Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unify two factor check #27915

Merged
merged 4 commits into from
Nov 6, 2023
Merged

Unify two factor check #27915

merged 4 commits into from
Nov 6, 2023

Conversation

KN4CK3R
Copy link
Member

@KN4CK3R KN4CK3R commented Nov 5, 2023

Fixes #27819

We have support for two factor logins with the normal web login and with basic auth. For basic auth the two factor check was implemented at three different places and you need to know that this check is necessary. This PR moves the check into the basic auth itself.

@KN4CK3R KN4CK3R added type/bug topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! backport/v1.20 This PR should be backported to Gitea 1.20 backport/v1.21 This PR should be backported to Gitea 1.21 labels Nov 5, 2023
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Nov 5, 2023
@pull-request-size pull-request-size bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Nov 5, 2023
@github-actions github-actions bot added the modifies/api This PR adds API routes or modifies them label Nov 5, 2023
Comment on lines -704 to -709
// The OAuth2 plugin is expected to be executed first, as it must ignore the user id stored
// in the session (if there is a user id stored in session other plugins might return the user
// object for that id).
//
// The Session plugin is expected to be executed second, in order to skip authentication
// for users that have already signed in.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not related but this comment does not make sense because there is no session in api routes.

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Nov 5, 2023
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Nov 5, 2023
@lunny lunny added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Nov 6, 2023
@lunny lunny enabled auto-merge (squash) November 6, 2023 05:40
@GiteaBot
Copy link
Contributor

GiteaBot commented Nov 6, 2023

@KN4CK3R please fix the merge conflicts. 🍵

@GiteaBot GiteaBot removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Nov 6, 2023
@lunny lunny added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Nov 6, 2023
@lunny lunny added this to the 1.22.0 milestone Nov 6, 2023
@lunny lunny merged commit 4f4fea7 into go-gitea:main Nov 6, 2023
25 checks passed
@GiteaBot
Copy link
Contributor

GiteaBot commented Nov 6, 2023

I was unable to create a backport for 1.20. @KN4CK3R, please send one manually. 🍵

go run ./contrib/backport 27915
...  // fix git conflicts if any
go run ./contrib/backport --continue

@GiteaBot GiteaBot added the backport/manual No power to the bots! Create your backport yourself! label Nov 6, 2023
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request Nov 6, 2023
Fixes go-gitea#27819

We have support for two factor logins with the normal web login and with
basic auth. For basic auth the two factor check was implemented at three
different places and you need to know that this check is necessary. This
PR moves the check into the basic auth itself.
@GiteaBot GiteaBot removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Nov 6, 2023
zjjhot added a commit to zjjhot/gitea that referenced this pull request Nov 6, 2023
* upstream/main:
  Fix edit topic UI (go-gitea#27925)
  Unify two factor check (go-gitea#27915)
  Revert go-gitea#27870 (go-gitea#27917)
  Fix JS NPE when viewing specific range of PR commits (go-gitea#27912)
  Install poetry dependencies with --no-root (go-gitea#27919)
  Show correct commit sha when viewing single commit diff (go-gitea#27916)
  Fix 500 when deleting a dismissed review (go-gitea#27903)
  Remove action runners on user deletion (go-gitea#27902)
  Remove SSH workaround (go-gitea#27893)
  Remove "tabindex" from some form buttons (go-gitea#27892)
  Refactor the function RemoveOrgUser (go-gitea#27582)
  Fix DownloadFunc when migrating releases (go-gitea#27887)
KN4CK3R added a commit to KN4CK3R/gitea that referenced this pull request Nov 6, 2023
Fixes go-gitea#27819

We have support for two factor logins with the normal web login and with
basic auth. For basic auth the two factor check was implemented at three
different places and you need to know that this check is necessary. This
PR moves the check into the basic auth itself.
KN4CK3R added a commit that referenced this pull request Nov 6, 2023
Backport #27915 by @KN4CK3R

Fixes #27819

We have support for two factor logins with the normal web login and with
basic auth. For basic auth the two factor check was implemented at three
different places and you need to know that this check is necessary. This
PR moves the check into the basic auth itself.

Co-authored-by: KN4CK3R <[email protected]>
silverwind pushed a commit that referenced this pull request Nov 6, 2023
Backport of #27915

Fixes #27819

We have support for two factor logins with the normal web login and with
basic auth. For basic auth the two factor check was implemented at three
different places and you need to know that this check is necessary. This
PR moves the check into the basic auth itself.
@KN4CK3R KN4CK3R deleted the fix-otp branch November 11, 2023 21:43
@lng2020 lng2020 added backport/done All backports for this PR have been created and removed backport/manual No power to the bots! Create your backport yourself! labels Nov 12, 2023
fuxiaohei pushed a commit to fuxiaohei/gitea that referenced this pull request Jan 17, 2024
Fixes go-gitea#27819

We have support for two factor logins with the normal web login and with
basic auth. For basic auth the two factor check was implemented at three
different places and you need to know that this check is necessary. This
PR moves the check into the basic auth itself.
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Feb 4, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
backport/done All backports for this PR have been created backport/v1.20 This PR should be backported to Gitea 1.20 backport/v1.21 This PR should be backported to Gitea 1.21 lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/api This PR adds API routes or modifies them size/L Denotes a PR that changes 100-499 lines, ignoring generated files. topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/bug
Projects
None yet
Development

Successfully merging this pull request may close these issues.

docker login seems to succeed with basic auth even when 2FA is enabled
6 participants