de484e86bc
This PR adds the support for scopes of access tokens, mimicking the design of GitHub OAuth scopes. The changes of the core logic are in `models/auth` that `AccessToken` struct will have a `Scope` field. The normalized (no duplication of scope), comma-separated scope string will be stored in `access_token` table in the database. In `services/auth`, the scope will be stored in context, which will be used by `reqToken` middleware in API calls. Only OAuth2 tokens will have granular token scopes, while others like BasicAuth will default to scope `all`. A large amount of work happens in `routers/api/v1/api.go` and the corresponding `tests/integration` tests, that is adding necessary scopes to each of the API calls as they fit. - [x] Add `Scope` field to `AccessToken` - [x] Add access control to all API endpoints - [x] Update frontend & backend for when creating tokens - [x] Add a database migration for `scope` column (enable 'all' access to past tokens) I'm aiming to complete it before Gitea 1.19 release. Fixes #4300
112 lines
2.9 KiB
Go
112 lines
2.9 KiB
Go
// Copyright 2014 The Gogs Authors. All rights reserved.
|
|
// Copyright 2018 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package setting
|
|
|
|
import (
|
|
"net/http"
|
|
|
|
auth_model "code.gitea.io/gitea/models/auth"
|
|
"code.gitea.io/gitea/modules/base"
|
|
"code.gitea.io/gitea/modules/context"
|
|
"code.gitea.io/gitea/modules/setting"
|
|
"code.gitea.io/gitea/modules/web"
|
|
"code.gitea.io/gitea/services/forms"
|
|
)
|
|
|
|
const (
|
|
tplSettingsApplications base.TplName = "user/settings/applications"
|
|
)
|
|
|
|
// Applications render manage access token page
|
|
func Applications(ctx *context.Context) {
|
|
ctx.Data["Title"] = ctx.Tr("settings")
|
|
ctx.Data["PageIsSettingsApplications"] = true
|
|
|
|
loadApplicationsData(ctx)
|
|
|
|
ctx.HTML(http.StatusOK, tplSettingsApplications)
|
|
}
|
|
|
|
// ApplicationsPost response for add user's access token
|
|
func ApplicationsPost(ctx *context.Context) {
|
|
form := web.GetForm(ctx).(*forms.NewAccessTokenForm)
|
|
ctx.Data["Title"] = ctx.Tr("settings")
|
|
ctx.Data["PageIsSettingsApplications"] = true
|
|
|
|
if ctx.HasError() {
|
|
loadApplicationsData(ctx)
|
|
|
|
ctx.HTML(http.StatusOK, tplSettingsApplications)
|
|
return
|
|
}
|
|
|
|
scope, err := form.GetScope()
|
|
if err != nil {
|
|
ctx.ServerError("GetScope", err)
|
|
return
|
|
}
|
|
t := &auth_model.AccessToken{
|
|
UID: ctx.Doer.ID,
|
|
Name: form.Name,
|
|
Scope: scope,
|
|
}
|
|
|
|
exist, err := auth_model.AccessTokenByNameExists(t)
|
|
if err != nil {
|
|
ctx.ServerError("AccessTokenByNameExists", err)
|
|
return
|
|
}
|
|
if exist {
|
|
ctx.Flash.Error(ctx.Tr("settings.generate_token_name_duplicate", t.Name))
|
|
ctx.Redirect(setting.AppSubURL + "/user/settings/applications")
|
|
return
|
|
}
|
|
|
|
if err := auth_model.NewAccessToken(t); err != nil {
|
|
ctx.ServerError("NewAccessToken", err)
|
|
return
|
|
}
|
|
|
|
ctx.Flash.Success(ctx.Tr("settings.generate_token_success"))
|
|
ctx.Flash.Info(t.Token)
|
|
|
|
ctx.Redirect(setting.AppSubURL + "/user/settings/applications")
|
|
}
|
|
|
|
// DeleteApplication response for delete user access token
|
|
func DeleteApplication(ctx *context.Context) {
|
|
if err := auth_model.DeleteAccessTokenByID(ctx.FormInt64("id"), ctx.Doer.ID); err != nil {
|
|
ctx.Flash.Error("DeleteAccessTokenByID: " + err.Error())
|
|
} else {
|
|
ctx.Flash.Success(ctx.Tr("settings.delete_token_success"))
|
|
}
|
|
|
|
ctx.JSON(http.StatusOK, map[string]interface{}{
|
|
"redirect": setting.AppSubURL + "/user/settings/applications",
|
|
})
|
|
}
|
|
|
|
func loadApplicationsData(ctx *context.Context) {
|
|
tokens, err := auth_model.ListAccessTokens(auth_model.ListAccessTokensOptions{UserID: ctx.Doer.ID})
|
|
if err != nil {
|
|
ctx.ServerError("ListAccessTokens", err)
|
|
return
|
|
}
|
|
ctx.Data["Tokens"] = tokens
|
|
ctx.Data["EnableOAuth2"] = setting.OAuth2.Enable
|
|
if setting.OAuth2.Enable {
|
|
ctx.Data["Applications"], err = auth_model.GetOAuth2ApplicationsByUserID(ctx, ctx.Doer.ID)
|
|
if err != nil {
|
|
ctx.ServerError("GetOAuth2ApplicationsByUserID", err)
|
|
return
|
|
}
|
|
ctx.Data["Grants"], err = auth_model.GetOAuth2GrantsByUserID(ctx, ctx.Doer.ID)
|
|
if err != nil {
|
|
ctx.ServerError("GetOAuth2GrantsByUserID", err)
|
|
return
|
|
}
|
|
}
|
|
}
|