Fix session gob (#35128)

wxiaoguang · web-flow · commit 86aafea3fbaa · 2025-07-20T01:49:36.000Z
Fix #35126
diff --git a/modules/session/mem.go b/modules/session/mem.go
@@ -0,0 +1,68 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package session
+
+import (
+	"bytes"
+	"encoding/gob"
+	"net/http"
+
+	"gitea.com/go-chi/session"
+)
+
+type mockMemRawStore struct {
+	s *session.MemStore
+}
+
+var _ session.RawStore = (*mockMemRawStore)(nil)
+
+func (m *mockMemRawStore) Set(k, v any) error {
+	// We need to use gob to encode the value, to make it have the same behavior as other stores and catch abuses.
+	// Because gob needs to "Register" the type before it can encode it, and it's unable to decode a struct to "any" so use a map to help to decode the value.
+	var buf bytes.Buffer
+	if err := gob.NewEncoder(&buf).Encode(map[string]any{"v": v}); err != nil {
+		return err
+	}
+	return m.s.Set(k, buf.Bytes())
+}
+
+func (m *mockMemRawStore) Get(k any) (ret any) {
+	v, ok := m.s.Get(k).([]byte)
+	if !ok {
+		return nil
+	}
+	var w map[string]any
+	_ = gob.NewDecoder(bytes.NewBuffer(v)).Decode(&w)
+	return w["v"]
+}
+
+func (m *mockMemRawStore) Delete(k any) error {
+	return m.s.Delete(k)
+}
+
+func (m *mockMemRawStore) ID() string {
+	return m.s.ID()
+}
+
+func (m *mockMemRawStore) Release() error {
+	return m.s.Release()
+}
+
+func (m *mockMemRawStore) Flush() error {
+	return m.s.Flush()
+}
+
+type mockMemStore struct {
+	*mockMemRawStore
+}
+
+var _ Store = (*mockMemStore)(nil)
+
+func (m mockMemStore) Destroy(writer http.ResponseWriter, request *http.Request) error {
+	return nil
+}
+
+func NewMockMemStore(sid string) Store {
+	return &mockMemStore{&mockMemRawStore{session.NewMemStore(sid)}}
+}
diff --git a/modules/session/mock.go b/modules/session/mock.go
diff --git a/modules/session/store.go b/modules/session/store.go
@@ -11,34 +11,34 @@ import (
 	"gitea.com/go-chi/session"
 )
 
-// Store represents a session store
+type RawStore = session.RawStore
+
 type Store interface {
-	Get(any) any
-	Set(any, any) error
-	Delete(any) error
-	ID() string
-	Release() error
-	Flush() error
+	RawStore
 	Destroy(http.ResponseWriter, *http.Request) error
 }
 
+type mockStoreContextKeyStruct struct{}
+
+var MockStoreContextKey = mockStoreContextKeyStruct{}
+
 // RegenerateSession regenerates the underlying session and returns the new store
 func RegenerateSession(resp http.ResponseWriter, req *http.Request) (Store, error) {
 	for _, f := range BeforeRegenerateSession {
 		f(resp, req)
 	}
 	if setting.IsInTesting {
-		if store, ok := req.Context().Value(MockStoreContextKey).(*MockStore); ok {
-			return store, nil
+		if store := req.Context().Value(MockStoreContextKey); store != nil {
+			return store.(Store), nil
 		}
 	}
 	return session.RegenerateSession(resp, req)
 }
 
 func GetContextSession(req *http.Request) Store {
 	if setting.IsInTesting {
-		if store, ok := req.Context().Value(MockStoreContextKey).(*MockStore); ok {
-			return store
+		if store := req.Context().Value(MockStoreContextKey); store != nil {
+			return store.(Store)
 		}
 	}
 	return session.GetSession(req)
diff --git a/modules/session/virtual.go b/modules/session/virtual.go
@@ -22,8 +22,8 @@ type VirtualSessionProvider struct {
 	provider session.Provider
 }
 
