loading up the forgejo repo on tangled to test page performance
0
fork

Configure Feed

Select the types of activity you want to include in your feed.

Add reverseproxy auth for API back with default disabled (#26703)

This feature was removed by #22219 to avoid possible CSRF attack.

This PR takes reverseproxy auth for API back but with default disabled.

To prevent possbile CSRF attack, the responsibility will be the
reverseproxy but not Gitea itself.

For those want to enable this `ENABLE_REVERSE_PROXY_AUTHENTICATION_API`,
they should know what they are doing.

---------

Co-authored-by: Giteabot <teabot@gitea.io>

authored by

Lunny Xiao
Giteabot
and committed by
GitHub
e97e883a 12212215

+14 -3
+2
custom/conf/app.example.ini
··· 759 759 ;; 760 760 ;; More detail: https://github.com/gogits/gogs/issues/165 761 761 ;ENABLE_REVERSE_PROXY_AUTHENTICATION = false 762 + ; Enable this to allow reverse proxy authentication for API requests, the reverse proxy is responsible for ensuring that no CSRF is possible. 763 + ;ENABLE_REVERSE_PROXY_AUTHENTICATION_API = false 762 764 ;ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false 763 765 ;ENABLE_REVERSE_PROXY_EMAIL = false 764 766 ;ENABLE_REVERSE_PROXY_FULL_NAME = false
+2 -1
docs/content/administration/config-cheat-sheet.en-us.md
··· 621 621 BASIC and the user's password. Please note if you disable this you will not be able to access the 622 622 tokens API endpoints using a password. Further, this only disables BASIC authentication using the 623 623 password - not tokens or OAuth Basic. 624 - - `ENABLE_REVERSE_PROXY_AUTHENTICATION`: **false**: Enable this to allow reverse proxy authentication. 624 + - `ENABLE_REVERSE_PROXY_AUTHENTICATION`: **false**: Enable this to allow reverse proxy authentication for web requests 625 + - `ENABLE_REVERSE_PROXY_AUTHENTICATION_API`: **false**: Enable this to allow reverse proxy authentication for API requests, the reverse proxy is responsible for ensuring that no CSRF is possible. 625 626 - `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION`: **false**: Enable this to allow auto-registration 626 627 for reverse authentication. 627 628 - `ENABLE_REVERSE_PROXY_EMAIL`: **false**: Enable this to allow to auto-registration with a
+2
modules/setting/service.go
··· 46 46 EnableNotifyMail bool 47 47 EnableBasicAuth bool 48 48 EnableReverseProxyAuth bool 49 + EnableReverseProxyAuthAPI bool 49 50 EnableReverseProxyAutoRegister bool 50 51 EnableReverseProxyEmail bool 51 52 EnableReverseProxyFullName bool ··· 157 158 Service.RequireSignInView = sec.Key("REQUIRE_SIGNIN_VIEW").MustBool() 158 159 Service.EnableBasicAuth = sec.Key("ENABLE_BASIC_AUTHENTICATION").MustBool(true) 159 160 Service.EnableReverseProxyAuth = sec.Key("ENABLE_REVERSE_PROXY_AUTHENTICATION").MustBool() 161 + Service.EnableReverseProxyAuthAPI = sec.Key("ENABLE_REVERSE_PROXY_AUTHENTICATION_API").MustBool() 160 162 Service.EnableReverseProxyAutoRegister = sec.Key("ENABLE_REVERSE_PROXY_AUTO_REGISTRATION").MustBool() 161 163 Service.EnableReverseProxyEmail = sec.Key("ENABLE_REVERSE_PROXY_EMAIL").MustBool() 162 164 Service.EnableReverseProxyFullName = sec.Key("ENABLE_REVERSE_PROXY_FULL_NAME").MustBool()
+8 -2
routers/api/v1/api.go
··· 333 333 } 334 334 } 335 335 336 - func reqBasicAuth() func(ctx *context.APIContext) { 336 + func reqBasicOrRevProxyAuth() func(ctx *context.APIContext) { 337 337 return func(ctx *context.APIContext) { 338 + if ctx.IsSigned && setting.Service.EnableReverseProxyAuthAPI && ctx.Data["AuthedMethod"].(string) == auth.ReverseProxyMethodName { 339 + return 340 + } 338 341 if !ctx.IsBasicAuth { 339 342 ctx.Error(http.StatusUnauthorized, "reqBasicAuth", "auth required") 340 343 return ··· 698 701 &auth.HTTPSign{}, 699 702 &auth.Basic{}, // FIXME: this should be removed once we don't allow basic auth in API 700 703 ) 704 + if setting.Service.EnableReverseProxyAuthAPI { 705 + group.Add(&auth.ReverseProxy{}) 706 + } 701 707 specialAdd(group) 702 708 703 709 return group ··· 800 806 m.Combo("").Get(user.ListAccessTokens). 801 807 Post(bind(api.CreateAccessTokenOption{}), reqToken(), user.CreateAccessToken) 802 808 m.Combo("/{id}").Delete(reqToken(), user.DeleteAccessToken) 803 - }, reqBasicAuth()) 809 + }, reqBasicOrRevProxyAuth()) 804 810 805 811 m.Get("/activities/feeds", user.ListUserActivityFeeds) 806 812 }, context_service.UserAssignmentAPI())