Merged
Conversation
GiteaBot
added
the
lgtm/need 2
github-actions
bot
added
modifies/api
wxiaoguang
force-pushed
the
fix-middleware-auth
branch
from
c089c57 to
af4714d
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR refactors the auth middleware to follow the principle of "let the caller decide what it needs." It introduces a new PreMiddlewareProvider concept that executes before other middlewares, allowing routes to declare their own auth options (e.g., whether OAuth2 or Basic auth should be enabled) rather than having the middleware guess based on URL path patterns.
Changes:
- Removes path-based auth detection (
authPathDetectorand related regex logic) fromservices/auth, replacing it with explicit per-route flags (CreateSession,AllowOAuth2,AllowBasic) set by callers. - Introduces
PreMiddlewareProviderinmodules/web/router.goand reworkswrapMiddlewareAndHandlerto execute pre-middlewares before normal middlewares. - Updates
routers/web/web.goto build auth groups dynamically per-request based on context flags set by route-level pre-middlewares.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
services/auth/sspi.go |
Replaces path-based session-creation guard with a CreateSession struct field |
services/auth/reverseproxy.go |
Same CreateSession field added, path detection removed |
services/auth/oauth2.go |
Removes path-based gating; OAuth2 is now always attempted when invoked |
services/auth/basic.go |
Removes path-based gating; Basic auth is now always attempted when invoked |
services/auth/auth_test.go |
Deletes tests for the removed authPathDetector |
services/auth/auth.go |
Removes authPathDetector, regex globals, and related helpers |
routers/web/web.go |
Introduces AuthMiddleware with PreMiddlewareProvider-based flags; updates route registrations |
routers/api/v1/api.go |
Removes SSPI from API auth group; adds clarifying comment |
modules/web/router_test.go |
Refactors test helpers into reusable testRecorder; adds TestPreMiddlewareProvider |
modules/web/router_path.go |
Delegates to executeMiddlewaresHandler; panics on pre-middlewares in path matcher |
modules/web/router.go |
Implements PreMiddlewareProvider, wrapMiddlewareAppendPre/Normal, refactors wrapMiddlewareAndHandler |
modules/web/handler.go |
Introduces middlewareProvider type alias and executeMiddlewaresHandler helper |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
wxiaoguang
force-pushed
the
fix-middleware-auth
branch
from
af4714d to
dc8bb42
Compare
wxiaoguang
force-pushed
the
fix-middleware-auth
branch
5 times, most recently
from
1535443 to
644a0d8
Compare
wxiaoguang
force-pushed
the
fix-middleware-auth
branch
7 times, most recently
from
61f45ae to
c1d78ed
Compare
wxiaoguang
force-pushed
the
fix-middleware-auth
branch
from
c1d78ed to
279efff
Compare
TheFox0x7
approved these changes
Mar 7, 2026
GiteaBot
added
lgtm/need 1
Member
|
Written by Claude. The recovered panic in err := fmt.Errorf("%v\n%s", recovered, log.Stack(2))
RenderPanicErrorPage(respWriter, req, err)Then combinedErr := fmt.Errorf("%w\n%s", err, log.Stack(2))The logged error will contain two stack traces — the useful one from the panic site and a redundant one from the render function. Since it's the same goroutine, the second stack just adds noise. Consider only capturing the stack at the |
Contributor
Author
A design problem due to history reasons. Ideally the panic stack should be handled in the "defer recover", but not in another function. To avoid unrelated changes in this PR, reverted to the old behavior. |
silverwind
approved these changes
Mar 8, 2026
GiteaBot
added
lgtm/done
Member
|
I see this includes a fix for #36859, edited the PR description with both refs. |
silverwind
pushed a commit
to silverwind/gitea
that referenced
this pull request
Mar 8, 2026
