From 51ea53359c69175e0cea3608db17cbb404bb1f4a Mon Sep 17 00:00:00 2001
From: Matti Ranta <matti@mdranta.net>
Date: Thu, 18 Apr 2019 18:15:00 -0400
Subject: [PATCH 01/10] API OTP Context
---
modules/context/api.go | 22 ++++++++++++++++++++++
routers/api/v1/api.go | 9 ++++++---
2 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/modules/context/api.go b/modules/context/api.go
index 7e43d1f6bcac2..9987dcef6aad5 100644
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -114,6 +114,28 @@ func (ctx *APIContext) RequireCSRF() {
}
}
+// RequireCSRF requires a validated a CSRF token
+func (ctx *APIContext) CheckForOTP() {
+ otpHeader := ctx.Req.Header.Get("X-Gitea-OTP")
+ twofa, err := models.GetTwoFactorByUID(ctx.Context.User.ID)
+ if err != nil {
+ if models.IsErrTwoFactorNotEnrolled(err) {
+ return // No 2FA enrollment for this user
+ }
+ ctx.Context.Error(500)
+ return
+ }
+ ok, err := twofa.ValidateTOTP(otpHeader)
+ if err != nil {
+ ctx.Context.Error(500)
+ return
+ }
+ if !ok {
+ ctx.Context.Error(401)
+ return
+ }
+}
+
// APIContexter returns apicontext as macaron middleware
func APIContexter() macaron.Handler {
return func(c *Context) {
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 8418ab94a1d89..b3339d00bc398 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -170,10 +170,12 @@ func repoAssignment() macaron.Handler {
func reqToken() macaron.Handler {
return func(ctx *context.APIContext) {
if true == ctx.Data["IsApiToken"] {
+ ctx.CheckForOTP()
return
}
if ctx.IsSigned {
ctx.RequireCSRF()
+ ctx.CheckForOTP()
return
}
ctx.Context.Error(401)
@@ -181,11 +183,12 @@ func reqToken() macaron.Handler {
}
func reqBasicAuth() macaron.Handler {
- return func(ctx *context.Context) {
- if !ctx.IsBasicAuth {
- ctx.Error(401)
+ return func(ctx *context.APIContext) {
+ if !ctx.Context.IsBasicAuth {
+ ctx.Context.Error(401)
return
}
+ ctx.CheckForOTP()
}
}
From 4a32ce7ab0bd4c9cb3dc8b613915ab635783345e Mon Sep 17 00:00:00 2001
From: techknowlogick <techknowlogick@gitea.io>
Date: Thu, 18 Apr 2019 18:19:06 -0400
Subject: [PATCH 02/10] Update api.go
---
modules/context/api.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/context/api.go b/modules/context/api.go
index 9987dcef6aad5..cbabfe40e1865 100644
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -114,7 +114,7 @@ func (ctx *APIContext) RequireCSRF() {
}
}
-// RequireCSRF requires a validated a CSRF token
+// CheckForOTP validateds OTP
func (ctx *APIContext) CheckForOTP() {
otpHeader := ctx.Req.Header.Get("X-Gitea-OTP")
twofa, err := models.GetTwoFactorByUID(ctx.Context.User.ID)
From fd82b2c013826ebacd8809ec7024b597c70e9bb4 Mon Sep 17 00:00:00 2001
From: Matti Ranta <matti@mdranta.net>
Date: Thu, 18 Apr 2019 18:35:10 -0400
Subject: [PATCH 03/10] token
---
modules/auth/auth.go | 1 -
modules/context/api.go | 3 +++
routers/api/v1/api.go | 2 +-
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/modules/auth/auth.go b/modules/auth/auth.go
index c9e5c44da55b4..4d43c69eb9b91 100644
--- a/modules/auth/auth.go
+++ b/modules/auth/auth.go
@@ -216,7 +216,6 @@ func SignedInUser(ctx *macaron.Context, sess session.Store) (*models.User, bool)
}
}
- ctx.Data["IsApiToken"] = true
return u, true
}
}
diff --git a/modules/context/api.go b/modules/context/api.go
index cbabfe40e1865..ef5ceab7dbadc 100644
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -116,6 +116,9 @@ func (ctx *APIContext) RequireCSRF() {
// CheckForOTP validateds OTP
func (ctx *APIContext) CheckForOTP() {
+ if ctx.Data["IsApiToken"] == true {
+ return
+ }
otpHeader := ctx.Req.Header.Get("X-Gitea-OTP")
twofa, err := models.GetTwoFactorByUID(ctx.Context.User.ID)
if err != nil {
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index b3339d00bc398..c4eb73980be4d 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -169,7 +169,7 @@ func repoAssignment() macaron.Handler {
// Contexter middleware already checks token for user sign in process.
