mirror of
https://github.com/go-gitea/gitea.git
synced 2025-04-08 17:05:45 +02:00
Merge branch 'main' into feature/bots
This commit is contained in:
Jason Song
commit
c393a9ca93
@ -219,7 +219,13 @@ func (ctx *APIContext) CheckForOTP() {
|
||||
func APIAuth(authMethod auth_service.Method) func(*APIContext) {
|
||||
return func(ctx *APIContext) {
|
||||
// Get user from session if logged in.
|
||||
ctx.Doer = authMethod.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
|
||||
var err error
|
||||
ctx.Doer, err = authMethod.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
|
||||
if err != nil {
|
||||
ctx.Error(http.StatusUnauthorized, "APIAuth", err)
|
||||
return
|
||||
}
|
||||
|
||||
if ctx.Doer != nil {
|
||||
if ctx.Locale.Language() != ctx.Doer.Language {
|
||||
ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
|
||||
|
||||
@ -662,7 +662,13 @@ func getCsrfOpts() CsrfOptions {
|
||||
// Auth converts auth.Auth as a middleware
|
||||
func Auth(authMethod auth.Method) func(*Context) {
|
||||
return func(ctx *Context) {
|
||||
ctx.Doer = authMethod.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
|
||||
var err error
|
||||
ctx.Doer, err = authMethod.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
|
||||
if err != nil {
|
||||
log.Error("Failed to verify user %v: %v", ctx.Req.RemoteAddr, err)
|
||||
ctx.Error(http.StatusUnauthorized, "Verify")
|
||||
return
|
||||
}
|
||||
if ctx.Doer != nil {
|
||||
if ctx.Locale.Language() != ctx.Doer.Language {
|
||||
ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
|
||||
|
||||
@ -11,6 +11,7 @@ import (
|
||||
|
||||
"code.gitea.io/gitea/models/perm"
|
||||
"code.gitea.io/gitea/modules/context"
|
||||
"code.gitea.io/gitea/modules/log"
|
||||
"code.gitea.io/gitea/modules/setting"
|
||||
"code.gitea.io/gitea/modules/web"
|
||||
"code.gitea.io/gitea/routers/api/packages/composer"
|
||||
@ -58,7 +59,13 @@ func CommonRoutes(ctx gocontext.Context) *web.Route {
|
||||
|
||||
authGroup := auth.NewGroup(authMethods...)
|
||||
r.Use(func(ctx *context.Context) {
|
||||
ctx.Doer = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
|
||||
var err error
|
||||
ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
|
||||
if err != nil {
|
||||
log.Error("Verify: %v", err)
|
||||
ctx.Error(http.StatusUnauthorized, "authGroup.Verify")
|
||||
return
|
||||
}
|
||||
ctx.IsSigned = ctx.Doer != nil
|
||||
})
|
||||
|
||||
@ -321,7 +328,13 @@ func ContainerRoutes(ctx gocontext.Context) *web.Route {
|
||||
|
||||
authGroup := auth.NewGroup(authMethods...)
|
||||
r.Use(func(ctx *context.Context) {
|
||||
ctx.Doer = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
|
||||
var err error
|
||||
ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
|
||||
if err != nil {
|
||||
log.Error("Failed to verify user: %v", err)
|
||||
ctx.Error(http.StatusUnauthorized, "Verify")
|
||||
return
|
||||
}
|
||||
ctx.IsSigned = ctx.Doer != nil
|
||||
})
|
||||
|
||||
|
||||
@ -19,22 +19,22 @@ func (a *Auth) Name() string {
|
||||
}
|
||||
|
||||
// Verify extracts the user from the Bearer token
|
||||
func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataStore, sess auth.SessionStore) *user_model.User {
|
||||
func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataStore, sess auth.SessionStore) (*user_model.User, error) {
|
||||
uid, err := packages.ParseAuthorizationToken(req)
|
||||
if err != nil {
|
||||
log.Trace("ParseAuthorizationToken: %v", err)
|
||||
return nil
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if uid == 0 {
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
u, err := user_model.GetUserByID(req.Context(), uid)
|
||||
if err != nil {
|
||||
log.Error("GetUserByID: %v", err)
|
||||
return nil
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return u
|
||||
return u, nil
|
||||
}
|
||||
|
||||
@ -20,25 +20,25 @@ func (a *Auth) Name() string {
|
||||
|
||||
// Verify extracts the user from the Bearer token
|
||||
// If it's an anonymous session a ghost user is returned
|
||||
func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataStore, sess auth.SessionStore) *user_model.User {
