Oauth2 consumer (#679)

* initial stuff for oauth2 login, fails on: * login button on the signIn page to start the OAuth2 flow and a callback for each provider Only GitHub is implemented for now * show login button only when the OAuth2 consumer is configured (and activated) * create macaron group for oauth2 urls * prevent net/http in modules (other then oauth2) * use a new data sessions oauth2 folder for storing the oauth2 session data * add missing 2FA when this is enabled on the user * add password option for OAuth2 user , for use with git over http and login to the GUI * add tip for registering a GitHub OAuth application * at startup of Gitea register all configured providers and also on adding/deleting of new providers * custom handling of errors in oauth2 request init + show better tip * add ExternalLoginUser model and migration script to add it to database * link a external account to an existing account (still need to handle wrong login and signup) and remove if user is removed * remove the linked external account from the user his settings * if user is unknown we allow him to register a new account or link it to some existing account * sign up with button on signin page (als change OAuth2Provider structure so we can store basic stuff about providers) * from gorilla/sessions docs: "Important Note: If you aren't using gorilla/mux, you need to wrap your handlers with context.ClearHandler as or else you will leak memory!" (we're using gorilla/sessions for storing oauth2 sessions) * use updated goth lib that now supports getting the OAuth2 user if the AccessToken is still valid instead of re-authenticating (prevent flooding the OAuth2 provider)
author: Willem van Dreumel <willemvd@users.noreply.github.com> 2017-02-22 08:14:37 +0100
committer: Kim "BKC" Carlbäcker <kim.carlbacker@gmail.com> 2017-02-22 08:14:37 +0100
commit: 01d957677f160e4b5e43ce043b05e246493b34ea (patch)
tree: e06e3849d874ce37f02b29666ada6069b78decd9 /routers
parent: fd941db246e66244ec81f43d74b8358c06173fd6 (diff)
download: gitea-01d957677f160e4b5e43ce043b05e246493b34ea.tar.gz
gitea-01d957677f160e4b5e43ce043b05e246493b34ea.zip
5 files changed, 430 insertions, 16 deletions
diff --git a/routers/admin/auths.go b/routers/admin/auths.go
index d437dc4b80..345494b4f6 100644
--- a/routers/admin/auths.go
+++ b/routers/admin/auths.go
@@ -53,6 +53,7 @@ var (
 		{models.LoginNames[models.LoginDLDAP], models.LoginDLDAP},
 		{models.LoginNames[models.LoginSMTP], models.LoginSMTP},
 		{models.LoginNames[models.LoginPAM], models.LoginPAM},
+		{models.LoginNames[models.LoginOAuth2], models.LoginOAuth2},
 	}
 	securityProtocols = []dropdownItem{
 		{models.SecurityProtocolNames[ldap.SecurityProtocolUnencrypted], ldap.SecurityProtocolUnencrypted},
@@ -75,6 +76,14 @@ func NewAuthSource(ctx *context.Context) {
 	ctx.Data["AuthSources"] = authSources
 	ctx.Data["SecurityProtocols"] = securityProtocols
 	ctx.Data["SMTPAuths"] = models.SMTPAuths
+	ctx.Data["OAuth2Providers"] = models.OAuth2Providers
+
+	// only the first as default
+	for key := range models.OAuth2Providers {
+		ctx.Data["oauth2_provider"] = key
+		break
+	}
+
 	ctx.HTML(200, tplAuthNew)
 }
 
@@ -113,6 +122,14 @@ func parseSMTPConfig(form auth.AuthenticationForm) *models.SMTPConfig {
 	}
 }
 
