if DisableRegistration or AllowOnlyExternalRegistration options are true
- if setting.Service.DisableRegistration || setting.Service.AllowOnlyExternalRegistration {
- ctx.Error(http.StatusForbidden)
- return
- }
-
- if ctx.HasError() {
- ctx.HTML(http.StatusOK, tplSignUp)
- return
- }
-
- if setting.Service.EnableCaptcha {
- var valid bool
- var err error
- switch setting.Service.CaptchaType {
- case setting.ImageCaptcha:
- valid = context.GetImageCaptcha().VerifyReq(ctx.Req)
- case setting.ReCaptcha:
- valid, err = recaptcha.Verify(ctx, form.GRecaptchaResponse)
- case setting.HCaptcha:
- valid, err = hcaptcha.Verify(ctx, form.HcaptchaResponse)
- default:
- ctx.ServerError("Unknown Captcha Type", fmt.Errorf("Unknown Captcha Type: %s", setting.Service.CaptchaType))
- return
- }
- if err != nil {
- log.Debug("%s", err.Error())
- }
-
- if !valid {
- ctx.Data["Err_Captcha"] = true
- ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplSignUp, &form)
- return
- }
- }
-
- if !form.IsEmailDomainAllowed() {
- ctx.RenderWithErr(ctx.Tr("auth.email_domain_blacklisted"), tplSignUp, &form)
- return
- }
-
- if form.Password != form.Retype {
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(ctx.Tr("form.password_not_match"), tplSignUp, &form)
- return
- }
- if len(form.Password) < setting.MinPasswordLength {
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplSignUp, &form)
- return
- }
- if !password.IsComplexEnough(form.Password) {
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(password.BuildComplexityError(ctx), tplSignUp, &form)
- return
- }
- pwned, err := password.IsPwned(ctx, form.Password)
- if pwned {
- errMsg := ctx.Tr("auth.password_pwned")
- if err != nil {
- log.Error(err.Error())
- errMsg = ctx.Tr("auth.password_pwned_err")
- }
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(errMsg, tplSignUp, &form)
- return
- }
-
- u := &user_model.User{
- Name: form.UserName,
- Email: form.Email,
- Passwd: form.Password,
- IsActive: !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm),
- IsRestricted: setting.Service.DefaultUserIsRestricted,
- }
-
- if !createAndHandleCreatedUser(ctx, tplSignUp, form, u, nil, false) {
- // error already handled
- return
- }
-
- ctx.Flash.Success(ctx.Tr("auth.sign_up_successful"))
- handleSignIn(ctx, u, false)
-}
-
-// createAndHandleCreatedUser calls createUserInContext and
-// then handleUserCreated.
-func createAndHandleCreatedUser(ctx *context.Context, tpl base.TplName, form interface{}, u *user_model.User, gothUser *goth.User, allowLink bool) bool {
- if !createUserInContext(ctx, tpl, form, u, gothUser, allowLink) {
- return false
- }
- return handleUserCreated(ctx, u, gothUser)
-}
-
-// createUserInContext creates a user and handles errors within a given context.
-// Optionally a template can be specified.
-func createUserInContext(ctx *context.Context, tpl base.TplName, form interface{}, u *user_model.User, gothUser *goth.User, allowLink bool) (ok bool) {
- if err := user_model.CreateUser(u); err != nil {
- if allowLink && (user_model.IsErrUserAlreadyExist(err) || user_model.IsErrEmailAlreadyUsed(err)) {
- if setting.OAuth2Client.AccountLinking == setting.OAuth2AccountLinkingAuto {
- var user *user_model.User
- user = &user_model.User{Name: u.Name}
- hasUser, err := user_model.GetUser(user)
- if !hasUser || err != nil {
- user = &user_model.User{Email: u.Email}
- hasUser, err = user_model.GetUser(user)
- if !hasUser || err != nil {
- ctx.ServerError("UserLinkAccount", err)
- return
- }
- }
-
- // TODO: probably we should respect 'remember' user's choice...
- linkAccount(ctx, user, *gothUser, true)
- return // user is already created here, all redirects are handled
- } else if setting.OAuth2Client.AccountLinking == setting.OAuth2AccountLinkingLogin {
- showLinkingLogin(ctx, *gothUser)
- return // user will be created only after linking login
- }
- }
-
- // handle error without template
- if len(tpl) == 0 {
- ctx.ServerError("CreateUser", err)
- return
- }
-
- // handle error with template
- switch {
- case user_model.IsErrUserAlreadyExist(err):
- ctx.Data["Err_UserName"] = true
- ctx.RenderWithErr(ctx.Tr("form.username_been_taken"), tpl, form)
- case user_model.IsErrEmailAlreadyUsed(err):
- ctx.Data["Err_Email"] = true
- ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tpl, form)
- case user_model.IsErrEmailInvalid(err):
- ctx.Data["Err_Email"] = true
- ctx.RenderWithErr(ctx.Tr("form.email_invalid"), tpl, form)
- case db.IsErrNameReserved(err):
- ctx.Data["Err_UserName"] = true
- ctx.RenderWithErr(ctx.Tr("user.form.name_reserved", err.(db.ErrNameReserved).Name), tpl, form)
- case db.IsErrNamePatternNotAllowed(err):
- ctx.Data["Err_UserName"] = true
- ctx.RenderWithErr(ctx.Tr("user.form.name_pattern_not_allowed", err.(db.ErrNamePatternNotAllowed).Pattern), tpl, form)
- case db.IsErrNameCharsNotAllowed(err):
- ctx.Data["Err_UserName"] = true
- ctx.RenderWithErr(ctx.Tr("user.form.name_chars_not_allowed", err.(db.ErrNameCharsNotAllowed).Name), tpl, form)
- default:
- ctx.ServerError("CreateUser", err)
- }
- return
- }
- log.Trace("Account created: %s", u.Name)
- return true
-}
-
-// handleUserCreated does additional steps after a new user is created.
-// It auto-sets admin for the only user, updates the optional external user and
-// sends a confirmation email if required.
-func handleUserCreated(ctx *context.Context, u *user_model.User, gothUser *goth.User) (ok bool) {
- // Auto-set admin for the only user.
- if user_model.CountUsers() == 1 {
- u.IsAdmin = true
- u.IsActive = true
- u.SetLastLogin()
- if err := user_model.UpdateUserCols(db.DefaultContext, u, "is_admin", "is_active", "last_login_unix"); err != nil {
- ctx.ServerError("UpdateUser", err)
- return
- }
- }
-
- // update external user information
- if gothUser != nil {
- if err := externalaccount.UpdateExternalUser(u, *gothUser); err != nil {
- log.Error("UpdateExternalUser failed: %v", err)
- }
- }
-
- // Send confirmation email
- if !u.IsActive && u.ID > 1 {
- mailer.SendActivateAccountMail(ctx.Locale, u)
-
- ctx.Data["IsSendRegisterMail"] = true
- ctx.Data["Email"] = u.Email
- ctx.Data["ActiveCodeLives"] = timeutil.MinutesToFriendly(setting.Service.ActiveCodeLives, ctx.Locale.Language())
- ctx.HTML(http.StatusOK, TplActivate)
-
- if err := ctx.Cache.Put("MailResendLimit_"+u.LowerName, u.LowerName, 180); err != nil {
- log.Error("Set cache(MailResendLimit) fail: %v", err)
- }
- return
- }
-
- return true
-}
-
-// Activate render activate user page
-func Activate(ctx *context.Context) {
- code := ctx.FormString("code")
-
- if len(code) == 0 {
- ctx.Data["IsActivatePage"] = true
- if ctx.User == nil || ctx.User.IsActive {
- ctx.NotFound("invalid user", nil)
- return
- }
- // Resend confirmation email.
- if setting.Service.RegisterEmailConfirm {
- if ctx.Cache.IsExist("MailResendLimit_" + ctx.User.LowerName) {
- ctx.Data["ResendLimited"] = true
- } else {
- ctx.Data["ActiveCodeLives"] = timeutil.MinutesToFriendly(setting.Service.ActiveCodeLives, ctx.Locale.Language())
- mailer.SendActivateAccountMail(ctx.Locale, ctx.User)
-
- if err := ctx.Cache.Put("MailResendLimit_"+ctx.User.LowerName, ctx.User.LowerName, 180); err != nil {
- log.Error("Set cache(MailResendLimit) fail: %v", err)
- }
- }
- } else {
- ctx.Data["ServiceNotEnabled"] = true
- }
- ctx.HTML(http.StatusOK, TplActivate)
- return
- }
-
- user := user_model.VerifyUserActiveCode(code)
- // if code is wrong
- if user == nil {
- ctx.Data["IsActivateFailed"] = true
- ctx.HTML(http.StatusOK, TplActivate)
- return
- }
-
- // if account is local account, verify password
- if user.LoginSource == 0 {
- ctx.Data["Code"] = code
- ctx.Data["NeedsPassword"] = true
- ctx.HTML(http.StatusOK, TplActivate)
- return
- }
-
- handleAccountActivation(ctx, user)
-}
-
-// ActivatePost handles account activation with password check
-func ActivatePost(ctx *context.Context) {
- code := ctx.FormString("code")
- if len(code) == 0 {
- ctx.Redirect(setting.AppSubURL + "/user/activate")
- return
- }
-
- user := user_model.VerifyUserActiveCode(code)
- // if code is wrong
- if user == nil {
- ctx.Data["IsActivateFailed"] = true
- ctx.HTML(http.StatusOK, TplActivate)
- return
- }
-
- // if account is local account, verify password
- if user.LoginSource == 0 {
- password := ctx.FormString("password")
- if len(password) == 0 {
- ctx.Data["Code"] = code
- ctx.Data["NeedsPassword"] = true
- ctx.HTML(http.StatusOK, TplActivate)
- return
- }
- if !user.ValidatePassword(password) {
- ctx.Data["IsActivateFailed"] = true
- ctx.HTML(http.StatusOK, TplActivate)
- return
- }
- }
-
- handleAccountActivation(ctx, user)
-}
-
-func handleAccountActivation(ctx *context.Context, user *user_model.User) {
- user.IsActive = true
- var err error
- if user.Rands, err = user_model.GetUserSalt(); err != nil {
- ctx.ServerError("UpdateUser", err)
- return
- }
- if err := user_model.UpdateUserCols(db.DefaultContext, user, "is_active", "rands"); err != nil {
- if user_model.IsErrUserNotExist(err) {
- ctx.NotFound("UpdateUserCols", err)
- } else {
- ctx.ServerError("UpdateUser", err)
- }
- return
- }
-
- if err := user_model.ActivateUserEmail(user.ID, user.Email, true); err != nil {
- log.Error("Unable to activate email for user: %-v with email: %s: %v", user, user.Email, err)
- ctx.ServerError("ActivateUserEmail", err)
- return
- }
-
- log.Trace("User activated: %s", user.Name)
-
- if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
- log.Error("Unable to regenerate session for user: %-v with email: %s: %v", user, user.Email, err)
- ctx.ServerError("ActivateUserEmail", err)
- return
- }
-
- // Set session IDs
- if err := ctx.Session.Set("uid", user.ID); err != nil {
- log.Error("Error setting uid in session[%s]: %v", ctx.Session.ID(), err)
- }
- if err := ctx.Session.Set("uname", user.Name); err != nil {
- log.Error("Error setting uname in session[%s]: %v", ctx.Session.ID(), err)
- }
- if err := ctx.Session.Release(); err != nil {
- log.Error("Error storing session[%s]: %v", ctx.Session.ID(), err)
- }
-
- if err := resetLocale(ctx, user); err != nil {
- ctx.ServerError("resetLocale", err)
- return
- }
-
- ctx.Flash.Success(ctx.Tr("auth.account_activated"))
- ctx.Redirect(setting.AppSubURL + "/")
-}
-
-// ActivateEmail render the activate email page
-func ActivateEmail(ctx *context.Context) {
- code := ctx.FormString("code")
- emailStr := ctx.FormString("email")
-
- // Verify code.