|
||||
func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataStore, sess auth.SessionStore) (*user_model.User, error) {
|
||||
uid, err := packages.ParseAuthorizationToken(req)
|
||||
if err != nil {
|
||||
log.Trace("ParseAuthorizationToken: %v", err)
|
||||
return nil
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if uid == 0 {
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
if uid == -1 {
|
||||
return user_model.NewGhostUser()
|
||||
return user_model.NewGhostUser(), nil
|
||||
}
|
||||
|
||||
u, err := user_model.GetUserByID(req.Context(), uid)
|
||||
if err != nil {
|
||||
log.Error("GetUserByID: %v", err)
|
||||
return nil
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return u
|
||||
return u, nil
|
||||
}
|
||||
|
||||
@ -20,19 +20,20 @@ func (a *Auth) Name() string {
|
||||
}
|
||||
|
||||
// https://docs.microsoft.com/en-us/nuget/api/package-publish-resource#request-parameters
|
||||
func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataStore, sess auth.SessionStore) *user_model.User {
|
||||
func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataStore, sess auth.SessionStore) (*user_model.User, error) {
|
||||
token, err := auth_model.GetAccessTokenBySHA(req.Header.Get("X-NuGet-ApiKey"))
|
||||
if err != nil {
|
||||
if !(auth_model.IsErrAccessTokenNotExist(err) || auth_model.IsErrAccessTokenEmpty(err)) {
|
||||
log.Error("GetAccessTokenBySHA: %v", err)
|
||||
return nil, err
|
||||
}
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
u, err := user_model.GetUserByID(req.Context(), token.UID)
|
||||
if err != nil {
|
||||
log.Error("GetUserByID: %v", err)
|
||||
return nil
|
||||
return nil, err
|
||||
}
|
||||
|
||||
token.UpdatedUnix = timeutil.TimeStampNow()
|
||||
@ -40,5 +41,5 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS
|
||||
log.Error("UpdateAccessToken: %v", err)
|
||||
}
|
||||
|
||||
return u
|
||||
return u, nil
|
||||
}
|
||||
|
||||
@ -42,20 +42,20 @@ func (b *Basic) Name() string {
|
||||
// "Authorization" header of the request and returns the corresponding user object for that
|
||||
// name/token on successful validation.
|
||||
// Returns nil if header is empty or validation fails.
|
||||
func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *user_model.User {
|
||||
func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
|
||||
// Basic authentication should only fire on API, Download or on Git or LFSPaths
|
||||
if !middleware.IsAPIPath(req) && !isContainerPath(req) && !isAttachmentDownload(req) && !isGitRawReleaseOrLFSPath(req) {
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
baHead := req.Header.Get("Authorization")
|
||||
if len(baHead) == 0 {
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
auths := strings.SplitN(baHead, " ", 2)
|
||||
if len(auths) != 2 || (strings.ToLower(auths[0]) != "basic") {
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
uname, passwd, _ := base.BasicAuthDecode(auths[1])
|
||||
@ -80,11 +80,11 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
|
||||
u, err := user_model.GetUserByID(req.Context(), uid)
|
||||
if err != nil {
|
||||
log.Error("GetUserByID: %v", err)
|
||||
return nil
|
||||
return nil, err
|
||||
}
|
||||
|
||||
store.GetData()["IsApiToken"] = true
|
||||
return u
|
||||
return u, nil
|
||||
}
|
||||
|
||||
// check personal access token
|
||||
@ -94,7 +94,7 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
|
||||
u, err := user_model.GetUserByID(req.Context(), token.UID)
|
||||
if err != nil {
|
||||
log.Error("GetUserByID: %v", err)
|
||||
return nil
|
||||
return nil, err
|
||||
}
|
||||
|
||||
token.UpdatedUnix = timeutil.TimeStampNow()
|
||||
@ -103,7 +103,7 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
|
||||
}
|
||||
|
||||
store.GetData()["IsApiToken"] = true
|
||||
return u
|
||||
return u, nil
|
||||
} else if !auth_model.IsErrAccessTokenNotExist(err) && !auth_model.IsErrAccessTokenEmpty(err) {
|
||||
log.Error("GetAccessTokenBySha: %v", err)
|
||||
}
|
||||
@ -120,7 +120,7 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
|
||||
}
|
