[BRANDING] X-Forgejo-OTP can be used instead of X-Gitea-OTP

(cherry picked from commit 7b0549cd70) (cherry picked from commit 13e10a65d9) (cherry picked from commit 89982e6c4a) (cherry picked from commit a4acf6343d) (cherry picked from commit 9886aec9f8) (cherry picked from commit 1ee9bd7549) (cherry picked from commit f343cf5597)
2026-05-18 16:56:35 +00:00 · 2023-02-24 14:24:29 +01:00 · 2023-02-24 14:24:29 +01:00 · eaca81faf4
commit eaca81faf4
parent 0545142833
4 changed files with 34 additions and 4 deletions
--- a/modules/context/api.go
+++ b/modules/context/api.go
@ -188,13 +188,20 @@ func (ctx *APIContext) SetLinkHeader(total, pageSize int) {
 	}
 }

+func getOtpHeader(header http.Header) string {
+	otpHeader := header.Get("X-Gitea-OTP")
+	if forgejoHeader := header.Get("X-Forgejo-OTP"); forgejoHeader != "" {
+		otpHeader = forgejoHeader
+	}
+	return otpHeader
+}
+
 // CheckForOTP validates OTP
 func (ctx *APIContext) CheckForOTP() {
 	if skip, ok := ctx.Data["SkipLocalTwoFA"]; ok && skip.(bool) {
 		return // Skip 2FA
 	}

-	otpHeader := ctx.Req.Header.Get("X-Gitea-OTP")
 	twofa, err := auth.GetTwoFactorByUID(ctx.Context.Doer.ID)
 	if err != nil {
 		if auth.IsErrTwoFactorNotEnrolled(err) {
@ -203,7 +210,7 @@ func (ctx *APIContext) CheckForOTP() {
 		ctx.Context.Error(http.StatusInternalServerError)
 		return
 	}
-	ok, err := twofa.ValidateTOTP(otpHeader)
+	ok, err := twofa.ValidateTOTP(getOtpHeader(ctx.Req.Header))
 	if err != nil {
 		ctx.Context.Error(http.StatusInternalServerError)
 		return
--- a/modules/context/api_forgejo_test.go
+++ b/modules/context/api_forgejo_test.go
@ -0,0 +1,23 @@
+// SPDX-License-Identifier: MIT
+
+package context
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetOtpHeader(t *testing.T) {
+	header := http.Header{}
+	assert.EqualValues(t, "", getOtpHeader(header))
+	// Gitea
+	giteaOtp := "123456"
+	header.Set("X-Gitea-OTP", giteaOtp)
+	assert.EqualValues(t, giteaOtp, getOtpHeader(header))
+	// Forgejo has precedence
+	forgejoOtp := "abcdef"
+	header.Set("X-Forgejo-OTP", forgejoOtp)
+	assert.EqualValues(t, forgejoOtp, getOtpHeader(header))
+}
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@ -56,7 +56,7 @@
 //	     description: Sudo API request as the user provided as the key. Admin privileges are required.
 //	TOTPHeader:
 //	     type: apiKey
-//	     name: X-GITEA-OTP
+//	     name: X-FORGEJO-OTP
 //	     in: header
 //	     description: Must be used in combination with BasicAuth if two-factor authentication is enabled.
 //
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@ -21018,7 +21018,7 @@
    "TOTPHeader": {
      "description": "Must be used in combination with BasicAuth if two-factor authentication is enabled.",
      "type": "apiKey",
-      "name": "X-GITEA-OTP",
+      "name": "X-FORGEJO-OTP",
      "in": "header"
    },
    "Token": {