[BRANDING] X-Forgejo-OTP can be used instead of X-Gitea-OTP

(cherry picked from commit 7b0549cd70aa7cafec853e15b25270847c59850b) (cherry picked from commit 13e10a65d974c7b594681bfa36402a6144862116) (cherry picked from commit 89982e6c4a7f9cf7024b2db3ed14b2b79db29064) (cherry picked from commit a4acf6343d9f5c6dedeb261c524cd7ac5ae1b3c1) (cherry picked from commit 9886aec9f8b09b58c73c55598a2017417a51843d) (cherry picked from commit 1ee9bd7549eaa094f5cfa9636a89d8f13766ccc8) (cherry picked from commit f343cf5597d666f937c582677f4d62ac2137dc4e) (cherry picked from commit eaca81faf4c0fcde024e23ae0eedac6cb091378b)
2023-02-24 14:24:29 +01:00 · 2023-02-24 14:24:29 +01:00 · 480f8528f3
parent a83a971cdf
commit 480f8528f3
4 changed files with 34 additions and 4 deletions
--- a/modules/context/api.go
+++ b/modules/context/api.go
@ -188,13 +188,20 @@ func (ctx *APIContext) SetLinkHeader(total, pageSize int) {
 	}
 }

+func getOtpHeader(header http.Header) string {
+	otpHeader := header.Get("X-Gitea-OTP")
+	if forgejoHeader := header.Get("X-Forgejo-OTP"); forgejoHeader != "" {
+		otpHeader = forgejoHeader
+	}
+	return otpHeader
+}
+
 // CheckForOTP validates OTP
 func (ctx *APIContext) CheckForOTP() {
 	if skip, ok := ctx.Data["SkipLocalTwoFA"]; ok && skip.(bool) {
 		return // Skip 2FA
 	}

-	otpHeader := ctx.Req.Header.Get("X-Gitea-OTP")
 	twofa, err := auth.GetTwoFactorByUID(ctx.Context.Doer.ID)
 	if err != nil {
 		if auth.IsErrTwoFactorNotEnrolled(err) {
@ -203,7 +210,7 @@ func (ctx *APIContext) CheckForOTP() {
 		ctx.Context.Error(http.StatusInternalServerError)
 		return
 	}
-	ok, err := twofa.ValidateTOTP(otpHeader)
+	ok, err := twofa.ValidateTOTP(getOtpHeader(ctx.Req.Header))
 	if err != nil {
 		ctx.Context.Error(http.StatusInternalServerError)
 		return
--- a/modules/context/api_forgejo_test.go
+++ b/modules/context/api_forgejo_test.go
@ -0,0 +1,23 @@
+// SPDX-License-Identifier: MIT
+
+package context
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetOtpHeader(t *testing.T) {
+	header := http.Header{}
+	assert.EqualValues(t, "", getOtpHeader(header))
+	// Gitea
+	giteaOtp := "123456"
+	header.Set("X-Gitea-OTP", giteaOtp)
+	assert.EqualValues(t, giteaOtp, getOtpHeader(header))
+	// Forgejo has precedence
+	forgejoOtp := "abcdef"
+	header.Set("X-Forgejo-OTP", forgejoOtp)
+	assert.EqualValues(t, forgejoOtp, getOtpHeader(header))
+}
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@ -56,7 +56,7 @@
 //	     description: Sudo API request as the user provided as the key. Admin privileges are required.
 //	TOTPHeader:
 //	     type: apiKey
-//	     name: X-GITEA-OTP
+//	     name: X-FORGEJO-OTP
 //	     in: header
 //	     description: Must be used in combination with BasicAuth if two-factor authentication is enabled.
 //
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@ -21018,7 +21018,7 @@
    "TOTPHeader": {
      "description": "Must be used in combination with BasicAuth if two-factor authentication is enabled.",
      "type": "apiKey",
-      "name": "X-GITEA-OTP",
+      "name": "X-FORGEJO-OTP",
      "in": "header"
    },
    "Token": {