-// Init initializes the cookie session provider with given root path.
-func (o *VirtualSessionProvider) Init(gclifetime int64, config string) error {
+// Init initializes the cookie session provider with the given config.
+func (o *VirtualSessionProvider) Init(gcLifetime int64, config string) error {
 	var opts session.Options
 	if err := json.Unmarshal([]byte(config), &opts); err != nil {
 		return err
@@ -52,7 +52,7 @@ func (o *VirtualSessionProvider) Init(gclifetime int64, config string) error {
 	default:
 		return fmt.Errorf("VirtualSessionProvider: Unknown Provider: %s", opts.Provider)
 	}
-	return o.provider.Init(gclifetime, opts.ProviderConfig)
+	return o.provider.Init(gcLifetime, opts.ProviderConfig)
 }
 
 // Read returns raw session store by session ID.
diff --git a/routers/web/auth/auth.go b/routers/web/auth/auth.go
@@ -565,7 +565,7 @@ func createUserInContext(ctx *context.Context, tpl templates.TplName, form any,
 				oauth2LinkAccount(ctx, user, possibleLinkAccountData, true)
 				return false // user is already created here, all redirects are handled
 			case setting.OAuth2AccountLinkingLogin:
-				showLinkingLogin(ctx, &possibleLinkAccountData.AuthSource, possibleLinkAccountData.GothUser)
+				showLinkingLogin(ctx, possibleLinkAccountData.AuthSourceID, possibleLinkAccountData.GothUser)
 				return false // user will be created only after linking login
 			}
 		}
@@ -633,7 +633,7 @@ func handleUserCreated(ctx *context.Context, u *user_model.User, possibleLinkAcc
 
 	// update external user information
 	if possibleLinkAccountData != nil {
-		if err := externalaccount.EnsureLinkExternalToUser(ctx, possibleLinkAccountData.AuthSource.ID, u, possibleLinkAccountData.GothUser); err != nil {
+		if err := externalaccount.EnsureLinkExternalToUser(ctx, possibleLinkAccountData.AuthSourceID, u, possibleLinkAccountData.GothUser); err != nil {
 			log.Error("EnsureLinkExternalToUser failed: %v", err)
 		}
 	}
diff --git a/routers/web/auth/auth_test.go b/routers/web/auth/auth_test.go
@@ -64,13 +64,14 @@ func TestUserLogin(t *testing.T) {
 func TestSignUpOAuth2Login(t *testing.T) {
 	defer test.MockVariableValue(&setting.OAuth2Client.EnableAutoRegistration, true)()
 
+	_ = oauth2.Init(t.Context())
 	addOAuth2Source(t, "dummy-auth-source", oauth2.Source{})
 
 	t.Run("OAuth2MissingField", func(t *testing.T) {
 		defer test.MockVariableValue(&gothic.CompleteUserAuth, func(res http.ResponseWriter, req *http.Request) (goth.User, error) {
 			return goth.User{Provider: "dummy-auth-source", UserID: "dummy-user"}, nil
 		})()
-		mockOpt := contexttest.MockContextOption{SessionStore: session.NewMockStore("dummy-sid")}
+		mockOpt := contexttest.MockContextOption{SessionStore: session.NewMockMemStore("dummy-sid")}
 		ctx, resp := contexttest.MockContext(t, "/user/oauth2/dummy-auth-source/callback?code=dummy-code", mockOpt)
 		ctx.SetPathParam("provider", "dummy-auth-source")
 		SignInOAuthCallback(ctx)
@@ -84,7 +85,7 @@ func TestSignUpOAuth2Login(t *testing.T) {
 	})
 