- if email := user_model.VerifyActiveEmailCode(code, emailStr); email != nil {
- if err := user_model.ActivateEmail(email); err != nil {
- ctx.ServerError("ActivateEmail", err)
- }
-
- log.Trace("Email activated: %s", email.Email)
- ctx.Flash.Success(ctx.Tr("settings.add_email_success"))
-
- if u, err := user_model.GetUserByID(email.UID); err != nil {
- log.Warn("GetUserByID: %d", email.UID)
- } else {
- // Allow user to validate more emails
- _ = ctx.Cache.Delete("MailResendLimit_" + u.LowerName)
- }
- }
-
- // FIXME: e-mail verification does not require the user to be logged in,
- // so this could be redirecting to the login page.
- // Should users be logged in automatically here? (consider 2FA requirements, etc.)
- ctx.Redirect(setting.AppSubURL + "/user/settings/account")
-}
-
-// ForgotPasswd render the forget password page
-func ForgotPasswd(ctx *context.Context) {
- ctx.Data["Title"] = ctx.Tr("auth.forgot_password_title")
-
- if setting.MailService == nil {
- log.Warn(ctx.Tr("auth.disable_forgot_password_mail_admin"))
- ctx.Data["IsResetDisable"] = true
- ctx.HTML(http.StatusOK, tplForgotPassword)
- return
- }
-
- ctx.Data["Email"] = ctx.FormString("email")
-
- ctx.Data["IsResetRequest"] = true
- ctx.HTML(http.StatusOK, tplForgotPassword)
-}
-
-// ForgotPasswdPost response for forget password request
-func ForgotPasswdPost(ctx *context.Context) {
- ctx.Data["Title"] = ctx.Tr("auth.forgot_password_title")
-
- if setting.MailService == nil {
- ctx.NotFound("ForgotPasswdPost", nil)
- return
- }
- ctx.Data["IsResetRequest"] = true
-
- email := ctx.FormString("email")
- ctx.Data["Email"] = email
-
- u, err := user_model.GetUserByEmail(email)
- if err != nil {
- if user_model.IsErrUserNotExist(err) {
- ctx.Data["ResetPwdCodeLives"] = timeutil.MinutesToFriendly(setting.Service.ResetPwdCodeLives, ctx.Locale.Language())
- ctx.Data["IsResetSent"] = true
- ctx.HTML(http.StatusOK, tplForgotPassword)
- return
- }
-
- ctx.ServerError("user.ResetPasswd(check existence)", err)
- return
- }
-
- if !u.IsLocal() && !u.IsOAuth2() {
- ctx.Data["Err_Email"] = true
- ctx.RenderWithErr(ctx.Tr("auth.non_local_account"), tplForgotPassword, nil)
- return
- }
-
- if ctx.Cache.IsExist("MailResendLimit_" + u.LowerName) {
- ctx.Data["ResendLimited"] = true
- ctx.HTML(http.StatusOK, tplForgotPassword)
- return
- }
-
- mailer.SendResetPasswordMail(u)
-
- if err = ctx.Cache.Put("MailResendLimit_"+u.LowerName, u.LowerName, 180); err != nil {
- log.Error("Set cache(MailResendLimit) fail: %v", err)
- }
-
- ctx.Data["ResetPwdCodeLives"] = timeutil.MinutesToFriendly(setting.Service.ResetPwdCodeLives, ctx.Locale.Language())
- ctx.Data["IsResetSent"] = true
- ctx.HTML(http.StatusOK, tplForgotPassword)
-}
-
-func commonResetPassword(ctx *context.Context) (*user_model.User, *login.TwoFactor) {
- code := ctx.FormString("code")
-
- ctx.Data["Title"] = ctx.Tr("auth.reset_password")
- ctx.Data["Code"] = code
-
- if nil != ctx.User {
- ctx.Data["user_signed_in"] = true
- }
-
- if len(code) == 0 {
- ctx.Flash.Error(ctx.Tr("auth.invalid_code"))
- return nil, nil
- }
-
- // Fail early, don't frustrate the user
- u := user_model.VerifyUserActiveCode(code)
- if u == nil {
- ctx.Flash.Error(ctx.Tr("auth.invalid_code"))
- return nil, nil
- }
-
- twofa, err := login.GetTwoFactorByUID(u.ID)
- if err != nil {
- if !login.IsErrTwoFactorNotEnrolled(err) {
- ctx.Error(http.StatusInternalServerError, "CommonResetPassword", err.Error())
- return nil, nil
- }
- } else {
- ctx.Data["has_two_factor"] = true
- ctx.Data["scratch_code"] = ctx.FormBool("scratch_code")
- }
-
- // Show the user that they are affecting the account that they intended to
- ctx.Data["user_email"] = u.Email
-
- if nil != ctx.User && u.ID != ctx.User.ID {
- ctx.Flash.Error(ctx.Tr("auth.reset_password_wrong_user", ctx.User.Email, u.Email))
- return nil, nil
- }
-
- return u, twofa
-}
-
-// ResetPasswd render the account recovery page
-func ResetPasswd(ctx *context.Context) {
- ctx.Data["IsResetForm"] = true
-
- commonResetPassword(ctx)
- if ctx.Written() {
- return
- }
-
- ctx.HTML(http.StatusOK, tplResetPassword)
-}
-
-// ResetPasswdPost response from account recovery request
-func ResetPasswdPost(ctx *context.Context) {
- u, twofa := commonResetPassword(ctx)
- if ctx.Written() {
- return
- }
-
- if u == nil {
- // Flash error has been set
- ctx.HTML(http.StatusOK, tplResetPassword)
- return
- }
-
- // Validate password length.
- passwd := ctx.FormString("password")
- if len(passwd) < setting.MinPasswordLength {
- ctx.Data["IsResetForm"] = true
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplResetPassword, nil)
- return
- } else if !password.IsComplexEnough(passwd) {
- ctx.Data["IsResetForm"] = true
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(password.BuildComplexityError(ctx), tplResetPassword, nil)
- return
- } else if pwned, err := password.IsPwned(ctx, passwd); pwned || err != nil {
- errMsg := ctx.Tr("auth.password_pwned")
- if err != nil {
- log.Error(err.Error())
- errMsg = ctx.Tr("auth.password_pwned_err")
- }
- ctx.Data["IsResetForm"] = true
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(errMsg, tplResetPassword, nil)
- return
- }
-
- // Handle two-factor
- regenerateScratchToken := false
- if twofa != nil {
- if ctx.FormBool("scratch_code") {
- if !twofa.VerifyScratchToken(ctx.FormString("token")) {
- ctx.Data["IsResetForm"] = true
- ctx.Data["Err_Token"] = true
- ctx.RenderWithErr(ctx.Tr("auth.twofa_scratch_token_incorrect"), tplResetPassword, nil)
- return
- }
- regenerateScratchToken = true
- } else {
- passcode := ctx.FormString("passcode")
- ok, err := twofa.ValidateTOTP(passcode)
- if err != nil {
- ctx.Error(http.StatusInternalServerError, "ValidateTOTP", err.Error())
- return
- }
- if !ok || twofa.LastUsedPasscode == passcode {
- ctx.Data["IsResetForm"] = true
- ctx.Data["Err_Passcode"] = true
- ctx.RenderWithErr(ctx.Tr("auth.twofa_passcode_incorrect"), tplResetPassword, nil)
- return
- }
-
- twofa.LastUsedPasscode = passcode
- if err = login.UpdateTwoFactor(twofa); err != nil {
- ctx.ServerError("ResetPasswdPost: UpdateTwoFactor", err)
- return
- }
- }
- }
- var err error
- if u.Rands, err = user_model.GetUserSalt(); err != nil {
- ctx.ServerError("UpdateUser", err)
- return
- }
- if err = u.SetPassword(passwd); err != nil {
- ctx.ServerError("UpdateUser", err)
- return
- }
- u.MustChangePassword = false
- if err := user_model.UpdateUserCols(db.DefaultContext, u, "must_change_password", "passwd", "passwd_hash_algo", "rands", "salt"); err != nil {
- ctx.ServerError("UpdateUser", err)
- return
- }
-
- log.Trace("User password reset: %s", u.Name)
- ctx.Data["IsResetFailed"] = true
- remember := len(ctx.FormString("remember")) != 0
-
- if regenerateScratchToken {
- // Invalidate the scratch token.