||||
|
||||
if !setting.Service.EnableBasicAuth {
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
log.Trace("Basic Authorization: Attempting SignIn for %s", uname)
|
||||
@ -129,7 +129,7 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
|
||||
if !user_model.IsErrUserNotExist(err) {
|
||||
log.Error("UserSignIn: %v", err)
|
||||
}
|
||||
return nil
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if skipper, ok := source.Cfg.(LocalTwoFASkipper); ok && skipper.IsSkipLocalTwoFA() {
|
||||
@ -138,5 +138,5 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
|
||||
|
||||
log.Trace("Basic Authorization: Logged in user %-v", u)
|
||||
|
||||
return u
|
||||
return u, nil
|
||||
}
|
||||
|
||||
@ -9,7 +9,6 @@ import (
|
||||
"reflect"
|
||||
"strings"
|
||||
|
||||
"code.gitea.io/gitea/models/db"
|
||||
user_model "code.gitea.io/gitea/models/user"
|
||||
)
|
||||
|
||||
@ -80,23 +79,23 @@ func (b *Group) Free() error {
|
||||
}
|
||||
|
||||
// Verify extracts and validates
|
||||
func (b *Group) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *user_model.User {
|
||||
if !db.HasEngine {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (b *Group) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
|
||||
// Try to sign in with each of the enabled plugins
|
||||
for _, ssoMethod := range b.methods {
|
||||
user := ssoMethod.Verify(req, w, store, sess)
|
||||
user, err := ssoMethod.Verify(req, w, store, sess)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if user != nil {
|
||||
if store.GetData()["AuthedMethod"] == nil {
|
||||
if named, ok := ssoMethod.(Named); ok {
|
||||
store.GetData()["AuthedMethod"] = named.Name()
|
||||
}
|
||||
}
|
||||
return user
|
||||
return user, nil
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
@ -39,10 +39,10 @@ func (h *HTTPSign) Name() string {
|
||||
// Verify extracts and validates HTTPsign from the Signature header of the request and returns
|
||||
// the corresponding user object on successful validation.
|
||||
// Returns nil if header is empty or validation fails.
|
||||
func (h *HTTPSign) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *user_model.User {
|
||||
func (h *HTTPSign) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
|
||||
sigHead := req.Header.Get("Signature")
|
||||
if len(sigHead) == 0 {
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
var (
|
||||
@ -53,14 +53,14 @@ func (h *HTTPSign) Verify(req *http.Request, w http.ResponseWriter, store DataSt
|
||||
if len(req.Header.Get("X-Ssh-Certificate")) != 0 {
|
||||
// Handle Signature signed by SSH certificates
|
||||
if len(setting.SSH.TrustedUserCAKeys) == 0 {
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
publicKey, err = VerifyCert(req)
|
||||
if err != nil {
|
||||
log.Debug("VerifyCert on request from %s: failed: %v", req.RemoteAddr, err)
|
||||
log.Warn("Failed authentication attempt from %s", req.RemoteAddr)
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
} else {
|
||||
// Handle Signature signed by Public Key
|
||||
@ -68,21 +68,21 @@ func (h *HTTPSign) Verify(req *http.Request, w http.ResponseWriter, store DataSt
|
||||
if err != nil {
|
||||
log.Debug("VerifyPubKey on request from %s: failed: %v", req.RemoteAddr, err)
|
||||
log.Warn("Failed authentication attempt from %s", req.RemoteAddr)
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
}
|
||||
|
||||
u, err := user_model.GetUserByID(req.Context(), publicKey.OwnerID)
|
||||
if err != nil {
|
||||
log.Error("GetUserByID: %v", err)
|
||||
return nil
|
||||
return nil, err
|
||||
}
|
||||
|
||||
store.GetData()["IsApiToken"] = true
|
||||
|
||||
log.Trace("HTTP Sign: Logged in user %-v", u)
|
||||
|
||||
return u
|
||||
return u, nil
|
||||
}
|
||||
|
||||
func VerifyPubKey(r *http.Request) (*asymkey_model.PublicKey, error) {
|
||||
|
||||
@ -24,8 +24,9 @@ type Method interface {
|
||||
// If verification is successful returns either an existing user object (with id > 0)
|
||||
// or a new user object (with id = 0) populated with the information that was found
|
||||
// in the authentication data (username or email).
