peezy-tech/jojo
2
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-05-12 22:10:25 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
jojo/services/auth/method/oauth2.go
forgejo-backport-action a1222ebb5b [v15.0/forgejo] refactor: clarify four different outputs that authentication methods provide (#12468) 
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12231

#12202 began a refactor of Forgejo's authentication implementations by providing structured data on an authentication success.  However, error cases were maintained as-is in that refactor, leaving a complex situation: what does returning an error from an authentication method mean?; does it mean that the authentication failed, or that a server error occurred?  Can another authentication still be tried?

This PR changes authentication methods so that they can return one of four things:
- `AuthenticationSuccess` with an authentication result.
- `AuthenticationNotAttempted` which indicates that no credentials relevant for this authentication method were presented.  If every method returned `AuthenticationNotAttempted`, then you would have an unauthenticated access.
- `AuthenticationAttemptedIncorrectCredential` which indicates that credentials were present and failed validation -- a situation indicating a `401 Unauthorized`.
- `AuthenticationError` which indicates that an internal server error occurred and failed authentication -- indicating a `500 Internal Server Error`.

This paves the way for one more refactor coming next: `basic.go` and `oauth2.go` perform 3-4 different authentications each (access tokens, oauth JWTs, actions tokens, actions JWTs, and username/password).  With the capability to return these more precise responses, these authentication methods can be split up into separate logic that isn't intertwined together.

Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12468
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-08 07:31:33 +02:00

