diff options
author | Giteabot <teabot@gitea.io> | 2023-07-12 06:18:27 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-07-12 10:18:27 +0000 |
commit | 353dcc5ad41586801ad9e02283c58cbf8bf1b774 (patch) | |
tree | 1b69dd1082977d695cf3885e1369b62e71daa0a0 /services/auth/oauth2.go | |
parent | 7811027ca14af32a222592ad76d38723b97fa93c (diff) | |
download | gitea-353dcc5ad41586801ad9e02283c58cbf8bf1b774.tar.gz gitea-353dcc5ad41586801ad9e02283c58cbf8bf1b774.zip |
Fix the error message when the token is incorrect (#25701) (#25836)
Backport #25701 by @CaiCandong
we refactored `userIDFromToken` for the token parsing part into a new
function `parseToken`. `parseToken` returns the string `token` from
request, and a boolean `ok` representing whether the token exists or
not. So we can distinguish between token non-existence and token
inconsistency in the `verfity` function, thus solving the problem of no
proper error message when the token is inconsistent.
close #24439
related #22119
Co-authored-by: caicandong <50507092+CaiCandong@users.noreply.github.com>
Co-authored-by: Jason Song <i@wolfogre.com>
Diffstat (limited to 'services/auth/oauth2.go')
-rw-r--r-- | services/auth/oauth2.go | 50 |
1 files changed, 28 insertions, 22 deletions
diff --git a/services/auth/oauth2.go b/services/auth/oauth2.go index b70f84da9b..0dd7a12d2c 100644 --- a/services/auth/oauth2.go +++ b/services/auth/oauth2.go @@ -59,31 +59,32 @@ func (o *OAuth2) Name() string { return "oauth2" } -// userIDFromToken returns the user id corresponding to the OAuth token. -// It will set 'IsApiToken' to true if the token is an API token and -// set 'ApiTokenScope' to the scope of the access token -func (o *OAuth2) userIDFromToken(req *http.Request, store DataStore) int64 { +// parseToken returns the token from request, and a boolean value +// representing whether the token exists or not +func parseToken(req *http.Request) (string, bool) { _ = req.ParseForm() - + // Check token. + if token := req.Form.Get("token"); token != "" { + return token, true + } // Check access token. - tokenSHA := req.Form.Get("token") - if len(tokenSHA) == 0 { - tokenSHA = req.Form.Get("access_token") - } - if len(tokenSHA) == 0 { - // Well, check with header again. - auHead := req.Header.Get("Authorization") - if len(auHead) > 0 { - auths := strings.Fields(auHead) - if len(auths) == 2 && (auths[0] == "token" || strings.ToLower(auths[0]) == "bearer") { - tokenSHA = auths[1] - } - } + if token := req.Form.Get("access_token"); token != "" { + return token, true } - if len(tokenSHA) == 0 { - return 0 + // check header token + if auHead := req.Header.Get("Authorization"); auHead != "" { + auths := strings.Fields(auHead) + if len(auths) == 2 && (auths[0] == "token" || strings.ToLower(auths[0]) == "bearer") { + return auths[1], true + } } + return "", false +} +// userIDFromToken returns the user id corresponding to the OAuth token. +// It will set 'IsApiToken' to true if the token is an API token and +// set 'ApiTokenScope' to the scope of the access token +func (o *OAuth2) userIDFromToken(tokenSHA string, store DataStore) int64 { // Let's see if token is valid. if strings.Contains(tokenSHA, ".") { uid := CheckOAuthAccessToken(tokenSHA) @@ -129,10 +130,15 @@ func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, store DataStor return nil, nil } - id := o.userIDFromToken(req, store) + token, ok := parseToken(req) + if !ok { + return nil, nil + } + + id := o.userIDFromToken(token, store) if id <= 0 && id != -2 { // -2 means actions, so we need to allow it. - return nil, nil + return nil, user_model.ErrUserNotExist{} } log.Trace("OAuth2 Authorization: Found token for user[%d]", id) |