+func parseOAuth2Config(form auth.AuthenticationForm) *models.OAuth2Config {
+	return &models.OAuth2Config{
+		Provider:     form.Oauth2Provider,
+		ClientID:     form.Oauth2Key,
+		ClientSecret: form.Oauth2Secret,
+	}
+}
+
 // NewAuthSourcePost response for adding an auth source
 func NewAuthSourcePost(ctx *context.Context, form auth.AuthenticationForm) {
 	ctx.Data["Title"] = ctx.Tr("admin.auths.new")
@@ -124,6 +141,7 @@ func NewAuthSourcePost(ctx *context.Context, form auth.AuthenticationForm) {
 	ctx.Data["AuthSources"] = authSources
 	ctx.Data["SecurityProtocols"] = securityProtocols
 	ctx.Data["SMTPAuths"] = models.SMTPAuths
+	ctx.Data["OAuth2Providers"] = models.OAuth2Providers
 
 	hasTLS := false
 	var config core.Conversion
@@ -138,6 +156,8 @@ func NewAuthSourcePost(ctx *context.Context, form auth.AuthenticationForm) {
 		config = &models.PAMConfig{
 			ServiceName: form.PAMServiceName,
 		}
+	case models.LoginOAuth2:
+		config = parseOAuth2Config(form)
 	default:
 		ctx.Error(400)
 		return
@@ -178,6 +198,7 @@ func EditAuthSource(ctx *context.Context) {
 
 	ctx.Data["SecurityProtocols"] = securityProtocols
 	ctx.Data["SMTPAuths"] = models.SMTPAuths
+	ctx.Data["OAuth2Providers"] = models.OAuth2Providers
 
 	source, err := models.GetLoginSourceByID(ctx.ParamsInt64(":authid"))
 	if err != nil {
@@ -187,16 +208,20 @@ func EditAuthSource(ctx *context.Context) {
 	ctx.Data["Source"] = source
 	ctx.Data["HasTLS"] = source.HasTLS()
 
+	if source.IsOAuth2() {
+		ctx.Data["CurrentOAuth2Provider"] = models.OAuth2Providers[source.OAuth2().Provider]
+	}
 	ctx.HTML(200, tplAuthEdit)
 }
 
-// EditAuthSourcePost resposne for editing auth source
+// EditAuthSourcePost response for editing auth source
 func EditAuthSourcePost(ctx *context.Context, form auth.AuthenticationForm) {
 	ctx.Data["Title"] = ctx.Tr("admin.auths.edit")
 	ctx.Data["PageIsAdmin"] = true
 	ctx.Data["PageIsAdminAuthentications"] = true
 
 	ctx.Data["SMTPAuths"] = models.SMTPAuths
+	ctx.Data["OAuth2Providers"] = models.OAuth2Providers
 
 	source, err := models.GetLoginSourceByID(ctx.ParamsInt64(":authid"))
 	if err != nil {
@@ -221,6 +246,8 @@ func EditAuthSourcePost(ctx *context.Context, form auth.AuthenticationForm) {
 		config = &models.PAMConfig{
 			ServiceName: form.PAMServiceName,
 		}
+	case models.LoginOAuth2:
+		config = parseOAuth2Config(form)
 	default:
 		ctx.Error(400)
 		return
diff --git a/routers/init.go b/routers/init.go
index c56f0be1dd..3b1618a383 100644
--- a/routers/init.go
+++ b/routers/init.go
@@ -54,6 +54,7 @@ func GlobalInit() {
 			log.Fatal(4, "Failed to initialize ORM engine: %v", err)
 		}
 		models.HasEngine = true
+		models.InitOAuth2()
 
 		models.LoadRepoConfig()
 		models.NewRepoContext()
diff --git a/routers/repo/http.go b/routers/repo/http.go
index 780babd40d..4c143f66d0 100644
--- a/routers/repo/http.go
+++ b/routers/repo/http.go
@@ -59,7 +59,7 @@ func HTTP(ctx *context.Context) {
 	isWiki := false
 	if strings.HasSuffix(reponame, ".wiki") {
 		isWiki = true
-		reponame = reponame[:len(reponame)-5]
+		reponame = reponame[:len(reponame) - 5]
 	}
 
 	repoUser, err := models.GetUserByName(username)
@@ -191,9 +191,9 @@ func HTTP(ctx *context.Context) {
 
 		var lastLine int64
 		for {
-			head := input[lastLine : lastLine+2]
+			head := input[lastLine: lastLine + 2]
 			if head[0] == '0' && head[1] == '0' {
-				size, err := strconv.ParseInt(string(input[lastLine+2:lastLine+4]), 16, 32)
+				size, err := strconv.ParseInt(string(input[lastLine + 2:lastLine + 4]), 16, 32)
 				if err != nil {
 					log.Error(4, "%v", err)
 					return
@@ -204,7 +204,7 @@ func HTTP(ctx *context.Context) {
 					break
 				}
 
