peezy-tech/jojo
2
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-05-14 06:50:25 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10
jojo/services/auth/method/group.go
Mathieu Fenniak 9f7533c1f1 refactor: clarify four different outputs that authentication methods provide (#12231) 
#12202 began a refactor of Forgejo's authentication implementations by providing structured data on an authentication success.  However, error cases were maintained as-is in that refactor, leaving a complex situation: what does returning an error from an authentication method mean?; does it mean that the authentication failed, or that a server error occurred?  Can another authentication still be tried?

This PR changes authentication methods so that they can return one of four things:
- `AuthenticationSuccess` with an authentication result.
- `AuthenticationNotAttempted` which indicates that no credentials relevant for this authentication method were presented.  If every method returned `AuthenticationNotAttempted`, then you would have an unauthenticated access.
- `AuthenticationAttemptedIncorrectCredential` which indicates that credentials were present and failed validation -- a situation indicating a `401 Unauthorized`.
- `AuthenticationError` which indicates that an internal server error occurred and failed authentication -- indicating a `500 Internal Server Error`.

This paves the way for one more refactor coming next: `basic.go` and `oauth2.go` perform 3-4 different authentications each (access tokens, oauth JWTs, actions tokens, actions JWTs, and username/password).  With the capability to return these more precise responses, these authentication methods can be split up into separate logic that isn't intertwined together.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
  - Relying on existing test suite, with changes for any compile errors -- the next refactor will simplify the auth methods so that they can be unit tested easily.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12231
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-04-23 02:30:41 +02:00

66 lines
1.7 KiB
Go
Raw Permalink Blame History

// Copyright 2021 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package method
import (
"errors"
"fmt"
"net/http"
"forgejo.org/services/auth"
)
// Ensure the struct implements the interface.
var (
_ auth.Method = &Group{}
)
// Group implements the Auth interface with serval Auth.
type Group struct {
methods []auth.Method
}
// NewGroup creates a new auth group
func NewGroup(methods ...auth.Method) *Group {
return &Group{
methods: methods,
}
}
// Add adds a new method to group
func (b *Group) Add(method auth.Method) {
b.methods = append(b.methods, method)
}
func (b *Group) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) auth.MethodOutput {
var incorrectCredentials []error
for _, m := range b.methods {
output := m.Verify(req, w, sess)
switch v := output.(type) {
case *auth.AuthenticationSuccess, *auth.AuthenticationError:
return v
case *auth.AuthenticationNotAttempted:
// Move on to the next supported authentication method.
continue
case *auth.AuthenticationAttemptedIncorrectCredential:
// Move on to the next supported authentication method, but keep a record of this error. If none of the
// other methods are able to authenticate the user, we'll report this as an incorrect credential (401) case.
incorrectCredentials = append(incorrectCredentials, v.Error)
continue
default:
return &auth.AuthenticationError{Error: fmt.Errorf("unexpected result from Method.Verify on method %v: %v", m, v)}
}
}
if len(incorrectCredentials) != 0 {
return &auth.AuthenticationAttemptedIncorrectCredential{Error: errors.Join(incorrectCredentials...)}
}
return &auth.AuthenticationNotAttempted{}
}
Reference in a new issue View git blame Copy permalink