
Require repo scope for PATs for private repos and basic authentication #24362

Merged
merged 6 commits into from
Apr 27, 2023

Conversation

jolheiser (Member)

The scoped token PR just checked all API routes, but in fact some web routes like LFS, git HTTP, container, and attachments support basic auth. This PR added a scoped token check for them.

@jolheiser jolheiser added type/bug outdated/backport/v1.19 This PR should be backported to Gitea 1.19 labels Apr 26, 2023
@jolheiser jolheiser added this to the 1.20.0 milestone Apr 26, 2023
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Apr 26, 2023
@pull-request-size pull-request-size bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Apr 26, 2023
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Apr 26, 2023
Signed-off-by: jolheiser <john.olheiser@gmail.com>
}

var err error
scope, ok := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)
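Review bot: the `ok` result of `scope, ok := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)` conflates two cases, a request that did not authenticate with a token at all and a later refactor that renames the `ApiTokenScope` key or changes its stored type; both leave `ok` false, so whatever the `!ok` branch does applies equally to a legitimate password login and to a silently broken check. Consider carrying the scope in a typed field or accessor rather than a string-keyed map entry, and add a test that sends a token without `repo` scope to each newly covered route (LFS, git HTTP, container, attachments) so a no-op check fails the build instead of passing the request.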
@wxiaoguang (Contributor) commented Apr 26, 2023

If no test covers it, it is very fragile.

Maybe a future refactoring changes the key "ApiTokenScope"; then this "check" will become a no-op and the accesses just pass.
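As an added illustration of the fragility raised in this comment (example code written for this page, not Gitea's own): a simplified `AccessTokenScope`, an untyped `map[string]any` standing in for `ctx.Data`, and the `allowFragile`/`allowFailClosed` helpers are all assumptions; the second variant denies a token request whose scope key is missing or mistyped instead of letting it through.

```go
package main

import (
	"fmt"
	"strings"
)

// AccessTokenScope is a comma-separated scope list such as "repo,user"; a
// simplified stand-in for the real type, constructed for this example.
type AccessTokenScope string

// HasScope reports whether the token grants required ("all" grants everything).
func (s AccessTokenScope) HasScope(required string) bool {
	for _, part := range strings.Split(string(s), ",") {
		if p := strings.TrimSpace(part); p == "all" || p == required {
			return true
		}
	}
	return false
}

// allowFragile mirrors the pattern the comment warns about: the scope is read
// from an untyped map by a string key. A password login legitimately leaves the
// key unset, but a refactor that renames the key has the same effect, so the
// check silently degrades to "allow" for every token.
func allowFragile(data map[string]any, required string) bool {
	scope, ok := data["ApiTokenScope"].(AccessTokenScope)
	if !ok {
		return true
	}
	return scope.HasScope(required)
}

// allowFailClosed tracks separately whether a token was used, so a token request
// with a missing or mistyped scope is denied instead of passed through.
func allowFailClosed(data map[string]any, usedToken bool, required string) (bool, error) {
	if !usedToken {
		return true, nil // password or session login: scopes do not apply
	}
	scope, ok := data["ApiTokenScope"].(AccessTokenScope)
	if !ok {
		return false, fmt.Errorf("token request without a recorded scope")
	}
	return scope.HasScope(required), nil
}

func main() {
	// Constructed request data after a hypothetical refactor renamed the key.
	renamed := map[string]any{"APITokenScope": AccessTokenScope("user")}
	fmt.Println(allowFragile(renamed, "repo"))          // true: silent bypass
	fmt.Println(allowFailClosed(renamed, true, "repo")) // false <error>
}
```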

Signed-off-by: jolheiser <john.olheiser@gmail.com>
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Apr 26, 2023
@delvh delvh added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Apr 26, 2023
Signed-off-by: jolheiser <john.olheiser@gmail.com>
@jolheiser jolheiser merged commit 5e36024 into go-gitea:main Apr 27, 2023
@jolheiser jolheiser deleted the scoped-token-web-route branch April 27, 2023 00:24
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request Apr 27, 2023
go-gitea#24362)

> The scoped token PR just checked all API routes but in fact, some web routes like `LFS`, git `HTTP`, container, and attachments support basic auth. This PR added scoped token check for them.

---------

Signed-off-by: jolheiser <john.olheiser@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
@GiteaBot GiteaBot added backport/done All backports for this PR have been created and removed reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. labels Apr 27, 2023
techknowlogick pushed a commit that referenced this pull request Apr 27, 2023
#24362) (#24364)

Backport #24362 by @jolheiser

> The scoped token PR just checked all API routes but in fact, some web routes like `LFS`, git `HTTP`, container, and attachments support basic auth. This PR added scoped token check for them.

Signed-off-by: jolheiser <john.olheiser@gmail.com>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
@wxiaoguang (Contributor) commented Apr 27, 2023

This PR breaks my LFS client.

Reverting these 2 "lfs/*.go" files, then my client works again.

The error logs:

gitea-app_1     | 2023/04/27 20:37:14 ...rvices/lfs/server.go:547:authenticate() [W] [644a6c7a-2] Authentication failure for provided token with Error: invalid token claim
gitea-app_1     | 2023/04/27 20:37:14 [644a6c7a-2] router: completed GET /org/repo.git/info/lfs/objects/xxxxxxxxxxxxxxxxxxxxxxxxxx for 1.2.3.4:0, 401 Unauthorized in 5.9ms @ lfs/server.go:80(lfs.DownloadHandler)

@wxiaoguang wxiaoguang mentioned this pull request Apr 27, 2023
@@ -86,6 +86,11 @@ func DownloadHandler(ctx *context.Context) {
return
}

repository := getAuthenticatedRepository(ctx, rc, true)
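Review bot: `getAuthenticatedRepository(ctx, rc, true)` in `DownloadHandler` asks for write access (third argument) on a read-only download route, so a token or credential that only grants read is rejected; that is consistent with the 401 reported above for `GET .../info/lfs/objects/...` from `lfs.DownloadHandler`. Either pass `false` here, or drop the added call entirely if the handler already authenticated the repository earlier in this function, and add a test that downloads an LFS object with a read-only token.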
Contributor:

DownloadHandler: getAuthenticatedRepository(requireWrite=true) ?

Member:

These lines should be removed.

zjjhot added a commit to zjjhot/gitea that referenced this pull request Apr 28, 2023
* giteaofficial/main: (26 commits)
  Refactor docs (go-gitea#23752)
  Fix layouts of admin table / adapt repo / email test  (go-gitea#24370)
  Move secrets and runners settings to actions settings (go-gitea#24200)
  Gitea Actions add `base_ref`, `head_ref`, `api_url`, `ref_type` fields (go-gitea#24356)
  Fix auth check bug (go-gitea#24382)
  Display 'Unknown' when runner.version is empty (go-gitea#24378)
  Fix incorrect last online time in runner_edit.tmpl (go-gitea#24376)
  Refactor "route" related code, fix Safari cookie bug (go-gitea#24330)
  Add custom helm repo name generated from url (go-gitea#24363)
  Add API for gitignore templates (go-gitea#22783)
  Add eslint-plugin-regexp (go-gitea#24361)
  Support uploading file to empty repo by API (go-gitea#24357)
  [skip ci] Updated translations via Crowdin
  Require repo scope for PATs for private repos and basic authentication (go-gitea#24362)
  Alert error message if open dependencies are included in the issues that try to batch close (go-gitea#24329)
  Fix 404 error when leaving the last private org team (go-gitea#24322)
  Modify width of ui container, fine tune css for settings pages and org header (go-gitea#24315)
  Add .livemd as a markdown extension (go-gitea#22730)
  Display when a repo was archived (go-gitea#22664)
  Fix wrong error info in RepoRefForAPI (go-gitea#24344)
  ...
silverwind pushed a commit that referenced this pull request May 31, 2023
Caused by #24362

Co-authored-by: Giteabot <teabot@gitea.io>
GiteaBot added a commit to GiteaBot/gitea that referenced this pull request May 31, 2023
Caused by go-gitea#24362

Co-authored-by: Giteabot <teabot@gitea.io>
silverwind pushed a commit that referenced this pull request Jun 1, 2023
Backport #25019 by @lunny

Caused by #24362

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
Codeberg-org pushed a commit to Codeberg-org/gitea that referenced this pull request Jun 7, 2023
…a#25027)

Backport go-gitea#25019 by @lunny

Caused by go-gitea#24362

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
(cherry picked from commit 73ae6b2)
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Jul 31, 2023