|
||||
// Returns nil if verification fails.
|
||||
Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *user_model.User
|
||||
// Second argument returns err if verification fails, otherwise
|
||||
// First return argument returns nil if no matched verification condition
|
||||
Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error)
|
||||
}
|
||||
|
||||
// Initializable represents a structure that requires initialization
|
||||
|
||||
@ -120,18 +120,14 @@ func (o *OAuth2) userIDFromToken(req *http.Request, store DataStore) int64 {
|
||||
// or the "Authorization" header and returns the corresponding user object for that ID.
|
||||
// If verification is successful returns an existing user object.
|
||||
// Returns nil if verification fails.
|
||||
func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *user_model.User {
|
||||
if !db.HasEngine {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
|
||||
if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isAuthenticatedTokenRequest(req) {
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
id := o.userIDFromToken(req, store)
|
||||
if id == -1 || id <= -3 { // -2 means actions, so we need to allow it.
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
log.Trace("OAuth2 Authorization: Found token for user[%d]", id)
|
||||
|
||||
@ -140,11 +136,11 @@ func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, store DataStor
|
||||
if !user_model.IsErrUserNotExist(err) {
|
||||
log.Error("GetUserByName: %v", err)
|
||||
}
|
||||
return nil
|
||||
return nil, err
|
||||
}
|
||||
|
||||
log.Trace("OAuth2 Authorization: Logged in user %-v", user)
|
||||
return user
|
||||
return user, nil
|
||||
}
|
||||
|
||||
func isAuthenticatedTokenRequest(req *http.Request) bool {
|
||||
|
||||
@ -51,10 +51,10 @@ func (r *ReverseProxy) Name() string {
|
||||
// If a username is available in the "setting.ReverseProxyAuthUser" header an existing
|
||||
// user object is returned (populated with username or email found in header).
|
||||
// Returns nil if header is empty.
|
||||
func (r *ReverseProxy) getUserFromAuthUser(req *http.Request) *user_model.User {
|
||||
func (r *ReverseProxy) getUserFromAuthUser(req *http.Request) (*user_model.User, error) {
|
||||
username := r.getUserName(req)
|
||||
if len(username) == 0 {
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
log.Trace("ReverseProxy Authorization: Found username: %s", username)
|
||||
|
||||
@ -62,11 +62,11 @@ func (r *ReverseProxy) getUserFromAuthUser(req *http.Request) *user_model.User {
|
||||
if err != nil {
|
||||
if !user_model.IsErrUserNotExist(err) || !r.isAutoRegisterAllowed() {
|
||||
log.Error("GetUserByName: %v", err)
|
||||
return nil
|
||||
return nil, err
|
||||
}
|
||||
user = r.newUser(req)
|
||||
}
|
||||
return user
|
||||
return user, nil
|
||||
}
|
||||
|
||||
// getEmail extracts the email from the "setting.ReverseProxyAuthEmail" header
|
||||
@ -106,12 +106,15 @@ func (r *ReverseProxy) getUserFromAuthEmail(req *http.Request) *user_model.User
|
||||
// First it will attempt to load it based on the username (see docs for getUserFromAuthUser),
|
||||
// and failing that it will attempt to load it based on the email (see docs for getUserFromAuthEmail).
|
||||
// Returns nil if the headers are empty or the user is not found.
|
||||
func (r *ReverseProxy) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *user_model.User {
|
||||
user := r.getUserFromAuthUser(req)
|
||||
func (r *ReverseProxy) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
|
||||
user, err := r.getUserFromAuthUser(req)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if user == nil {
|
||||
user = r.getUserFromAuthEmail(req)
|
||||
if user == nil {
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
}
|
||||
|
||||
@ -124,7 +127,7 @@ func (r *ReverseProxy) Verify(req *http.Request, w http.ResponseWriter, store Da
|
||||
store.GetData()["IsReverseProxy"] = true
|
||||
|
||||
log.Trace("ReverseProxy Authorization: Logged in user %-v", user)
|
||||
return user
|
||||
return user, nil
|
||||
}
|
||||
|
||||
// isAutoRegisterAllowed checks if EnableReverseProxyAutoRegister setting is true
|
||||
|
||||
@ -29,12 +29,12 @@ func (s *Session) Name() string {
|
||||
// Verify checks if there is a user uid stored in the session and returns the user
|
||||
// object for that uid.
