aboutsummaryrefslogtreecommitdiffstats
path: root/services/auth/oauth2.go
diff options
context:
space:
mode:
authorGiteabot <teabot@gitea.io>2023-07-12 06:18:27 -0400
committerGitHub <noreply@github.com>2023-07-12 10:18:27 +0000
commit353dcc5ad41586801ad9e02283c58cbf8bf1b774 (patch)
tree1b69dd1082977d695cf3885e1369b62e71daa0a0 /services/auth/oauth2.go
parent7811027ca14af32a222592ad76d38723b97fa93c (diff)
downloadgitea-353dcc5ad41586801ad9e02283c58cbf8bf1b774.tar.gz
gitea-353dcc5ad41586801ad9e02283c58cbf8bf1b774.zip
Fix the error message when the token is incorrect (#25701) (#25836)
Backport #25701 by @CaiCandong we refactored `userIDFromToken` for the token parsing part into a new function `parseToken`. `parseToken` returns the string `token` from request, and a boolean `ok` representing whether the token exists or not. So we can distinguish between token non-existence and token inconsistency in the `verfity` function, thus solving the problem of no proper error message when the token is inconsistent. close #24439 related #22119 Co-authored-by: caicandong <50507092+CaiCandong@users.noreply.github.com> Co-authored-by: Jason Song <i@wolfogre.com>
Diffstat (limited to 'services/auth/oauth2.go')
-rw-r--r--services/auth/oauth2.go50
1 files changed, 28 insertions, 22 deletions
diff --git a/services/auth/oauth2.go b/services/auth/oauth2.go
index b70f84da9b..0dd7a12d2c 100644
--- a/services/auth/oauth2.go
+++ b/services/auth/oauth2.go
@@ -59,31 +59,32 @@ func (o *OAuth2) Name() string {
return "oauth2"
}
-// userIDFromToken returns the user id corresponding to the OAuth token.
-// It will set 'IsApiToken' to true if the token is an API token and
-// set 'ApiTokenScope' to the scope of the access token
-func (o *OAuth2) userIDFromToken(req *http.Request, store DataStore) int64 {
+// parseToken returns the token from request, and a boolean value
+// representing whether the token exists or not
+func parseToken(req *http.Request) (string, bool) {
_ = req.ParseForm()
-
+ // Check token.
+ if token := req.Form.Get("token"); token != "" {
+ return token, true
+ }
// Check access token.
- tokenSHA := req.Form.Get("token")
- if len(tokenSHA) == 0 {
- tokenSHA = req.Form.Get("access_token")
- }
- if len(tokenSHA) == 0 {
- // Well, check with header again.
- auHead := req.Header.Get("Authorization")
- if len(auHead) > 0 {
- auths := strings.Fields(auHead)
- if len(auths) == 2 && (auths[0] == "token" || strings.ToLower(auths[0]) == "bearer") {
- tokenSHA = auths[1]
- }
- }
+ if token := req.Form.Get("access_token"); token != "" {
+ return token, true
}
- if len(tokenSHA) == 0 {
- return 0
+ // check header token
+ if auHead := req.Header.Get("Authorization"); auHead != "" {
+ auths := strings.Fields(auHead)
+ if len(auths) == 2 && (auths[0] == "token" || strings.ToLower(auths[0]) == "bearer") {
+ return auths[1], true
+ }
}
+ return "", false
+}
+// userIDFromToken returns the user id corresponding to the OAuth token.
+// It will set 'IsApiToken' to true if the token is an API token and
+// set 'ApiTokenScope' to the scope of the access token
+func (o *OAuth2) userIDFromToken(tokenSHA string, store DataStore) int64 {
// Let's see if token is valid.
if strings.Contains(tokenSHA, ".") {
uid := CheckOAuthAccessToken(tokenSHA)
@@ -129,10 +130,15 @@ func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, store DataStor
return nil, nil
}
- id := o.userIDFromToken(req, store)
+ token, ok := parseToken(req)
+ if !ok {
+ return nil, nil
+ }
+
+ id := o.userIDFromToken(token, store)
if id <= 0 && id != -2 { // -2 means actions, so we need to allow it.
- return nil, nil
+ return nil, user_model.ErrUserNotExist{}
}
log.Trace("OAuth2 Authorization: Found token for user[%d]", id)