From b4412c22062bd1f80785e04fd3c48dfb911d1925 Mon Sep 17 00:00:00 2001 From: Nils Goroll Date: Mon, 26 Jan 2026 14:47:48 +0100 Subject: [PATCH] chore: do not pass the full signing key to template (#10967) A template should not get (easy) access to a full signing key to prevent accidents. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10967 Reviewed-by: Gusted Co-authored-by: Nils Goroll Co-committed-by: Nils Goroll --- routers/web/auth/oauth.go | 2 +- routers/web/auth/oauth_test.go | 29 +++++++++++++++++++++++++ templates/user/auth/oidc_wellknown.tmpl | 2 +- 3 files changed, 31 insertions(+), 2 deletions(-) diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go index 739d36ddde..f925a5cbff 100644 --- a/routers/web/auth/oauth.go +++ b/routers/web/auth/oauth.go @@ -674,7 +674,7 @@ func OIDCWellKnown(ctx *context.Context) { return } - ctx.Data["SigningKey"] = oauth2.DefaultSigningKey + ctx.Data["SigningAlg"] = oauth2.DefaultSigningKey.SigningMethod().Alg() ctx.Data["Issuer"] = strings.TrimSuffix(setting.AppURL, "/") ctx.JSONTemplate("user/auth/oidc_wellknown") } diff --git a/routers/web/auth/oauth_test.go b/routers/web/auth/oauth_test.go index cc2020fcda..5cb6020e89 100644 --- a/routers/web/auth/oauth_test.go +++ b/routers/web/auth/oauth_test.go @@ -4,15 +4,22 @@ package auth import ( + "net/http" + "strings" "testing" "forgejo.org/models/auth" "forgejo.org/models/db" "forgejo.org/models/unittest" user_model "forgejo.org/models/user" + "forgejo.org/modules/json" "forgejo.org/modules/jwtx" + "forgejo.org/modules/setting" + "forgejo.org/modules/templates" + "forgejo.org/modules/test" "forgejo.org/modules/timeutil" "forgejo.org/services/auth/source/oauth2" + "forgejo.org/services/contexttest" "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" @@ -86,3 +93,25 @@ func TestEncodeCodeChallenge(t *testing.T) { require.NoError(t, err) assert.Equal(t, "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM", codeChallenge) } + +func TestOIDCWellKnownDisabled(t *testing.T) { + ctx, resp := contexttest.MockContext(t, "/openid-configuration") + defer test.MockVariableValue(&setting.OAuth2.Enabled, false)() + OIDCWellKnown(ctx) + assert.Equal(t, http.StatusNotFound, resp.Code) +} + +func TestOIDCWellKnownEnabled(t *testing.T) { + ctx, resp := contexttest.MockContext(t, "/openid-configuration", contexttest.MockContextOption{Render: templates.HTMLRenderer()}) + err := oauth2.Init(ctx) + require.NoError(t, err) + + OIDCWellKnown(ctx) + assert.Equal(t, http.StatusOK, resp.Code) + + oidcjson := make(map[string]any) + require.NoError(t, json.Unmarshal([]byte(resp.Body.String()), &oidcjson)) + + assert.Equal(t, strings.TrimSuffix(setting.AppURL, "/"), oidcjson["issuer"]) + assert.Equal(t, []any{oauth2.DefaultSigningKey.SigningMethod().Alg()}, oidcjson["id_token_signing_alg_values_supported"]) +} diff --git a/templates/user/auth/oidc_wellknown.tmpl b/templates/user/auth/oidc_wellknown.tmpl index d8edcae41d..a1a50abde2 100644 --- a/templates/user/auth/oidc_wellknown.tmpl +++ b/templates/user/auth/oidc_wellknown.tmpl @@ -10,7 +10,7 @@ "id_token" ], "id_token_signing_alg_values_supported": [ - "{{.SigningKey.SigningMethod.Alg | JSEscape}}" + "{{.SigningAlg | JSEscape}}" ], "subject_types_supported": [ "public"