gitforge/services/auth/method/oauth2.go
Mathieu Fenniak de5f38c4ea feat: enable auth to raw resources, release downloads, & attachments via authorized integrations (#12776)
A handful of routes, described in this PR as "mixed routes", are currently accessible by both web-based sessions and authenticated API users.  The goal of this PR is to allow access to these routes for Authorized Integrations as well, bringing them to full API compatibility (to my knowledge) with other authentication methods.  These routes are impacted:
- `/{username}/{repo}/raw/*`
- `/{username}/{repo}/archive/*`
- `/{username}/{repo}/releases/download/{vTag}/{fileName}`
- `/{username}/{repo}/attachments/{uuid}`
- `/attachments/{uuid}`

The major work in this PR was to refactoring the existing authentication methods so that "path based matching" that they were currently doing was no longer required, as I didn't want to introduce that into Authorized Integrations.  All the path based matching is removed in this PR, and authentication methods are enabled entirely by the middleware applied to their endpoints.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12776
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-29 02:11:43 +02:00

141 lines
4.3 KiB
Go

// Copyright 2014 The Gogs Authors. All rights reserved.
// Copyright 2019 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package method
import (
"errors"
"fmt"
"net/http"
"slices"
"strings"
"time"
auth_model "forgejo.org/models/auth"
user_model "forgejo.org/models/user"
"forgejo.org/modules/log"
"forgejo.org/modules/optional"
"forgejo.org/modules/setting"
"forgejo.org/services/auth"
"forgejo.org/services/auth/source/oauth2"
)
// Ensure the struct implements the interface.
var (
_ auth.Method = &OAuth2{}
)
// grantAdditionalScopes returns valid scopes coming from grant
func grantAdditionalScopes(grantScopes string) string {
// scopes_supported from templates/user/auth/oidc_wellknown.tmpl
scopesSupported := []string{
"openid",
"profile",
"email",
"groups",
}
var apiTokenScopes []string
for apiTokenScope := range strings.SplitSeq(grantScopes, " ") {
if slices.Index(scopesSupported, apiTokenScope) == -1 {
apiTokenScopes = append(apiTokenScopes, apiTokenScope)
}
}
if len(apiTokenScopes) == 0 {
return ""
}
var additionalGrantScopes []string
allScopes := auth_model.AccessTokenScope("all")
for _, apiTokenScope := range apiTokenScopes {
grantScope := auth_model.AccessTokenScope(apiTokenScope)
if ok, _ := allScopes.HasScope(grantScope); ok {
additionalGrantScopes = append(additionalGrantScopes, apiTokenScope)
} else if apiTokenScope == "public-only" {
additionalGrantScopes = append(additionalGrantScopes, apiTokenScope)
}
}
if len(additionalGrantScopes) > 0 {
return strings.Join(additionalGrantScopes, ",")
}
return ""
}
// OAuth2 implements the Auth interface and authenticates requests (API requests only) by looking for an OAuth token in
// query parameters or the "Authorization" header.
type OAuth2 struct{}
func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionStore) auth.MethodOutput {
if !setting.OAuth2.Enabled {
return &auth.AuthenticationNotAttempted{}
}
maybeAuthToken := o.getTokenFromRequest(req)
if !maybeAuthToken.Has() {
return &auth.AuthenticationNotAttempted{}
}
_, authToken := maybeAuthToken.Get()
token, err := oauth2.ParseToken(authToken, oauth2.DefaultSigningKey)
if err != nil {
log.Trace("oauth2.ParseToken: %v", err)
return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
}
var grant *auth_model.OAuth2Grant
if grant, err = auth_model.GetOAuth2GrantByID(req.Context(), token.GrantID); err != nil {
return &auth.AuthenticationError{Error: fmt.Errorf("oauth2 GetOAuth2GrantByID: %w", err)}
} else if grant == nil {
return &auth.AuthenticationAttemptedIncorrectCredential{Error: errors.New("oauth2 grant not found or revoked")}
}
if token.Type != oauth2.TypeAccessToken {
return &auth.AuthenticationAttemptedIncorrectCredential{Error: errors.New("token was not an oauth2 access token")}
}
if token.ExpiresAt.Before(time.Now()) || token.IssuedAt.After(time.Now()) {
return &auth.AuthenticationAttemptedIncorrectCredential{Error: errors.New("token was expired")}
}
if grant.UserID == 0 {
return &auth.AuthenticationError{Error: errors.New("oauth2 invalid grant user id")}
}
var accessTokenScope optional.Option[auth_model.AccessTokenScope]
grantScopes := grantAdditionalScopes(grant.Scope)
if grantScopes != "" {
accessTokenScope = optional.Some(auth_model.AccessTokenScope(grantScopes))
} else {
accessTokenScope = optional.Some(auth_model.AccessTokenScopeAll) // fallback to all
}
user, err := user_model.GetPossibleUserByID(req.Context(), grant.UserID)
if err != nil {
if !user_model.IsErrUserNotExist(err) {
return &auth.AuthenticationError{Error: fmt.Errorf("oauth2 GetPossibleUserByID: %w", err)}
}
return &auth.AuthenticationAttemptedIncorrectCredential{Error: errors.New("oauth2 grant owner does not exist")}
}
return &auth.AuthenticationSuccess{
Result: &oAuth2JWTAuthenticationResult{
user: user,
scope: accessTokenScope,
grantScopes: grantScopes,
},
}
}
func (*OAuth2) getTokenFromRequest(req *http.Request) optional.Option[string] {
if has, token := tokenFromForm(req).Get(); has {
return optional.Some(token)
}
if has, token := tokenFromAuthorizationBasic(req).Get(); has {
return optional.Some(token)
}
if has, token := tokenFromAuthorizationBearer(req).Get(); has {
return optional.Some(token)
}
return optional.None[string]()
}