Skip to content

Commit

Permalink
Allow Token API calls be authorized using the reverse-proxy header (#…
Browse files Browse the repository at this point in the history 
…15119)

* API calls authorized with HTTP header

This mod allows API calls to be authorized with HTTP header
when ENABLE_REVERSE_PROXY_AUTHENTICATION is enabled. Without
it user authenticated by reverse proxy is able to access
gitea UI but not API which is inconsistent.

Author-Change-Id: IB#1107572

* Fixed API calls authorized with HTTP header

Only reqBasicAuth is modified to allow reverse proxy
auth as alternative and reqToken is left untouched.

Fixes: dc952c0
Author-Change-Id: IB#1107572

* Reverse proxy API auth separated in docs

Related: #15119 (comment)
Author-Change-Id: IB#1107572

* Reverse proxy API auth separated in docs

Related: #15119 (comment)
Author-Change-Id: IB#1107572

* Reverse proxy API auth separated

Related: #15119 (comment)
Author-Change-Id: IB#1107572

* ReverseProxyAuth removed from swagger

ReverseProxyAuth removed from swagger as in upstream's suggestion.

Related: #15119 (review)
Author-Change-Id: IB#1107572

* ReverseProxyAuth API authorization fixed

Related: #15119 (comment)
Author-Change-Id: IB#1107572

* ReverseProxyAuth API authorization fixed

Related: #15119 (comment)
Author-Change-Id: IB#1107572
  • Loading branch information
@pboguslawski
pboguslawski committed Nov 19, 2021
1 parent fc3d082 commit d4e281b
Showing 1 changed file with 6 additions and 3 deletions.
9 changes: 6 additions & 3 deletions routers/api/v1/api.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -215,10 +215,13 @@ func reqExploreSignIn() func(ctx *context.APIContext) {
}
}

func reqBasicAuth() func(ctx *context.APIContext) {
func reqBasicOrRevProxyAuth() func(ctx *context.APIContext) {
return func(ctx *context.APIContext) {
if ctx.IsSigned && setting.Service.EnableReverseProxyAuth && ctx.Data["AuthedMethod"].(string) == new(auth.ReverseProxy).Name() {
return
}
if !ctx.Context.IsBasicAuth {
ctx.Error(http.StatusUnauthorized, "reqBasicAuth", "basic auth required")
ctx.Error(http.StatusUnauthorized, "reqBasicOrRevProxyAuth", "auth required")
return
}
ctx.CheckForOTP()
Expand Down Expand Up @@ -630,7 +633,7 @@ func Routes(sessioner func(http.Handler) http.Handler) *web.Route {
m.Combo("").Get(user.ListAccessTokens).
Post(bind(api.CreateAccessTokenOption{}), user.CreateAccessToken)
m.Combo("/{id}").Delete(user.DeleteAccessToken)
}, reqBasicAuth())
}, reqBasicOrRevProxyAuth())
})
})

Expand Down

0 comments on commit d4e281b

Please sign in to comment.