Diffstat (limited to 'services/auth')
-rw-r--r--services/auth/basic.go15
-rw-r--r--services/auth/oauth2.go7
-rw-r--r--services/auth/source/ldap/source_authenticate.go2
-rw-r--r--services/auth/source/ldap/source_search.go4
-rw-r--r--services/auth/source/ldap/source_sync.go7
-rw-r--r--services/auth/source/oauth2/urlmapping.go10
6 files changed, 22 insertions, 23 deletions
diff --git a/services/auth/basic.go b/services/auth/basic.go
index a208590d7b..b2bd14ef5d 100644
--- a/services/auth/basic.go
+++ b/services/auth/basic.go
@@ -7,12 +7,11 @@ package auth
import (
"errors"
"net/http"
- "strings"
actions_model "code.gitea.io/gitea/models/actions"
auth_model "code.gitea.io/gitea/models/auth"
user_model "code.gitea.io/gitea/models/user"
- "code.gitea.io/gitea/modules/base"
+ "code.gitea.io/gitea/modules/auth/httpauth"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/timeutil"
@@ -54,17 +53,15 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
return nil, nil
}
- baHead := req.Header.Get("Authorization")
- if len(baHead) == 0 {
+ authHeader := req.Header.Get("Authorization")
+ if authHeader == "" {
return nil, nil
}
-
- auths := strings.SplitN(baHead, " ", 2)
- if len(auths) != 2 || (strings.ToLower(auths[0]) != "basic") {
+ parsed, ok := httpauth.ParseAuthorizationHeader(authHeader)
+ if !ok || parsed.BasicAuth == nil {
return nil, nil
}
-
- uname, passwd, _ := base.BasicAuthDecode(auths[1])
+ uname, passwd := parsed.BasicAuth.Username, parsed.BasicAuth.Password
// Check if username or password is a token
isUsernameToken := len(passwd) == 0 || passwd == "x-oauth-basic"
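Review bot: The early return on `!ok || parsed.BasicAuth == nil` in `Verify` now also covers a Basic header whose payload fails to decode, where the removed code discarded the `base.BasicAuthDecode` error and carried on with empty `uname`/`passwd`; nothing at the call site records that this is intended. A comment above that check would help, e.g. `// malformed or non-Basic Authorization headers mean "no credentials from this method", not an error`. The removed code matched the scheme case-insensitively via `strings.ToLower`; `httpauth.ParseAuthorizationHeader` is not visible in this diff, so it is worth confirming it does the same and pinning that with a test. `Verify` starts and ends outside the hunk.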
diff --git a/services/auth/oauth2.go b/services/auth/oauth2.go
index 66cc686809..7df6f4638e 100644
--- a/services/auth/oauth2.go
+++ b/services/auth/oauth2.go
@@ -13,6 +13,7 @@ import (
actions_model "code.gitea.io/gitea/models/actions"
auth_model "code.gitea.io/gitea/models/auth"
user_model "code.gitea.io/gitea/models/user"
+ "code.gitea.io/gitea/modules/auth/httpauth"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/timeutil"
@@ -97,9 +98,9 @@ func parseToken(req *http.Request) (string, bool) {
// check header token
if auHead := req.Header.Get("Authorization"); auHead != "" {
- auths := strings.Fields(auHead)
- if len(auths) == 2 && (auths[0] == "token" || strings.ToLower(auths[0]) == "bearer") {
- return auths[1], true
+ parsed, ok := httpauth.ParseAuthorizationHeader(auHead)
+ if ok && parsed.BearerToken != nil {
+ return parsed.BearerToken.Token, true
}
}
return "", false
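Review bot: The removed condition in `parseToken` accepted the literal scheme `token` as well as a case-insensitive `bearer`, but the new check only tests `parsed.BearerToken != nil`, and whether the helper maps `token` to that field is not visible here. If it does not, clients sending `Authorization: token <value>` would fall through to the final `return` and be treated as unauthenticated with no error. A comment at the check such as `// BearerToken is set for both the "token" and "bearer" schemes`, backed by a test for each scheme, would pin compatibility. `parseToken` begins outside the hunk.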
diff --git a/services/auth/source/ldap/source_authenticate.go b/services/auth/source/ldap/source_authenticate.go
index a2e8c2b86a..6005a4744a 100644
--- a/services/auth/source/ldap/source_authenticate.go
+++ b/services/auth/source/ldap/source_authenticate.go
@@ -58,7 +58,7 @@ func (source *Source) Authenticate(ctx context.Context, user *user_model.User, u
opts := &user_service.UpdateOptions{}
if source.AdminFilter != "" && user.IsAdmin != sr.IsAdmin {
// Change existing admin flag only if AdminFilter option is set
- opts.IsAdmin = optional.Some(sr.IsAdmin)
+ opts.IsAdmin = user_service.UpdateOptionFieldFromSync(sr.IsAdmin)
}
if !sr.IsAdmin && source.RestrictedFilter != "" && user.IsRestricted != sr.IsRestricted {
// Change existing restricted flag only if RestrictedFilter option is set
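Review bot: The assignment in `Authenticate` does not say why an LDAP-derived admin flag is wrapped in `user_service.UpdateOptionFieldFromSync` instead of `optional.Some`, and the same applies to the matching line in `Sync` in source_sync.go. Since this value grants or revokes admin rights based on directory data, a short comment would help, e.g. `// mark the change as coming from an external sync so the user service can tell it apart from an explicit admin edit`. The helper is not in this diff, so that wording should be confirmed against its definition. The restricted-flag assignment that follows lies outside the hunk and may need the same treatment; `Authenticate` itself starts and ends outside the hunk.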
diff --git a/services/auth/source/ldap/source_search.go b/services/auth/source/ldap/source_search.go
index fa2c45ce4a..e6bce04a83 100644
--- a/services/auth/source/ldap/source_search.go
+++ b/services/auth/source/ldap/source_search.go
@@ -117,10 +117,10 @@ func dial(source *Source) (*ldap.Conn, error) {
}
if source.SecurityProtocol == SecurityProtocolLDAPS {
- return ldap.DialTLS("tcp", net.JoinHostPort(source.Host, strconv.Itoa(source.Port)), tlsConfig) //nolint:staticcheck
+ return ldap.DialTLS("tcp", net.JoinHostPort(source.Host, strconv.Itoa(source.Port)), tlsConfig) //nolint:staticcheck // DialTLS is deprecated
}
- conn, err := ldap.Dial("tcp", net.JoinHostPort(source.Host, strconv.Itoa(source.Port))) //nolint:staticcheck
+ conn, err := ldap.Dial("tcp", net.JoinHostPort(source.Host, strconv.Itoa(source.Port))) //nolint:staticcheck // Dial is deprecated
if err != nil {
return nil, fmt.Errorf("error during Dial: %w", err)
}
diff --git a/services/auth/source/ldap/source_sync.go b/services/auth/source/ldap/source_sync.go
index 678b6b2b62..7b401c5c96 100644
--- a/services/auth/source/ldap/source_sync.go
+++ b/services/auth/source/ldap/source_sync.go
@@ -162,7 +162,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
IsActive: optional.Some(true),
}
if source.AdminFilter != "" {
- opts.IsAdmin = optional.Some(su.IsAdmin)
+ opts.IsAdmin = user_service.UpdateOptionFieldFromSync(su.IsAdmin)
}
// Change existing restricted flag only if RestrictedFilter option is set
if !su.IsAdmin && source.RestrictedFilter != "" {
@@ -178,8 +178,9 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
}
}
- if usr.IsUploadAvatarChanged(su.Avatar) {
- if err == nil && source.AttributeAvatar != "" {
+ if source.AttributeAvatar != "" {
+ if len(su.Avatar) > 0 && usr.IsUploadAvatarChanged(su.Avatar) {
+ log.Trace("SyncExternalUsers[%s]: Uploading new avatar for %s", source.AuthSource.Name, usr.Name)
_ = user_service.UploadAvatar(ctx, usr, su.Avatar)
}
}
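Review bot: The result of `user_service.UploadAvatar` is still discarded with `_ =`, so the new trace line can report an upload that then fails without any record. The removed `err == nil` guard also means the upload is now attempted regardless of what `err` held from the preceding step, which is outside the hunk. Handling the result would make failures visible: `if err := user_service.UploadAvatar(ctx, usr, su.Avatar); err != nil { log.Error("SyncExternalUsers[%s]: uploading avatar for %s: %v", source.AuthSource.Name, usr.Name, err) }`. If dropping the `err` check is deliberate, a one-line comment saying so would prevent it being re-added later. `Sync` continues outside the hunk.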
diff --git a/services/auth/source/oauth2/urlmapping.go b/services/auth/source/oauth2/urlmapping.go
index d0442d58a8..b9f445caa7 100644
--- a/services/auth/source/oauth2/urlmapping.go
+++ b/services/auth/source/oauth2/urlmapping.go
@@ -14,11 +14,11 @@ type CustomURLMapping struct {
// CustomURLSettings describes the urls values and availability to use when customizing OAuth2 provider URLs
type CustomURLSettings struct {
- AuthURL Attribute `json:",omitempty"`
- TokenURL Attribute `json:",omitempty"`
- ProfileURL Attribute `json:",omitempty"`
- EmailURL Attribute `json:",omitempty"`
- Tenant Attribute `json:",omitempty"`
+ AuthURL Attribute
+ TokenURL Attribute
+ ProfileURL Attribute
+ EmailURL Attribute
+ Tenant Attribute
}
// Attribute describes the availability, and required status for a custom url configuration