Skip to content

Move reverproxyauth before session so the header will not be ignored even if user has login #27821

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
May 11, 2024
Merged

Move reverproxyauth before session so the header will not be ignored even if user has login #27821

merged 4 commits into from
May 11, 2024

Conversation

lunny
Copy link
Member

@lunny lunny commented Oct 28, 2023

When a user logout and then login another user, the reverseproxy auth should be checked before session otherwise the old user is still login.

@lunny lunny added type/bug backport/v1.20 This PR should be backported to Gitea 1.20 backport/v1.21 This PR should be backported to Gitea 1.21 labels Oct 28, 2023
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Oct 28, 2023
@KN4CK3R
Copy link
Member

KN4CK3R commented Oct 29, 2023

Isn't that handled by that code?

gitea/services/auth/reverseproxy.go

Lines 119 to 124 in b36e2ca

// Make sure requests to API paths, attachment downloads, git and LFS do not create a new session
if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawOrAttachOrLFSPath(req) {
if sess != nil && (sess.Get("uid") == nil || sess.Get("uid").(int64) != user.ID) {
handleSignIn(w, req, sess, user)
}
}

@lunny
Copy link
Member Author

lunny commented Oct 30, 2023

Isn't that handled by that code?

gitea/services/auth/reverseproxy.go

Lines 119 to 124 in b36e2ca

// Make sure requests to API paths, attachment downloads, git and LFS do not create a new session
if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawOrAttachOrLFSPath(req) {
if sess != nil && (sess.Get("uid") == nil || sess.Get("uid").(int64) != user.ID) {
handleSignIn(w, req, sess, user)
}
}

Not yet. When user hasn't been log out and the reverseproxy send a new user's header. In previous code, Gitea think it has login when checking session and will not check the header any more.

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Nov 2, 2023
@lunny lunny added this to the 1.23.0 milestone Apr 9, 2024
@lunny lunny added backport/v1.22 This PR should be backported to Gitea 1.22 and removed backport/v1.20 This PR should be backported to Gitea 1.20 labels Apr 9, 2024
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels May 11, 2024
@lunny lunny added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label May 11, 2024
@github-actions github-actions bot added the modifies/go Pull requests that update Go code label May 11, 2024
@lunny lunny enabled auto-merge (squash) May 11, 2024 14:17
@lunny lunny merged commit 26ae592 into go-gitea:main May 11, 2024
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request May 11, 2024
@lunny @GiteaBot
Move reverproxyauth before session so the header will not be ignored …
af9d97f 
…even if user has login (go-gitea#27821)

When a user logout and then login another user, the reverseproxy auth
should be checked before session otherwise the old user is still login.
@GiteaBot GiteaBot mentioned this pull request May 11, 2024
Merged
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request May 11, 2024
@lunny @GiteaBot
Move reverproxyauth before session so the header will not be ignored …
a5f10c5 
…even if user has login (go-gitea#27821)

When a user logout and then login another user, the reverseproxy auth
should be checked before session otherwise the old user is still login.
@GiteaBot GiteaBot mentioned this pull request May 11, 2024
Merged
@GiteaBot GiteaBot removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label May 11, 2024
lunny added a commit that referenced this pull request May 12, 2024
@GiteaBot @lunny
Move reverproxyauth before session so the header will not be ignored …
14dc00a 
…even if user has login (#27821) (#30948)

Backport #27821 by @lunny

When a user logout and then login another user, the reverseproxy auth
should be checked before session otherwise the old user is still login.

Co-authored-by: Lunny Xiao <[email protected]>
lunny added a commit that referenced this pull request May 12, 2024
@GiteaBot @lunny
Move reverproxyauth before session so the header will not be ignored …
33d4d32 
…even if user has login (#27821) (#30947)

Backport #27821 by @lunny

When a user logout and then login another user, the reverseproxy auth
should be checked before session otherwise the old user is still login.

Co-authored-by: Lunny Xiao <[email protected]>
zjjhot added a commit to zjjhot/gitea that referenced this pull request May 13, 2024
@zjjhot
Merge remote-tracking branch 'giteaofficial/main'
ad89474 
* giteaofficial/main:
  [skip ci] Updated licenses and gitignores
  Fix file path width in repo non-homepage view (go-gitea#30951)
  Enable `declaration-block-no-redundant-longhand-properties` (go-gitea#30950)
  [skip ci] Updated translations via Crowdin
  Move reverproxyauth before session so the header will not be ignored even if user has login (go-gitea#27821)
  Use CSS `inset` shorthand (go-gitea#30939)
  Remove If Exist check on migration for mssql because that syntax required SQL server 2016 (go-gitea#30894)
  Update JS dependencies, add new eslint rules (go-gitea#30840)
  Fix some UI regressions for commit list (go-gitea#30920)
  Forbid deprecated `break-word` in CSS (go-gitea#30934)
  Check if reverse proxy is correctly configured (go-gitea#30890)
  Remove deprecated stuff for runners (go-gitea#30930)
@yardenshoham yardenshoham added the backport/done All backports for this PR have been created label May 17, 2024
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Aug 9, 2024
@wxiaoguang wxiaoguang deleted the lunny/move_reverproxy_before_session branch April 10, 2025 14:45
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@silverwind silverwind silverwind approved these changes

@wxiaoguang wxiaoguang wxiaoguang approved these changes

Assignees
No one assigned
Labels
backport/done All backports for this PR have been created backport/v1.21 This PR should be backported to Gitea 1.21 backport/v1.22 This PR should be backported to Gitea 1.22 lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/go Pull requests that update Go code type/bug
Projects
None yet
Milestone
1.23.0
Development

Successfully merging this pull request may close these issues.
6 participants
@lunny @KN4CK3R @silverwind @wxiaoguang @yardenshoham @GiteaBot