mirrors/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-11-04 00:11:04 +00:00
Code Issues Projects Releases Packages Wiki Activity

fix: require password login for creation of new token

Browse source 
- The creation of new API tokens for users via the API is guarded behind
a extra check. This extra makes sure the user is authorized via the
reverse proxy method (if enabled) or via basic authorization.
- For, what seems to me, historical reasons the basic authorization also
handles logging in via the API token.
- This results in a API token (with `write:user` scope) or OAuth2 token
being able to create a new API token with escalated privileges.
- Add a new condition to this check to ensure the user logged in via
password.
- Change error to better indicate what went wrong.
This commit is contained in:
Gusted 2025-08-18 00:03:51 +02:00 committed by Earl Warren
commit 85e839e21d
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
2 changed files with 6 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

7
routers/api/v1/api.go
View file

@ -414,8 +414,11 @@ func reqBasicOrRevProxyAuth() func(ctx *context.APIContext) {
if ctx.IsSigned && setting.Service.EnableReverseProxyAuthAPI && ctx.Data["AuthedMethod"].(string) == auth.ReverseProxyMethodName {
return
}
if !ctx.IsBasicAuth {
ctx.Error(http.StatusUnauthorized, "reqBasicAuth", "auth required")
// Require basic authorization method to be used and that basic
// authorization used password login to verify the user.
if passwordLogin, ok := ctx.Data["IsPasswordLogin"].(bool); !ok || !passwordLogin {
ctx.Error(http.StatusUnauthorized, "reqBasicAuth", "auth method not allowed")
return
}
}

1
services/auth/basic.go
View file

@ -151,6 +151,7 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
log.Trace("Basic Authorization: Logged in user %-v", u)
store.GetData()["IsPasswordLogin"] = true
return u, nil
}