From 99dd092cd02d7af8374acf454833ce1c05fd4fd9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Fri, 24 Feb 2023 14:24:29 +0100 Subject: [PATCH] [BRANDING] X-Forgejo-OTP can be used instead of X-Gitea-OTP (cherry picked from commit 7b0549cd70aa7cafec853e15b25270847c59850b) (cherry picked from commit 13e10a65d974c7b594681bfa36402a6144862116) (cherry picked from commit 65bdd73cf27895a9fb8db2a95ef4f5b08951481d) (cherry picked from commit 64eba8bb923176b4c286b1d0c83792f3c3005ca8) (cherry picked from commit 4c49b1a759abe3604afc1121e83c9a942016ad6a) (cherry picked from commit 93b4d0640683ea986657453b1fce49a00c861764) (cherry picked from commit e2bc5f36d958f4349160ec145719c302d4023cd0) (cherry picked from commit 2bee76f9dfa998c83ea4fe648997fad0b6224fa9) (cherry picked from commit 3d8a1b4a9fb9dc55bbd62fd8855ea85e58dc263f) --- modules/context/api.go | 11 +++++++++-- modules/context/api_forgejo_test.go | 23 +++++++++++++++++++++++ routers/api/v1/api.go | 2 +- templates/swagger/v1_json.tmpl | 2 +- 4 files changed, 34 insertions(+), 4 deletions(-) create mode 100644 modules/context/api_forgejo_test.go diff --git a/modules/context/api.go b/modules/context/api.go index e263dcbe8d..dee52f01d9 100644 --- a/modules/context/api.go +++ b/modules/context/api.go @@ -188,13 +188,20 @@ func (ctx *APIContext) SetLinkHeader(total, pageSize int) { } } +func getOtpHeader(header http.Header) string { + otpHeader := header.Get("X-Gitea-OTP") + if forgejoHeader := header.Get("X-Forgejo-OTP"); forgejoHeader != "" { + otpHeader = forgejoHeader + } + return otpHeader +} + // CheckForOTP validates OTP func (ctx *APIContext) CheckForOTP() { if skip, ok := ctx.Data["SkipLocalTwoFA"]; ok && skip.(bool) { return // Skip 2FA } - otpHeader := ctx.Req.Header.Get("X-Gitea-OTP") twofa, err := auth.GetTwoFactorByUID(ctx.Context.Doer.ID) if err != nil { if auth.IsErrTwoFactorNotEnrolled(err) { @@ -203,7 +210,7 @@ func (ctx *APIContext) CheckForOTP() { ctx.Context.Error(http.StatusInternalServerError) return } - ok, err := twofa.ValidateTOTP(otpHeader) + ok, err := twofa.ValidateTOTP(getOtpHeader(ctx.Req.Header)) if err != nil { ctx.Context.Error(http.StatusInternalServerError) return diff --git a/modules/context/api_forgejo_test.go b/modules/context/api_forgejo_test.go new file mode 100644 index 0000000000..b85de55904 --- /dev/null +++ b/modules/context/api_forgejo_test.go @@ -0,0 +1,23 @@ +// SPDX-License-Identifier: MIT + +package context + +import ( + "net/http" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestGetOtpHeader(t *testing.T) { + header := http.Header{} + assert.EqualValues(t, "", getOtpHeader(header)) + // Gitea + giteaOtp := "123456" + header.Set("X-Gitea-OTP", giteaOtp) + assert.EqualValues(t, giteaOtp, getOtpHeader(header)) + // Forgejo has precedence + forgejoOtp := "abcdef" + header.Set("X-Forgejo-OTP", forgejoOtp) + assert.EqualValues(t, forgejoOtp, getOtpHeader(header)) +} diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go index 0f7a5e7eb3..2a92b0b28b 100644 --- a/routers/api/v1/api.go +++ b/routers/api/v1/api.go @@ -56,7 +56,7 @@ // description: Sudo API request as the user provided as the key. Admin privileges are required. // TOTPHeader: // type: apiKey -// name: X-GITEA-OTP +// name: X-FORGEJO-OTP // in: header // description: Must be used in combination with BasicAuth if two-factor authentication is enabled. // diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl index eb6cb448d0..2945681a3e 100644 --- a/templates/swagger/v1_json.tmpl +++ b/templates/swagger/v1_json.tmpl @@ -22360,7 +22360,7 @@ "TOTPHeader": { "description": "Must be used in combination with BasicAuth if two-factor authentication is enabled.", "type": "apiKey", - "name": "X-GITEA-OTP", + "name": "X-FORGEJO-OTP", "in": "header" }, "Token": {