-				line := input[lastLine : lastLine+size]
+				line := input[lastLine: lastLine + size]
 				idx := bytes.IndexRune(line, '\000')
 				if idx > -1 {
 					line = line[:idx]
@@ -370,7 +370,7 @@ func gitCommand(dir string, args ...string) []byte {
 
 func getGitConfig(option, dir string) string {
 	out := string(gitCommand(dir, "config", option))
-	return out[0 : len(out)-1]
+	return out[0: len(out) - 1]
 }
 
 func getConfigSetting(service, dir string) bool {
@@ -501,7 +501,7 @@ func updateServerInfo(dir string) []byte {
 }
 
 func packetWrite(str string) []byte {
-	s := strconv.FormatInt(int64(len(str)+4), 16)
+	s := strconv.FormatInt(int64(len(str) + 4), 16)
 	if len(s)%4 != 0 {
 		s = strings.Repeat("0", 4-len(s)%4) + s
 	}
diff --git a/routers/user/auth.go b/routers/user/auth.go
index 85a51620ea..5b9297d349 100644
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@@ -17,6 +17,10 @@ import (
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
+	"net/http"
+	"code.gitea.io/gitea/modules/auth/oauth2"
+	"github.com/markbates/goth"
+	"strings"
 )
 
 const (
@@ -30,6 +34,7 @@ const (
 	tplResetPassword  base.TplName = "user/auth/reset_passwd"
 	tplTwofa          base.TplName = "user/auth/twofa"
 	tplTwofaScratch   base.TplName = "user/auth/twofa_scratch"
+	tplLinkAccount    base.TplName = "user/auth/link_account"
 )
 
 // AutoSignIn reads cookie and try to auto-login.
@@ -61,7 +66,7 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
 	}
 
 	if val, _ := ctx.GetSuperSecureCookie(
-		base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); val != u.Name {
+		base.EncodeMD5(u.Rands + u.Passwd), setting.CookieRememberName); val != u.Name {
 		return false, nil
 	}
 
@@ -109,6 +114,13 @@ func SignIn(ctx *context.Context) {
 		return
 	}
 
+	oauth2Providers, err := models.GetActiveOAuth2Providers()
+	if err != nil {
+		ctx.Handle(500, "UserSignIn", err)
+		return
+	}
+	ctx.Data["OAuth2Providers"] = oauth2Providers
+
 	ctx.HTML(200, tplSignIn)
 }
 
@@ -116,6 +128,13 @@ func SignIn(ctx *context.Context) {
 func SignInPost(ctx *context.Context, form auth.SignInForm) {
 	ctx.Data["Title"] = ctx.Tr("sign_in")
 
+	oauth2Providers, err := models.GetActiveOAuth2Providers()
+	if err != nil {
+		ctx.Handle(500, "UserSignIn", err)
+		return
+	}
+	ctx.Data["OAuth2Providers"] = oauth2Providers
+
 	if ctx.HasError() {
 		ctx.HTML(200, tplSignIn)
 		return
@@ -277,7 +296,7 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
 	if remember {
 		days := 86400 * setting.LogInRememberDays
 		ctx.SetCookie(setting.CookieUserName, u.Name, days, setting.AppSubURL)
-		ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd),
+		ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands + u.Passwd),
 			setting.CookieRememberName, u.Name, days, setting.AppSubURL)
 	}
 
