[BRANDING] X-Forgejo-OTP can be used instead of X-Gitea-OTP

(cherry picked from commit 7b0549cd70aa7cafec853e15b25270847c59850b) (cherry picked from commit 13e10a65d974c7b594681bfa36402a6144862116) (cherry picked from commit 65bdd73cf27895a9fb8db2a95ef4f5b08951481d) (cherry picked from commit 64eba8bb923176b4c286b1d0c83792f3c3005ca8) (cherry picked from commit 4c49b1a759abe3604afc1121e83c9a942016ad6a) (cherry picked from commit 93b4d0640683ea986657453b1fce49a00c861764) (cherry picked from commit e2bc5f36d958f4349160ec145719c302d4023cd0) (cherry picked from commit 2bee76f9dfa998c83ea4fe648997fad0b6224fa9) (cherry picked from commit 3d8a1b4a9fb9dc55bbd62fd8855ea85e58dc263f) (cherry picked from commit 99dd092cd02d7af8374acf454833ce1c05fd4fd9) (cherry picked from commit 0fdbd02204d533f907cd22c83c73bf0156ec4a88) (cherry picked from commit 70b277a183c0d85966fa84e9b054f164ae2d2a44) (cherry picked from commit 3eece7fbb4e67d970d8979d0d60a58ee2a195ea5) (cherry picked from commit 4838fc9e1145a74c56926de68854234604b5e38f) (cherry picked from commit b76ed541cf4d73702a83d6b96f8618b6f8c44393) (cherry picked from commit b1141cb3a1a0c602020ddff2021448a056cb3232) (cherry picked from commit 63f4f8a1cefe10ddc4a9a589e9ae2087b78ec3c6) (cherry picked from commit 67245f5b440c20bbd7fc039747f6b386cee3fbed) (cherry picked from commit 19f1633fa3dcf14275fd7fcb3bb549e20ef8f688) (cherry picked from commit 51c9663b4a4150d8ea3bdf1ef1eb157ead30046c)
2023-02-24 14:24:29 +01:00 · 2023-02-24 14:24:29 +01:00 · 9413fd0274
parent 22c619ccdb
commit 9413fd0274
4 changed files with 34 additions and 4 deletions
--- a/modules/context/api.go
+++ b/modules/context/api.go
@ -197,13 +197,20 @@ func (ctx *APIContext) SetLinkHeader(total, pageSize int) {
 	}
 }

+func getOtpHeader(header http.Header) string {
+	otpHeader := header.Get("X-Gitea-OTP")
+	if forgejoHeader := header.Get("X-Forgejo-OTP"); forgejoHeader != "" {
+		otpHeader = forgejoHeader
+	}
+	return otpHeader
+}
+
 // CheckForOTP validates OTP
 func (ctx *APIContext) CheckForOTP() {
 	if skip, ok := ctx.Data["SkipLocalTwoFA"]; ok && skip.(bool) {
 		return // Skip 2FA
 	}

-	otpHeader := ctx.Req.Header.Get("X-Gitea-OTP")
 	twofa, err := auth.GetTwoFactorByUID(ctx.Doer.ID)
 	if err != nil {
 		if auth.IsErrTwoFactorNotEnrolled(err) {
@ -212,7 +219,7 @@ func (ctx *APIContext) CheckForOTP() {
 		ctx.Error(http.StatusInternalServerError, "GetTwoFactorByUID", err)
 		return
 	}
-	ok, err := twofa.ValidateTOTP(otpHeader)
+	ok, err := twofa.ValidateTOTP(getOtpHeader(ctx.Req.Header))
 	if err != nil {
 		ctx.Error(http.StatusInternalServerError, "ValidateTOTP", err)
 		return
--- a/modules/context/api_forgejo_test.go
+++ b/modules/context/api_forgejo_test.go
@ -0,0 +1,23 @@
+// SPDX-License-Identifier: MIT
+
+package context
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetOtpHeader(t *testing.T) {
+	header := http.Header{}
+	assert.EqualValues(t, "", getOtpHeader(header))
+	// Gitea
+	giteaOtp := "123456"
+	header.Set("X-Gitea-OTP", giteaOtp)
+	assert.EqualValues(t, giteaOtp, getOtpHeader(header))
+	// Forgejo has precedence
+	forgejoOtp := "abcdef"
+	header.Set("X-Forgejo-OTP", forgejoOtp)
+	assert.EqualValues(t, forgejoOtp, getOtpHeader(header))
+}
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@ -56,7 +56,7 @@
 //	     description: Sudo API request as the user provided as the key. Admin privileges are required.
 //	TOTPHeader:
 //	     type: apiKey
-//	     name: X-GITEA-OTP
+//	     name: X-FORGEJO-OTP
 //	     in: header
 //	     description: Must be used in combination with BasicAuth if two-factor authentication is enabled.
 //
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@ -22895,7 +22895,7 @@
    "TOTPHeader": {
      "description": "Must be used in combination with BasicAuth if two-factor authentication is enabled.",
      "type": "apiKey",
-      "name": "X-GITEA-OTP",
+      "name": "X-FORGEJO-OTP",
      "in": "header"
    },
    "Token": {