Move reverproxyauth before session so the header will not be ignored even if user has login (go-gitea#27821)

When a user logs out and then logs in as another user, the reverse proxy auth
should be checked before the session, otherwise the old user is still logged in.
lunny authored and GiteaBot committed May 11, 2024
1 parent 94c5a30 commit a5f10c5
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions routers/web/web.go
Expand Up @@ -98,14 +98,14 @@ func optionsCorsHandler() func(next http.Handler) http.Handler {
// The Session plugin is expected to be executed second, in order to skip authentication
// for users that have already signed in.
func buildAuthGroup() *auth_service.Group {
group := auth_service.NewGroup(
&auth_service.OAuth2{}, // FIXME: this should be removed and only applied in download and oauth related routers
&auth_service.Basic{}, // FIXME: this should be removed and only applied in download and git/lfs routers
&auth_service.Session{},
)
group := auth_service.NewGroup()
group.Add(&auth_service.OAuth2{}) // FIXME: this should be removed and only applied in download and oauth related routers
group.Add(&auth_service.Basic{}) // FIXME: this should be removed and only applied in download and git/lfs routers

if setting.Service.EnableReverseProxyAuth {
group.Add(&auth_service.ReverseProxy{})
group.Add(&auth_service.ReverseProxy{}) // reverseproxy should before Session, otherwise the header will be ignored if user has login
}
group.Add(&auth_service.Session{})

if setting.IsWindows && auth_model.IsSSPIEnabled(db.DefaultContext) {
group.Add(&auth_service.SSPI{}) // it MUST be the last, see the comment of SSPI
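
Review bot: The doc comment kept as context at the top of this hunk still says the Session plugin "is expected to be executed second", which does not match the order built below: OAuth2, Basic, ReverseProxy (only when `setting.Service.EnableReverseProxyAuth` is set), and then Session. Update that comment to state the actual order and why ReverseProxy has to precede Session, and reword the new inline comment to something like `// ReverseProxy must come before Session, otherwise the header is ignored when the user is already logged in`. The fix now depends entirely on the order of the `group.Add` calls, and this commit changes only `routers/web/web.go`, so a test asserting that ReverseProxy is evaluated before Session would keep a later reordering from bringing back the stale-login behaviour the commit message describes.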