1
0
Fork 0

Move reverproxyauth before session so the header will not be ignored even if user has login (#27821)

When a user logout and then login another user, the reverseproxy auth
should be checked before session otherwise the old user is still login.

(cherry picked from commit 26ae5922348d2dbaf2161bbd6ac79b2aa455e5f0)
This commit is contained in:
Lunny Xiao 2024-05-11 22:55:49 +08:00 committed by Earl Warren
parent 32c97efab4
commit 1f56a49f28
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00

View file

@ -98,14 +98,14 @@ func optionsCorsHandler() func(next http.Handler) http.Handler {
// The Session plugin is expected to be executed second, in order to skip authentication // The Session plugin is expected to be executed second, in order to skip authentication
// for users that have already signed in. // for users that have already signed in.
func buildAuthGroup() *auth_service.Group { func buildAuthGroup() *auth_service.Group {
group := auth_service.NewGroup( group := auth_service.NewGroup()
&auth_service.OAuth2{}, // FIXME: this should be removed and only applied in download and oauth related routers group.Add(&auth_service.OAuth2{}) // FIXME: this should be removed and only applied in download and oauth related routers
&auth_service.Basic{}, // FIXME: this should be removed and only applied in download and git/lfs routers group.Add(&auth_service.Basic{}) // FIXME: this should be removed and only applied in download and git/lfs routers
&auth_service.Session{},
)
if setting.Service.EnableReverseProxyAuth { if setting.Service.EnableReverseProxyAuth {
group.Add(&auth_service.ReverseProxy{}) group.Add(&auth_service.ReverseProxy{}) // reverseproxy should before Session, otherwise the header will be ignored if user has login
} }
group.Add(&auth_service.Session{})
if setting.IsWindows && auth_model.IsSSPIEnabled(db.DefaultContext) { if setting.IsWindows && auth_model.IsSSPIEnabled(db.DefaultContext) {
group.Add(&auth_service.SSPI{}) // it MUST be the last, see the comment of SSPI group.Add(&auth_service.SSPI{}) // it MUST be the last, see the comment of SSPI