mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
16872 Commits
17 Branches
Tree: v1.20.6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'v1.20.6'
${ noResults }
gitea/services/auth/middleware.go

middleware.go 6.9KB
Raw Permalink Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229 
  1. // Copyright 2022 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package auth

  5. 

  6. import (

  7. 	"net/http"

  8. 	"strings"

  9. 

  10. 	user_model "code.gitea.io/gitea/models/user"

  11. 	"code.gitea.io/gitea/modules/context"

  12. 	"code.gitea.io/gitea/modules/log"

  13. 	"code.gitea.io/gitea/modules/setting"

  14. 	"code.gitea.io/gitea/modules/web/middleware"

  15. )

  16. 

  17. // Auth is a middleware to authenticate a web user

  18. func Auth(authMethod Method) func(*context.Context) {

  19. 	return func(ctx *context.Context) {

  20. 		ar, err := authShared(ctx.Base, ctx.Session, authMethod)

  21. 		if err != nil {

  22. 			log.Error("Failed to verify user: %v", err)

  23. 			ctx.Error(http.StatusUnauthorized, "Verify")

  24. 			return

  25. 		}

  26. 		ctx.Doer = ar.Doer

  27. 		ctx.IsSigned = ar.Doer != nil

  28. 		ctx.IsBasicAuth = ar.IsBasicAuth

  29. 		if ctx.Doer == nil {

  30. 			// ensure the session uid is deleted

  31. 			_ = ctx.Session.Delete("uid")

  32. 		}

  33. 	}

  34. }

  35. 

  36. // APIAuth is a middleware to authenticate an api user

  37. func APIAuth(authMethod Method) func(*context.APIContext) {

  38. 	return func(ctx *context.APIContext) {

  39. 		ar, err := authShared(ctx.Base, nil, authMethod)

  40. 		if err != nil {

  41. 			ctx.Error(http.StatusUnauthorized, "APIAuth", err)

  42. 			return

  43. 		}

  44. 		ctx.Doer = ar.Doer

  45. 		ctx.IsSigned = ar.Doer != nil

  46. 		ctx.IsBasicAuth = ar.IsBasicAuth

  47. 	}

  48. }

  49. 

  50. type authResult struct {

  51. 	Doer        *user_model.User

  52. 	IsBasicAuth bool

  53. }

  54. 

  55. func authShared(ctx *context.Base, sessionStore SessionStore, authMethod Method) (ar authResult, err error) {

  56. 	ar.Doer, err = authMethod.Verify(ctx.Req, ctx.Resp, ctx, sessionStore)

  57. 	if err != nil {

  58. 		return ar, err

  59. 	}

  60. 	if ar.Doer != nil {

  61. 		if ctx.Locale.Language() != ar.Doer.Language {

  62. 			ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)

  63. 		}

  64. 		ar.IsBasicAuth = ctx.Data["AuthedMethod"].(string) == BasicMethodName

  65. 

  66. 		ctx.Data["IsSigned"] = true

  67. 		ctx.Data[middleware.ContextDataKeySignedUser] = ar.Doer

  68. 		ctx.Data["SignedUserID"] = ar.Doer.ID

  69. 		ctx.Data["IsAdmin"] = ar.Doer.IsAdmin

  70. 	} else {

  71. 		ctx.Data["SignedUserID"] = int64(0)

  72. 	}

  73. 	return ar, nil

  74. }

  75. 

  76. // VerifyOptions contains required or check options

  77. type VerifyOptions struct {

  78. 	SignInRequired  bool

  79. 	SignOutRequired bool

  80. 	AdminRequired   bool

  81. 	DisableCSRF     bool

  82. }

  83. 

  84. // VerifyAuthWithOptions checks authentication according to options

  85. func VerifyAuthWithOptions(options *VerifyOptions) func(ctx *context.Context) {

  86. 	return func(ctx *context.Context) {

  87. 		// Check prohibit login users.

  88. 		if ctx.IsSigned {

  89. 			if !ctx.Doer.IsActive && setting.Service.RegisterEmailConfirm {

  90. 				ctx.Data["Title"] = ctx.Tr("auth.active_your_account")

  91. 				ctx.HTML(http.StatusOK, "user/auth/activate")

  92. 				return

  93. 			}

  94. 			if !ctx.Doer.IsActive || ctx.Doer.ProhibitLogin {

  95. 				log.Info("Failed authentication attempt for %s from %s", ctx.Doer.Name, ctx.RemoteAddr())

  96. 				ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")

  97. 				ctx.HTML(http.StatusOK, "user/auth/prohibit_login")

  98. 				return

  99. 			}

  100. 

  101. 			if ctx.Doer.MustChangePassword {

  102. 				if ctx.Req.URL.Path != "/user/settings/change_password" {

  103. 					if strings.HasPrefix(ctx.Req.UserAgent(), "git") {

  104. 						ctx.Error(http.StatusUnauthorized, ctx.Tr("auth.must_change_password"))

  105. 						return

  106. 					}

  107. 					ctx.Data["Title"] = ctx.Tr("auth.must_change_password")

  108. 					ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"

  109. 					if ctx.Req.URL.Path != "/user/events" {

  110. 						middleware.SetRedirectToCookie(ctx.Resp, setting.AppSubURL+ctx.Req.URL.RequestURI())

  111. 					}

  112. 					ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")

  113. 					return

  114. 				}

  115. 			} else if ctx.Req.URL.Path == "/user/settings/change_password" {

  116. 				// make sure that the form cannot be accessed by users who don't need this

  117. 				ctx.Redirect(setting.AppSubURL + "/")

  118. 				return

  119. 			}

  120. 		}

  121. 

