Pass Gitea API token to requests#9

Merged
momar merged 4 commits from :main into main 2021-12-01 21:46:29 +01:00
Owner

In case you want to allow non-public repos, this should do the job. But I'm fine if we decide everything needs to be 100% public - this just adds the ability e.g. to use an API token from a random user who only has access to limited repos.


This allows displaying repos that aren't fully public. Some users seem
to be very interested in not having their pages viewable, and it might
even make sense to prevent e.g. search engines from reading them.
If set to some random user string, this could allow setting the
visibility at least to limited (so only logged-in users see the repo), and
should allow viewing private repos in the future with another API token.

main.go Outdated
@ -39,6 +39,8 @@ var MainDomainSuffix = []byte("." + envOr("PAGES_DOMAIN", "codeberg.page"))
// GiteaRoot specifies the root URL of the Gitea instance, without a trailing slash.
var GiteaRoot = []byte(envOr("GITEA_ROOT", "https://codeberg.org"))
var GiteaApiToken = []byte(envOr("GITEA_API_TOKEN", ""))
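Review bot: the new `GiteaApiToken` variable has no doc comment, unlike `GiteaRoot` directly above it; add one stating that it is optional, is read from `GITEA_API_TOKEN`, and must only ever be attached to requests sent to Gitea. Since the value is only ever used via `string(GiteaApiToken)`, declaring it as a `string` avoids the repeated conversions, and the empty default `""` means every caller must check for the empty case before appending it to a URL.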
Contributor

Why use []byte if it will get converted to string later?

Owner

Probably because the other variables used it? Reason for that is that []byte is preferred by fasthttp, but in this case it's only ever used in a string, so having it as a string here as well makes sense.

momar marked this conversation as resolved
momar left a comment
Owner

Found a security issue (token gets exposed to the client), see code comments for details.

handler.go Outdated
@ -153,3 +153,3 @@
s.Step("raw domain preparations, now trying with specified branch")
if tryBranch(targetRepo, pathElements[2][1:], pathElements[3:],
string(GiteaRoot)+"/"+targetOwner+"/"+targetRepo+"/src/branch/%b/%p",
string(GiteaRoot)+"/"+targetOwner+"/"+targetRepo+"/src/branch/%b/%p"+"?access_token="+string(GiteaApiToken),
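Review bot: the token is appended to the canonical-link argument, which is the URL returned to the client in the `Link` header, so `?access_token=...` would be disclosed to every visitor of the page; drop it from this line and attach the token only where the request to Gitea is actually built. The append is also unconditional, so with the default empty `GITEA_API_TOKEN` the link would end in `?access_token=` with no value.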
Owner

This is the "canonicalLink" argument that's exposed to the client as a Link header (to indicate the official URL in Gitea to e.g. search engines), the token must not be added here!

I'd prefer to only have it directly at fasthttp Requests, so the token really only goes to Gitea.

Author
Owner

Sorry, I missed that this was the canonicalLink. I thought this would pass down to the default branch query, but I missed that this was another API call in getBranchTimestamp.

momar marked this conversation as resolved
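The separation the reviewer asks for above, as an added example that is not part of the pages-server code base: the canonical link handed back to the browser is built without any reference to the token, and the token only ever travels on the upstream request to Gitea, here as an `Authorization: token ...` header rather than an `access_token` query parameter so it never becomes part of a URL. The example uses the standard `net/http` package in place of `fasthttp`; the variable names `giteaRoot` and `giteaApiToken`, the helper names and the token value are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Configuration stand-ins for the PR's GiteaRoot / GiteaApiToken variables.
// Both values are constructed for this example; the token is a placeholder.
var giteaRoot = "https://codeberg.org"
var giteaApiToken = "EXAMPLE-TOKEN-PLACEHOLDER"

// CanonicalLink builds the public Gitea URL that the server hands back to the
// browser in the Link header. It is derived only from owner, repo, branch and
// path, so it cannot carry the token regardless of configuration.
func CanonicalLink(owner, repo, branch, path string) string {
	return giteaRoot + "/" + owner + "/" + repo + "/src/branch/" + branch + "/" + path
}

// NewGiteaRequest builds the upstream request to the Gitea API. The token is
// attached as an Authorization header (Gitea accepts "token <value>") rather
// than as an access_token query parameter, so it never becomes part of the
// URL. When no token is configured, nothing is attached at all.
func NewGiteaRequest(apiPath string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, giteaRoot+apiPath, nil)
	if err != nil {
		return nil, err
	}
	if giteaApiToken != "" {
		req.Header.Set("Authorization", "token "+giteaApiToken)
	}
	return req, nil
}

// ExposesToken reports whether a value about to be sent to the client (a
// header value, a redirect target, a rendered link) contains the configured
// token. Handlers can use it as a last-line check before writing a response.
func ExposesToken(clientVisible string) bool {
	return giteaApiToken != "" && strings.Contains(clientVisible, giteaApiToken)
}

func main() {
	link := CanonicalLink("someowner", "somerepo", "pages", "index.html")
	fmt.Println("Link header target:", link, "exposes token:", ExposesToken(link))

	req, err := NewGiteaRequest("/api/v1/repos/someowner/somerepo/branches/pages")
	if err != nil {
		panic(err)
	}
	fmt.Println("upstream URL:", req.URL.String())
	fmt.Println("upstream Authorization header set:", req.Header.Get("Authorization") != "")
}
```

Keeping the token out of the URL entirely, rather than merely out of the canonical link, also keeps it out of anything that records request URLs on the Gitea side, and `ExposesToken` gives a handler a cheap way to verify that no client-visible string was built from the wrong template.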
handler.go Outdated
@ -165,3 +165,3 @@
s.Step("raw domain preparations, now trying with default branch")
tryBranch(targetRepo, "", pathElements[2:],
string(GiteaRoot)+"/"+targetOwner+"/"+targetRepo+"/src/branch/%b/%p",
string(GiteaRoot)+"/"+targetOwner+"/"+targetRepo+"/src/branch/%b/%p"+"?access_token="+string(GiteaApiToken),
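Review bot: same leak as in the branch-specific call above: this is the canonical link for the default-branch lookup and is sent back to the client in the `Link` header, so the token must not be appended here either. Suggest restoring the original `.../src/branch/%b/%p` string and building the token-carrying URL in a single helper that is used only by the upstream Gitea request, so the two call sites cannot drift apart again.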
Owner
Same as https://codeberg.org/Codeberg/pages-server/pulls/9/files#issuecomment-282995
momar marked this conversation as resolved
Author
Owner

Wasn't able to properly test this, your ACME server is unavailable, but it feels alright.

momar approved these changes 2021-12-01 21:46:13 +01:00
momar merged commit 5b6e3748b4 into main 2021-12-01 21:46:29 +01:00