- _, err = twofa.GenerateScratchToken()
- if err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
- if err = login.UpdateTwoFactor(twofa); err != nil {
- ctx.ServerError("UserSignIn", err)
- return
- }
-
- handleSignInFull(ctx, u, remember, false)
- ctx.Flash.Info(ctx.Tr("auth.twofa_scratch_used"))
- if ctx.Written() {
- return
- }
- ctx.Redirect(setting.AppSubURL + "/user/settings/security")
- return
- }
-
- handleSignIn(ctx, u, remember)
-}
-
-// MustChangePassword renders the page to change a user's password
-func MustChangePassword(ctx *context.Context) {
- ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
- ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/settings/change_password"
- ctx.Data["MustChangePassword"] = true
- ctx.HTML(http.StatusOK, tplMustChangePassword)
-}
-
-// MustChangePasswordPost response for updating a user's password after his/her
-// account was created by an admin
-func MustChangePasswordPost(ctx *context.Context) {
- form := web.GetForm(ctx).(*forms.MustChangePasswordForm)
- ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
- ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/settings/change_password"
- if ctx.HasError() {
- ctx.HTML(http.StatusOK, tplMustChangePassword)
- return
- }
- u := ctx.User
- // Make sure only requests for users who are eligible to change their password via
- // this method passes through
- if !u.MustChangePassword {
- ctx.ServerError("MustUpdatePassword", errors.New("cannot update password.. Please visit the settings page"))
- return
- }
-
- if form.Password != form.Retype {
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(ctx.Tr("form.password_not_match"), tplMustChangePassword, &form)
- return
- }
-
- if len(form.Password) < setting.MinPasswordLength {
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplMustChangePassword, &form)
- return
- }
- if !password.IsComplexEnough(form.Password) {
- ctx.Data["Err_Password"] = true
- ctx.RenderWithErr(password.BuildComplexityError(ctx), tplMustChangePassword, &form)
- return
- }
- pwned, err := password.IsPwned(ctx, form.Password)
- if pwned {
- ctx.Data["Err_Password"] = true
- errMsg := ctx.Tr("auth.password_pwned")
- if err != nil {
- log.Error(err.Error())
- errMsg = ctx.Tr("auth.password_pwned_err")
- }
- ctx.RenderWithErr(errMsg, tplMustChangePassword, &form)
- return
- }
-
- if err = u.SetPassword(form.Password); err != nil {
- ctx.ServerError("UpdateUser", err)
- return
- }
-
- u.MustChangePassword = false
-
- if err := user_model.UpdateUserCols(db.DefaultContext, u, "must_change_password", "passwd", "passwd_hash_algo", "salt"); err != nil {
- ctx.ServerError("UpdateUser", err)
- return
- }
-
- ctx.Flash.Success(ctx.Tr("settings.change_password_success"))
-
- log.Trace("User updated password: %s", u.Name)
-
- if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 && !utils.IsExternalURL(redirectTo) {
- middleware.DeleteRedirectToCookie(ctx.Resp)
- ctx.RedirectToFirst(redirectTo)
- return
- }
-
- ctx.Redirect(setting.AppSubURL + "/")
-}
diff --git a/routers/web/user/auth_openid.go b/routers/web/user/auth_openid.go
deleted file mode 100644
index 55dd8f8d09..0000000000
--- a/routers/web/user/auth_openid.go
+++ /dev/null
@@ -1,457 +0,0 @@
-// Copyright 2017 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package user
-
-import (
- "fmt"
- "net/http"
- "net/url"
-
- user_model "code.gitea.io/gitea/models/user"
- "code.gitea.io/gitea/modules/auth/openid"
- "code.gitea.io/gitea/modules/base"
- "code.gitea.io/gitea/modules/context"
- "code.gitea.io/gitea/modules/hcaptcha"
- "code.gitea.io/gitea/modules/log"
- "code.gitea.io/gitea/modules/recaptcha"
- "code.gitea.io/gitea/modules/session"
- "code.gitea.io/gitea/modules/setting"
- "code.gitea.io/gitea/modules/util"
- "code.gitea.io/gitea/modules/web"
- "code.gitea.io/gitea/modules/web/middleware"
- "code.gitea.io/gitea/services/auth"
- "code.gitea.io/gitea/services/forms"
-)
-
-const (
- tplSignInOpenID base.TplName = "user/auth/signin_openid"
- tplConnectOID base.TplName = "user/auth/signup_openid_connect"
- tplSignUpOID base.TplName = "user/auth/signup_openid_register"
-)
-
-// SignInOpenID render sign in page
-func SignInOpenID(ctx *context.Context) {
- ctx.Data["Title"] = ctx.Tr("sign_in")
-
- if ctx.FormString("openid.return_to") != "" {
- signInOpenIDVerify(ctx)
- return
- }
-
- // Check auto-login.
- isSucceed, err := AutoSignIn(ctx)
- if err != nil {
- ctx.ServerError("AutoSignIn", err)
- return
- }
-
- redirectTo := ctx.FormString("redirect_to")
- if len(redirectTo) > 0 {
- middleware.SetRedirectToCookie(ctx.Resp, redirectTo)
- } else {
- redirectTo = ctx.GetCookie("redirect_to")
- }
-
- if isSucceed {
- middleware.DeleteRedirectToCookie(ctx.Resp)
- ctx.RedirectToFirst(redirectTo)
- return
- }
-
- ctx.Data["PageIsSignIn"] = true
- ctx.Data["PageIsLoginOpenID"] = true
- ctx.HTML(http.StatusOK, tplSignInOpenID)
-}
-
-// Check if the given OpenID URI is allowed by blacklist/whitelist
-func allowedOpenIDURI(uri string) (err error) {
-
- // In case a Whitelist is present, URI must be in it
- // in order to be accepted
- if len(setting.Service.OpenIDWhitelist) != 0 {
- for _, pat := range setting.Service.OpenIDWhitelist {
- if pat.MatchString(uri) {
- return nil // pass
- }
- }
- // must match one of this or be refused
- return fmt.Errorf("URI not allowed by whitelist")
- }
-
- // A blacklist match expliclty forbids
- for _, pat := range setting.Service.OpenIDBlacklist {
- if pat.MatchString(uri) {
- return fmt.Errorf("URI forbidden by blacklist")
- }
- }
-
- return nil
-}
-
-// SignInOpenIDPost response for openid sign in request
-func SignInOpenIDPost(ctx *context.Context) {
- form := web.GetForm(ctx).(*forms.SignInOpenIDForm)
- ctx.Data["Title"] = ctx.Tr("sign_in")
- ctx.Data["PageIsSignIn"] = true
- ctx.Data["PageIsLoginOpenID"] = true
-
- if ctx.HasError() {
- ctx.HTML(http.StatusOK, tplSignInOpenID)
- return
- }
-
- id, err := openid.Normalize(form.Openid)
- if err != nil {
- ctx.RenderWithErr(err.Error(), tplSignInOpenID, &form)
- return
- }
- form.Openid = id
-
- log.Trace("OpenID uri: " + id)
-
- err = allowedOpenIDURI(id)
- if err != nil {
- ctx.RenderWithErr(err.Error(), tplSignInOpenID, &form)
- return
- }
-
- redirectTo := setting.AppURL + "user/login/openid"
- url, err := openid.RedirectURL(id, redirectTo, setting.AppURL)
- if err != nil {
- log.Error("Error in OpenID redirect URL: %s, %v", redirectTo, err.Error())
- ctx.RenderWithErr(fmt.Sprintf("Unable to find OpenID provider in %s", redirectTo), tplSignInOpenID, &form)
- return
- }
-
- // Request optional nickname and email info
- // NOTE: change to `openid.sreg.required` to require it
- url += "&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1"
- url += "&openid.sreg.optional=nickname%2Cemail"
-
- log.Trace("Form-passed openid-remember: %t", form.Remember)
-
- if err := ctx.Session.Set("openid_signin_remember", form.Remember); err != nil {
- log.Error("SignInOpenIDPost: Could not set openid_signin_remember in session: %v", err)
- }
- if err := ctx.Session.Release(); err != nil {
- log.Error("SignInOpenIDPost: Unable to save changes to the session: %v", err)
- }
-
- ctx.Redirect(url)
-}
-
-// signInOpenIDVerify handles response from OpenID provider
-func signInOpenIDVerify(ctx *context.Context) {
-
- log.Trace("Incoming call to: %s", ctx.Req.URL.String())
-
- fullURL := setting.AppURL + ctx.Req.URL.String()[1:]
- log.Trace("Full URL: %s", fullURL)
-
- var id, err = openid.Verify(fullURL)
- if err != nil {
- ctx.RenderWithErr(err.Error(), tplSignInOpenID, &forms.SignInOpenIDForm{
- Openid: id,
- })
- return
- }
-
- log.Trace("Verified ID: %s", id)
-
- /* Now we should seek for the user and log him in, or prompt
- * to register if not found */
-
- u, err := user_model.GetUserByOpenID(id)
- if err != nil {
- if !user_model.IsErrUserNotExist(err) {
- ctx.RenderWithErr(err.Error(), tplSignInOpenID, &forms.SignInOpenIDForm{
- Openid: id,
- })
- return
- }
- log.Error("signInOpenIDVerify: %v", err)
- }
- if u != nil {
- log.Trace("User exists, logging in")
- remember, _ := ctx.Session.Get("openid_signin_remember").(bool)
- log.Trace("Session stored openid-remember: %t", remember)
- handleSignIn(ctx, u, remember)
- return
- }
-
- log.Trace("User with openid: %s does not exist, should connect or register", id)
-
- parsedURL, err := url.Parse(fullURL)
- if err != nil {
- ctx.RenderWithErr(err.Error(), tplSignInOpenID, &forms.SignInOpenIDForm{
- Openid: id,
- })
- return
- }
- values, err := url.ParseQuery(parsedURL.RawQuery)
- if err != nil {
- ctx.RenderWithErr(err.Error(), tplSignInOpenID, &forms.SignInOpenIDForm{
- Openid: id,
- })
- return
- }
- email := values.Get("openid.sreg.email")
- nickname := values.Get("openid.sreg.nickname")
-
- log.Trace("User has email=%s and nickname=%s", email, nickname)
-
- if email != "" {
- u, err = user_model.GetUserByEmail(email)
- if err != nil {
- if !user_model.IsErrUserNotExist(err) {
- ctx.RenderWithErr(err.Error(), tplSignInOpenID, &forms.SignInOpenIDForm{
- Openid: id,
- })
- return
- }
- log.Error("signInOpenIDVerify: %v", err)
- }
- if u != nil {
- log.Trace("Local user %s has OpenID provided email %s", u.LowerName, email)
- }
- }
-
- if u == nil && nickname != "" {
- u, _ = user_model.GetUserByName(nickname)
- if err != nil {
- if !user_model.IsErrUserNotExist(err) {
- ctx.RenderWithErr(err.Error(), tplSignInOpenID, &forms.SignInOpenIDForm{
- Openid: id,
