diff options
| author | Paweł Bogusławski <pawel.boguslawski@ib.pl> | 2021-11-19 15:54:44 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-11-19 22:54:44 +0800 |
| commit | d4e281bc02908f5e1dda3dc4d340e2898048faef (patch) | |
| tree | f6c4909300d7befebce50fe46b8f4a013c480387 /routers | |
| parent | fc3d0826096943b979717ed46c9a4cfd86e06106 (diff) | |
| download | gitea-d4e281bc02908f5e1dda3dc4d340e2898048faef.tar.gz gitea-d4e281bc02908f5e1dda3dc4d340e2898048faef.zip | |
Allow Token API calls be authorized using the reverse-proxy header (#15119)
* API calls authorized with HTTP header
This mod allows API calls to be authorized with HTTP header
when ENABLE_REVERSE_PROXY_AUTHENTICATION is enabled. Without
it user authenticated by reverse proxy is able to access
gitea UI but not API which is inconsistent.
Author-Change-Id: IB#1107572
* Fixed API calls authorized with HTTP header
Only reqBasicAuth is modified to allow reverse proxy
auth as alternative and reqToken is left untouched.
Fixes: dc952c063206d11504085ddea966f121e796a04c
Author-Change-Id: IB#1107572
* Reverse proxy API auth separated in docs
Related: https://github.com/go-gitea/gitea/pull/15119#discussion_r621322127
Author-Change-Id: IB#1107572
* Reverse proxy API auth separated in docs
Related: https://github.com/go-gitea/gitea/pull/15119#discussion_r621322127
Author-Change-Id: IB#1107572
* Reverse proxy API auth separated
Related: https://github.com/go-gitea/gitea/pull/15119#discussion_r621322127
Author-Change-Id: IB#1107572
* ReverseProxyAuth removed from swagger
ReverseProxyAuth removed from swagger as in upstream's suggestion.
Related: https://github.com/go-gitea/gitea/pull/15119#pullrequestreview-692180940
Author-Change-Id: IB#1107572
* ReverseProxyAuth API authorization fixed
Related: https://github.com/go-gitea/gitea/pull/15119#issuecomment-868465099
Author-Change-Id: IB#1107572
* ReverseProxyAuth API authorization fixed
Related: https://github.com/go-gitea/gitea/pull/15119#issuecomment-868465099
Author-Change-Id: IB#1107572
Diffstat (limited to 'routers')
| -rw-r--r-- | routers/api/v1/api.go | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go index ab8b07d609..67f88cf000 100644 --- a/routers/api/v1/api.go +++ b/routers/api/v1/api.go @@ -215,10 +215,13 @@ func reqExploreSignIn() func(ctx *context.APIContext) { } } -func reqBasicAuth() func(ctx *context.APIContext) { +func reqBasicOrRevProxyAuth() func(ctx *context.APIContext) { return func(ctx *context.APIContext) { + if ctx.IsSigned && setting.Service.EnableReverseProxyAuth && ctx.Data["AuthedMethod"].(string) == new(auth.ReverseProxy).Name() { + return + } if !ctx.Context.IsBasicAuth { - ctx.Error(http.StatusUnauthorized, "reqBasicAuth", "basic auth required") + ctx.Error(http.StatusUnauthorized, "reqBasicOrRevProxyAuth", "auth required") return } ctx.CheckForOTP() @@ -630,7 +633,7 @@ func Routes(sessioner func(http.Handler) http.Handler) *web.Route { m.Combo("").Get(user.ListAccessTokens). Post(bind(api.CreateAccessTokenOption{}), user.CreateAccessToken) m.Combo("/{id}").Delete(user.DeleteAccessToken) - }, reqBasicAuth()) + }, reqBasicOrRevProxyAuth()) }) }) |