From 3d10193be2b4476d1d0d3249a9884fcc0faa64e5 Mon Sep 17 00:00:00 2001
From: Clar Fon <15850505+clarfonthey@users.noreply.github.com>
Date: Sat, 1 Oct 2022 13:26:33 -0400
Subject: Allow specifying SECRET_KEY_URI, similar to INTERNAL_TOKEN_URI (#19663)
Only load SECRET_KEY and INTERNAL_TOKEN if they exist. Never write the config file if the keys do not exist, which was only a fallback for Gitea upgraded from < 1.5
Co-authored-by: wxiaoguang
---
 routers/private/internal.go | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'routers')
diff --git a/routers/private/internal.go b/routers/private/internal.go
index 061c7f3c82..e9cc20a77d 100644
--- a/routers/private/internal.go
+++ b/routers/private/internal.go
@@ -24,6 +24,11 @@ func CheckInternalToken(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 tokens := req.Header.Get("Authorization")
 fields := strings.SplitN(tokens, " ", 2)
+ if setting.InternalToken == "" {
+ log.Warn(`The INTERNAL_TOKEN setting is missing from the configuration file: %q, internal API can't work.`, setting.CustomConf)
+ http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+ return
+ }
 if len(fields) != 2 || fields[0] != "Bearer" || fields[1] != setting.InternalToken {
 log.Debug("Forbidden attempt to access internal url: Authorization header: %s", tokens)
 http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
--
cgit v1.2.3
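Review bot: The new `setting.InternalToken == ""` guard is what makes this middleware fail closed, and nothing in the hunk says so: without it, an `Authorization` value of `Bearer ` with nothing after it splits into an empty second field that would equal an empty configured token in the comparison below. I would add a comment above the guard such as `// Fail closed: an unset INTERNAL_TOKEN must never match an empty bearer value.` and move the guard above the `req.Header.Get` line so the header is not parsed at all when no token is configured. The `log.Warn` runs on every rejected request, so a misconfigured instance writes one warning per call; emitting it once would keep the log usable. The unchanged `fields[1] != setting.InternalToken` comparison is not constant-time, and `subtle.ConstantTimeCompare` from `crypto/subtle` is the usual choice for a shared secret. The handler closure continues past the end of the hunk.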