peezy-tech/jojo
2
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-05-12 22:10:25 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix: extend basic auth to /v2, always include WWW-Authenticate header (#11393)

Browse source 
Forgejo's OCI container registry did not enable basic authentication for the top-level endpoint `/v2`. Furthermore, it did not include the `WWW-Authenticate` header when returning the status code 401 as mandated by [RFC 7235](https://datatracker.ietf.org/doc/html/rfc7235#section-3.1), "Hypertext Transfer Protocol (HTTP/1.1): Authentication", section 3.1. Those deficiencies made it impossible for Apple's [container](https://github.com/apple/container) to log into Forgejo OCI container registry. This has been rectified.

The problem did not occur with most other tools because they do not include credentials when sending the initial request to `/v2`. Forgejo's reply then included `WWW-Authenticate` as expected.

Enabling basic authentication for `/v2` has the side effect that Apple's container uses username and password for all successive requests and not the bearer token. If that is a problem, it's up to Apple to change container's behaviour.

If invalid credentials are passed to `container registry login`, then container enters an infinite loop. The same happens with quay.io, but not ghcr.io (returns 403) or docker.io (returns 401 but _without_ `WWW-Authenticate`). As this is invalid behaviour on container's side, it's up to Apple to change container. Docker and Podman handle it correctly.

Login and pushing have been tested manually with Docker 29.1.3, Podman 5.7.1, and Apple's container 0.9.0.

Resolves https://codeberg.org/forgejo/forgejo/issues/11297.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [ ] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11393
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Co-committed-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
This commit is contained in:
Andreas Ahlenstorf 2026-03-07 03:19:49 +01:00 committed by Mathieu Fenniak
parent 851356577c
commit 3e849b4b50
6 changed files with 104 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

1
routers/api/packages/api.go
View file

@ -118,6 +118,7 @@ func verifyAuth(r *web.Route, authMethods []auth.Method) {
ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
if err != nil {
log.Info("Failed to verify user: %v", err)
container.APIUnauthorizedError(ctx)
ctx.Error(http.StatusUnauthorized, "authGroup.Verify")
return
}

9
routers/api/packages/container/container.go
View file

@ -115,15 +115,16 @@ func apiErrorDefined(ctx *context.Context, err *container_service.NamedError) {
})
}
func apiUnauthorizedError(ctx *context.Context) {
ctx.Resp.Header().Add("WWW-Authenticate", `Bearer realm="`+setting.AppURL+`v2/token",service="container_registry",scope="*"`)
func APIUnauthorizedError(ctx *context.Context) {
ctx.Resp.Header().Set("WWW-Authenticate", `Bearer realm="`+setting.AppURL+`v2/token",service="container_registry",scope="*",`+
`Basic realm="`+setting.AppURL+`v2",service="container_registry",scope="*"`)
apiErrorDefined(ctx, container_service.ErrUnauthorized)
}
// ReqContainerAccess is a middleware which checks the current user valid (real user or ghost if anonymous access is enabled)
func ReqContainerAccess(ctx *context.Context) {
if ctx.Doer == nil || (setting.Service.RequireSignInView && ctx.Doer.IsGhost()) {
apiUnauthorizedError(ctx)
APIUnauthorizedError(ctx)
}
}
@ -148,7 +149,7 @@ func Authenticate(ctx *context.Context) {
u := ctx.Doer
if u == nil {
if setting.Service.RequireSignInView {
apiUnauthorizedError(ctx)
APIUnauthorizedError(ctx)
return
}

4
services/auth/auth.go
View file

@ -33,7 +33,9 @@ func isAttachmentDownload(req *http.Request) bool {
// isContainerPath checks if the request targets the container endpoint
func isContainerPath(req *http.Request) bool {
return strings.HasPrefix(req.URL.Path, "/v2/")
// Go's URL omits trailing slashes from `Path`. That means that `/v2/`, the top-level endpoint, appears as `/v2`.
// strings.HasPrefix(req.URL.Path, "/v2") would be inappropriate because it would match paths like `/v2-abcd`, too.
return req.URL.Path == "/v2" || strings.HasPrefix(req.URL.Path, "/v2/")
}
var (