func reqToken() macaron.Handler {
return func(ctx *context.APIContext) {
- if true == ctx.Data["IsApiToken"] {
+ if true == ctx.Data["IsApiToken"] || ctx.Context.IsBasicAuth {
ctx.CheckForOTP()
return
}
From ec0b076ff32dbd257355a04fd279bc58013c2f11 Mon Sep 17 00:00:00 2001
From: Matti Ranta <matti@mdranta.net>
Date: Thu, 18 Apr 2019 18:50:52 -0400
Subject: [PATCH 04/10] token
---
modules/auth/auth.go | 2 ++
1 file changed, 2 insertions(+)
diff --git a/modules/auth/auth.go b/modules/auth/auth.go
index 4d43c69eb9b91..5f6ff75dd8a07 100644
--- a/modules/auth/auth.go
+++ b/modules/auth/auth.go
@@ -214,6 +214,8 @@ func SignedInUser(ctx *macaron.Context, sess session.Store) (*models.User, bool)
}
return nil, false
}
+ } else {
+ ctx.Data["IsApiToken"] = true
}
return u, true
From bb406ac8c16a4c99bf574da1347309e0ba01b2c5 Mon Sep 17 00:00:00 2001
From: Matti Ranta <matti@mdranta.net>
Date: Thu, 18 Apr 2019 22:26:07 -0400
Subject: [PATCH 05/10] fix per discord
---
modules/context/auth.go | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/modules/context/auth.go b/modules/context/auth.go
index ca897de6edfc0..4f8bb7aa368e2 100644
--- a/modules/context/auth.go
+++ b/modules/context/auth.go
@@ -5,6 +5,7 @@
package context
import (
+ "code.gitea.io/gitea/models"
"code.gitea.io/gitea/modules/auth"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
@@ -88,6 +89,28 @@ func Toggle(options *ToggleOptions) macaron.Handler {
ctx.HTML(200, "user/auth/activate")
return
}
+ if ctx.IsSigned && auth.IsAPIPath(ctx.Req.URL.Path) && ctx.IsBasicAuth {
+ twofa, err := models.GetTwoFactorByUID(ctx.User.ID)
+ if err != nil {
+ if models.IsErrTwoFactorNotEnrolled(err) {
+ return // No 2FA enrollment for this user
+ }
+ ctx.Error(500)
+ return
+ }
+ otpHeader := ctx.Req.Header.Get("X-Gitea-OTP")
+ ok, err := twofa.ValidateTOTP(otpHeader)
+ if err != nil {
+ ctx.Error(500)
+ return
+ }
+ if !ok {
+ ctx.JSON(403, map[string]string{
+ "message": "Only signed in user is allowed to call APIs.",
+ })
+ return
+ }
+ }
}
// Redirect to log in page if auto-signin info is provided and has not signed in.
From 2d44b8b32f202c3fbcfac1ad603b637744f15ea3 Mon Sep 17 00:00:00 2001
From: Matti Ranta <matti@mdranta.net>
Date: Thu, 18 Apr 2019 22:27:59 -0400
Subject: [PATCH 06/10] copyright header
---
modules/context/auth.go | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules/context/auth.go b/modules/context/auth.go
index 4f8bb7aa368e2..3cd03801623f8 100644
--- a/modules/context/auth.go
+++ b/modules/context/auth.go
@@ -1,4 +1,5 @@
// Copyright 2014 The Gogs Authors. All rights reserved.
+// Copyright 2019 The Gogs Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
From e06b9ba3f78a67ff5f365dab692cea30fc4bfd56 Mon Sep 17 00:00:00 2001
From: techknowlogick <hello@techknowlogick.com>
Date: Thu, 18 Apr 2019 23:52:28 -0400
Subject: [PATCH 07/10] remove check for token in OTP
---
modules/context/api.go | 3 ---
1 file changed, 3 deletions(-)
diff --git a/modules/context/api.go b/modules/context/api.go
index ef5ceab7dbadc..cbabfe40e1865 100644
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -116,9 +116,6 @@ func (ctx *APIContext) RequireCSRF() {
// CheckForOTP validateds OTP
func (ctx *APIContext) CheckForOTP() {
- if ctx.Data["IsApiToken"] == true {
- return
- }
otpHeader := ctx.Req.Header.Get("X-Gitea-OTP")
twofa, err := models.GetTwoFactorByUID(ctx.Context.User.ID)
if err != nil {
From f3fa3e7d58f5fabefa3d0b17d1528ef4c438ffc7 Mon Sep 17 00:00:00 2001
From: techknowlogick <hello@techknowlogick.com>
Date: Thu, 18 Apr 2019 23:53:19 -0400
Subject: [PATCH 08/10] Update auth.go
---
modules/context/auth.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/context/auth.go b/modules/context/auth.go
index 3cd03801623f8..772403bda9be9 100644
--- a/modules/context/auth.go
+++ b/modules/context/auth.go
@@ -1,5 +1,5 @@
// Copyright 2014 The Gogs Authors. All rights reserved.
-// Copyright 2019 The Gogs Authors. All rights reserved.
+// Copyright 2019 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
From ab64336a7926f6caef9e5926f21f94a3cf6e0381 Mon Sep 17 00:00:00 2001
From: techknowlogick <techknowlogick@gitea.io>
Date: Thu, 18 Apr 2019 23:55:31 -0400
Subject: [PATCH 09/10] simplify
---
routers/api/v1/api.go | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index c4eb73980be4d..4f1476abff23b 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -169,13 +169,14 @@ func repoAssignment() macaron.Handler {
// Contexter middleware already checks token for user sign in process.
func reqToken() macaron.Handler {
return func(ctx *context.APIContext) {
- if true == ctx.Data["IsApiToken"] || ctx.Context.IsBasicAuth {
- ctx.CheckForOTP()
+ if true == ctx.Data["IsApiToken"] {
return
}
+ if ctx.Context.IsBasicAuth {
+ ctx.CheckForOTP()
+ }
if ctx.IsSigned {
ctx.RequireCSRF()
- ctx.CheckForOTP()
return
}
ctx.Context.Error(401)
From ff8ae24b94cc37f8c6e0138606072fb3b5009a64 Mon Sep 17 00:00:00 2001
From: techknowlogick <techknowlogick@gitea.io>
Date: Fri, 19 Apr 2019 00:01:06 -0400
Subject: [PATCH 10/10] Update api.go
---
routers/api/v1/api.go | 1 +
1 file changed, 1 insertion(+)
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 4f1476abff23b..ac92f7cd43428 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -174,6 +174,7 @@ func reqToken() macaron.Handler {
}
if ctx.Context.IsBasicAuth {
ctx.CheckForOTP()
+ return
}
if ctx.IsSigned {
ctx.RequireCSRF()