|
||||
// Returns nil if there is no user uid stored in the session.
|
||||
func (s *Session) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *user_model.User {
|
||||
func (s *Session) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
|
||||
user := SessionUser(sess)
|
||||
if user != nil {
|
||||
return user
|
||||
return user, nil
|
||||
}
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
// SessionUser returns the user object corresponding to the "uid" session variable.
|
||||
|
||||
@ -77,15 +77,15 @@ func (s *SSPI) Free() error {
|
||||
// If authentication is successful, returns the corresponding user object.
|
||||
// If negotiation should continue or authentication fails, immediately returns a 401 HTTP
|
||||
// response code, as required by the SPNEGO protocol.
|
||||
func (s *SSPI) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *user_model.User {
|
||||
func (s *SSPI) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
|
||||
if !s.shouldAuthenticate(req) {
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
cfg, err := s.getConfig()
|
||||
if err != nil {
|
||||
log.Error("could not get SSPI config: %v", err)
|
||||
return nil
|
||||
return nil, err
|
||||
}
|
||||
|
||||
log.Trace("SSPI Authorization: Attempting to authenticate")
|
||||
@ -108,7 +108,7 @@ func (s *SSPI) Verify(req *http.Request, w http.ResponseWriter, store DataStore,
|
||||
log.Error("%v", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
return nil, err
|
||||
}
|
||||
if outToken != "" {
|
||||
sspiAuth.AppendAuthenticateHeader(w, outToken)
|
||||
@ -116,7 +116,7 @@ func (s *SSPI) Verify(req *http.Request, w http.ResponseWriter, store DataStore,
|
||||
|
||||
username := sanitizeUsername(userInfo.Username, cfg)
|
||||
if len(username) == 0 {
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
log.Info("Authenticated as %s\n", username)
|
||||
|
||||
@ -124,16 +124,16 @@ func (s *SSPI) Verify(req *http.Request, w http.ResponseWriter, store DataStore,
|
||||
if err != nil {
|
||||
if !user_model.IsErrUserNotExist(err) {
|
||||
log.Error("GetUserByName: %v", err)
|
||||
return nil
|
||||
return nil, err
|
||||
}
|
||||
if !cfg.AutoCreateUsers {
|
||||
log.Error("User '%s' not found", username)
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
user, err = s.newUser(username, cfg)
|
||||
if err != nil {
|
||||
log.Error("CreateUser: %v", err)
|
||||
return nil
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
@ -143,7 +143,7 @@ func (s *SSPI) Verify(req *http.Request, w http.ResponseWriter, store DataStore,
|
||||
}
|
||||
|
||||
log.Trace("SSPI Authorization: Logged in user %-v", user)
|
||||
return user
|
||||
return user, nil
|
||||
}
|
||||
|
||||
// getConfig retrieves the SSPI configuration from login sources
|
||||
|
||||
@ -10,6 +10,7 @@ import (
|
||||
"time"
|
||||
|
||||
user_model "code.gitea.io/gitea/models/user"
|
||||
"code.gitea.io/gitea/modules/log"
|
||||
"code.gitea.io/gitea/modules/setting"
|
||||
|
||||
"github.com/golang-jwt/jwt/v4"
|
||||
@ -41,9 +42,15 @@ func CreateAuthorizationToken(u *user_model.User) (string, error) {
|
||||
}
|
||||
|
||||
func ParseAuthorizationToken(req *http.Request) (int64, error) {
|
||||
parts := strings.SplitN(req.Header.Get("Authorization"), " ", 2)
|
||||
h := req.Header.Get("Authorization")
|
||||
if h == "" {
|
||||
return 0, nil
|
||||
}
|
||||
|
||||
parts := strings.SplitN(h, " ", 2)
|
||||
if len(parts) != 2 {
|
||||
return 0, fmt.Errorf("no token")
|
||||
log.Error("split token failed: %s", h)
|
||||
return 0, fmt.Errorf("split token failed")
|
||||
}
|
||||
|
||||
token, err := jwt.ParseWithClaims(parts[1], &packageClaims{}, func(t *jwt.Token) (interface{}, error) {
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user