feat: wire GITEA_TOKEN env var as auth fallback for single-user deployments
Update Auth middleware to accept a fallbackToken parameter. When no per-user cookie token is present and GITEA_TOKEN is set in the environment, the middleware uses the env token instead of redirecting to /settings. Cookie tokens still take precedence over the fallback. Add three new unit tests covering: fallback used when no cookie, cookie takes precedence over fallback, and redirect when neither is set. Closes leeworks-agents/gitea-mobile#125 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
agent-company
@@ -11,7 +11,7 @@ import (
|
||||
const testSecret = "test-secret-that-is-at-least-32-chars-long"
|
||||
|
||||
func TestAuth_HealthBypass(t *testing.T) {
|
||||
handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
|
||||
@@ -25,7 +25,7 @@ func TestAuth_HealthBypass(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestAuth_SettingsBypass(t *testing.T) {
|
||||
handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
|
||||
@@ -39,7 +39,7 @@ func TestAuth_SettingsBypass(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestAuth_RedirectWithoutToken(t *testing.T) {
|
||||
handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
|
||||
@@ -57,7 +57,7 @@ func TestAuth_RedirectWithoutToken(t *testing.T) {
|
||||
|
||||
func TestAuth_PassWithToken(t *testing.T) {
|
||||
called := false
|
||||
handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
called = true
|
||||
token := TokenFromContext(r.Context())
|
||||
if token != "my-token" {
|
||||
@@ -83,3 +83,72 @@ func TestAuth_PassWithToken(t *testing.T) {
|
||||
t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
|
||||
}
|
||||
}
|
||||
|
||||
func TestAuth_FallbackToken_UsedWhenNoCookie(t *testing.T) {
|
||||
called := false
|
||||
handler := Auth(testSecret, "env-fallback-token")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
called = true
|
||||
token := TokenFromContext(r.Context())
|
||||
if token != "env-fallback-token" {
|
||||
t.Errorf("token = %q, want %q", token, "env-fallback-token")
|
||||
}
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
||||
w := httptest.NewRecorder()
|
||||
handler.ServeHTTP(w, req)
|
||||
|
||||
if !called {
|
||||
t.Error("next handler was not called with fallback token")
|
||||
}
|
||||
if w.Code != http.StatusOK {
|
||||
t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
|
||||
}
|
||||
}
|
||||
|
||||
func TestAuth_FallbackToken_CookieTakesPrecedence(t *testing.T) {
|
||||
called := false
|
||||
handler := Auth(testSecret, "env-fallback-token")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
called = true
|
||||
token := TokenFromContext(r.Context())
|
||||
if token != "cookie-token" {
|
||||
t.Errorf("token = %q, want %q (cookie should take precedence over fallback)", token, "cookie-token")
|
||||
}
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
|
||||
// Set a cookie token.
|
||||
cookieW := httptest.NewRecorder()
|
||||
auth.SetTokenCookie(cookieW, "cookie-token", testSecret, false)
|
||||
cookie := cookieW.Result().Cookies()[0]
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
||||
req.AddCookie(cookie)
|
||||
w := httptest.NewRecorder()
|
||||
handler.ServeHTTP(w, req)
|
||||
|
||||
if !called {
|
||||
t.Error("next handler was not called")
|
||||
}
|
||||
if w.Code != http.StatusOK {
|
||||
t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
|
||||
}
|
||||
}
|
||||
|
||||
func TestAuth_NoFallbackToken_RedirectsWithoutCookie(t *testing.T) {
|
||||
handler := Auth(testSecret, "")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/issues", nil)
|
||||
w := httptest.NewRecorder()
|
||||
handler.ServeHTTP(w, req)
|
||||
|
||||
if w.Code != http.StatusSeeOther {
|
||||
t.Errorf("status = %d, want %d", w.Code, http.StatusSeeOther)
|
||||
}
|
||||
if loc := w.Header().Get("Location"); loc != "/settings" {
|
||||
t.Errorf("Location = %q, want %q", loc, "/settings")
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user