@@ -309,6 +328,333 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
 	}
 }
 
+// SignInOAuth handles the OAuth2 login buttons
+func SignInOAuth(ctx *context.Context) {
+	provider := ctx.Params(":provider")
+
+	loginSource, err := models.GetActiveOAuth2LoginSourceByName(provider)
+	if err != nil {
+		ctx.Handle(500, "SignIn", err)
+		return
+	}
+
+	// try to do a direct callback flow, so we don't authenticate the user again but use the valid accesstoken to get the user
+	user, gothUser, err := oAuth2UserLoginCallback(loginSource, ctx.Req.Request, ctx.Resp)
+	if err == nil && user != nil {
+		// we got the user without going through the whole OAuth2 authentication flow again
+		handleOAuth2SignIn(user, gothUser, ctx, err)
+		return
+	}
+
+	err = oauth2.Auth(loginSource.Name, ctx.Req.Request, ctx.Resp)
+	if err != nil {
+		ctx.Handle(500, "SignIn", err)
+	}
+	// redirect is done in oauth2.Auth
+}
+
+// SignInOAuthCallback handles the callback from the given provider
+func SignInOAuthCallback(ctx *context.Context) {
+	provider := ctx.Params(":provider")
+
+	// first look if the provider is still active
+	loginSource, err := models.GetActiveOAuth2LoginSourceByName(provider)
+	if err != nil {
+		ctx.Handle(500, "SignIn", err)
+		return
+	}
+
+	if loginSource == nil {
+		ctx.Handle(500, "SignIn", errors.New("No valid provider found, check configured callback url in provider"))
+		return
+	}
+
+	u, gothUser, err := oAuth2UserLoginCallback(loginSource, ctx.Req.Request, ctx.Resp)
+
+	handleOAuth2SignIn(u, gothUser, ctx, err)
+}
+
+func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context, err error) {
+	if err != nil {
+		ctx.Handle(500, "UserSignIn", err)
+		return
+	}
+
+	if u == nil {
+		// no existing user is found, request attach or new account
+		ctx.Session.Set("linkAccountGothUser", gothUser)
+		ctx.Redirect(setting.AppSubURL + "/user/link_account")
+		return
+	}
+
+	// If this user is enrolled in 2FA, we can't sign the user in just yet.
+	// Instead, redirect them to the 2FA authentication page.
+	_, err = models.GetTwoFactorByUID(u.ID)
+	if err != nil {
+		if models.IsErrTwoFactorNotEnrolled(err) {
+			ctx.Session.Set("uid", u.ID)
+			ctx.Session.Set("uname", u.Name)
+
+			// Clear whatever CSRF has right now, force to generate a new one
+			ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL)
+
+			// Register last login
+			u.SetLastLogin()
+			if err := models.UpdateUser(u); err != nil {
+				ctx.Handle(500, "UpdateUser", err)
+				return
+			}
+
+			if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 {
+				ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)
+				ctx.Redirect(redirectTo)
+				return
+			}
+
+			ctx.Redirect(setting.AppSubURL + "/")
+		} else {
+			ctx.Handle(500, "UserSignIn", err)
+		}
+		return
+	}
+
+	// User needs to use 2FA, save data and redirect to 2FA page.
+	ctx.Session.Set("twofaUid", u.ID)
+	ctx.Session.Set("twofaRemember", false)
+	ctx.Redirect(setting.AppSubURL + "/user/two_factor")
+}
+
+// OAuth2UserLoginCallback attempts to handle the callback from the OAuth2 provider and if successful
+// login the user
+func oAuth2UserLoginCallback(loginSource *models.LoginSource, request *http.Request, response http.ResponseWriter) (*models.User, goth.User, error) {
+	gothUser, err := oauth2.ProviderCallback(loginSource.Name, request, response)
+
+	if err != nil {
+		return nil, goth.User{}, err
+	}
+
+	user := &models.User{
+		LoginName:   gothUser.UserID,
+		LoginType:   models.LoginOAuth2,
+		LoginSource: loginSource.ID,
+	}
+
+	hasUser, err := models.GetUser(user)
+	if err != nil {
+		return nil, goth.User{}, err
