Skip to content

Allow Token API calls be authorized using the reverse-proxy header #15119

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 13 commits into from
Nov 19, 2021
Merged

Allow Token API calls be authorized using the reverse-proxy header #15119

Changes from 1 commit
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
dc952c0
API calls authorized with HTTP header
pboguslawski Mar 18, 2021
0a51fd5
Fixed API calls authorized with HTTP header
pboguslawski Mar 18, 2021
f011fac
Merge master into master-IB#1107572
pboguslawski Mar 23, 2021
d7f2815
Reverse proxy API auth separated in docs
pboguslawski Apr 30, 2021
dcdc8ee
Reverse proxy API auth separated in docs
pboguslawski Apr 30, 2021
38dd9e4
Reverse proxy API auth separated
pboguslawski Apr 30, 2021
30f3a25
Merge branch 'master' into master-IB#1107572
pboguslawski Apr 30, 2021
1b45775
ReverseProxyAuth removed from swagger
pboguslawski Jun 25, 2021
09bc7ff
Merge remote-tracking branch 'master-IB#1107572' into master-IB#1107572
pboguslawski Jun 25, 2021
4bb60af
ReverseProxyAuth API authorization fixed
pboguslawski Jun 25, 2021
d23ef1b
ReverseProxyAuth API authorization fixed
pboguslawski Jun 25, 2021
ac114d4
Merge main into master-IB#1107572
pboguslawski Jun 25, 2021
988b05b
Merge remote/master-IB#1107572 into master-IB#1107572
pboguslawski Jun 25, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Fixed API calls authorized with HTTP header 
Only reqBasicAuth is modified to allow reverse proxy
auth as alternative and reqToken is left untouched.

Fixes: dc952c0
Author-Change-Id: IB#1107572
  • Loading branch information
@pboguslawski
pboguslawski committed Mar 18, 2021
commit 0a51fd538682c2e336c83711bdb0f0c51ea00ac5
22 changes: 11 additions & 11 deletions routers/api/v1/api.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@
// - text/html
//
// Security:
// - BasicAuth :
// - BasicOrReverseProxyAuth :
// - Token :
// - AccessToken :
// - AuthorizationHeaderToken :
Expand All @@ -30,8 +30,9 @@
// - TOTPHeader :
//
// SecurityDefinitions:
// BasicAuth:
// type: basic
// BasicOrReverseProxyAuth:
// type: basicOrReverseProxy
// description: Basic auth or rexerse proxy auth using HTTP header.
// Token:
// type: apiKey
// name: token
Expand Down Expand Up @@ -59,7 +60,7 @@
// type: apiKey
// name: X-GITEA-OTP
// in: header
// description: Must be used in combination with BasicAuth if two-factor authentication is enabled.
// description: Must be used in combination with BasicOrReverseProxyAuth if two-factor authentication is enabled.
//
// swagger:meta
package v1
Expand Down Expand Up @@ -197,21 +198,20 @@ func reqToken() func(ctx *context.APIContext) {
return
}
if ctx.IsSigned {
// Don't require token if already authenticated by reverse proxy.
if setting.Service.EnableReverseProxyAuth {
return
}
ctx.RequireCSRF()
return
}
ctx.Error(http.StatusUnauthorized, "reqToken", "token is required")
}
}

func reqBasicAuth() func(ctx *context.APIContext) {
func reqBasicOrRevProxyAuth() func(ctx *context.APIContext) {
return func(ctx *context.APIContext) {
if ctx.IsSigned && setting.Service.EnableReverseProxyAuth {
return
}
if !ctx.Context.IsBasicAuth {
ctx.Error(http.StatusUnauthorized, "reqBasicAuth", "basic auth required")
ctx.Error(http.StatusUnauthorized, "reqBasicOrRevProxyAuth", "auth required")
return
}
ctx.CheckForOTP()
Expand Down Expand Up @@ -611,7 +611,7 @@ func Routes() *web.Route {
m.Combo("").Get(user.ListAccessTokens).
Post(bind(api.CreateAccessTokenOption{}), user.CreateAccessToken)
m.Combo("/{id}").Delete(user.DeleteAccessToken)
}, reqBasicAuth())
}, reqBasicOrRevProxyAuth())
})
})

Expand Down