 	t.Run("OAuth2CallbackError", func(t *testing.T) {
-		mockOpt := contexttest.MockContextOption{SessionStore: session.NewMockStore("dummy-sid")}
+		mockOpt := contexttest.MockContextOption{SessionStore: session.NewMockMemStore("dummy-sid")}
 		ctx, resp := contexttest.MockContext(t, "/user/oauth2/dummy-auth-source/callback", mockOpt)
 		ctx.SetPathParam("provider", "dummy-auth-source")
 		SignInOAuthCallback(ctx)
diff --git a/routers/web/auth/linkaccount.go b/routers/web/auth/linkaccount.go
@@ -170,7 +170,7 @@ func LinkAccountPostSignIn(ctx *context.Context) {
 }
 
 func oauth2LinkAccount(ctx *context.Context, u *user_model.User, linkAccountData *LinkAccountData, remember bool) {
-	oauth2SignInSync(ctx, &linkAccountData.AuthSource, u, linkAccountData.GothUser)
+	oauth2SignInSync(ctx, linkAccountData.AuthSourceID, u, linkAccountData.GothUser)
 	if ctx.Written() {
 		return
 	}
@@ -185,7 +185,7 @@ func oauth2LinkAccount(ctx *context.Context, u *user_model.User, linkAccountData
 			return
 		}
 
-		err = externalaccount.LinkAccountToUser(ctx, linkAccountData.AuthSource.ID, u, linkAccountData.GothUser)
+		err = externalaccount.LinkAccountToUser(ctx, linkAccountData.AuthSourceID, u, linkAccountData.GothUser)
 		if err != nil {
 			ctx.ServerError("UserLinkAccount", err)
 			return
@@ -295,7 +295,7 @@ func LinkAccountPostRegister(ctx *context.Context) {
 		Email:       form.Email,
 		Passwd:      form.Password,
 		LoginType:   auth.OAuth2,
-		LoginSource: linkAccountData.AuthSource.ID,
+		LoginSource: linkAccountData.AuthSourceID,
 		LoginName:   linkAccountData.GothUser.UserID,
 	}
 
@@ -304,7 +304,12 @@ func LinkAccountPostRegister(ctx *context.Context) {
 		return
 	}
 
-	source := linkAccountData.AuthSource.Cfg.(*oauth2.Source)
+	authSource, err := auth.GetSourceByID(ctx, linkAccountData.AuthSourceID)
+	if err != nil {
+		ctx.ServerError("GetSourceByID", err)
+		return
+	}
+	source := authSource.Cfg.(*oauth2.Source)
 	if err := syncGroupsToTeams(ctx, source, &linkAccountData.GothUser, u); err != nil {
 		ctx.ServerError("SyncGroupsToTeams", err)
 		return
@@ -318,5 +323,5 @@ func linkAccountFromContext(ctx *context.Context, user *user_model.User) error {
 	if linkAccountData == nil {
 		return errors.New("not in LinkAccount session")
 	}
-	return externalaccount.LinkAccountToUser(ctx, linkAccountData.AuthSource.ID, user, linkAccountData.GothUser)
+	return externalaccount.LinkAccountToUser(ctx, linkAccountData.AuthSourceID, user, linkAccountData.GothUser)
 }
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
@@ -4,6 +4,7 @@
 package auth
 
 import (
+	"encoding/gob"
 	"errors"
 	"fmt"
 	"html"
@@ -171,7 +172,7 @@ func SignInOAuthCallback(ctx *context.Context) {
 					gothUser.RawData = make(map[string]any)
 				}
 				gothUser.RawData["__giteaAutoRegMissingFields"] = missingFields
-				showLinkingLogin(ctx, authSource, gothUser)
+				showLinkingLogin(ctx, authSource.ID, gothUser)
 				return
 			}
 			u = &user_model.User{
@@ -192,7 +193,7 @@ func SignInOAuthCallback(ctx *context.Context) {
 			u.IsAdmin = isAdmin.ValueOrDefault(user_service.UpdateOptionField[bool]{FieldValue: false}).FieldValue
 			u.IsRestricted = isRestricted.ValueOrDefault(setting.Service.DefaultUserIsRestricted)
 