+	}
+
+	if hasUser {
+		return user, goth.User{}, nil
+	}
+
+	// search in external linked users
+	externalLoginUser := &models.ExternalLoginUser{
+		ExternalID:    gothUser.UserID,
+		LoginSourceID: loginSource.ID,
+	}
+	hasUser, err = models.GetExternalLogin(externalLoginUser)
+	if err != nil {
+		return nil, goth.User{}, err
+	}
+	if hasUser {
+		user, err = models.GetUserByID(externalLoginUser.UserID)
+		return user, goth.User{}, err
+	}
+
+	// no user found to login
+	return nil, gothUser, nil
+
+}
+
+// LinkAccount shows the page where the user can decide to login or create a new account
+func LinkAccount(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("link_account")
+	ctx.Data["LinkAccountMode"] = true
+	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
+	ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
+	ctx.Data["ShowRegistrationButton"] = false
+
+	// use this to set the right link into the signIn and signUp templates in the link_account template
+	ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
+	ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
+
+	gothUser := ctx.Session.Get("linkAccountGothUser")
+	if gothUser == nil {
+		ctx.Handle(500, "UserSignIn", errors.New("not in LinkAccount session"))
+		return
+	}
+
+	ctx.Data["user_name"] = gothUser.(goth.User).NickName
+	ctx.Data["email"] = gothUser.(goth.User).Email
+
+	ctx.HTML(200, tplLinkAccount)
+}
+
+// LinkAccountPostSignIn handle the coupling of external account with another account using signIn
+func LinkAccountPostSignIn(ctx *context.Context, signInForm auth.SignInForm) {
+	ctx.Data["Title"] = ctx.Tr("link_account")
+	ctx.Data["LinkAccountMode"] = true
+	ctx.Data["LinkAccountModeSignIn"] = true
+	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
+	ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
+	ctx.Data["ShowRegistrationButton"] = false
+
+	// use this to set the right link into the signIn and signUp templates in the link_account template
+	ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
+	ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
+
+	gothUser := ctx.Session.Get("linkAccountGothUser")
+	if gothUser == nil {
+		ctx.Handle(500, "UserSignIn", errors.New("not in LinkAccount session"))
+		return
+	}
+
+	if ctx.HasError() {
+		ctx.HTML(200, tplLinkAccount)
+		return
+	}
+
+	u, err := models.UserSignIn(signInForm.UserName, signInForm.Password)
+	if err != nil {
+		if models.IsErrUserNotExist(err) {
+			ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplLinkAccount, &signInForm)
+		} else {
+			ctx.Handle(500, "UserLinkAccount", err)
+		}
+		return
+	}
+
+	// If this user is enrolled in 2FA, we can't sign the user in just yet.
+	// Instead, redirect them to the 2FA authentication page.
+	_, err = models.GetTwoFactorByUID(u.ID)
+	if err != nil {
+		if models.IsErrTwoFactorNotEnrolled(err) {
+			models.LinkAccountToUser(u, gothUser.(goth.User))
+			handleSignIn(ctx, u, signInForm.Remember)
+		} else {
+			ctx.Handle(500, "UserLinkAccount", err)
+		}
+		return
+	}
+
+	// User needs to use 2FA, save data and redirect to 2FA page.
+	ctx.Session.Set("twofaUid", u.ID)
+	ctx.Session.Set("twofaRemember", signInForm.Remember)
+	ctx.Session.Set("linkAccount", true)
+
+	ctx.Redirect(setting.AppSubURL + "/user/two_factor")
+}
+
+// LinkAccountPostRegister handle the creation of a new account for an external account using signUp
+func LinkAccountPostRegister(ctx *context.Context, cpt *captcha.Captcha, form auth.RegisterForm) {
+	ctx.Data["Title"] = ctx.Tr("link_account")
+	ctx.Data["LinkAccountMode"] = true
+	ctx.Data["LinkAccountModeRegister"] = true
