peezy-tech/jojo
2
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-05-12 22:10:25 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
jojo/routers/api/packages/container/auth.go
forgejo-backport-action a1222ebb5b [v15.0/forgejo] refactor: clarify four different outputs that authentication methods provide (#12468) 
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12231

#12202 began a refactor of Forgejo's authentication implementations by providing structured data on an authentication success.  However, error cases were maintained as-is in that refactor, leaving a complex situation: what does returning an error from an authentication method mean?; does it mean that the authentication failed, or that a server error occurred?  Can another authentication still be tried?

This PR changes authentication methods so that they can return one of four things:
- `AuthenticationSuccess` with an authentication result.
- `AuthenticationNotAttempted` which indicates that no credentials relevant for this authentication method were presented.  If every method returned `AuthenticationNotAttempted`, then you would have an unauthenticated access.
- `AuthenticationAttemptedIncorrectCredential` which indicates that credentials were present and failed validation -- a situation indicating a `401 Unauthorized`.
- `AuthenticationError` which indicates that an internal server error occurred and failed authentication -- indicating a `500 Internal Server Error`.

This paves the way for one more refactor coming next: `basic.go` and `oauth2.go` perform 3-4 different authentications each (access tokens, oauth JWTs, actions tokens, actions JWTs, and username/password).  With the capability to return these more precise responses, these authentication methods can be split up into separate logic that isn't intertwined together.

Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12468
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-08 07:31:33 +02:00

71 lines
2.1 KiB
Go
Raw Blame History

// Copyright 2022 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package container
import (
"fmt"
"net/http"
auth_model "forgejo.org/models/auth"
user_model "forgejo.org/models/user"
"forgejo.org/modules/log"
"forgejo.org/modules/optional"
"forgejo.org/services/auth"
"forgejo.org/services/packages"
)
var (
_ auth.Method = &Auth{}
_ auth.AuthenticationResult = &containerAuthenticationResult{}
)
type containerAuthenticationResult struct {
*auth.BaseAuthenticationResult
user *user_model.User
scope optional.Option[auth_model.AccessTokenScope]
}
func (r *containerAuthenticationResult) Scope() optional.Option[auth_model.AccessTokenScope] {
return r.scope
}
func (r *containerAuthenticationResult) User() *user_model.User {
return r.user
}
type Auth struct{}
func (a *Auth) Name() string {
return "container"
}
// Verify extracts the user from the Bearer token
// If it's an anonymous session a ghost user is returned
func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) auth.MethodOutput {
uid, scope, err := packages.ParseAuthorizationToken(req)
if err != nil {
log.Trace("ParseAuthorizationToken: %v", err)
// Errors from ParseAuthorizationToken are almost all from malformed incoming input, which we'll consider an
// auth failure:
// - `Authorization` header was present for all cases, so it's not `AuthenticationNotAttempted`
// - it's not `AuthenticationError` because malformed headers would cause errors, and this is intended for
// server errors which should cause 500s
return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
} else if uid == 0 {
return &auth.AuthenticationNotAttempted{}
}
// Propagate scope of the authorization token.
authScope := optional.None[auth_model.AccessTokenScope]()
if scope != "" {
authScope = optional.Some(scope)
}
u, err := user_model.GetPossibleUserByID(req.Context(), uid)
if err != nil {
return &auth.AuthenticationError{Error: fmt.Errorf("container auth GetPossibleUserByID: %w", err)}
}
return &auth.AuthenticationSuccess{Result: &containerAuthenticationResult{user: u, scope: authScope}}
}
Reference in a new issue View git blame Copy permalink