From 4dcd3ea783b963f26bee5539466d539a152726ea Mon Sep 17 00:00:00 2001
From: Christopher Homberger
Date: Sun, 8 Feb 2026 17:56:16 +0100
Subject: [PATCH 1/2] Refactor merge conan and container Auth preserve Actions taskID
* Remove duplicated code
* Allow further ActionsUser package permission checks
---
 routers/api/packages/api.go | 4 +-
 routers/api/packages/{container => }/auth.go | 18 +++++---
 routers/api/packages/conan/auth.go | 45 --------------------
 services/packages/auth.go | 11 +++--
 4 files changed, 21 insertions(+), 57 deletions(-)
 rename routers/api/packages/{container => }/auth.go (70%)
 delete mode 100644 routers/api/packages/conan/auth.go
diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go
index f6ee5958b5bb9..3b657dda507c5 100644
--- a/routers/api/packages/api.go
+++ b/routers/api/packages/api.go
@@ -117,7 +117,7 @@ func CommonRoutes() *web.Router {
 &auth.OAuth2{},
 &auth.Basic{},
 &nuget.Auth{},
- &conan.Auth{},
+ &Auth{},
 &chef.Auth{},
 })
@@ -537,7 +537,7 @@ func ContainerRoutes() *web.Router {
 verifyAuth(r, []auth.Method{
 &auth.Basic{},
- &container.Auth{},
+ &Auth{},
 })
 // TODO: Content Discovery / References (not implemented yet)
diff --git a/routers/api/packages/container/auth.go b/routers/api/packages/auth.go
similarity index 70%
rename from routers/api/packages/container/auth.go
rename to routers/api/packages/auth.go
index 19a931c4057c3..7887a43c7ca5a 100644
--- a/routers/api/packages/container/auth.go
+++ b/routers/api/packages/auth.go
@@ -1,7 +1,7 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2026 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
-package container
+package packages
 import (
 "net/http"
@@ -14,10 +14,11 @@ import (
 var _ auth.Method = &Auth{}
+// conan and container auth
 type Auth struct{}
 func (a *Auth) Name() string {
- return "container"
+ return "packages"
 }
 // Verify extracts the user from the Bearer token
@@ -33,9 +34,14 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS
 return nil, nil
 }
- u, err := user_model.GetPossibleUserByID(req.Context(), packageMeta.UserID)
- if err != nil {
- return nil, err
+ var u *user_model.User
+ if packageMeta.UserID == user_model.ActionsUserID {
+ u = user_model.NewActionsUserWithTaskID(packageMeta.ActionsUserTaskID)
+ } else {
+ u, err = user_model.GetPossibleUserByID(req.Context(), packageMeta.UserID)
+ if err != nil {
+ return nil, err
+ }
 }
 if packageMeta.Scope != "" {
diff --git a/routers/api/packages/conan/auth.go b/routers/api/packages/conan/auth.go
deleted file mode 100644
index bce3235a2eaf4..0000000000000
--- a/routers/api/packages/conan/auth.go
+++ /dev/null
@@ -1,45 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package conan
-
-import (
- "net/http"
-
- user_model "code.gitea.io/gitea/models/user"
- "code.gitea.io/gitea/modules/log"
- "code.gitea.io/gitea/services/auth"
- "code.gitea.io/gitea/services/packages"
-)
-
-var _ auth.Method = &Auth{}
-
-type Auth struct{}
-
-func (a *Auth) Name() string {
- return "conan"
-}
-
-// Verify extracts the user from the Bearer token
-func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataStore, sess auth.SessionStore) (*user_model.User, error) {
- packageMeta, err := packages.ParseAuthorizationRequest(req)
- if err != nil {
- log.Trace("ParseAuthorizationToken: %v", err)
- return nil, err
- }
-
- if packageMeta == nil || packageMeta.UserID == 0 {
- return nil, nil
- }
-
- u, err := user_model.GetUserByID(req.Context(), packageMeta.UserID)
- if err != nil {
- return nil, err
- }
- if packageMeta.Scope != "" {
- store.GetData()["IsApiToken"] = true
- store.GetData()["ApiTokenScope"] = packageMeta.Scope
- }
-
- return u, nil
-}
diff --git a/services/packages/auth.go b/services/packages/auth.go
index 6e87643e29b38..6fcc408adc407 100644
--- a/services/packages/auth.go
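Review bot: In the new `ActionsUserID` branch of Verify, the task ID is read straight from the token claim, so a token that carries no `ActionsUserTaskID` (for example one issued before the field existed) would decode to 0 and be handed to `NewActionsUserWithTaskID(0)`. Whether a zero task ID is treated downstream as "no task" is not visible in this hunk, so it is worth stating on the branch, e.g. `// ActionsUserTaskID may be 0 (token minted without a task); permission checks must treat 0 as "no task"`. If a zero ID is never expected for the Actions user, returning `nil, nil` for it would be the stricter choice. Verify's body starts and continues outside the hunk.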
+++ b/services/packages/auth.go
@@ -23,21 +23,24 @@ type packageClaims struct {
 PackageMeta
 }
 type PackageMeta struct {
- UserID int64
- Scope auth_model.AccessTokenScope
+ UserID int64
+ Scope auth_model.AccessTokenScope
+ ActionsUserTaskID int64
 }
 func CreateAuthorizationToken(u *user_model.User, packageScope auth_model.AccessTokenScope) (string, error) {
 now := time.Now()
+ actionsUserTaskID, _ := user_model.GetActionsUserTaskID(u)
 claims := packageClaims{
 RegisteredClaims: jwt.RegisteredClaims{
 ExpiresAt: jwt.NewNumericDate(now.Add(24 * time.Hour)),
 NotBefore: jwt.NewNumericDate(now),
 },
 PackageMeta: PackageMeta{
- UserID: u.ID,
- Scope: packageScope,
+ UserID: u.ID,
+ Scope: packageScope,
+ ActionsUserTaskID: actionsUserTaskID,
 },
 }
 token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
From 72d29d825db504b6f402d735fd492e432f623f64 Mon Sep 17 00:00:00 2001
From: wxiaoguang
Date: Mon, 9 Feb 2026 05:37:38 +0800
Subject: [PATCH 2/2] fix comments
---
 routers/api/packages/api.go | 3 ++-
 routers/api/packages/auth.go | 19 +++++++++++++------
 2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go
index 3b657dda507c5..71fee23c920f2 100644
--- a/routers/api/packages/api.go
+++ b/routers/api/packages/api.go
@@ -537,7 +537,8 @@ func ContainerRoutes() *web.Router {
 verifyAuth(r, []auth.Method{
 &auth.Basic{},
- &Auth{},
+ // container auth requires an token, so container.Authenticate issues a Ghost user token for anonymous access
+ &Auth{AllowGhostUser: true},
 })
 // TODO: Content Discovery / References (not implemented yet)
diff --git a/routers/api/packages/auth.go b/routers/api/packages/auth.go
index 7887a43c7ca5a..b7bf3812413df 100644
--- a/routers/api/packages/auth.go
+++ b/routers/api/packages/auth.go
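Review bot: In CreateAuthorizationToken the second return value of `GetActionsUserTaskID(u)` is discarded, and the task ID is then signed into a claim that stays valid for the 24-hour `ExpiresAt` set a few lines below. If that second value only reports whether `u` is an Actions user with a task, dropping it is harmless, but the token can plausibly outlive the job it was minted for. Anything that later authorises on `ActionsUserTaskID` should therefore confirm the task is still running rather than trust the claim alone. A comment on the new field would record this: `// ActionsUserTaskID is the Actions task the token was issued to (0 otherwise); re-validate the task before granting task-scoped access`. The function continues past the end of the hunk.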
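Review bot: The comment added above `&Auth{AllowGhostUser: true}` in ContainerRoutes has a typo ("an token") and does not say that the flag is left off for the CommonRoutes list, which still uses `&Auth{}`. Suggested wording: `// container auth always requires a token, so container.Authenticate issues a Ghost user token for anonymous access; only this route set accepts it`.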
@@ -14,15 +14,16 @@ import (
 var _ auth.Method = &Auth{}
-// conan and container auth
-type Auth struct{}
+// Auth is for conan and container
+type Auth struct {
+ AllowGhostUser bool
+}
 func (a *Auth) Name() string {
 return "packages"
 }
 // Verify extracts the user from the Bearer token
-// If it's an anonymous session, a ghost user is returned
 func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataStore, sess auth.SessionStore) (*user_model.User, error) {
 packageMeta, err := packages.ParseAuthorizationRequest(req)
 if err != nil {
@@ -35,10 +36,16 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS
 }
 var u *user_model.User
- if packageMeta.UserID == user_model.ActionsUserID {
+ switch packageMeta.UserID {
+ case user_model.GhostUserID:
+ if !a.AllowGhostUser {
+ return nil, nil
+ }
+ u = user_model.NewGhostUser()
+ case user_model.ActionsUserID:
 u = user_model.NewActionsUserWithTaskID(packageMeta.ActionsUserTaskID)
- } else {
- u, err = user_model.GetPossibleUserByID(req.Context(), packageMeta.UserID)
+ default:
+ u, err = user_model.GetUserByID(req.Context(), packageMeta.UserID)
 if err != nil {
 return nil, err
 }
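Review bot: The exported field `AllowGhostUser` is added to `Auth` without a doc comment, and the Verify comment loses its sentence about anonymous sessions even though the ghost path still exists behind this flag. Because the zero value decides whether an anonymous token is honoured, the field should say so, e.g. `// AllowGhostUser makes Verify accept a token issued to the Ghost user (anonymous access); when false such a token authenticates nobody`. `Name` could get a one-line doc comment at the same time. Verify's body continues outside the hunk.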
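Review bot: In the `GhostUserID` case a refused ghost token returns `nil, nil`, which a caller cannot tell apart from a request that carried no token at all, so the request presumably falls through to the next auth method as unauthenticated. If that is the intent, a comment on the early return would make it explicit: `// a Ghost token is only honoured where anonymous tokens are issued; elsewhere fall through as unauthenticated`. Separately, the `default` case now resolves the ID with `GetUserByID`, and nothing in this hunk checks that the account is still allowed to sign in. It is worth confirming that the caller does, since the token stays valid after it is issued. The switch is closed outside the hunk.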