Principles: let the caller decide what it needs, but not let the framework (middleware) guess what it should do. Then a lot of hacky code can be removed. And some FIXMEs can be fixed. This PR introduces a new kind of middleware: "PreMiddleware", it will be executed before all other middlewares on the same routing level, then a route can declare its options for other middlewares. By the way, allow the workflow badge to be accessed by Basic or OAuth2 auth. Fixes: go-gitea#36830 Fixes: go-gitea#36859
silverwind
added a commit
to silverwind/gitea
that referenced
this pull request
Mar 8, 2026
* origin/main: Optimize Docker build with dependency layer caching (go-gitea#36864) Fix URLJoin, markup render link reoslving, sign-in/up/linkaccount page common data (go-gitea#36861) Fix CodeQL code scanning alerts (go-gitea#36858) Refactor auth middleware (go-gitea#36848) Update Nix flake (go-gitea#36857) Update JS deps (go-gitea#36850) Load `mentionValues` asynchronously (go-gitea#36739) [skip ci] Updated translations via Crowdin
silverwind
added a commit
to silverwind/gitea
that referenced
this pull request
Mar 8, 2026
* main: (26 commits) Clean up `refreshViewedFilesSummary` (go-gitea#36868) Remove `util.URLJoin` and replace all callers with direct path concatenation (go-gitea#36867) Optimize Docker build with dependency layer caching (go-gitea#36864) Fix URLJoin, markup render link reoslving, sign-in/up/linkaccount page common data (go-gitea#36861) Fix CodeQL code scanning alerts (go-gitea#36858) Refactor auth middleware (go-gitea#36848) Update Nix flake (go-gitea#36857) Update JS deps (go-gitea#36850) Load `mentionValues` asynchronously (go-gitea#36739) [skip ci] Updated translations via Crowdin Fix dbfs error handling (go-gitea#36844) Fix OAuth2 authorization code expiry and reuse handling (go-gitea#36797) Fix org permission API visibility checks for hidden members and private orgs (go-gitea#36798) Fix non-admins unable to automerge PRs from forks (go-gitea#36833) upgrade to github.com/cloudflare/circl 1.6.3, svgo 4.0.1, markdownlint-cli 0.48.0 (go-gitea#36837) Fix dump release asset bug (go-gitea#36799) build(deps): update material-icon-theme v5.32.0 (go-gitea#36832) Fix bug to check whether user can update pull request branch or rebase branch (go-gitea#36465) Fix forwarded proto handling for public URL detection (go-gitea#36810) Fix artifacts v4 backend upload problems (go-gitea#36805) ... # Conflicts: # pnpm-lock.yaml
zjjhot
added a commit
to zjjhot/gitea
that referenced
this pull request
Mar 10, 2026
* giteaofficial/main: Update minimum go version to 1.26.1, golangci-lint to 2.11.2, fix test style (go-gitea#36876) Add render cache for SVG icons (go-gitea#36863) Fix incorrect viewed files counter if reverted change was viewed (go-gitea#36819) [skip ci] Updated translations via Crowdin Clean up `refreshViewedFilesSummary` (go-gitea#36868) Remove `util.URLJoin` and replace all callers with direct path concatenation (go-gitea#36867) Optimize Docker build with dependency layer caching (go-gitea#36864) Fix URLJoin, markup render link reoslving, sign-in/up/linkaccount page common data (go-gitea#36861) Fix CodeQL code scanning alerts (go-gitea#36858) Refactor auth middleware (go-gitea#36848) Update Nix flake (go-gitea#36857) Update JS deps (go-gitea#36850) Load `mentionValues` asynchronously (go-gitea#36739) [skip ci] Updated translations via Crowdin Fix dbfs error handling (go-gitea#36844) Fix OAuth2 authorization code expiry and reuse handling (go-gitea#36797) Fix org permission API visibility checks for hidden members and private orgs (go-gitea#36798)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Principles: let the caller decide what it needs, but not let the framework (middleware) guess what it should do.
Then a lot of hacky code can be removed. And some FIXMEs can be fixed.
This PR introduces a new kind of middleware: "PreMiddleware", it will be executed before all other middlewares on the same routing level, then a route can declare its options for other middlewares.
By the way, allow the workflow badge to be accessed by Basic or OAuth2 auth.
Fixes: #36830
Fixes: #36859