+	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
+	ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
+	ctx.Data["ShowRegistrationButton"] = false
+
+	// use this to set the right link into the signIn and signUp templates in the link_account template
+	ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
+	ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
+
+	gothUser := ctx.Session.Get("linkAccountGothUser")
+	if gothUser == nil {
+		ctx.Handle(500, "UserSignUp", errors.New("not in LinkAccount session"))
+		return
+	}
+
+	if ctx.HasError() {
+		ctx.HTML(200, tplLinkAccount)
+		return
+	}
+
+	if setting.Service.DisableRegistration {
+		ctx.Error(403)
+		return
+	}
+
+	if setting.Service.EnableCaptcha && !cpt.VerifyReq(ctx.Req) {
+		ctx.Data["Err_Captcha"] = true
+		ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplLinkAccount, &form)
+		return
+	}
+
+	if (len(strings.TrimSpace(form.Password)) > 0 || len(strings.TrimSpace(form.Retype)) > 0) && form.Password != form.Retype {
+		ctx.Data["Err_Password"] = true
+		ctx.RenderWithErr(ctx.Tr("form.password_not_match"), tplLinkAccount, &form)
+		return
+	}
+	if len(strings.TrimSpace(form.Password)) > 0 && len(form.Password) < setting.MinPasswordLength {
+		ctx.Data["Err_Password"] = true
+		ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplLinkAccount, &form)
+		return
+	}
+
+	loginSource, err := models.GetActiveOAuth2LoginSourceByName(gothUser.(goth.User).Provider)
+	if err != nil {
+		ctx.Handle(500, "CreateUser", err)
+	}
+
+	u := &models.User{
+		Name:        form.UserName,
+		Email:       form.Email,
+		Passwd:      form.Password,
+		IsActive:    !setting.Service.RegisterEmailConfirm,
+		LoginType:   models.LoginOAuth2,
+		LoginSource: loginSource.ID,
+		LoginName:   gothUser.(goth.User).UserID,
+	}
+
+	if err := models.CreateUser(u); err != nil {
+		switch {
+		case models.IsErrUserAlreadyExist(err):
+			ctx.Data["Err_UserName"] = true
+			ctx.RenderWithErr(ctx.Tr("form.username_been_taken"), tplLinkAccount, &form)
+		case models.IsErrEmailAlreadyUsed(err):
+			ctx.Data["Err_Email"] = true
+			ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tplLinkAccount, &form)
+		case models.IsErrNameReserved(err):
+			ctx.Data["Err_UserName"] = true
+			ctx.RenderWithErr(ctx.Tr("user.form.name_reserved", err.(models.ErrNameReserved).Name), tplLinkAccount, &form)
+		case models.IsErrNamePatternNotAllowed(err):
+			ctx.Data["Err_UserName"] = true
+			ctx.RenderWithErr(ctx.Tr("user.form.name_pattern_not_allowed", err.(models.ErrNamePatternNotAllowed).Pattern), tplLinkAccount, &form)
+		default:
+			ctx.Handle(500, "CreateUser", err)
+		}
+		return
+	}
+	log.Trace("Account created: %s", u.Name)
+
+	// Auto-set admin for the only user.
+	if models.CountUsers() == 1 {
+		u.IsAdmin = true
+		u.IsActive = true
+		if err := models.UpdateUser(u); err != nil {
+			ctx.Handle(500, "UpdateUser", err)
+			return
+		}
+	}
+
+	// Send confirmation email
+	if setting.Service.RegisterEmailConfirm && u.ID > 1 {
+		models.SendActivateAccountMail(ctx.Context, u)
+		ctx.Data["IsSendRegisterMail"] = true
+		ctx.Data["Email"] = u.Email
+		ctx.Data["Hours"] = setting.Service.ActiveCodeLives / 60
+		ctx.HTML(200, TplActivate)
+
+		if err := ctx.Cache.Put("MailResendLimit_"+u.LowerName, u.LowerName, 180); err != nil {
+			log.Error(4, "Set cache(MailResendLimit) fail: %v", err)
+		}
+		return
+	}
+
+	ctx.Redirect(setting.AppSubURL + "/user/login")
+}
+
 // SignOut sign out from login status
 func SignOut(ctx *context.Context) {
 	ctx.Session.Delete("uid")
@@ -328,11 +674,7 @@ func SignUp(ctx *context.Context) {
 