64
services/auth/auth_test.go
View file

@ -6,9 +6,13 @@ package auth
import (
"net/http"
"net/url"
"testing"
"forgejo.org/modules/setting"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func Test_isGitRawOrLFSPath(t *testing.T) {
@ -132,3 +136,63 @@ func Test_isGitRawOrLFSPath(t *testing.T) {
}
setting.LFS.StartServer = origLFSStartServer
}
func TestAuth_isContainerPath(t *testing.T) {
testCases := []struct {
name string
input string
isContainerPath bool
}{
{
name: "without trailing slash",
input: "https://example.com/v2",
isContainerPath: true,
},
{
name: "with trailing slash",
input: "https://example.com/v2/",
isContainerPath: true,
},
{
name: "with additional path components",
input: "https://example.com/v2/example/blobs/uploads/",
isContainerPath: true,
},
{
name: "without v2",
input: "https://example.com/",
isContainerPath: false,
},
{
name: "v2 not at the beginning",
input: "https://example.com/something/v2/",
isContainerPath: false,
},
{
name: "v2 with prefix",
input: "https://example.com/abcd-v2/",
isContainerPath: false,
},
{
name: "v2 with suffix",
input: "https://example.com/v2-abcd/",
isContainerPath: false,
},
{
name: "v1",
input: "https://example.com/v1/",
isContainerPath: false,
},
}
for _, testCase := range testCases {
t.Run(testCase.name, func(t *testing.T) {
inputURL, err := url.Parse(testCase.input)
require.NoError(t, err)
request := http.Request{URL: inputURL}
assert.Equal(t, testCase.isContainerPath, isContainerPath(&request))
})
}
}

3
tests/integration/api_packages_container_cleanup_sha256_test.go
View file

@ -63,7 +63,8 @@ func TestPackageContainerCleanupSHA256(t *testing.T) {
Token string `json:"token"`
}
authenticate := []string{`Bearer realm="` + setting.AppURL + `v2/token",service="container_registry",scope="*"`}
authenticate := []string{`Bearer realm="` + setting.AppURL + `v2/token",service="container_registry",scope="*",` +
`Basic realm="` + setting.AppURL + `v2",service="container_registry",scope="*"`}
t.Run("User", func(t *testing.T) {
req := NewRequest(t, "GET", fmt.Sprintf("%sv2", setting.AppURL))

30
tests/integration/api_packages_container_test.go
View file

@ -91,7 +91,8 @@ func TestPackageContainer(t *testing.T) {
Token string `json:"token"`
}
authenticate := []string{`Bearer realm="` + setting.AppURL + `v2/token",service="container_registry",scope="*"`}
authenticate := []string{`Bearer realm="` + setting.AppURL + `v2/token",service="container_registry",scope="*",` +
`Basic realm="` + setting.AppURL + `v2",service="container_registry",scope="*"`}
t.Run("Anonymous", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
@ -171,6 +172,33 @@ func TestPackageContainer(t *testing.T) {
MakeRequest(t, req, http.StatusOK)
})
})
t.Run("No token issued if credentials are invalid", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
req := NewRequest(t, "GET", fmt.Sprintf("%sv2/token", setting.AppURL))
// Setting the header explicitly instead of using AddBasicAuth to supply an invalid password.
req.Request.Header.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("user2:very-invalid")))
resp := MakeRequest(t, req, http.StatusUnauthorized)
assert.Equal(t, authenticate, resp.Header().Values("WWW-Authenticate"))
})
t.Run("Basic authentication", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
req := NewRequest(t, "GET", fmt.Sprintf("%sv2", setting.AppURL))
req.AddBasicAuth("does-not-exist")
resp := MakeRequest(t, req, http.StatusUnauthorized)
assert.Equal(t, authenticate, resp.Header().Values("WWW-Authenticate"))
req = NewRequest(t, "GET", fmt.Sprintf("%sv2", setting.AppURL))
req.AddBasicAuth(user.Name)
resp = MakeRequest(t, req, http.StatusOK)
assert.Empty(t, resp.Header().Get("WWW-Authenticate"))
})
})
t.Run("DetermineSupport", func(t *testing.T) {