- })
- return
- }
- }
- if u != nil {
- log.Trace("Local user %s has OpenID provided nickname %s", u.LowerName, nickname)
- }
- }
-
- if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
- ctx.ServerError("RegenerateSession", err)
- return
- }
-
- if err := ctx.Session.Set("openid_verified_uri", id); err != nil {
- log.Error("signInOpenIDVerify: Could not set openid_verified_uri in session: %v", err)
- }
- if err := ctx.Session.Set("openid_determined_email", email); err != nil {
- log.Error("signInOpenIDVerify: Could not set openid_determined_email in session: %v", err)
- }
-
- if u != nil {
- nickname = u.LowerName
- }
-
- if err := ctx.Session.Set("openid_determined_username", nickname); err != nil {
- log.Error("signInOpenIDVerify: Could not set openid_determined_username in session: %v", err)
- }
- if err := ctx.Session.Release(); err != nil {
- log.Error("signInOpenIDVerify: Unable to save changes to the session: %v", err)
- }
-
- if u != nil || !setting.Service.EnableOpenIDSignUp || setting.Service.AllowOnlyInternalRegistration {
- ctx.Redirect(setting.AppSubURL + "/user/openid/connect")
- } else {
- ctx.Redirect(setting.AppSubURL + "/user/openid/register")
- }
-}
-
-// ConnectOpenID shows a form to connect an OpenID URI to an existing account
-func ConnectOpenID(ctx *context.Context) {
- oid, _ := ctx.Session.Get("openid_verified_uri").(string)
- if oid == "" {
- ctx.Redirect(setting.AppSubURL + "/user/login/openid")
- return
- }
- ctx.Data["Title"] = "OpenID connect"
- ctx.Data["PageIsSignIn"] = true
- ctx.Data["PageIsOpenIDConnect"] = true
- ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
- ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
- ctx.Data["OpenID"] = oid
- userName, _ := ctx.Session.Get("openid_determined_username").(string)
- if userName != "" {
- ctx.Data["user_name"] = userName
- }
- ctx.HTML(http.StatusOK, tplConnectOID)
-}
-
-// ConnectOpenIDPost handles submission of a form to connect an OpenID URI to an existing account
-func ConnectOpenIDPost(ctx *context.Context) {
- form := web.GetForm(ctx).(*forms.ConnectOpenIDForm)
- oid, _ := ctx.Session.Get("openid_verified_uri").(string)
- if oid == "" {
- ctx.Redirect(setting.AppSubURL + "/user/login/openid")
- return
- }
- ctx.Data["Title"] = "OpenID connect"
- ctx.Data["PageIsSignIn"] = true
- ctx.Data["PageIsOpenIDConnect"] = true
- ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
- ctx.Data["OpenID"] = oid
-
- u, _, err := auth.UserSignIn(form.UserName, form.Password)
- if err != nil {
- if user_model.IsErrUserNotExist(err) {
- ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplConnectOID, &form)
- } else {
- ctx.ServerError("ConnectOpenIDPost", err)
- }
- return
- }
-
- // add OpenID for the user
- userOID := &user_model.UserOpenID{UID: u.ID, URI: oid}
- if err = user_model.AddUserOpenID(userOID); err != nil {
- if user_model.IsErrOpenIDAlreadyUsed(err) {
- ctx.RenderWithErr(ctx.Tr("form.openid_been_used", oid), tplConnectOID, &form)
- return
- }
- ctx.ServerError("AddUserOpenID", err)
- return
- }
-
- ctx.Flash.Success(ctx.Tr("settings.add_openid_success"))
-
- remember, _ := ctx.Session.Get("openid_signin_remember").(bool)
- log.Trace("Session stored openid-remember: %t", remember)
- handleSignIn(ctx, u, remember)
-}
-
-// RegisterOpenID shows a form to create a new user authenticated via an OpenID URI
-func RegisterOpenID(ctx *context.Context) {
- oid, _ := ctx.Session.Get("openid_verified_uri").(string)
- if oid == "" {
- ctx.Redirect(setting.AppSubURL + "/user/login/openid")
- return
- }
- ctx.Data["Title"] = "OpenID signup"
- ctx.Data["PageIsSignIn"] = true
- ctx.Data["PageIsOpenIDRegister"] = true
- ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
- ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
- ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
- ctx.Data["Captcha"] = context.GetImageCaptcha()
- ctx.Data["CaptchaType"] = setting.Service.CaptchaType
- ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
- ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
- ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
- ctx.Data["OpenID"] = oid
- userName, _ := ctx.Session.Get("openid_determined_username").(string)
- if userName != "" {
- ctx.Data["user_name"] = userName
- }
- email, _ := ctx.Session.Get("openid_determined_email").(string)
- if email != "" {
- ctx.Data["email"] = email
- }
- ctx.HTML(http.StatusOK, tplSignUpOID)
-}
-
-// RegisterOpenIDPost handles submission of a form to create a new user authenticated via an OpenID URI
-func RegisterOpenIDPost(ctx *context.Context) {
- form := web.GetForm(ctx).(*forms.SignUpOpenIDForm)
- oid, _ := ctx.Session.Get("openid_verified_uri").(string)
- if oid == "" {
- ctx.Redirect(setting.AppSubURL + "/user/login/openid")
- return
- }
-
- ctx.Data["Title"] = "OpenID signup"
- ctx.Data["PageIsSignIn"] = true
- ctx.Data["PageIsOpenIDRegister"] = true
- ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
- ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
- ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
- ctx.Data["Captcha"] = context.GetImageCaptcha()
- ctx.Data["CaptchaType"] = setting.Service.CaptchaType
- ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
- ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
- ctx.Data["OpenID"] = oid
-
- if setting.Service.AllowOnlyInternalRegistration {
- ctx.Error(http.StatusForbidden)
- return
- }
-
- if setting.Service.EnableCaptcha {
- var valid bool
- var err error
- switch setting.Service.CaptchaType {
- case setting.ImageCaptcha:
- valid = context.GetImageCaptcha().VerifyReq(ctx.Req)
- case setting.ReCaptcha:
- if err := ctx.Req.ParseForm(); err != nil {
- ctx.ServerError("", err)
- return
- }
- valid, err = recaptcha.Verify(ctx, form.GRecaptchaResponse)
- case setting.HCaptcha:
- if err := ctx.Req.ParseForm(); err != nil {
- ctx.ServerError("", err)
- return
- }
- valid, err = hcaptcha.Verify(ctx, form.HcaptchaResponse)
- default:
- ctx.ServerError("Unknown Captcha Type", fmt.Errorf("Unknown Captcha Type: %s", setting.Service.CaptchaType))
- return
- }
- if err != nil {
- log.Debug("%s", err.Error())
- }
-
- if !valid {
- ctx.Data["Err_Captcha"] = true
- ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplSignUpOID, &form)
- return
- }
- }
-
- length := setting.MinPasswordLength
- if length < 256 {
- length = 256
- }
- password, err := util.RandomString(int64(length))
- if err != nil {
- ctx.RenderWithErr(err.Error(), tplSignUpOID, form)
- return
- }
-
- u := &user_model.User{
- Name: form.UserName,
- Email: form.Email,
- Passwd: password,
- IsActive: !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm),
- }
- if !createUserInContext(ctx, tplSignUpOID, form, u, nil, false) {
- // error already handled
- return
- }
-
- // add OpenID for the user
- userOID := &user_model.UserOpenID{UID: u.ID, URI: oid}
- if err = user_model.AddUserOpenID(userOID); err != nil {
- if user_model.IsErrOpenIDAlreadyUsed(err) {
- ctx.RenderWithErr(ctx.Tr("form.openid_been_used", oid), tplSignUpOID, &form)
- return
- }
- ctx.ServerError("AddUserOpenID", err)
- return
- }
-
- if !handleUserCreated(ctx, u, nil) {
- // error already handled
- return
- }
-
- remember, _ := ctx.Session.Get("openid_signin_remember").(bool)
- log.Trace("Session stored openid-remember: %t", remember)
- handleSignIn(ctx, u, remember)
-}
diff --git a/routers/web/user/oauth.go b/routers/web/user/oauth.go
deleted file mode 100644
index 166420221d..0000000000
--- a/routers/web/user/oauth.go
+++ /dev/null
@@ -1,752 +0,0 @@
-// Copyright 2019 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package user
-
-import (
- "encoding/base64"
- "fmt"
- "html"
- "net/http"
- "net/url"
- "strings"
-
- "code.gitea.io/gitea/models"
- "code.gitea.io/gitea/models/login"
- user_model "code.gitea.io/gitea/models/user"
- "code.gitea.io/gitea/modules/base"
- "code.gitea.io/gitea/modules/context"
- "code.gitea.io/gitea/modules/json"
- "code.gitea.io/gitea/modules/log"
- "code.gitea.io/gitea/modules/setting"
- "code.gitea.io/gitea/modules/timeutil"
- "code.gitea.io/gitea/modules/web"
- "code.gitea.io/gitea/services/auth"
- "code.gitea.io/gitea/services/auth/source/oauth2"
- "code.gitea.io/gitea/services/forms"
-
- "gitea.com/go-chi/binding"
- "github.com/golang-jwt/jwt"
-)
-
-const (
- tplGrantAccess base.TplName = "user/auth/grant"
- tplGrantError base.TplName = "user/auth/grant_error"
-)
-
-// TODO move error and responses to SDK or models
-
-// AuthorizeErrorCode represents an error code specified in RFC 6749
-type AuthorizeErrorCode string
-
-const (
- // ErrorCodeInvalidRequest represents the according error in RFC 6749
- ErrorCodeInvalidRequest AuthorizeErrorCode = "invalid_request"
- // ErrorCodeUnauthorizedClient represents the according error in RFC 6749
- ErrorCodeUnauthorizedClient AuthorizeErrorCode = "unauthorized_client"
- // ErrorCodeAccessDenied represents the according error in RFC 6749
- ErrorCodeAccessDenied AuthorizeErrorCode = "access_denied"
- // ErrorCodeUnsupportedResponseType represents the according error in RFC 6749
- ErrorCodeUnsupportedResponseType AuthorizeErrorCode = "unsupported_response_type"
- // ErrorCodeInvalidScope represents the according error in RFC 6749
- ErrorCodeInvalidScope AuthorizeErrorCode = "invalid_scope"
- // ErrorCodeServerError represents the according error in RFC 6749
- ErrorCodeServerError AuthorizeErrorCode = "server_error"