 	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
 
-	if setting.Service.DisableRegistration {
-		ctx.Data["DisableRegistration"] = true
-		ctx.HTML(200, tplSignUp)
-		return
-	}
+	ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
 
 	ctx.HTML(200, tplSignUp)
 }
@@ -540,7 +882,7 @@ func ForgotPasswdPost(ctx *context.Context) {
 		return
 	}
 
-	if !u.IsLocal() {
+	if !u.IsLocal() && !u.IsOAuth2() {
 		ctx.Data["Err_Email"] = true
 		ctx.RenderWithErr(ctx.Tr("auth.non_local_account"), tplForgotPassword, nil)
 		return
diff --git a/routers/user/setting.go b/routers/user/setting.go
index 8fc2be0ce4..de5a1baca4 100644
--- a/routers/user/setting.go
+++ b/routers/user/setting.go
@@ -37,6 +37,7 @@ const (
 	tplSettingsApplications base.TplName = "user/settings/applications"
 	tplSettingsTwofa        base.TplName = "user/settings/twofa"
 	tplSettingsTwofaEnroll  base.TplName = "user/settings/twofa_enroll"
+	tplSettingsAccountLink  base.TplName = "user/settings/account_link"
 	tplSettingsDelete       base.TplName = "user/settings/delete"
 	tplSecurity             base.TplName = "user/security"
 )
@@ -200,7 +201,7 @@ func SettingsPasswordPost(ctx *context.Context, form auth.ChangePasswordForm) {
 		return
 	}
 
-	if !ctx.User.ValidatePassword(form.OldPassword) {
+	if ctx.User.IsPasswordSet() && !ctx.User.ValidatePassword(form.OldPassword) {
 		ctx.Flash.Error(ctx.Tr("settings.password_incorrect"))
 	} else if form.Password != form.Retype {
 		ctx.Flash.Error(ctx.Tr("form.password_not_match"))
@@ -631,6 +632,49 @@ func SettingsTwoFactorEnrollPost(ctx *context.Context, form auth.TwoFactorAuthFo
 	ctx.Redirect(setting.AppSubURL + "/user/settings/two_factor")
 }
 
+// SettingsAccountLinks render the account links settings page
+func SettingsAccountLinks(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("settings")
+	ctx.Data["PageIsSettingsAccountLink"] = true
+
+	accountLinks, err := models.ListAccountLinks(ctx.User)
+	if err != nil {
+		ctx.Handle(500, "ListAccountLinks", err)
+		return
+	}
+
+	// map the provider display name with the LoginSource
+	sources := make(map[*models.LoginSource]string)
+	for _, externalAccount := range accountLinks {
+		if loginSource, err := models.GetLoginSourceByID(externalAccount.LoginSourceID); err == nil {
+			var providerDisplayName string
+			if loginSource.IsOAuth2() {
+				providerTechnicalName := loginSource.OAuth2().Provider
+				providerDisplayName = models.OAuth2Providers[providerTechnicalName].DisplayName
+			} else {
+				providerDisplayName = loginSource.Name
+			}
+			sources[loginSource] = providerDisplayName
+		}
+	}
+	ctx.Data["AccountLinks"] = sources
+
+	ctx.HTML(200, tplSettingsAccountLink)
+}
+
+// SettingsDeleteAccountLink delete a single account link
+func SettingsDeleteAccountLink(ctx *context.Context) {
+	if _, err := models.RemoveAccountLink(ctx.User, ctx.QueryInt64("loginSourceID")); err != nil {
+		ctx.Flash.Error("RemoveAccountLink: " + err.Error())
+	} else {
+		ctx.Flash.Success(ctx.Tr("settings.remove_account_link_success"))
+	}
+
+	ctx.JSON(200, map[string]interface{}{
+		"redirect": setting.AppSubURL + "/user/settings/account_link",
+	})
+}
+
 // SettingsDelete render user suicide page and response for delete user himself
 func SettingsDelete(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("settings")
author	Willem van Dreumel <willemvd@users.noreply.github.com>	2017-02-22 08:14:37 +0100
committer	Kim "BKC" Carlbäcker <kim.carlbacker@gmail.com>	2017-02-22 08:14:37 +0100
commit	01d957677f160e4b5e43ce043b05e246493b34ea (patch)
tree	e06e3849d874ce37f02b29666ada6069b78decd9 /routers
parent	fd941db246e66244ec81f43d74b8358c06173fd6 (diff)
download	gitea-01d957677f160e4b5e43ce043b05e246493b34ea.tar.gz gitea-01d957677f160e4b5e43ce043b05e246493b34ea.zip