-			linkAccountData := &LinkAccountData{*authSource, gothUser}
+			linkAccountData := &LinkAccountData{authSource.ID, gothUser}
 			if setting.OAuth2Client.AccountLinking == setting.OAuth2AccountLinkingDisabled {
 				linkAccountData = nil
 			}
@@ -207,7 +208,7 @@ func SignInOAuthCallback(ctx *context.Context) {
 			}
 		} else {
 			// no existing user is found, request attach or new account
-			showLinkingLogin(ctx, authSource, gothUser)
+			showLinkingLogin(ctx, authSource.ID, gothUser)
 			return
 		}
 	}
@@ -272,23 +273,29 @@ func getUserAdminAndRestrictedFromGroupClaims(source *oauth2.Source, gothUser *g
 }
 
 type LinkAccountData struct {
-	AuthSource auth.Source
-	GothUser   goth.User
+	AuthSourceID int64
+	GothUser     goth.User
 }
 
 func oauth2GetLinkAccountData(ctx *context.Context) *LinkAccountData {
+	gob.Register(LinkAccountData{})
 	v, ok := ctx.Session.Get("linkAccountData").(LinkAccountData)
 	if !ok {
 		return nil
 	}
 	return &v
 }
 
-func showLinkingLogin(ctx *context.Context, authSource *auth.Source, gothUser goth.User) {
-	if err := updateSession(ctx, nil, map[string]any{
-		"linkAccountData": LinkAccountData{*authSource, gothUser},
-	}); err != nil {
-		ctx.ServerError("updateSession", err)
+func Oauth2SetLinkAccountData(ctx *context.Context, linkAccountData LinkAccountData) error {
+	gob.Register(LinkAccountData{})
+	return updateSession(ctx, nil, map[string]any{
+		"linkAccountData": linkAccountData,
+	})
+}
+
+func showLinkingLogin(ctx *context.Context, authSourceID int64, gothUser goth.User) {
+	if err := Oauth2SetLinkAccountData(ctx, LinkAccountData{authSourceID, gothUser}); err != nil {
+		ctx.ServerError("Oauth2SetLinkAccountData", err)
 		return
 	}
 	ctx.Redirect(setting.AppSubURL + "/user/link_account")
@@ -313,7 +320,7 @@ func oauth2UpdateAvatarIfNeed(ctx *context.Context, url string, u *user_model.Us
 }
 
 func handleOAuth2SignIn(ctx *context.Context, authSource *auth.Source, u *user_model.User, gothUser goth.User) {
-	oauth2SignInSync(ctx, authSource, u, gothUser)
+	oauth2SignInSync(ctx, authSource.ID, u, gothUser)
 	if ctx.Written() {
 		return
 	}
diff --git a/routers/web/auth/oauth_signin_sync.go b/routers/web/auth/oauth_signin_sync.go
@@ -18,9 +18,14 @@ import (
 	"github.com/markbates/goth"
 )
 
-func oauth2SignInSync(ctx *context.Context, authSource *auth.Source, u *user_model.User, gothUser goth.User) {
+func oauth2SignInSync(ctx *context.Context, authSourceID int64, u *user_model.User, gothUser goth.User) {
 	oauth2UpdateAvatarIfNeed(ctx, gothUser.AvatarURL, u)
 
+	authSource, err := auth.GetSourceByID(ctx, authSourceID)
+	if err != nil {
+		ctx.ServerError("GetSourceByID", err)
+		return
+	}
 	oauth2Source, _ := authSource.Cfg.(*oauth2.Source)
 	if !authSource.IsOAuth2() || oauth2Source == nil {
 		ctx.ServerError("oauth2SignInSync", fmt.Errorf("source %s is not an OAuth2 source", gothUser.Provider))
@@ -45,7 +50,7 @@ func oauth2SignInSync(ctx *context.Context, authSource *auth.Source, u *user_mod
 		}
 	}
 