- // ErrorCodeTemporaryUnavailable represents the according error in RFC 6749
- ErrorCodeTemporaryUnavailable AuthorizeErrorCode = "temporarily_unavailable"
-)
-
-// AuthorizeError represents an error type specified in RFC 6749
-type AuthorizeError struct {
- ErrorCode AuthorizeErrorCode `json:"error" form:"error"`
- ErrorDescription string
- State string
-}
-
-// Error returns the error message
-func (err AuthorizeError) Error() string {
- return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription)
-}
-
-// AccessTokenErrorCode represents an error code specified in RFC 6749
-type AccessTokenErrorCode string
-
-const (
- // AccessTokenErrorCodeInvalidRequest represents an error code specified in RFC 6749
- AccessTokenErrorCodeInvalidRequest AccessTokenErrorCode = "invalid_request"
- // AccessTokenErrorCodeInvalidClient represents an error code specified in RFC 6749
- AccessTokenErrorCodeInvalidClient = "invalid_client"
- // AccessTokenErrorCodeInvalidGrant represents an error code specified in RFC 6749
- AccessTokenErrorCodeInvalidGrant = "invalid_grant"
- // AccessTokenErrorCodeUnauthorizedClient represents an error code specified in RFC 6749
- AccessTokenErrorCodeUnauthorizedClient = "unauthorized_client"
- // AccessTokenErrorCodeUnsupportedGrantType represents an error code specified in RFC 6749
- AccessTokenErrorCodeUnsupportedGrantType = "unsupported_grant_type"
- // AccessTokenErrorCodeInvalidScope represents an error code specified in RFC 6749
- AccessTokenErrorCodeInvalidScope = "invalid_scope"
-)
-
-// AccessTokenError represents an error response specified in RFC 6749
-type AccessTokenError struct {
- ErrorCode AccessTokenErrorCode `json:"error" form:"error"`
- ErrorDescription string `json:"error_description"`
-}
-
-// Error returns the error message
-func (err AccessTokenError) Error() string {
- return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription)
-}
-
-// TokenType specifies the kind of token
-type TokenType string
-
-const (
- // TokenTypeBearer represents a token type specified in RFC 6749
- TokenTypeBearer TokenType = "bearer"
- // TokenTypeMAC represents a token type specified in RFC 6749
- TokenTypeMAC = "mac"
-)
-
-// AccessTokenResponse represents a successful access token response
-type AccessTokenResponse struct {
- AccessToken string `json:"access_token"`
- TokenType TokenType `json:"token_type"`
- ExpiresIn int64 `json:"expires_in"`
- RefreshToken string `json:"refresh_token"`
- IDToken string `json:"id_token,omitempty"`
-}
-
-func newAccessTokenResponse(grant *login.OAuth2Grant, serverKey, clientKey oauth2.JWTSigningKey) (*AccessTokenResponse, *AccessTokenError) {
- if setting.OAuth2.InvalidateRefreshTokens {
- if err := grant.IncreaseCounter(); err != nil {
- return nil, &AccessTokenError{
- ErrorCode: AccessTokenErrorCodeInvalidGrant,
- ErrorDescription: "cannot increase the grant counter",
- }
- }
- }
- // generate access token to access the API
- expirationDate := timeutil.TimeStampNow().Add(setting.OAuth2.AccessTokenExpirationTime)
- accessToken := &oauth2.Token{
- GrantID: grant.ID,
- Type: oauth2.TypeAccessToken,
- StandardClaims: jwt.StandardClaims{
- ExpiresAt: expirationDate.AsTime().Unix(),
- },
- }
- signedAccessToken, err := accessToken.SignToken(serverKey)
- if err != nil {
- return nil, &AccessTokenError{
- ErrorCode: AccessTokenErrorCodeInvalidRequest,
- ErrorDescription: "cannot sign token",
- }
- }
-
- // generate refresh token to request an access token after it expired later
- refreshExpirationDate := timeutil.TimeStampNow().Add(setting.OAuth2.RefreshTokenExpirationTime * 60 * 60).AsTime().Unix()
- refreshToken := &oauth2.Token{
- GrantID: grant.ID,
- Counter: grant.Counter,
- Type: oauth2.TypeRefreshToken,
- StandardClaims: jwt.StandardClaims{
- ExpiresAt: refreshExpirationDate,
- },
- }
- signedRefreshToken, err := refreshToken.SignToken(serverKey)
- if err != nil {
- return nil, &AccessTokenError{
- ErrorCode: AccessTokenErrorCodeInvalidRequest,
- ErrorDescription: "cannot sign token",
- }
- }
-
- // generate OpenID Connect id_token
- signedIDToken := ""
- if grant.ScopeContains("openid") {
- app, err := login.GetOAuth2ApplicationByID(grant.ApplicationID)
- if err != nil {
- return nil, &AccessTokenError{
- ErrorCode: AccessTokenErrorCodeInvalidRequest,
- ErrorDescription: "cannot find application",
- }
- }
- user, err := user_model.GetUserByID(grant.UserID)
- if err != nil {
- if user_model.IsErrUserNotExist(err) {
- return nil, &AccessTokenError{
- ErrorCode: AccessTokenErrorCodeInvalidRequest,
- ErrorDescription: "cannot find user",
- }
- }
- log.Error("Error loading user: %v", err)
- return nil, &AccessTokenError{
- ErrorCode: AccessTokenErrorCodeInvalidRequest,
- ErrorDescription: "server error",
- }
- }
-
- idToken := &oauth2.OIDCToken{
- StandardClaims: jwt.StandardClaims{
- ExpiresAt: expirationDate.AsTime().Unix(),
- Issuer: setting.AppURL,
- Audience: app.ClientID,
- Subject: fmt.Sprint(grant.UserID),
- },
- Nonce: grant.Nonce,
- }
- if grant.ScopeContains("profile") {
- idToken.Name = user.FullName
- idToken.PreferredUsername = user.Name
- idToken.Profile = user.HTMLURL()
- idToken.Picture = user.AvatarLink()
- idToken.Website = user.Website
- idToken.Locale = user.Language
- idToken.UpdatedAt = user.UpdatedUnix
- }
- if grant.ScopeContains("email") {
- idToken.Email = user.Email
- idToken.EmailVerified = user.IsActive
- }
- if grant.ScopeContains("groups") {
- groups, err := getOAuthGroupsForUser(user)
- if err != nil {
- log.Error("Error getting groups: %v", err)
- return nil, &AccessTokenError{
- ErrorCode: AccessTokenErrorCodeInvalidRequest,
- ErrorDescription: "server error",
- }
- }
- idToken.Groups = groups
- }
-
- signedIDToken, err = idToken.SignToken(clientKey)
- if err != nil {
- return nil, &AccessTokenError{
- ErrorCode: AccessTokenErrorCodeInvalidRequest,
- ErrorDescription: "cannot sign token",
- }
- }
- }
-
- return &AccessTokenResponse{
- AccessToken: signedAccessToken,
- TokenType: TokenTypeBearer,
- ExpiresIn: setting.OAuth2.AccessTokenExpirationTime,
- RefreshToken: signedRefreshToken,
- IDToken: signedIDToken,
- }, nil
-}
-
-type userInfoResponse struct {
- Sub string `json:"sub"`
- Name string `json:"name"`
- Username string `json:"preferred_username"`
- Email string `json:"email"`
- Picture string `json:"picture"`
- Groups []string `json:"groups"`
-}
-
-// InfoOAuth manages request for userinfo endpoint
-func InfoOAuth(ctx *context.Context) {
- if ctx.User == nil || ctx.Data["AuthedMethod"] != (&auth.OAuth2{}).Name() {
- ctx.Resp.Header().Set("WWW-Authenticate", `Bearer realm=""`)
- ctx.PlainText(http.StatusUnauthorized, "no valid authorization")
- return
- }
-
- response := &userInfoResponse{
- Sub: fmt.Sprint(ctx.User.ID),
- Name: ctx.User.FullName,
- Username: ctx.User.Name,
- Email: ctx.User.Email,
- Picture: ctx.User.AvatarLink(),
- }
-
- groups, err := getOAuthGroupsForUser(ctx.User)
- if err != nil {
- ctx.ServerError("Oauth groups for user", err)
- return
- }
- response.Groups = groups
-
- ctx.JSON(http.StatusOK, response)
-}
-
-// returns a list of "org" and "org:team" strings,
-// that the given user is a part of.
-func getOAuthGroupsForUser(user *user_model.User) ([]string, error) {
- orgs, err := models.GetUserOrgsList(user)
- if err != nil {
- return nil, fmt.Errorf("GetUserOrgList: %v", err)
- }
-
- var groups []string
- for _, org := range orgs {
- groups = append(groups, org.Name)
- teams, err := org.LoadTeams()
- if err != nil {
- return nil, fmt.Errorf("LoadTeams: %v", err)
- }
- for _, team := range teams {
- if team.IsMember(user.ID) {
- groups = append(groups, org.Name+":"+team.LowerName)
- }
- }
- }
- return groups, nil
-}
-
-// IntrospectOAuth introspects an oauth token
-func IntrospectOAuth(ctx *context.Context) {
- if ctx.User == nil {
- ctx.Resp.Header().Set("WWW-Authenticate", `Bearer realm=""`)
- ctx.PlainText(http.StatusUnauthorized, "no valid authorization")
- return
- }
-
- var response struct {
- Active bool `json:"active"`
- Scope string `json:"scope,omitempty"`
- jwt.StandardClaims
- }
-
- form := web.GetForm(ctx).(*forms.IntrospectTokenForm)
- token, err := oauth2.ParseToken(form.Token, oauth2.DefaultSigningKey)
- if err == nil {
- if token.Valid() == nil {
- grant, err := login.GetOAuth2GrantByID(token.GrantID)
- if err == nil && grant != nil {
- app, err := login.GetOAuth2ApplicationByID(grant.ApplicationID)
- if err == nil && app != nil {
- response.Active = true
- response.Scope = grant.Scope
- response.Issuer = setting.AppURL
- response.Audience = app.ClientID
- response.Subject = fmt.Sprint(grant.UserID)
- }
- }
- }
- }
-
- ctx.JSON(http.StatusOK, response)
-}
-
-// AuthorizeOAuth manages authorize requests
-func AuthorizeOAuth(ctx *context.Context) {
- form := web.GetForm(ctx).(*forms.AuthorizationForm)
- errs := binding.Errors{}
- errs = form.Validate(ctx.Req, errs)
- if len(errs) > 0 {
- errstring := ""
- for _, e := range errs {
- errstring += e.Error() + "\n"
- }
- ctx.ServerError("AuthorizeOAuth: Validate: ", fmt.Errorf("errors occurred during validation: %s", errstring))
- return
- }
-
- app, err := login.GetOAuth2ApplicationByClientID(form.ClientID)
- if err != nil {
- if login.IsErrOauthClientIDInvalid(err) {
- handleAuthorizeError(ctx, AuthorizeError{
- ErrorCode: ErrorCodeUnauthorizedClient,
- ErrorDescription: "Client ID not registered",
- State: form.State,
- }, "")
- return
- }
