2024-07-17 15:54:57 +02:00
|
|
|
// Copyright 2024 The Forgejo Authors. All rights reserved.
|
|
|
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
|
|
refactor: change authentication to return structured data (#12202)
Currently authentication methods return information in two forms: they return who was authenticated as a `*user_model.User`, and then they insert key-values into `ctx.Data` which has critical impact on how the authenticated request is treated. This PR changes the authentication methods to return structured data in the form of an `AuthenticationResult`, with all the key-value information in `ctx.Data` being moved into methods on the `AuthenticationResult` interface.
Authentication workflows in Forgejo are a real mess. This is the first step in trying to clean it up and make the code predictable and reasonable, and is both follow-up work that was identified from the repo-specific access tokens (where the `"ApiTokenReducer"` key-value was added), and is pre-requisite work to future JWT enhancements that are [being discussed](https://codeberg.org/forgejo/forgejo/issues/3571#issuecomment-13268004).
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests for Go changes
- I added test coverage for Go changes...
- [ ] in their respective `*_test.go` for unit tests.
- [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- All changes, at least in theory, are refactors of existing logic and are not expected to have functional deviations -- existing regression tests are the only planned testing.
- I ran...
- [x] `make pr-go` before pushing
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12202
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
2026-04-22 21:00:26 +02:00
|
|
|
package method
|
2024-07-17 15:54:57 +02:00
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"net/http"
|
|
|
|
|
"testing"
|
|
|
|
|
|
2025-03-27 19:40:14 +00:00
|
|
|
"forgejo.org/models/db"
|
|
|
|
|
"forgejo.org/models/unittest"
|
|
|
|
|
user_model "forgejo.org/models/user"
|
|
|
|
|
"forgejo.org/modules/setting"
|
|
|
|
|
"forgejo.org/modules/test"
|
2024-07-17 15:54:57 +02:00
|
|
|
|
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func TestReverseProxyAuth(t *testing.T) {
|
|
|
|
|
defer test.MockVariableValue(&setting.Service.EnableReverseProxyEmail, true)()
|
|
|
|
|
defer test.MockVariableValue(&setting.Service.EnableReverseProxyFullName, true)()
|
|
|
|
|
defer test.MockVariableValue(&setting.Service.EnableReverseProxyFullName, true)()
|
|
|
|
|
require.NoError(t, unittest.PrepareTestDatabase())
|
|
|
|
|
|
2025-10-15 20:26:41 +02:00
|
|
|
require.NoError(t, db.TruncateBeansCascade(db.DefaultContext, &user_model.User{}))
|
2024-07-17 15:54:57 +02:00
|
|
|
require.EqualValues(t, 0, user_model.CountUsers(db.DefaultContext, nil))
|
|
|
|
|
|
|
|
|
|
t.Run("First user should be admin", func(t *testing.T) {
|
|
|
|
|
req, err := http.NewRequest("GET", "/", nil)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
req.Header.Add(setting.ReverseProxyAuthUser, "Edgar")
|
|
|
|
|
req.Header.Add(setting.ReverseProxyAuthFullName, "Edgar Allan Poe")
|
|
|
|
|
req.Header.Add(setting.ReverseProxyAuthEmail, "edgar@example.org")
|
|
|
|
|
|
|
|
|
|
rp := &ReverseProxy{}
|
|
|
|
|
user := rp.newUser(req)
|
|
|
|
|
|
|
|
|
|
require.EqualValues(t, 1, user_model.CountUsers(db.DefaultContext, nil))
|
|
|
|
|
unittest.AssertExistsAndLoadBean(t, &user_model.User{Email: "edgar@example.org", Name: "Edgar", LowerName: "edgar", FullName: "Edgar Allan Poe", IsAdmin: true})
|
2025-03-28 22:22:21 +00:00
|
|
|
require.Equal(t, "edgar@example.org", user.Email)
|
|
|
|
|
require.Equal(t, "Edgar", user.Name)
|
|
|
|
|
require.Equal(t, "edgar", user.LowerName)
|
|
|
|
|
require.Equal(t, "Edgar Allan Poe", user.FullName)
|
2024-07-17 15:54:57 +02:00
|
|
|
require.True(t, user.IsAdmin)
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
t.Run("Second user shouldn't be admin", func(t *testing.T) {
|
|
|
|
|
req, err := http.NewRequest("GET", "/", nil)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
req.Header.Add(setting.ReverseProxyAuthUser, " Gusted ")
|
|
|
|
|
req.Header.Add(setting.ReverseProxyAuthFullName, "❤‿❤")
|
|
|
|
|
req.Header.Add(setting.ReverseProxyAuthEmail, "gusted@example.org")
|
|
|
|
|
|
|
|
|
|
rp := &ReverseProxy{}
|
|
|
|
|
user := rp.newUser(req)
|
|
|
|
|
|
|
|
|
|
require.EqualValues(t, 2, user_model.CountUsers(db.DefaultContext, nil))
|
|
|
|
|
unittest.AssertExistsAndLoadBean(t, &user_model.User{Email: "gusted@example.org", Name: "Gusted", LowerName: "gusted", FullName: "❤‿❤"}, "is_admin = false")
|
2025-03-28 22:22:21 +00:00
|
|
|
require.Equal(t, "gusted@example.org", user.Email)
|
|
|
|
|
require.Equal(t, "Gusted", user.Name)
|
|
|
|
|
require.Equal(t, "gusted", user.LowerName)
|
|
|
|
|
require.Equal(t, "❤‿❤", user.FullName)
|
2024-07-17 15:54:57 +02:00
|
|
|
require.False(t, user.IsAdmin)
|
|
|
|
|
})
|
|
|
|
|
}
|