-	err := oauth2UpdateSSHPubIfNeed(ctx, authSource, &gothUser, u)
+	err = oauth2UpdateSSHPubIfNeed(ctx, authSource, &gothUser, u)
 	if err != nil {
 		log.Error("Unable to sync OAuth2 SSH public key %s: %v", gothUser.Provider, err)
 	}
diff --git a/services/auth/source/oauth2/store.go b/services/auth/source/oauth2/store.go
diff --git a/services/contexttest/context_tests.go b/services/contexttest/context_tests.go
diff --git a/tests/integration/signin_test.go b/tests/integration/signin_test.go

Original file line number	Diff line number	Diff line change
`@@ -11,34 +11,34 @@ import (`
`11`	`11`	`"gitea.com/go-chi/session"`
`12`	`12`	`)`
`13`	`13`
`14`		`-// Store represents a session store`
	`14`	`+type RawStore = session.RawStore`
	`15`	`+`
`15`	`16`	`type Store interface {`
`16`		`- Get(any) any`
`17`		`- Set(any, any) error`
`18`		`- Delete(any) error`
`19`		`- ID() string`
`20`		`- Release() error`
`21`		`- Flush() error`
	`17`	`+ RawStore`
`22`	`18`	`Destroy(http.ResponseWriter, *http.Request) error`
`23`	`19`	`}`
`24`	`20`
	`21`	`+type mockStoreContextKeyStruct struct{}`
	`22`	`+`
	`23`	`+var MockStoreContextKey = mockStoreContextKeyStruct{}`
	`24`	`+`
`25`	`25`	`// RegenerateSession regenerates the underlying session and returns the new store`
`26`	`26`	`func RegenerateSession(resp http.ResponseWriter, req *http.Request) (Store, error) {`
`27`	`27`	`for _, f := range BeforeRegenerateSession {`
`28`	`28`	`f(resp, req)`
`29`	`29`	`}`
`30`	`30`	`if setting.IsInTesting {`
`31`		`- if store, ok := req.Context().Value(MockStoreContextKey).(*MockStore); ok {`
`32`		`- return store, nil`
	`31`	`+ if store := req.Context().Value(MockStoreContextKey); store != nil {`
	`32`	`+ return store.(Store), nil`
`33`	`33`	`}`
`34`	`34`	`}`
`35`	`35`	`return session.RegenerateSession(resp, req)`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`func GetContextSession(req *http.Request) Store {`
`39`	`39`	`if setting.IsInTesting {`
`40`		`- if store, ok := req.Context().Value(MockStoreContextKey).(*MockStore); ok {`
`41`		`- return store`
	`40`	`+ if store := req.Context().Value(MockStoreContextKey); store != nil {`
	`41`	`+ return store.(Store)`
`42`	`42`	`}`
`43`	`43`	`}`
`44`	`44`	`return session.GetSession(req)`
Original file line number	Diff line number	Diff line change
`@@ -22,8 +22,8 @@ type VirtualSessionProvider struct {`
`22`	`22`	`provider session.Provider`
`23`	`23`	`}`
`24`	`24`
`25`		`-// Init initializes the cookie session provider with given root path.`
`26`		`-func (o *VirtualSessionProvider) Init(gclifetime int64, config string) error {`
	`25`	`+// Init initializes the cookie session provider with the given config.`
	`26`	`+func (o *VirtualSessionProvider) Init(gcLifetime int64, config string) error {`
`27`	`27`	`var opts session.Options`
`28`	`28`	`if err := json.Unmarshal([]byte(config), &opts); err != nil {`
`29`	`29`	`return err`
`@@ -52,7 +52,7 @@ func (o *VirtualSessionProvider) Init(gclifetime int64, config string) error {`