  122. 		// Redirect to dashboard if user tries to visit any non-login page.

  123. 		if options.SignOutRequired && ctx.IsSigned && ctx.Req.URL.RequestURI() != "/" {

  124. 			ctx.Redirect(setting.AppSubURL + "/")

  125. 			return

  126. 		}

  127. 

  128. 		if !options.SignOutRequired && !options.DisableCSRF && ctx.Req.Method == "POST" {

  129. 			ctx.Csrf.Validate(ctx)

  130. 			if ctx.Written() {

  131. 				return

  132. 			}

  133. 		}

  134. 

  135. 		if options.SignInRequired {

  136. 			if !ctx.IsSigned {

  137. 				if ctx.Req.URL.Path != "/user/events" {

  138. 					middleware.SetRedirectToCookie(ctx.Resp, setting.AppSubURL+ctx.Req.URL.RequestURI())

  139. 				}

  140. 				ctx.Redirect(setting.AppSubURL + "/user/login")

  141. 				return

  142. 			} else if !ctx.Doer.IsActive && setting.Service.RegisterEmailConfirm {

  143. 				ctx.Data["Title"] = ctx.Tr("auth.active_your_account")

  144. 				ctx.HTML(http.StatusOK, "user/auth/activate")

  145. 				return

  146. 			}

  147. 		}

  148. 

  149. 		// Redirect to log in page if auto-signin info is provided and has not signed in.

  150. 		if !options.SignOutRequired && !ctx.IsSigned &&

  151. 			len(ctx.GetSiteCookie(setting.CookieUserName)) > 0 {

  152. 			if ctx.Req.URL.Path != "/user/events" {

  153. 				middleware.SetRedirectToCookie(ctx.Resp, setting.AppSubURL+ctx.Req.URL.RequestURI())

  154. 			}

  155. 			ctx.Redirect(setting.AppSubURL + "/user/login")

  156. 			return

  157. 		}

  158. 

  159. 		if options.AdminRequired {

  160. 			if !ctx.Doer.IsAdmin {

  161. 				ctx.Error(http.StatusForbidden)

  162. 				return

  163. 			}

  164. 			ctx.Data["PageIsAdmin"] = true

  165. 		}

  166. 	}

  167. }

  168. 

  169. // VerifyAuthWithOptionsAPI checks authentication according to options

  170. func VerifyAuthWithOptionsAPI(options *VerifyOptions) func(ctx *context.APIContext) {

  171. 	return func(ctx *context.APIContext) {

  172. 		// Check prohibit login users.

  173. 		if ctx.IsSigned {

  174. 			if !ctx.Doer.IsActive && setting.Service.RegisterEmailConfirm {

  175. 				ctx.Data["Title"] = ctx.Tr("auth.active_your_account")

  176. 				ctx.JSON(http.StatusForbidden, map[string]string{

  177. 					"message": "This account is not activated.",

  178. 				})

  179. 				return

  180. 			}

  181. 			if !ctx.Doer.IsActive || ctx.Doer.ProhibitLogin {

  182. 				log.Info("Failed authentication attempt for %s from %s", ctx.Doer.Name, ctx.RemoteAddr())

  183. 				ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")

  184. 				ctx.JSON(http.StatusForbidden, map[string]string{

  185. 					"message": "This account is prohibited from signing in, please contact your site administrator.",

  186. 				})

  187. 				return

  188. 			}

  189. 

  190. 			if ctx.Doer.MustChangePassword {

  191. 				ctx.JSON(http.StatusForbidden, map[string]string{

  192. 					"message": "You must change your password. Change it at: " + setting.AppURL + "/user/change_password",

  193. 				})

  194. 				return

  195. 			}

  196. 		}

  197. 

  198. 		// Redirect to dashboard if user tries to visit any non-login page.

  199. 		if options.SignOutRequired && ctx.IsSigned && ctx.Req.URL.RequestURI() != "/" {

  200. 			ctx.Redirect(setting.AppSubURL + "/")

  201. 			return

  202. 		}

  203. 

  204. 		if options.SignInRequired {

  205. 			if !ctx.IsSigned {

  206. 				// Restrict API calls with error message.

  207. 				ctx.JSON(http.StatusForbidden, map[string]string{

  208. 					"message": "Only signed in user is allowed to call APIs.",

  209. 				})

  210. 				return

  211. 			} else if !ctx.Doer.IsActive && setting.Service.RegisterEmailConfirm {

  212. 				ctx.Data["Title"] = ctx.Tr("auth.active_your_account")

  213. 				ctx.JSON(http.StatusForbidden, map[string]string{

  214. 					"message": "This account is not activated.",

  215. 				})

  216. 				return

  217. 			}

  218. 		}

  219. 

  220. 		if options.AdminRequired {

  221. 			if !ctx.Doer.IsAdmin {

  222. 				ctx.JSON(http.StatusForbidden, map[string]string{

  223. 					"message": "You have no permission to request for this.",

  224. 				})

  225. 				return

  226. 			}

  227. 		}

  228. 	}

  229. }