Fix URL related escaping for oauth2 #37334
Merged
wxiaoguang merged 3 commits into go-gitea:main from Apr 21, 2026
silverwind
reviewed
Apr 21, 2026
Pull request overview
This PR fixes inconsistent URL escaping for OAuth2 auth source names when used as URL path segments, aligning frontend, templates, and backend routing/lookup behavior and adding tests to cover special-character cases.
Changes:
- Switch OAuth2 provider links/callback URL generation from query-escaping to path-escaping (spaces → `%20`, consistent handling of `+`, `'`, etc.).
- Add/adjust frontend and backend tests to lock in escaping behavior for query vs path components.
- Treat “OAuth2 source not found” as a not-exist error so it can be handled as a 404 instead of a 500.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| web_src/js/utils/url.ts | Adds urlQueryEscape and pathEscape, and updates pathEscapeSegments to match backend escaping semantics. |
| web_src/js/utils/url.test.ts | Adds unit tests for query/path escaping and segment escaping cases (space/plus). |
| web_src/js/utils.ts | Removes urlQueryEscape from the generic utils module (relocated to utils/url.ts). |
| web_src/js/utils.test.ts | Removes urlQueryEscape test/import now that function moved. |
| web_src/js/features/admin/common.ts | Uses path escaping when showing the OAuth2 callback URL on the admin auth source page. |
| tests/integration/oauth_test.go | Expands integration coverage for OAuth source names with spaces/plus and verifies rendered login links. |
| templates/user/settings/security/accountlinks.tmpl | Path-escapes OAuth2 source names when generating account-link URLs. |
| templates/user/auth/external_auth_methods.tmpl | Path-escapes OAuth2 provider display names in login links. |
| services/context/context_response.go | Adds ErrNotExist→404 handling in ServerError and changes 404 plaintext body behavior. |
| services/context/base_path.go | Adds SetPathParamRaw for pre-escaped route params (primarily useful for tests). |
| routers/web/auth/oauth.go | Decodes provider using PathParam (path-unescape) rather than query-unescape. |
| routers/web/auth/auth_test.go | Updates OAuth2 auth tests for special characters and raw path-param setting. |
| routers/web/auth/auth.go | Uses url.PathEscape for OAuth2 provider path generation during auto-redirect. |
| modules/util/util_test.go | Adds a backend test for PathEscapeSegments behavior (space/plus). |
| modules/templates/helper_test.go | Adds reference tests for Go’s QueryEscape vs PathEscape outputs. |
| models/auth/oauth2.go | Returns util.NewNotExistErrorf when an OAuth2 source name isn’t found. |
Contributor
Author
Should be 100% correct now.
silverwind
reviewed
Apr 21, 2026
silverwind
reviewed
Apr 21, 2026
silverwind
approved these changes
Apr 21, 2026
Member
And btw sorry for the invalid reviews from GPT-5.4. This was an experiment. It took like 10 times as long as Claude would and produced shitty results, so I will be more careful reviewing with that model in the future.
bircni
approved these changes
Apr 21, 2026
Follow up #37327. See the comments.
Now, the frontend `pathEscape` and `pathEscapeSegments` generate exactly the same result as the backend.
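
The query-versus-path escaping mismatch discussed in this PR, shown with Go's standard library as an added example (not code from the PR or from Gitea). The source names are constructed, and `CallbackPath`, `EscapeSegments` and the `/user/oauth2/.../callback` layout are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// codec pairs an escaper with its matching unescaper.
type codec struct {
	name     string
	escape   func(string) string
	unescape func(string) (string, error)
}

var (
	queryCodec = codec{"query", url.QueryEscape, url.QueryUnescape}
	pathCodec  = codec{"path", url.PathEscape, url.PathUnescape}
)

// Decoded returns the name a handler sees when the link was built with enc
// and the route parameter is decoded with dec ("" on a malformed escape).
func Decoded(enc, dec codec, name string) string {
	s, err := dec.unescape(enc.escape(name))
	if err != nil {
		return ""
	}
	return s
}

// CallbackPath places a source name into a single path segment
// (hypothetical route layout, assumed for this example).
func CallbackPath(source string) string {
	return "/user/oauth2/" + url.PathEscape(source) + "/callback"
}

// EscapeSegments path-escapes every "/"-separated segment and keeps the
// separators (illustrative helper, not the project's implementation).
func EscapeSegments(p string) string {
	parts := strings.Split(p, "/")
	for i := range parts {
		parts[i] = url.PathEscape(parts[i])
	}
	return strings.Join(parts, "/")
}

func main() {
	for _, name := range []string{"My Provider", "a+b", "it's", "a/b"} { // constructed names
		for _, enc := range []codec{queryCodec, pathCodec} {
			fmt.Printf("%-12q %s-escaped %-16q path-decoded %q\n",
				name, enc.name, enc.escape(name), Decoded(enc, pathCodec, name))
		}
	}
	fmt.Println(CallbackPath("My Provider+SSO"), EscapeSegments("a b/c+d"))
}
```

Only the path/path pairing returns the original name for every input; mixing the two codecs turns a space into a literal `+` or a `+` into a space, so the lookup by source name fails.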