From 543bb4ba3e8d586b8355458b4978806a8218e9d7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Fri, 24 Feb 2023 14:24:29 +0100 Subject: [PATCH] [BRANDING] X-Forgejo-OTP can be used instead of X-Gitea-OTP (cherry picked from commit 7b0549cd70aa7cafec853e15b25270847c59850b) (cherry picked from commit 13e10a65d974c7b594681bfa36402a6144862116) (cherry picked from commit 65bdd73cf27895a9fb8db2a95ef4f5b08951481d) (cherry picked from commit 64eba8bb923176b4c286b1d0c83792f3c3005ca8) (cherry picked from commit 4c49b1a759abe3604afc1121e83c9a942016ad6a) (cherry picked from commit 93b4d0640683ea986657453b1fce49a00c861764) (cherry picked from commit e2bc5f36d958f4349160ec145719c302d4023cd0) (cherry picked from commit 2bee76f9dfa998c83ea4fe648997fad0b6224fa9) (cherry picked from commit 3d8a1b4a9fb9dc55bbd62fd8855ea85e58dc263f) (cherry picked from commit 99dd092cd02d7af8374acf454833ce1c05fd4fd9) (cherry picked from commit 0fdbd02204d533f907cd22c83c73bf0156ec4a88) (cherry picked from commit 70b277a183c0d85966fa84e9b054f164ae2d2a44) (cherry picked from commit 3eece7fbb4e67d970d8979d0d60a58ee2a195ea5) (cherry picked from commit 4838fc9e1145a74c56926de68854234604b5e38f) (cherry picked from commit b76ed541cf4d73702a83d6b96f8618b6f8c44393) (cherry picked from commit dcdfb5b65c6fbf50798a0c49d0f879dd1285ee41) (cherry picked from commit 377dc48cdc3b1c2bcc95f86a7bf3602468ac5c39) (cherry picked from commit acc862f411c79f7832c8ba2c182af738f25f4f8b) (cherry picked from commit ac75ef101f89d58442760cec21a3f3f9199d4710) (cherry picked from commit 08f2d9f7c5b0d51358b009b0b38b626b231ec32b) (cherry picked from commit e4096f0b6441ba68719146e5a48ef44233e27a86) (cherry picked from commit bf5876f06224ac90e931f2f47b66a5b9c38b2a87) (cherry picked from commit 7dc60637e5e097b5dbc38e068ee7ba553385b496) (cherry picked from commit ef3101774ba5083e259d84db9997ff0aaddab14c) (cherry picked from commit ecb9e8867c3503387cbaf97df27d8c60a840f4a4) (cherry picked from commit 64f0ae72fec30ea443d73f8566c140682e7b9838) (cherry picked from commit 
8dd6ec786294741361f79c08b0c051d2258bda02) (cherry picked from commit b36723e52b975d2e57af363db1d9118f48feade1) Conflicts: modules/context/api.go https://codeberg.org/forgejo/forgejo/pulls/1466 (cherry picked from commit 5c378e0cb823f2bad52224859ca326afb33bfd4b) (cherry picked from commit 1d87602819be9f87bf9d06203c37160568c18e78) (cherry picked from commit 0f72002d667224a75a4924ebb5557eca8bddbe70) (cherry picked from commit da2556eb13a2c976d1630315dbee8c3bc5444a11)
---
 modules/context/api.go | 11 +++++++++--
 modules/context/api_forgejo_test.go | 23 +++++++++++++++++++++++
 routers/api/v1/api.go | 2 +-
 templates/swagger/v1_json.tmpl | 2 +-
 4 files changed, 34 insertions(+), 4 deletions(-)
 create mode 100644 modules/context/api_forgejo_test.go
diff --git a/modules/context/api.go b/modules/context/api.go
index 044ec51b56..65ceb05c27 100644
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -205,13 +205,20 @@ func (ctx *APIContext) SetLinkHeader(total, pageSize int) {
 }
 }
 
+func getOtpHeader(header http.Header) string {
+ otpHeader := header.Get("X-Gitea-OTP")
+ if forgejoHeader := header.Get("X-Forgejo-OTP"); forgejoHeader != "" {
+ otpHeader = forgejoHeader
+ }
+ return otpHeader
+}
+
 // CheckForOTP validates OTP
 func (ctx *APIContext) CheckForOTP() {
 if skip, ok := ctx.Data["SkipLocalTwoFA"]; ok && skip.(bool) {
 return // Skip 2FA
 }
 
- otpHeader := ctx.Req.Header.Get("X-Gitea-OTP")
 twofa, err := auth.GetTwoFactorByUID(ctx, ctx.Doer.ID)
 if err != nil {
 if auth.IsErrTwoFactorNotEnrolled(err) {
@@ -220,7 +227,7 @@ func (ctx *APIContext) CheckForOTP() {
 ctx.Error(http.StatusInternalServerError, "GetTwoFactorByUID", err)
 return
 }
- ok, err := twofa.ValidateTOTP(otpHeader)
+ ok, err := twofa.ValidateTOTP(getOtpHeader(ctx.Req.Header))
 if err != nil {
 ctx.Error(http.StatusInternalServerError, "ValidateTOTP", err)
 return
diff --git a/modules/context/api_forgejo_test.go b/modules/context/api_forgejo_test.go
new file mode 100644
index 0000000000..b85de55904
--- /dev/null
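Review bot: getOtpHeader in the first hunk carries no doc comment, and the precedence it encodes — a non-empty X-Forgejo-OTP wins, otherwise the X-Gitea-OTP value is used, so a present-but-empty Forgejo header still falls back to the Gitea one — is recorded only in the new test. Since the swagger annotation in routers/api/v1/api.go and templates/swagger/v1_json.tmpl now advertises only X-FORGEJO-OTP, this comment is the one place that would document that X-Gitea-OTP remains accepted as a compatibility alias; I would add `// getOtpHeader returns the one-time password from the X-Forgejo-OTP header, falling back to the legacy X-Gitea-OTP header when the Forgejo header is absent or empty.` above the func. As a point of style, the surrounding file spells the initialism in caps (CheckForOTP, ValidateTOTP), so getOTPHeader would match that convention, which would also touch the call in the second hunk and the new test. CheckForOTP's body continues outside the hunk.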
+++ b/modules/context/api_forgejo_test.go
@@ -0,0 +1,23 @@
+// SPDX-License-Identifier: MIT
+
+package context
+
+import (
+ "net/http"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestGetOtpHeader(t *testing.T) {
+ header := http.Header{}
+ assert.EqualValues(t, "", getOtpHeader(header))
+ // Gitea
+ giteaOtp := "123456"
+ header.Set("X-Gitea-OTP", giteaOtp)
+ assert.EqualValues(t, giteaOtp, getOtpHeader(header))
+ // Forgejo has precedence
+ forgejoOtp := "abcdef"
+ header.Set("X-Forgejo-OTP", forgejoOtp)
+ assert.EqualValues(t, forgejoOtp, getOtpHeader(header))
+}
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 07a0ecf64e..a3dbadb6a5 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -56,7 +56,7 @@
 // description: Sudo API request as the user provided as the key. Admin privileges are required.
 // TOTPHeader:
 // type: apiKey
-// name: X-GITEA-OTP
+// name: X-FORGEJO-OTP
 // in: header
 // description: Must be used in combination with BasicAuth if two-factor authentication is enabled.
 //
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index b4f0104ab6..c10e863baf 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -24016,7 +24016,7 @@
 "TOTPHeader": {
 "description": "Must be used in combination with BasicAuth if two-factor authentication is enabled.",
 "type": "apiKey",
- "name": "X-GITEA-OTP",
+ "name": "X-FORGEJO-OTP",
 "in": "header"
 },
 "Token": {
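Review bot: TestGetOtpHeader never exercises the fall-back branch of getOtpHeader where X-Forgejo-OTP is present but empty, which is exactly what the `forgejoHeader != ""` condition exists for; after the last assertion I would add `header.Set("X-Forgejo-OTP", "")` followed by `assert.EqualValues(t, giteaOtp, getOtpHeader(header))` so that a regression to a plain presence check is caught. As a point of style, `assert.Equal` is the usual choice when both sides are already strings, since EqualValues only adds a conversion step that is not needed here.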