243 lines
7.9 KiB
Go
Raw Blame History

// Copyright 2014 The Gogs Authors. All rights reserved.
// Copyright 2019 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package method
import (
"context"
"fmt"
"net/http"
"slices"
"strings"
"time"
actions_model "forgejo.org/models/actions"
auth_model "forgejo.org/models/auth"
user_model "forgejo.org/models/user"
"forgejo.org/modules/log"
"forgejo.org/modules/optional"
"forgejo.org/modules/setting"
"forgejo.org/modules/util"
"forgejo.org/modules/web/middleware"
"forgejo.org/services/actions"
"forgejo.org/services/auth"
"forgejo.org/services/auth/source/oauth2"
"forgejo.org/services/authz"
)
// Ensure the struct implements the interface.
var (
_ auth.Method = &OAuth2{}
)
// grantAdditionalScopes returns valid scopes coming from grant
func grantAdditionalScopes(grantScopes string) string {
// scopes_supported from templates/user/auth/oidc_wellknown.tmpl
scopesSupported := []string{
"openid",
"profile",
"email",
"groups",
}
var apiTokenScopes []string
for apiTokenScope := range strings.SplitSeq(grantScopes, " ") {
if slices.Index(scopesSupported, apiTokenScope) == -1 {
apiTokenScopes = append(apiTokenScopes, apiTokenScope)
}
}
if len(apiTokenScopes) == 0 {
return ""
}
var additionalGrantScopes []string
allScopes := auth_model.AccessTokenScope("all")
for _, apiTokenScope := range apiTokenScopes {
grantScope := auth_model.AccessTokenScope(apiTokenScope)
if ok, _ := allScopes.HasScope(grantScope); ok {
additionalGrantScopes = append(additionalGrantScopes, apiTokenScope)
} else if apiTokenScope == "public-only" {
additionalGrantScopes = append(additionalGrantScopes, apiTokenScope)
}
}
if len(additionalGrantScopes) > 0 {
return strings.Join(additionalGrantScopes, ",")
}
return ""
}
// CheckOAuthAccessToken returns uid of user from oauth token
// + non default openid scopes requested
func CheckOAuthAccessToken(ctx context.Context, accessToken string) (int64, string) {
if !setting.OAuth2.Enabled {
return 0, ""
}
// JWT tokens require a "."
if !strings.Contains(accessToken, ".") {
return 0, ""
}
token, err := oauth2.ParseToken(accessToken, oauth2.DefaultSigningKey)
if err != nil {
log.Trace("oauth2.ParseToken: %v", err)
return 0, ""
}
var grant *auth_model.OAuth2Grant
if grant, err = auth_model.GetOAuth2GrantByID(ctx, token.GrantID); err != nil || grant == nil {
return 0, ""
}
if token.Type != oauth2.TypeAccessToken {
return 0, ""
}
if token.ExpiresAt.Before(time.Now()) || token.IssuedAt.After(time.Now()) {
return 0, ""
}
grantScopes := grantAdditionalScopes(grant.Scope)
return grant.UserID, grantScopes
}
// CheckTaskIsRunning verifies that the TaskID corresponds to a running task
func CheckTaskIsRunning(ctx context.Context, taskID int64) bool {
// Verify the task exists
task, err := actions_model.GetTaskByID(ctx, taskID)
if err != nil {
return false
}
// Verify that it's running
return task.Status == actions_model.StatusRunning
}
// OAuth2 implements the Auth interface and authenticates requests
// (API requests only) by looking for an OAuth token in query parameters or the
// "Authorization" header.
type OAuth2 struct{}
// parseToken returns the token from request, and a boolean value
// representing whether the token exists or not
func parseToken(req *http.Request) (string, bool) {
_ = req.ParseForm()
if !setting.DisableQueryAuthToken {
// Check token.
if token := req.Form.Get("token"); token != "" {
return token, true
}
// Check access token.
if token := req.Form.Get("access_token"); token != "" {
return token, true
}
} else if req.Form.Get("token") != "" || req.Form.Get("access_token") != "" {
log.Warn("API token sent in query string but DISABLE_QUERY_AUTH_TOKEN=true")
}
// check header token
if auHead := req.Header.Get("Authorization"); auHead != "" {
auths := strings.Fields(auHead)
if len(auths) == 2 && (util.ASCIIEqualFold(auths[0], "token") || util.ASCIIEqualFold(auths[0], "bearer")) {
return auths[1], true
}
}
return "", false
}
// userIDFromToken returns the user id corresponding to the OAuth token.
// It will set 'IsApiToken' to true if the token is an API token and
// set 'ApiTokenScope' to the scope of the access token
func (o *OAuth2) userIDFromToken(ctx context.Context, tokenSHA string) auth.MethodOutput {
if tokenSHA == "" {
return &auth.AuthenticationAttemptedIncorrectCredential{Error: auth_model.ErrAccessTokenEmpty{}}
}
// Let's see if token is valid.
if strings.Contains(tokenSHA, ".") {
// First attempt to decode an actions JWT, returning the actions user
if taskID, err := actions.TokenToTaskID(tokenSHA); err == nil {
if CheckTaskIsRunning(ctx, taskID) {
return &auth.AuthenticationSuccess{Result: &actionsTaskTokenAuthenticationResult{user: user_model.NewActionsUser(), taskID: taskID}}
}
}
// Otherwise, check if this is an OAuth access token
uid, grantScopes := CheckOAuthAccessToken(ctx, tokenSHA)
var accessTokenScope optional.Option[auth_model.AccessTokenScope]
if uid != 0 {
if grantScopes != "" {
accessTokenScope = optional.Some(auth_model.AccessTokenScope(grantScopes))
} else {
accessTokenScope = optional.Some(auth_model.AccessTokenScopeAll) // fallback to all
}
}
user, err := user_model.GetPossibleUserByID(ctx, uid)
if err != nil {
if user_model.IsErrUserNotExist(err) {
return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
}
return &auth.AuthenticationError{Error: fmt.Errorf("oauth2 GetPossibleUserByID: %w", err)}
}
return &auth.AuthenticationSuccess{Result: &oAuth2JWTAuthenticationResult{user: user, scope: accessTokenScope}}
}
t, err := auth_model.GetAccessTokenBySHA(ctx, tokenSHA)
if err != nil {
if auth_model.IsErrAccessTokenNotExist(err) {
// check task token
task, err := actions_model.GetRunningTaskByToken(ctx, tokenSHA)
if err == nil && task != nil {
log.Trace("Basic Authorization: Valid AccessToken for task[%d]", task.ID)
return &auth.AuthenticationSuccess{Result: &actionsTaskTokenAuthenticationResult{user: user_model.NewActionsUser(), taskID: task.ID}}
}
} else if !auth_model.IsErrAccessTokenNotExist(err) && !auth_model.IsErrAccessTokenEmpty(err) {
return &auth.AuthenticationError{Error: fmt.Errorf("oauth2 GetAccessTokenBySHA: %w", err)}
}
return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
}
if err := t.UpdateLastUsed(ctx); err != nil {
log.Error("UpdateLastUsed: %v", err)
}
if t.UID == 0 {
return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
}
reducer, err := authz.GetAuthorizationReducerForAccessToken(ctx, t)
if err != nil {
return &auth.AuthenticationError{Error: fmt.Errorf("oauth2 GetAuthorizationReducerForAccessToken: %w", err)}
}
u, err := user_model.GetUserByID(ctx, t.UID)
if err != nil {
return &auth.AuthenticationError{Error: fmt.Errorf("oauth2 GetUserByID: %w", err)}
}
return &auth.AuthenticationSuccess{Result: &accessTokenAuthenticationResult{user: u, scope: t.Scope, reducer: reducer}}
}
// Verify extracts the user ID from the OAuth token in the query parameters
// or the "Authorization" header and returns the corresponding user object for that ID.
// If verification is successful returns an existing user object.
// Returns nil if verification fails.
func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionStore) auth.MethodOutput {
// These paths are not API paths, but we still want to check for tokens because they maybe in the API returned URLs
if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isAuthenticatedTokenRequest(req) &&
!isGitRawOrAttachPath(req) && !isArchivePath(req) {
return &auth.AuthenticationNotAttempted{}
}
token, ok := parseToken(req)
if !ok {
return &auth.AuthenticationNotAttempted{}
}
return o.userIDFromToken(req.Context(), token)
}
func isAuthenticatedTokenRequest(req *http.Request) bool {
switch req.URL.Path {
case "/login/oauth/userinfo":
fallthrough
case "/login/oauth/introspect":
return true
}
return false
}
Reference in a new issue View git blame Copy permalink