peezy-tech/jojo
2
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-05-12 22:10:25 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
jojo/services/auth/interface.go
Mathieu Fenniak 1ddd5faa5c refactor: change authentication to return structured data (#12202) 
Currently authentication methods return information in two forms: they return who was authenticated as a `*user_model.User`, and then they insert key-values into `ctx.Data` which has critical impact on how the authenticated request is treated.  This PR changes the authentication methods to return structured data in the form of an `AuthenticationResult`, with all the key-value information in `ctx.Data` being moved into methods on the `AuthenticationResult` interface.

Authentication workflows in Forgejo are a real mess.  This is the first step in trying to clean it up and make the code predictable and reasonable, and is both follow-up work that was identified from the repo-specific access tokens (where the `"ApiTokenReducer"` key-value was added), and is pre-requisite work to future JWT enhancements that are [being discussed](https://codeberg.org/forgejo/forgejo/issues/3571#issuecomment-13268004).

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
  - All changes, at least in theory, are refactors of existing logic and are not expected to have functional deviations -- existing regression tests are the only planned testing.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12202
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
2026-04-22 21:00:26 +02:00

105 lines
3.4 KiB
Go
Raw Blame History

// Copyright 2019 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package auth
import (
"context"
"net/http"
auth_model "forgejo.org/models/auth"
user_model "forgejo.org/models/user"
"forgejo.org/modules/optional"
"forgejo.org/modules/session"
"forgejo.org/modules/web/middleware"
"forgejo.org/services/authz"
)
// DataStore represents a data store
type DataStore middleware.ContextDataStore
// SessionStore represents a session store
type SessionStore session.Store
// Method represents an authentication method (plugin) for HTTP requests.
type Method interface {
// Verify tries to verify the authentication data contained in the request. If verification is successful returns an
// AuthenticationResult implementation with details about the authentication, or, may return an
// AnonymousAuthentication if the authentication method doesn't indicate that the request is authenticated. An error
// is only returned if a failure occurred while checking authentication.
Verify(http *http.Request, w http.ResponseWriter, sess SessionStore) (AuthenticationResult, error)
}
// PasswordAuthenticator represents a source of authentication
type PasswordAuthenticator interface {
Authenticate(ctx context.Context, user *user_model.User, login, password string) (*user_model.User, error)
}
// LocalTwoFASkipper represents a source of authentication that can skip local 2fa
type LocalTwoFASkipper interface {
IsSkipLocalTwoFA() bool
}
// SynchronizableSource represents a source that can synchronize users
type SynchronizableSource interface {
Sync(ctx context.Context, updateExisting bool) error
}
type AuthenticationResult interface {
// May return `nil` to represent an anonymous, unauthenticated user.
User() *user_model.User
// Optional permission scope indicated by the authentication method
Scope() optional.Option[auth_model.AccessTokenScope]
// Optional authorization reducer indicated by the authentication method
Reducer() authz.AuthorizationReducer
// Identifies if the authentication involved the user's password. If so, and the user has 2FA enabled, some
// restrictions may be applied.
IsPasswordAuthentication() bool
// Identifies if the authentication was performed by a reverse proxy.
IsReverseProxyAuthentication() bool
// Identifies specifically that the OAuth2 JWT authentication method was used. If so, some related OAuth2 API
// endpoints may be accessible that otherwise wouldn't be.
IsOAuth2JWTAuthentication() bool
// If authenticated as an Actions task (using ${{ forgejo.token }}), then indicates the specific task that performed
// the authentication.
ActionsTaskID() optional.Option[int64]
}
type BaseAuthenticationResult struct{}
func (*BaseAuthenticationResult) IsOAuth2JWTAuthentication() bool {
return false
}
func (*BaseAuthenticationResult) IsPasswordAuthentication() bool {
return false
}
func (*BaseAuthenticationResult) IsReverseProxyAuthentication() bool {
return false
}
func (*BaseAuthenticationResult) ActionsTaskID() optional.Option[int64] {
return optional.None[int64]()
}
func (*BaseAuthenticationResult) Reducer() authz.AuthorizationReducer {
return nil
}
func (*BaseAuthenticationResult) Scope() optional.Option[auth_model.AccessTokenScope] {
return optional.None[auth_model.AccessTokenScope]()
}
type UnauthenticatedResult struct {
*BaseAuthenticationResult
}
func (*UnauthenticatedResult) User() *user_model.User {
return nil
}
Reference in a new issue View git blame Copy permalink