peezy-tech/jojo
2
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-05-12 22:10:25 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
jojo/services/auth/method/group.go
forgejo-backport-action a1222ebb5b [v15.0/forgejo] refactor: clarify four different outputs that authentication methods provide (#12468) 
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12231

#12202 began a refactor of Forgejo's authentication implementations by providing structured data on an authentication success.  However, error cases were maintained as-is in that refactor, leaving a complex situation: what does returning an error from an authentication method mean?; does it mean that the authentication failed, or that a server error occurred?  Can another authentication still be tried?

This PR changes authentication methods so that they can return one of four things:
- `AuthenticationSuccess` with an authentication result.
- `AuthenticationNotAttempted` which indicates that no credentials relevant for this authentication method were presented.  If every method returned `AuthenticationNotAttempted`, then you would have an unauthenticated access.
- `AuthenticationAttemptedIncorrectCredential` which indicates that credentials were present and failed validation -- a situation indicating a `401 Unauthorized`.
- `AuthenticationError` which indicates that an internal server error occurred and failed authentication -- indicating a `500 Internal Server Error`.

This paves the way for one more refactor coming next: `basic.go` and `oauth2.go` perform 3-4 different authentications each (access tokens, oauth JWTs, actions tokens, actions JWTs, and username/password).  With the capability to return these more precise responses, these authentication methods can be split up into separate logic that isn't intertwined together.

Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12468
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-08 07:31:33 +02:00

66 lines
1.7 KiB
Go
Raw Blame History

// Copyright 2021 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package method
import (
"errors"
"fmt"
"net/http"
"forgejo.org/services/auth"
)
// Ensure the struct implements the interface.
var (
_ auth.Method = &Group{}
)
// Group implements the Auth interface with serval Auth.
type Group struct {
methods []auth.Method
}
// NewGroup creates a new auth group
func NewGroup(methods ...auth.Method) *Group {
return &Group{
methods: methods,
}
}
// Add adds a new method to group
func (b *Group) Add(method auth.Method) {
b.methods = append(b.methods, method)
}
func (b *Group) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) auth.MethodOutput {
var incorrectCredentials []error
for _, m := range b.methods {
output := m.Verify(req, w, sess)
switch v := output.(type) {
case *auth.AuthenticationSuccess, *auth.AuthenticationError:
return v
case *auth.AuthenticationNotAttempted:
// Move on to the next supported authentication method.
continue
case *auth.AuthenticationAttemptedIncorrectCredential:
// Move on to the next supported authentication method, but keep a record of this error. If none of the
// other methods are able to authenticate the user, we'll report this as an incorrect credential (401) case.
incorrectCredentials = append(incorrectCredentials, v.Error)
continue
default:
return &auth.AuthenticationError{Error: fmt.Errorf("unexpected result from Method.Verify on method %v: %v", m, v)}
}
}
if len(incorrectCredentials) != 0 {
return &auth.AuthenticationAttemptedIncorrectCredential{Error: errors.Join(incorrectCredentials...)}
}
return &auth.AuthenticationNotAttempted{}
}
Reference in a new issue View git blame Copy permalink