Refactor Nuget Auth to reuse Basic Auth Token Validation (#36558)

* Implicitly handle Actions Task Token for Nuget Api Keys
* Support same tokens as Basic Auth in Nuget Api Key Header

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This commit is contained in:
ChristopherHX
2026-02-08 15:43:05 +01:00
committed by GitHub
parent daf0483ef2
commit f65df2a69b
2 changed files with 31 additions and 35 deletions


@@ -40,25 +40,21 @@ func (b *Basic) Name() string {
return BasicMethodName
}
// Verify extracts and validates Basic data (username and password/token) from the
// "Authorization" header of the request and returns the corresponding user object for that
// name/token on successful validation.
// Returns nil if header is empty or validation fails.
func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
func (b *Basic) parseAuthBasic(req *http.Request) (ret struct{ authToken, uname, passwd string }) {
// Basic authentication should only fire on API, Feed, Download, Archives or on Git or LFSPaths
// Not all feed (rss/atom) clients feature the ability to add cookies or headers, so we need to allow basic auth for feeds
detector := newAuthPathDetector(req)
if !detector.isAPIPath() && !detector.isFeedRequest(req) && !detector.isContainerPath() && !detector.isAttachmentDownload() && !detector.isArchivePath() && !detector.isGitRawOrAttachOrLFSPath() {
return nil, nil
return ret
}
authHeader := req.Header.Get("Authorization")
if authHeader == "" {
return nil, nil
return ret
}
parsed, ok := httpauth.ParseAuthorizationHeader(authHeader)
if !ok || parsed.BasicAuth == nil {
return nil, nil
return ret
}
uname, passwd := parsed.BasicAuth.Username, parsed.BasicAuth.Password
@@ -73,7 +69,12 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
} else {
log.Trace("Basic Authorization: Attempting login with username as token")
}
ret.authToken, ret.uname, ret.passwd = authToken, uname, passwd
return ret
}
// VerifyAuthToken only the access token provided as parameter, used by other auth methods that want to reuse access token verification logic
func (b *Basic) VerifyAuthToken(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore, authToken string) (*user_model.User, error) {
// get oauth2 token's user's ID
_, uid := GetOAuthAccessTokenScopeAndUserID(req.Context(), authToken)
if uid != 0 {
@@ -120,6 +121,23 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
store.GetData()["LoginMethod"] = ActionTokenMethodName
return user_model.NewActionsUserWithTaskID(task.ID), nil
}
return nil, nil
}
// Verify extracts and validates Basic data (username and password/token) from the
// "Authorization" header of the request and returns the corresponding user object for that
// name/token on successful validation.
// Returns nil if header is empty or validation fails.
func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
parseBasicRet := b.parseAuthBasic(req)
authToken, uname, passwd := parseBasicRet.authToken, parseBasicRet.uname, parseBasicRet.passwd
if authToken == "" && uname == "" {
return nil, nil
}
u, err := b.VerifyAuthToken(req, w, store, sess, authToken)
if u != nil || err != nil {
return u, err
}
if !setting.Service.EnableBasicAuth {
return nil, nil