`52`	`52`	`default:`
`53`	`53`	`return fmt.Errorf("VirtualSessionProvider: Unknown Provider: %s", opts.Provider)`
`54`	`54`	`}`
`55`		`- return o.provider.Init(gclifetime, opts.ProviderConfig)`
	`55`	`+ return o.provider.Init(gcLifetime, opts.ProviderConfig)`
`56`	`56`	`}`
`57`	`57`
`58`	`58`	`// Read returns raw session store by session ID.`
Original file line number	Diff line number	Diff line change
`@@ -565,7 +565,7 @@ func createUserInContext(ctx *context.Context, tpl templates.TplName, form any,`
`565`	`565`	`oauth2LinkAccount(ctx, user, possibleLinkAccountData, true)`
`566`	`566`	`return false // user is already created here, all redirects are handled`
`567`	`567`	`case setting.OAuth2AccountLinkingLogin:`
`568`		`- showLinkingLogin(ctx, &possibleLinkAccountData.AuthSource, possibleLinkAccountData.GothUser)`
	`568`	`+ showLinkingLogin(ctx, possibleLinkAccountData.AuthSourceID, possibleLinkAccountData.GothUser)`
`569`	`569`	`return false // user will be created only after linking login`
`570`	`570`	`}`
`571`	`571`	`}`
`@@ -633,7 +633,7 @@ func handleUserCreated(ctx context.Context, u user_model.User, possibleLinkAcc`
`633`	`633`
`634`	`634`	`// update external user information`
`635`	`635`	`if possibleLinkAccountData != nil {`
`636`		`- if err := externalaccount.EnsureLinkExternalToUser(ctx, possibleLinkAccountData.AuthSource.ID, u, possibleLinkAccountData.GothUser); err != nil {`
	`636`	`+ if err := externalaccount.EnsureLinkExternalToUser(ctx, possibleLinkAccountData.AuthSourceID, u, possibleLinkAccountData.GothUser); err != nil {`
`637`	`637`	`log.Error("EnsureLinkExternalToUser failed: %v", err)`
`638`	`638`	`}`
`639`	`639`	`}`
Original file line number	Diff line number	Diff line change
`@@ -18,9 +18,14 @@ import (`
`18`	`18`	`"github.com/markbates/goth"`
`19`	`19`	`)`
`20`	`20`
`21`		`-func oauth2SignInSync(ctx context.Context, authSource auth.Source, u *user_model.User, gothUser goth.User) {`
	`21`	`+func oauth2SignInSync(ctx context.Context, authSourceID int64, u user_model.User, gothUser goth.User) {`
`22`	`22`	`oauth2UpdateAvatarIfNeed(ctx, gothUser.AvatarURL, u)`
`23`	`23`
	`24`	`+ authSource, err := auth.GetSourceByID(ctx, authSourceID)`
	`25`	`+ if err != nil {`
	`26`	`+ ctx.ServerError("GetSourceByID", err)`
	`27`	`+ return`
	`28`	`+ }`
`24`	`29`	`oauth2Source, _ := authSource.Cfg.(*oauth2.Source)`
`25`	`30`	`if !authSource.IsOAuth2() \|\| oauth2Source == nil {`
`26`	`31`	`ctx.ServerError("oauth2SignInSync", fmt.Errorf("source %s is not an OAuth2 source", gothUser.Provider))`
`@@ -45,7 +50,7 @@ func oauth2SignInSync(ctx context.Context, authSource auth.Source, u *user_mod`
`45`	`50`	`}`
`46`	`51`	`}`
`47`	`52`
`48`		`- err := oauth2UpdateSSHPubIfNeed(ctx, authSource, &gothUser, u)`
	`53`	`+ err = oauth2UpdateSSHPubIfNeed(ctx, authSource, &gothUser, u)`
`49`	`54`	`if err != nil {`
`50`	`55`	`log.Error("Unable to sync OAuth2 SSH public key %s: %v", gothUser.Provider, err)`
`51`	`56`	`}`