- ctx.ServerError("GetOAuth2ApplicationByClientID", err)
- return
- }
-
- user, err := user_model.GetUserByID(app.UID)
- if err != nil {
- ctx.ServerError("GetUserByID", err)
- return
- }
-
- if !app.ContainsRedirectURI(form.RedirectURI) {
- handleAuthorizeError(ctx, AuthorizeError{
- ErrorCode: ErrorCodeInvalidRequest,
- ErrorDescription: "Unregistered Redirect URI",
- State: form.State,
- }, "")
- return
- }
-
- if form.ResponseType != "code" {
- handleAuthorizeError(ctx, AuthorizeError{
- ErrorCode: ErrorCodeUnsupportedResponseType,
- ErrorDescription: "Only code response type is supported.",
- State: form.State,
- }, form.RedirectURI)
- return
- }
-
- // pkce support
- switch form.CodeChallengeMethod {
- case "S256":
- case "plain":
- if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallengeMethod); err != nil {
- handleAuthorizeError(ctx, AuthorizeError{
- ErrorCode: ErrorCodeServerError,
- ErrorDescription: "cannot set code challenge method",
- State: form.State,
- }, form.RedirectURI)
- return
- }
- if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallenge); err != nil {
- handleAuthorizeError(ctx, AuthorizeError{
- ErrorCode: ErrorCodeServerError,
- ErrorDescription: "cannot set code challenge",
- State: form.State,
- }, form.RedirectURI)
- return
- }
- // Here we're just going to try to release the session early
- if err := ctx.Session.Release(); err != nil {
- // we'll tolerate errors here as they *should* get saved elsewhere
- log.Error("Unable to save changes to the session: %v", err)
- }
- case "":
- break
- default:
- handleAuthorizeError(ctx, AuthorizeError{
- ErrorCode: ErrorCodeInvalidRequest,
- ErrorDescription: "unsupported code challenge method",
- State: form.State,
- }, form.RedirectURI)
- return
- }
-
- grant, err := app.GetGrantByUserID(ctx.User.ID)
- if err != nil {
- handleServerError(ctx, form.State, form.RedirectURI)
- return
- }
-
- // Redirect if user already granted access
- if grant != nil {
- code, err := grant.GenerateNewAuthorizationCode(form.RedirectURI, form.CodeChallenge, form.CodeChallengeMethod)
- if err != nil {
- handleServerError(ctx, form.State, form.RedirectURI)
- return
- }
- redirect, err := code.GenerateRedirectURI(form.State)
- if err != nil {
- handleServerError(ctx, form.State, form.RedirectURI)
- return
- }
- // Update nonce to reflect the new session
- if len(form.Nonce) > 0 {
- err := grant.SetNonce(form.Nonce)
- if err != nil {
- log.Error("Unable to update nonce: %v", err)
- }
- }
- ctx.Redirect(redirect.String(), 302)
- return
- }
-
- // show authorize page to grant access
- ctx.Data["Application"] = app
- ctx.Data["RedirectURI"] = form.RedirectURI
- ctx.Data["State"] = form.State
- ctx.Data["Scope"] = form.Scope
- ctx.Data["Nonce"] = form.Nonce
- ctx.Data["ApplicationUserLink"] = "<a href=\"" + html.EscapeString(user.HTMLURL()) + "\">@" + html.EscapeString(user.Name) + "</a>"
- ctx.Data["ApplicationRedirectDomainHTML"] = "<strong>" + html.EscapeString(form.RedirectURI) + "</strong>"
- // TODO document SESSION <=> FORM
- err = ctx.Session.Set("client_id", app.ClientID)
- if err != nil {
- handleServerError(ctx, form.State, form.RedirectURI)
- log.Error(err.Error())
- return
- }
- err = ctx.Session.Set("redirect_uri", form.RedirectURI)
- if err != nil {
- handleServerError(ctx, form.State, form.RedirectURI)
- log.Error(err.Error())
- return
- }
- err = ctx.Session.Set("state", form.State)
- if err != nil {
- handleServerError(ctx, form.State, form.RedirectURI)
- log.Error(err.Error())
- return
- }
- // Here we're just going to try to release the session early
- if err := ctx.Session.Release(); err != nil {
- // we'll tolerate errors here as they *should* get saved elsewhere
- log.Error("Unable to save changes to the session: %v", err)
- }
- ctx.HTML(http.StatusOK, tplGrantAccess)
-}
-
-// GrantApplicationOAuth manages the post request submitted when a user grants access to an application
-func GrantApplicationOAuth(ctx *context.Context) {
- form := web.GetForm(ctx).(*forms.GrantApplicationForm)
- if ctx.Session.Get("client_id") != form.ClientID || ctx.Session.Get("state") != form.State ||
- ctx.Session.Get("redirect_uri") != form.RedirectURI {
- ctx.Error(http.StatusBadRequest)
- return
- }
- app, err := login.GetOAuth2ApplicationByClientID(form.ClientID)
- if err != nil {
- ctx.ServerError("GetOAuth2ApplicationByClientID", err)
- return
- }
- grant, err := app.CreateGrant(ctx.User.ID, form.Scope)
- if err != nil {
- handleAuthorizeError(ctx, AuthorizeError{
- State: form.State,
- ErrorDescription: "cannot create grant for user",
- ErrorCode: ErrorCodeServerError,
- }, form.RedirectURI)
- return
- }
- if len(form.Nonce) > 0 {
- err := grant.SetNonce(form.Nonce)
- if err != nil {
- log.Error("Unable to update nonce: %v", err)
- }
- }
-
- var codeChallenge, codeChallengeMethod string
- codeChallenge, _ = ctx.Session.Get("CodeChallenge").(string)
- codeChallengeMethod, _ = ctx.Session.Get("CodeChallengeMethod").(string)
-
- code, err := grant.GenerateNewAuthorizationCode(form.RedirectURI, codeChallenge, codeChallengeMethod)
- if err != nil {
- handleServerError(ctx, form.State, form.RedirectURI)
- return
- }
- redirect, err := code.GenerateRedirectURI(form.State)
- if err != nil {
- handleServerError(ctx, form.State, form.RedirectURI)
- return
- }
- ctx.Redirect(redirect.String(), 302)
-}
-
-// OIDCWellKnown generates JSON so OIDC clients know Gitea's capabilities
-func OIDCWellKnown(ctx *context.Context) {
- t := ctx.Render.TemplateLookup("user/auth/oidc_wellknown")
- ctx.Resp.Header().Set("Content-Type", "application/json")
- ctx.Data["SigningKey"] = oauth2.DefaultSigningKey
- if err := t.Execute(ctx.Resp, ctx.Data); err != nil {
- log.Error("%v", err)
- ctx.Error(http.StatusInternalServerError)
- }
-}
-
-// OIDCKeys generates the JSON Web Key Set
-func OIDCKeys(ctx *context.Context) {
- jwk, err := oauth2.DefaultSigningKey.ToJWK()
- if err != nil {
- log.Error("Error converting signing key to JWK: %v", err)
- ctx.Error(http.StatusInternalServerError)
- return
- }
-
- jwk["use"] = "sig"
-
- jwks := map[string][]map[string]string{
- "keys": {
- jwk,
- },
- }
-
- ctx.Resp.Header().Set("Content-Type", "application/json")
- enc := json.NewEncoder(ctx.Resp)
- if err := enc.Encode(jwks); err != nil {
- log.Error("Failed to encode representation as json. Error: %v", err)
- }
-}
-
-// AccessTokenOAuth manages all access token requests by the client
-func AccessTokenOAuth(ctx *context.Context) {
- form := *web.GetForm(ctx).(*forms.AccessTokenForm)
- if form.ClientID == "" {
- authHeader := ctx.Req.Header.Get("Authorization")
- authContent := strings.SplitN(authHeader, " ", 2)
- if len(authContent) == 2 && authContent[0] == "Basic" {
- payload, err := base64.StdEncoding.DecodeString(authContent[1])
- if err != nil {
- handleAccessTokenError(ctx, AccessTokenError{
- ErrorCode: AccessTokenErrorCodeInvalidRequest,
- ErrorDescription: "cannot parse basic auth header",
- })
- return
- }
- pair := strings.SplitN(string(payload), ":", 2)
- if len(pair) != 2 {
- handleAccessTokenError(ctx, AccessTokenError{
- ErrorCode: AccessTokenErrorCodeInvalidRequest,
- ErrorDescription: "cannot parse basic auth header",
- })
- return
- }
- form.ClientID = pair[0]
- form.ClientSecret = pair[1]
- }
- }
-
- serverKey := oauth2.DefaultSigningKey
- clientKey := serverKey
- if serverKey.IsSymmetric() {
- var err error
- clientKey, err = oauth2.CreateJWTSigningKey(serverKey.SigningMethod().Alg(), []byte(form.ClientSecret))
- if err != nil {
- handleAccessTokenError(ctx, AccessTokenError{
- ErrorCode: AccessTokenErrorCodeInvalidRequest,
- ErrorDescription: "Error creating signing key",
- })
- return
- }
- }
-
- switch form.GrantType {
- case "refresh_token":
- handleRefreshToken(ctx, form, serverKey, clientKey)
- case "authorization_code":
- handleAuthorizationCode(ctx, form, serverKey, clientKey)
- default:
- handleAccessTokenError(ctx, AccessTokenError{
- ErrorCode: AccessTokenErrorCodeUnsupportedGrantType,
- ErrorDescription: "Only refresh_token or authorization_code grant type is supported",
- })
- }
-}
-
-func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2.JWTSigningKey) {
- token, err := oauth2.ParseToken(form.RefreshToken, serverKey)
- if err != nil {
- handleAccessTokenError(ctx, AccessTokenError{
- ErrorCode: AccessTokenErrorCodeUnauthorizedClient,
- ErrorDescription: "client is not authorized",
- })
- return
- }
- // get grant before increasing counter
- grant, err := login.GetOAuth2GrantByID(token.GrantID)
- if err != nil || grant == nil {
- handleAccessTokenError(ctx, AccessTokenError{
- ErrorCode: AccessTokenErrorCodeInvalidGrant,
- ErrorDescription: "grant does not exist",
- })
- return
- }
-
- // check if token got already used
- if setting.OAuth2.InvalidateRefreshTokens && (grant.Counter != token.Counter || token.Counter == 0) {
- handleAccessTokenError(ctx, AccessTokenError{
- ErrorCode: AccessTokenErrorCodeUnauthorizedClient,
- ErrorDescription: "token was already used",
- })
- log.Warn("A client tried to use a refresh token for grant_id = %d was used twice!", grant.ID)
- return
- }
- accessToken, tokenErr := newAccessTokenResponse(grant, serverKey, clientKey)
- if tokenErr != nil {
- handleAccessTokenError(ctx, *tokenErr)
- return
- }
- ctx.JSON(http.StatusOK, accessToken)
-}
-
-func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2.JWTSigningKey) {
- app, err := login.GetOAuth2ApplicationByClientID(form.ClientID)
