chore: do not pass the full signing key to template (#10967)

A template should not get (easy) access to a full signing key to prevent accidents.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10967
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Nils Goroll <nils.goroll@uplex.de>
Co-committed-by: Nils Goroll <nils.goroll@uplex.de>
This commit is contained in:
Nils Goroll 2026-01-26 14:47:48 +01:00 committed by Gusted
commit b4412c2206
3 changed files with 31 additions and 2 deletions

View file

@ -674,7 +674,7 @@ func OIDCWellKnown(ctx *context.Context) {
return
}
ctx.Data["SigningKey"] = oauth2.DefaultSigningKey
ctx.Data["SigningAlg"] = oauth2.DefaultSigningKey.SigningMethod().Alg()
ctx.Data["Issuer"] = strings.TrimSuffix(setting.AppURL, "/")
ctx.JSONTemplate("user/auth/oidc_wellknown")
}

View file

@ -4,15 +4,22 @@
package auth
import (
"net/http"
"strings"
"testing"
"forgejo.org/models/auth"
"forgejo.org/models/db"
"forgejo.org/models/unittest"
user_model "forgejo.org/models/user"
"forgejo.org/modules/json"
"forgejo.org/modules/jwtx"
"forgejo.org/modules/setting"
"forgejo.org/modules/templates"
"forgejo.org/modules/test"
"forgejo.org/modules/timeutil"
"forgejo.org/services/auth/source/oauth2"
"forgejo.org/services/contexttest"
"github.com/golang-jwt/jwt/v5"
"github.com/stretchr/testify/assert"
@ -86,3 +93,25 @@ func TestEncodeCodeChallenge(t *testing.T) {
require.NoError(t, err)
assert.Equal(t, "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM", codeChallenge)
}
func TestOIDCWellKnownDisabled(t *testing.T) {
ctx, resp := contexttest.MockContext(t, "/openid-configuration")
defer test.MockVariableValue(&setting.OAuth2.Enabled, false)()
OIDCWellKnown(ctx)
assert.Equal(t, http.StatusNotFound, resp.Code)
}
func TestOIDCWellKnownEnabled(t *testing.T) {
ctx, resp := contexttest.MockContext(t, "/openid-configuration", contexttest.MockContextOption{Render: templates.HTMLRenderer()})
err := oauth2.Init(ctx)
require.NoError(t, err)
OIDCWellKnown(ctx)
assert.Equal(t, http.StatusOK, resp.Code)
oidcjson := make(map[string]any)
require.NoError(t, json.Unmarshal([]byte(resp.Body.String()), &oidcjson))
assert.Equal(t, strings.TrimSuffix(setting.AppURL, "/"), oidcjson["issuer"])
assert.Equal(t, []any{oauth2.DefaultSigningKey.SigningMethod().Alg()}, oidcjson["id_token_signing_alg_values_supported"])
}

View file

@ -10,7 +10,7 @@
"id_token"
],
"id_token_signing_alg_values_supported": [
"{{.SigningKey.SigningMethod.Alg | JSEscape}}"
"{{.SigningAlg | JSEscape}}"
],
"subject_types_supported": [
"public"