Let web and API routes have different auth methods group (#19168)

* remove the global methods but create dynamiclly

* Fix lint

* Fix windows lint

* Fix windows lint

* some improvements

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

4 files changed, 24 insertions, 78 deletions

diff --git a/services/auth/auth.go b/services/auth/auth.go
index bdff777f50..a379cb1013 100644
--- a/services/auth/auth.go
+++ b/services/auth/auth.go
@@ -8,7 +8,6 @@ package auth
 import (
 	"fmt"
 	"net/http"
-	"reflect"
 	"regexp"
 	"strings"
 
@@ -21,75 +20,22 @@ import (
 	"code.gitea.io/gitea/modules/web/middleware"
 )
 
-// authMethods contains the list of authentication plugins in the order they are expected to be
-// executed.
-//
-// The OAuth2 plugin is expected to be executed first, as it must ignore the user id stored
-// in the session (if there is a user id stored in session other plugins might return the user
-// object for that id).
-//
-// The Session plugin is expected to be executed second, in order to skip authentication
-// for users that have already signed in.
-var authMethods = []Method{
-	&OAuth2{},
-	&Basic{},
-	&Session{},
-}
-
 // The purpose of the following three function variables is to let the linter know that
 // those functions are not dead code and are actually being used
 var (
 	_ = handleSignIn
-)
-
-// Methods returns the instances of all registered methods
-func Methods() []Method {
-	return authMethods
-}
 
-// Register adds the specified instance to the list of available methods
-func Register(method Method) {
-	authMethods = append(authMethods, method)
-}
+	// SharedSession the session auth should only be used by web, but now both web and API/v1
+	// will use it. We can remove this after Web removed dependent API/v1
+	SharedSession = &Session{}
+)
 
 // Init should be called exactly once when the application starts to allow plugins
 // to allocate necessary resources
 func Init() {
-	if setting.Service.EnableReverseProxyAuth {
-		Register(&ReverseProxy{})
-	}
-	specialInit()
-	for _, method := range Methods() {
-		initializable, ok := method.(Initializable)
-		if !ok {
-			continue
-		}
-
-		err := initializable.Init()
-		if err != nil {
-			log.Error("Could not initialize '%s' auth method, error: %s", reflect.TypeOf(method).String(), err)
-		}
-	}
-
 	webauthn.Init()
 }
 
-// Free should be called exactly once when the application is terminating to allow Auth plugins
-// to release necessary resources
-func Free() {
-	for _, method := range Methods() {
-		freeable, ok := method.(Freeable)
-		if !ok {
-			continue
-		}
-
-		err := freeable.Free()
-		if err != nil {
-			log.Error("Could not free '%s' auth method, error: %s", reflect.TypeOf(method).String(), err)
-		}
-	}
-}
-
 // isAttachmentDownload check if request is a file download (GET) with URL to an attachment
 func isAttachmentDownload(req *http.Request) bool {
 	return strings.HasPrefix(req.URL.Path, "/attachments/") && req.Method == "GET"
diff --git a/services/auth/group.go b/services/auth/group.go
index bf047338bb..0f40e1a76c 100644
--- a/services/auth/group.go
+++ b/services/auth/group.go
@@ -6,6 +6,8 @@ package auth
 
 import (
 	"net/http"
+	"reflect"
+	"strings"
 
 	"code.gitea.io/gitea/models/db"
 	user_model "code.gitea.io/gitea/models/user"
@@ -30,6 +32,24 @@ func NewGroup(methods ...Method) *Group {
 	}
 }
 
+// Add adds a new method to group
+func (b *Group) Add(method Method) {
+	b.methods = append(b.methods, method)
+}
+
+// Name returns group's methods name
+func (b *Group) Name() string {
+	names := make([]string, 0, len(b.methods))
+	for _, m := range b.methods {
+		if n, ok := m.(Named); ok {
+			names = append(names, n.Name())
+		} else {
+			names = append(names, reflect.TypeOf(m).Elem().Name())
+		}
+	}
+	return strings.Join(names, ",")
+}
+
 // Init does nothing as the Basic implementation does not need to allocate any resources
 func (b *Group) Init() error {
 	for _, method := range b.methods {
diff --git a/services/auth/placeholder.go b/services/auth/placeholder.go
deleted file mode 100644
index d9a0ceae7c..0000000000
--- a/services/auth/placeholder.go
+++ /dev/null
@@ -1,10 +0,0 @@
-// Copyright 2021 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-//go:build !windows
-// +build !windows
-
-package auth
-
-func specialInit() {}
diff --git a/services/auth/sspi_windows.go b/services/auth/sspi_windows.go
index 3a8c8bed44..63e70e61d4 100644
--- a/services/auth/sspi_windows.go
+++ b/services/auth/sspi_windows.go
@@ -244,13 +244,3 @@ func sanitizeUsername(username string, cfg *sspi.Source) string {
 	username = replaceSeparators(username, cfg)
 	return username
 }
-
-// specialInit registers the SSPI auth method as the last method in the list.
-// The SSPI plugin is expected to be executed last, as it returns 401 status code if negotiation
-// fails (or if negotiation should continue), which would prevent other authentication methods
-// to execute at all.
-func specialInit() {
-	if auth.IsSSPIEnabled() {
-		Register(&SSPI{})
-	}
-}