- if err != nil {
- handleAccessTokenError(ctx, AccessTokenError{
- ErrorCode: AccessTokenErrorCodeInvalidClient,
- ErrorDescription: fmt.Sprintf("cannot load client with client id: '%s'", form.ClientID),
- })
- return
- }
- if !app.ValidateClientSecret([]byte(form.ClientSecret)) {
- handleAccessTokenError(ctx, AccessTokenError{
- ErrorCode: AccessTokenErrorCodeUnauthorizedClient,
- ErrorDescription: "client is not authorized",
- })
- return
- }
- if form.RedirectURI != "" && !app.ContainsRedirectURI(form.RedirectURI) {
- handleAccessTokenError(ctx, AccessTokenError{
- ErrorCode: AccessTokenErrorCodeUnauthorizedClient,
- ErrorDescription: "client is not authorized",
- })
- return
- }
- authorizationCode, err := login.GetOAuth2AuthorizationByCode(form.Code)
- if err != nil || authorizationCode == nil {
- handleAccessTokenError(ctx, AccessTokenError{
- ErrorCode: AccessTokenErrorCodeUnauthorizedClient,
- ErrorDescription: "client is not authorized",
- })
- return
- }
- // check if code verifier authorizes the client, PKCE support
- if !authorizationCode.ValidateCodeChallenge(form.CodeVerifier) {
- handleAccessTokenError(ctx, AccessTokenError{
- ErrorCode: AccessTokenErrorCodeUnauthorizedClient,
- ErrorDescription: "client is not authorized",
- })
- return
- }
- // check if granted for this application
- if authorizationCode.Grant.ApplicationID != app.ID {
- handleAccessTokenError(ctx, AccessTokenError{
- ErrorCode: AccessTokenErrorCodeInvalidGrant,
- ErrorDescription: "invalid grant",
- })
- return
- }
- // remove token from database to deny duplicate usage
- if err := authorizationCode.Invalidate(); err != nil {
- handleAccessTokenError(ctx, AccessTokenError{
- ErrorCode: AccessTokenErrorCodeInvalidRequest,
- ErrorDescription: "cannot proceed your request",
- })
- }
- resp, tokenErr := newAccessTokenResponse(authorizationCode.Grant, serverKey, clientKey)
- if tokenErr != nil {
- handleAccessTokenError(ctx, *tokenErr)
- return
- }
- // send successful response
- ctx.JSON(http.StatusOK, resp)
-}
-
-func handleAccessTokenError(ctx *context.Context, acErr AccessTokenError) {
- ctx.JSON(http.StatusBadRequest, acErr)
-}
-
-func handleServerError(ctx *context.Context, state, redirectURI string) {
- handleAuthorizeError(ctx, AuthorizeError{
- ErrorCode: ErrorCodeServerError,
- ErrorDescription: "A server error occurred",
- State: state,
- }, redirectURI)
-}
-
-func handleAuthorizeError(ctx *context.Context, authErr AuthorizeError, redirectURI string) {
- if redirectURI == "" {
- log.Warn("Authorization failed: %v", authErr.ErrorDescription)
- ctx.Data["Error"] = authErr
- ctx.HTML(400, tplGrantError)
- return
- }
- redirect, err := url.Parse(redirectURI)
- if err != nil {
- ctx.ServerError("url.Parse", err)
- return
- }
- q := redirect.Query()
- q.Set("error", string(authErr.ErrorCode))
- q.Set("error_description", authErr.ErrorDescription)
- q.Set("state", authErr.State)
- redirect.RawQuery = q.Encode()
- ctx.Redirect(redirect.String(), 302)
-}
diff --git a/routers/web/user/oauth_test.go b/routers/web/user/oauth_test.go
deleted file mode 100644
index e26a42b2fc..0000000000
--- a/routers/web/user/oauth_test.go
+++ /dev/null
@@ -1,76 +0,0 @@
-// Copyright 2021 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package user
-
-import (
- "testing"
-
- "code.gitea.io/gitea/models/login"
- "code.gitea.io/gitea/models/unittest"
- user_model "code.gitea.io/gitea/models/user"
- "code.gitea.io/gitea/services/auth/source/oauth2"
-
- "github.com/golang-jwt/jwt"
- "github.com/stretchr/testify/assert"
-)
-
-func createAndParseToken(t *testing.T, grant *login.OAuth2Grant) *oauth2.OIDCToken {
- signingKey, err := oauth2.CreateJWTSigningKey("HS256", make([]byte, 32))
- assert.NoError(t, err)
- assert.NotNil(t, signingKey)
-
- response, terr := newAccessTokenResponse(grant, signingKey, signingKey)
- assert.Nil(t, terr)
- assert.NotNil(t, response)
-
- parsedToken, err := jwt.ParseWithClaims(response.IDToken, &oauth2.OIDCToken{}, func(token *jwt.Token) (interface{}, error) {
- assert.NotNil(t, token.Method)
- assert.Equal(t, signingKey.SigningMethod().Alg(), token.Method.Alg())
- return signingKey.VerifyKey(), nil
- })
- assert.NoError(t, err)
- assert.True(t, parsedToken.Valid)
-
- oidcToken, ok := parsedToken.Claims.(*oauth2.OIDCToken)
- assert.True(t, ok)
- assert.NotNil(t, oidcToken)
-
- return oidcToken
-}
-
-func TestNewAccessTokenResponse_OIDCToken(t *testing.T) {
- assert.NoError(t, unittest.PrepareTestDatabase())
-
- grants, err := login.GetOAuth2GrantsByUserID(3)
- assert.NoError(t, err)
- assert.Len(t, grants, 1)
-
- // Scopes: openid
- oidcToken := createAndParseToken(t, grants[0])
- assert.Empty(t, oidcToken.Name)
- assert.Empty(t, oidcToken.PreferredUsername)
- assert.Empty(t, oidcToken.Profile)
- assert.Empty(t, oidcToken.Picture)
- assert.Empty(t, oidcToken.Website)
- assert.Empty(t, oidcToken.UpdatedAt)
- assert.Empty(t, oidcToken.Email)
- assert.False(t, oidcToken.EmailVerified)
-
- user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5}).(*user_model.User)
- grants, err = login.GetOAuth2GrantsByUserID(user.ID)
- assert.NoError(t, err)
- assert.Len(t, grants, 1)
-
- // Scopes: openid profile email
- oidcToken = createAndParseToken(t, grants[0])
- assert.Equal(t, user.FullName, oidcToken.Name)
- assert.Equal(t, user.Name, oidcToken.PreferredUsername)
- assert.Equal(t, user.HTMLURL(), oidcToken.Profile)
- assert.Equal(t, user.AvatarLink(), oidcToken.Picture)
- assert.Equal(t, user.Website, oidcToken.Website)
- assert.Equal(t, user.UpdatedUnix, oidcToken.UpdatedAt)
- assert.Equal(t, user.Email, oidcToken.Email)
- assert.Equal(t, user.IsActive, oidcToken.EmailVerified)
-}
diff --git a/routers/web/user/setting/applications.go b/routers/web/user/setting/applications.go
index 9976337bfa..20ffdfaf84 100644
--- a/routers/web/user/setting/applications.go
+++ b/routers/web/user/setting/applications.go
@@ -9,7 +9,7 @@ import (
"net/http"
"code.gitea.io/gitea/models"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/setting"
@@ -93,12 +93,12 @@ func loadApplicationsData(ctx *context.Context) {
ctx.Data["Tokens"] = tokens
ctx.Data["EnableOAuth2"] = setting.OAuth2.Enable
if setting.OAuth2.Enable {
- ctx.Data["Applications"], err = login.GetOAuth2ApplicationsByUserID(ctx.User.ID)
+ ctx.Data["Applications"], err = auth.GetOAuth2ApplicationsByUserID(ctx.User.ID)
if err != nil {
ctx.ServerError("GetOAuth2ApplicationsByUserID", err)
return
}
- ctx.Data["Grants"], err = login.GetOAuth2GrantsByUserID(ctx.User.ID)
+ ctx.Data["Grants"], err = auth.GetOAuth2GrantsByUserID(ctx.User.ID)
if err != nil {
ctx.ServerError("GetOAuth2GrantsByUserID", err)
return
diff --git a/routers/web/user/setting/keys.go b/routers/web/user/setting/keys.go
index 8274f8b1b3..26bbf7c195 100644
--- a/routers/web/user/setting/keys.go
+++ b/routers/web/user/setting/keys.go
@@ -216,7 +216,6 @@ func KeysPost(ctx *context.Context) {
// DeleteKey response for delete user's SSH/GPG key
func DeleteKey(ctx *context.Context) {
-
switch ctx.FormString("type") {
case "gpg":
if err := asymkey_model.DeleteGPGKey(ctx.User, ctx.FormInt64("id")); err != nil {
diff --git a/routers/web/user/setting/oauth2.go b/routers/web/user/setting/oauth2.go
index 0f338ab5d1..65d0924da0 100644
--- a/routers/web/user/setting/oauth2.go
+++ b/routers/web/user/setting/oauth2.go
@@ -8,7 +8,7 @@ import (
"fmt"
"net/http"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/log"
@@ -34,7 +34,7 @@ func OAuthApplicationsPost(ctx *context.Context) {
return
}
// TODO validate redirect URI
- app, err := login.CreateOAuth2Application(login.CreateOAuth2ApplicationOptions{
+ app, err := auth.CreateOAuth2Application(auth.CreateOAuth2ApplicationOptions{
Name: form.Name,
RedirectURIs: []string{form.RedirectURI},
UserID: ctx.User.ID,
@@ -67,7 +67,7 @@ func OAuthApplicationsEdit(ctx *context.Context) {
}
// TODO validate redirect URI
var err error
- if ctx.Data["App"], err = login.UpdateOAuth2Application(login.UpdateOAuth2ApplicationOptions{
+ if ctx.Data["App"], err = auth.UpdateOAuth2Application(auth.UpdateOAuth2ApplicationOptions{
ID: ctx.ParamsInt64("id"),
Name: form.Name,
RedirectURIs: []string{form.RedirectURI},
@@ -85,9 +85,9 @@ func OAuthApplicationsRegenerateSecret(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("settings")
ctx.Data["PageIsSettingsApplications"] = true
- app, err := login.GetOAuth2ApplicationByID(ctx.ParamsInt64("id"))
+ app, err := auth.GetOAuth2ApplicationByID(ctx.ParamsInt64("id"))
if err != nil {
- if login.IsErrOAuthApplicationNotFound(err) {
+ if auth.IsErrOAuthApplicationNotFound(err) {
ctx.NotFound("Application not found", err)
return
}
@@ -110,9 +110,9 @@ func OAuthApplicationsRegenerateSecret(ctx *context.Context) {
// OAuth2ApplicationShow displays the given application
func OAuth2ApplicationShow(ctx *context.Context) {
- app, err := login.GetOAuth2ApplicationByID(ctx.ParamsInt64("id"))
+ app, err := auth.GetOAuth2ApplicationByID(ctx.ParamsInt64("id"))
if err != nil {
- if login.IsErrOAuthApplicationNotFound(err) {
+ if auth.IsErrOAuthApplicationNotFound(err) {
ctx.NotFound("Application not found", err)
return
}
@@ -129,7 +129,7 @@ func OAuth2ApplicationShow(ctx *context.Context) {
// DeleteOAuth2Application deletes the given oauth2 application
func DeleteOAuth2Application(ctx *context.Context) {
- if err := login.DeleteOAuth2Application(ctx.FormInt64("id"), ctx.User.ID); err != nil {
