diff --git a/modules/context/api.go b/modules/context/api.go index f7a3384691..d511a3ba2d 100644 --- a/modules/context/api.go +++ b/modules/context/api.go @@ -188,13 +188,20 @@ func (ctx *APIContext) SetLinkHeader(total, pageSize int) { } } +func getOtpHeader(header http.Header) string { + otpHeader := header.Get("X-Gitea-OTP") + if forgejoHeader := header.Get("X-Forgejo-OTP"); forgejoHeader != "" { + otpHeader = forgejoHeader + } + return otpHeader +} + // CheckForOTP validates OTP func (ctx *APIContext) CheckForOTP() { if skip, ok := ctx.Data["SkipLocalTwoFA"]; ok && skip.(bool) { return // Skip 2FA } - otpHeader := ctx.Req.Header.Get("X-Gitea-OTP") twofa, err := auth.GetTwoFactorByUID(ctx.Context.Doer.ID) if err != nil { if auth.IsErrTwoFactorNotEnrolled(err) { @@ -203,7 +210,7 @@ func (ctx *APIContext) CheckForOTP() { ctx.Context.Error(http.StatusInternalServerError) return } - ok, err := twofa.ValidateTOTP(otpHeader) + ok, err := twofa.ValidateTOTP(getOtpHeader(ctx.Req.Header)) if err != nil { ctx.Context.Error(http.StatusInternalServerError) return diff --git a/modules/context/api_forgejo_test.go b/modules/context/api_forgejo_test.go new file mode 100644 index 0000000000..b85de55904 --- /dev/null +++ b/modules/context/api_forgejo_test.go @@ -0,0 +1,23 @@ +// SPDX-License-Identifier: MIT + +package context + +import ( + "net/http" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestGetOtpHeader(t *testing.T) { + header := http.Header{} + assert.EqualValues(t, "", getOtpHeader(header)) + // Gitea + giteaOtp := "123456" + header.Set("X-Gitea-OTP", giteaOtp) + assert.EqualValues(t, giteaOtp, getOtpHeader(header)) + // Forgejo has precedence + forgejoOtp := "abcdef" + header.Set("X-Forgejo-OTP", forgejoOtp) + assert.EqualValues(t, forgejoOtp, getOtpHeader(header)) +} diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go index a8ad218b57..328283141c 100644 --- a/routers/api/v1/api.go +++ b/routers/api/v1/api.go @@ -56,7 +56,7 @@ // description: Sudo API request as the user provided as the key. Admin privileges are required. // TOTPHeader: // type: apiKey -// name: X-GITEA-OTP +// name: X-FORGEJO-OTP // in: header // description: Must be used in combination with BasicAuth if two-factor authentication is enabled. // diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl index 83ef11dfdd..46075f19ac 100644 --- a/templates/swagger/v1_json.tmpl +++ b/templates/swagger/v1_json.tmpl @@ -21352,7 +21352,7 @@ "TOTPHeader": { "description": "Must be used in combination with BasicAuth if two-factor authentication is enabled.", "type": "apiKey", - "name": "X-GITEA-OTP", + "name": "X-FORGEJO-OTP", "in": "header" }, "Token": {