+ if err := auth.DeleteOAuth2Application(ctx.FormInt64("id"), ctx.User.ID); err != nil {
ctx.ServerError("DeleteOAuth2Application", err)
return
}
@@ -147,7 +147,7 @@ func RevokeOAuth2Grant(ctx *context.Context) {
ctx.ServerError("RevokeOAuth2Grant", fmt.Errorf("user id or grant id is zero"))
return
}
- if err := login.RevokeOAuth2Grant(ctx.FormInt64("id"), ctx.User.ID); err != nil {
+ if err := auth.RevokeOAuth2Grant(ctx.FormInt64("id"), ctx.User.ID); err != nil {
ctx.ServerError("RevokeOAuth2Grant", err)
return
}
diff --git a/routers/web/user/setting/security_twofa.go b/routers/web/user/setting/security/2fa.go
index 94f975f9fe..98e1f9b083 100644
--- a/routers/web/user/setting/security_twofa.go
+++ b/routers/web/user/setting/security/2fa.go
@@ -3,7 +3,7 @@
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
-package setting
+package security
import (
"bytes"
@@ -13,7 +13,7 @@ import (
"net/http"
"strings"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
@@ -29,9 +29,9 @@ func RegenerateScratchTwoFactor(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("settings")
ctx.Data["PageIsSettingsSecurity"] = true
- t, err := login.GetTwoFactorByUID(ctx.User.ID)
+ t, err := auth.GetTwoFactorByUID(ctx.User.ID)
if err != nil {
- if login.IsErrTwoFactorNotEnrolled(err) {
+ if auth.IsErrTwoFactorNotEnrolled(err) {
ctx.Flash.Error(ctx.Tr("settings.twofa_not_enrolled"))
ctx.Redirect(setting.AppSubURL + "/user/settings/security")
}
@@ -45,7 +45,7 @@ func RegenerateScratchTwoFactor(ctx *context.Context) {
return
}
- if err = login.UpdateTwoFactor(t); err != nil {
+ if err = auth.UpdateTwoFactor(t); err != nil {
ctx.ServerError("SettingsTwoFactor: Failed to UpdateTwoFactor", err)
return
}
@@ -59,9 +59,9 @@ func DisableTwoFactor(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("settings")
ctx.Data["PageIsSettingsSecurity"] = true
- t, err := login.GetTwoFactorByUID(ctx.User.ID)
+ t, err := auth.GetTwoFactorByUID(ctx.User.ID)
if err != nil {
- if login.IsErrTwoFactorNotEnrolled(err) {
+ if auth.IsErrTwoFactorNotEnrolled(err) {
ctx.Flash.Error(ctx.Tr("settings.twofa_not_enrolled"))
ctx.Redirect(setting.AppSubURL + "/user/settings/security")
}
@@ -69,8 +69,8 @@ func DisableTwoFactor(ctx *context.Context) {
return
}
- if err = login.DeleteTwoFactorByID(t.ID, ctx.User.ID); err != nil {
- if login.IsErrTwoFactorNotEnrolled(err) {
+ if err = auth.DeleteTwoFactorByID(t.ID, ctx.User.ID); err != nil {
+ if auth.IsErrTwoFactorNotEnrolled(err) {
// There is a potential DB race here - we must have been disabled by another request in the intervening period
ctx.Flash.Success(ctx.Tr("settings.twofa_disabled"))
ctx.Redirect(setting.AppSubURL + "/user/settings/security")
@@ -146,7 +146,7 @@ func EnrollTwoFactor(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("settings")
ctx.Data["PageIsSettingsSecurity"] = true
- t, err := login.GetTwoFactorByUID(ctx.User.ID)
+ t, err := auth.GetTwoFactorByUID(ctx.User.ID)
if t != nil {
// already enrolled - we should redirect back!
log.Warn("Trying to re-enroll %-v in twofa when already enrolled", ctx.User)
@@ -154,7 +154,7 @@ func EnrollTwoFactor(ctx *context.Context) {
ctx.Redirect(setting.AppSubURL + "/user/settings/security")
return
}
- if err != nil && !login.IsErrTwoFactorNotEnrolled(err) {
+ if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) {
ctx.ServerError("SettingsTwoFactor: GetTwoFactorByUID", err)
return
}
@@ -172,14 +172,14 @@ func EnrollTwoFactorPost(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("settings")
ctx.Data["PageIsSettingsSecurity"] = true
- t, err := login.GetTwoFactorByUID(ctx.User.ID)
+ t, err := auth.GetTwoFactorByUID(ctx.User.ID)
if t != nil {
// already enrolled
ctx.Flash.Error(ctx.Tr("settings.twofa_is_enrolled"))
ctx.Redirect(setting.AppSubURL + "/user/settings/security")
return
}
- if err != nil && !login.IsErrTwoFactorNotEnrolled(err) {
+ if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) {
ctx.ServerError("SettingsTwoFactor: Failed to check if already enrolled with GetTwoFactorByUID", err)
return
}
@@ -209,7 +209,7 @@ func EnrollTwoFactorPost(ctx *context.Context) {
return
}
- t = &login.TwoFactor{
+ t = &auth.TwoFactor{
UID: ctx.User.ID,
}
err = t.SetSecret(secret)
@@ -238,7 +238,7 @@ func EnrollTwoFactorPost(ctx *context.Context) {
log.Error("Unable to save changes to the session: %v", err)
}
- if err = login.NewTwoFactor(t); err != nil {
+ if err = auth.NewTwoFactor(t); err != nil {
// FIXME: We need to handle a unique constraint fail here it's entirely possible that another request has beaten us.
// If there is a unique constraint fail we should just tolerate the error
ctx.ServerError("SettingsTwoFactor: Failed to save two factor", err)
diff --git a/routers/web/user/setting/security_openid.go b/routers/web/user/setting/security/openid.go
index 9cdda79b92..1a15a2414c 100644
--- a/routers/web/user/setting/security_openid.go
+++ b/routers/web/user/setting/security/openid.go
@@ -2,7 +2,7 @@
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
-package setting
+package security
import (
"net/http"
diff --git a/routers/web/user/setting/security.go b/routers/web/user/setting/security/security.go
index d34de519b7..0ca6503f05 100644
--- a/routers/web/user/setting/security.go
+++ b/routers/web/user/setting/security/security.go
@@ -3,13 +3,13 @@
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
-package setting
+package security
import (
"net/http"
"code.gitea.io/gitea/models"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/context"
@@ -17,8 +17,8 @@ import (
)
const (
- tplSettingsSecurity base.TplName = "user/settings/security"
- tplSettingsTwofaEnroll base.TplName = "user/settings/twofa_enroll"
+ tplSettingsSecurity base.TplName = "user/settings/security/security"
+ tplSettingsTwofaEnroll base.TplName = "user/settings/security/twofa_enroll"
)
// Security render change user's password page and 2FA
@@ -56,14 +56,14 @@ func DeleteAccountLink(ctx *context.Context) {
}
func loadSecurityData(ctx *context.Context) {
- enrolled, err := login.HasTwoFactorByUID(ctx.User.ID)
+ enrolled, err := auth.HasTwoFactorByUID(ctx.User.ID)
if err != nil {
ctx.ServerError("SettingsTwoFactor", err)
return
}
ctx.Data["TOTPEnrolled"] = enrolled
- ctx.Data["U2FRegistrations"], err = login.GetU2FRegistrationsByUID(ctx.User.ID)
+ ctx.Data["U2FRegistrations"], err = auth.GetU2FRegistrationsByUID(ctx.User.ID)
if err != nil {
ctx.ServerError("GetU2FRegistrationsByUID", err)
return
@@ -82,10 +82,10 @@ func loadSecurityData(ctx *context.Context) {
return
}
- // map the provider display name with the LoginSource
- sources := make(map[*login.Source]string)
+ // map the provider display name with the AuthSource
+ sources := make(map[*auth.Source]string)
for _, externalAccount := range accountLinks {
- if loginSource, err := login.GetSourceByID(externalAccount.LoginSourceID); err == nil {
+ if authSource, err := auth.GetSourceByID(externalAccount.LoginSourceID); err == nil {
var providerDisplayName string
type DisplayNamed interface {
@@ -96,14 +96,14 @@ func loadSecurityData(ctx *context.Context) {
Name() string
}
- if displayNamed, ok := loginSource.Cfg.(DisplayNamed); ok {
+ if displayNamed, ok := authSource.Cfg.(DisplayNamed); ok {
providerDisplayName = displayNamed.DisplayName()
- } else if named, ok := loginSource.Cfg.(Named); ok {
+ } else if named, ok := authSource.Cfg.(Named); ok {
providerDisplayName = named.Name()
} else {
- providerDisplayName = loginSource.Name
+ providerDisplayName = authSource.Name
}
- sources[loginSource] = providerDisplayName
+ sources[authSource] = providerDisplayName
}
}
ctx.Data["AccountLinks"] = sources
diff --git a/routers/web/user/setting/security_u2f.go b/routers/web/user/setting/security/u2f.go
index d1d6d1e8ca..dd35a893f4 100644
--- a/routers/web/user/setting/security_u2f.go
+++ b/routers/web/user/setting/security/u2f.go
@@ -2,13 +2,13 @@
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
-package setting
+package security
import (
"errors"
"net/http"
- "code.gitea.io/gitea/models/login"
+ "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
@@ -34,7 +34,7 @@ func U2FRegister(ctx *context.Context) {
ctx.ServerError("Unable to set session key for u2fChallenge", err)
return
}
- regs, err := login.GetU2FRegistrationsByUID(ctx.User.ID)
+ regs, err := auth.GetU2FRegistrationsByUID(ctx.User.ID)
if err != nil {
ctx.ServerError("GetU2FRegistrationsByUID", err)
return
@@ -78,7 +78,7 @@ func U2FRegisterPost(ctx *context.Context) {
ctx.ServerError("u2f.Register", err)
return
}
- if _, err = login.CreateRegistration(ctx.User.ID, name, reg); err != nil {
+ if _, err = auth.CreateRegistration(ctx.User.ID, name, reg); err != nil {
ctx.ServerError("u2f.Register", err)
return
}
@@ -88,9 +88,9 @@ func U2FRegisterPost(ctx *context.Context) {
// U2FDelete deletes an security key by id
func U2FDelete(ctx *context.Context) {
form := web.GetForm(ctx).(*forms.U2FDeleteForm)
- reg, err := login.GetU2FRegistrationByID(form.ID)
+ reg, err := auth.GetU2FRegistrationByID(form.ID)
if err != nil {
- if login.IsErrU2FRegistrationNotExist(err) {
+ if auth.IsErrU2FRegistrationNotExist(err) {
ctx.Status(200)
return
}
@@ -101,7 +101,7 @@ func U2FDelete(ctx *context.Context) {
ctx.Status(401)
return
}
- if err := login.DeleteRegistration(reg); err != nil {
+ if err := auth.DeleteRegistration(reg); err != nil {
ctx.ServerError("DeleteRegistration", err)
return
}
generated by cgit v1.2.3 (git 2.39.1) at 2025-02-02 09:35:40 +0000