diff --git a/go.mod b/go.mod index aa77a62338ce1..51cf47b2d320a 100644 --- a/go.mod +++ b/go.mod @@ -17,7 +17,7 @@ require ( gitea.com/go-chi/binding v0.0.0-20240430071103-39a851e106ed gitea.com/go-chi/cache v0.2.1 gitea.com/go-chi/captcha v0.0.0-20240315150714-fb487f629098 - gitea.com/go-chi/session v0.0.0-20250926004215-636cadd82e15 + gitea.com/go-chi/session v0.0.0-20251124165456-68e0254e989e gitea.com/lunny/dingtalk_webhook v0.0.0-20171025031554-e3534c89ef96 gitea.com/lunny/levelqueue v0.4.2-0.20230414023320-3c0159fe0fe4 github.com/42wim/httpsig v1.2.3 diff --git a/go.sum b/go.sum index 9af066f1e4ae5..86fe782ae7ba7 100644 --- a/go.sum +++ b/go.sum @@ -41,8 +41,8 @@ gitea.com/go-chi/cache v0.2.1 h1:bfAPkvXlbcZxPCpcmDVCWoHgiBSBmZN/QosnZvEC0+g= gitea.com/go-chi/cache v0.2.1/go.mod h1:Qic0HZ8hOHW62ETGbonpwz8WYypj9NieU9659wFUJ8Q= gitea.com/go-chi/captcha v0.0.0-20240315150714-fb487f629098 h1:p2ki+WK0cIeNQuqjR98IP2KZQKRzJJiV7aTeMAFwaWo= gitea.com/go-chi/captcha v0.0.0-20240315150714-fb487f629098/go.mod h1:LjzIOHlRemuUyO7WR12fmm18VZIlCAaOt9L3yKw40pk= -gitea.com/go-chi/session v0.0.0-20250926004215-636cadd82e15 h1:qFYmz05u/s9664o7+XEgrlHXSPQ4uHO8/ccZGUb1uxA= -gitea.com/go-chi/session v0.0.0-20250926004215-636cadd82e15/go.mod h1:0iEpFKnwO5dG0aF98O4eq6FMsAiXkNBaDIlUOlq4BtM= +gitea.com/go-chi/session v0.0.0-20251124165456-68e0254e989e h1:4bugwPyGMLvblEm3pZ8fZProSPVxE4l0UXF2Kv6IJoY= +gitea.com/go-chi/session v0.0.0-20251124165456-68e0254e989e/go.mod h1:KDvcfMUoXfATPHs2mbMoXFTXT45/FAFAS39waz9tPk0= gitea.com/lunny/dingtalk_webhook v0.0.0-20171025031554-e3534c89ef96 h1:+wWBi6Qfruqu7xJgjOIrKVQGiLUZdpKYCZewJ4clqhw= gitea.com/lunny/dingtalk_webhook v0.0.0-20171025031554-e3534c89ef96/go.mod h1:VyMQP6ue6MKHM8UsOXfNfuMKD0oSAWZdXVcpHIN2yaY= gitea.com/lunny/levelqueue v0.4.2-0.20230414023320-3c0159fe0fe4 h1:IFT+hup2xejHqdhS7keYWioqfmxdnfblFDTGoOwcZ+o= diff --git a/modules/auth/webauthn/webauthn.go b/modules/auth/webauthn/webauthn.go index cbf5279c651fd..86f55c6b247f8 100644 --- a/modules/auth/webauthn/webauthn.go +++ b/modules/auth/webauthn/webauthn.go @@ -22,7 +22,7 @@ var WebAuthn *webauthn.WebAuthn // Init initializes the WebAuthn instance from the config. func Init() { - gob.Register(&webauthn.SessionData{}) + gob.Register(&webauthn.SessionData{}) // TODO: CHI-SESSION-GOB-REGISTER. appURL, _ := protocol.FullyQualifiedOrigin(setting.AppURL) diff --git a/routers/common/middleware.go b/routers/common/middleware.go index 07adee18cec64..bfa258b976552 100644 --- a/routers/common/middleware.go +++ b/routers/common/middleware.go @@ -5,6 +5,7 @@ package common import ( "fmt" + "log" "net/http" "strings" @@ -107,7 +108,11 @@ func ForwardedHeadersHandler(limit int, trustedProxies []string) func(h http.Han return proxy.ForwardedHeaders(opt) } -func Sessioner() (func(next http.Handler) http.Handler, error) { +func MustInitSessioner() func(next http.Handler) http.Handler { + // TODO: CHI-SESSION-GOB-REGISTER: chi-session has a design problem: it calls gob.Register for "Set" + // But if the server restarts, then the first "Get" will fail to decode the previously stored session data because the structs are not registered yet. + // So each package should make sure their structs are registered correctly during startup for session storage. + middleware, err := session.Sessioner(session.Options{ Provider: setting.SessionConfig.Provider, ProviderConfig: setting.SessionConfig.ProviderConfig, @@ -120,8 +125,7 @@ func Sessioner() (func(next http.Handler) http.Handler, error) { Domain: setting.SessionConfig.Domain, }) if err != nil { - return nil, fmt.Errorf("failed to create session middleware: %w", err) + log.Fatalf("common.Sessioner failed: %v", err) } - - return middleware, nil + return middleware } diff --git a/routers/install/install.go b/routers/install/install.go index 4a9dabac6fe87..c5acf968bddfe 100644 --- a/routers/install/install.go +++ b/routers/install/install.go @@ -55,8 +55,8 @@ func getSupportedDbTypeNames() (dbTypeNames []map[string]string) { return dbTypeNames } -// Contexter prepare for rendering installation page -func Contexter() func(next http.Handler) http.Handler { +// installContexter prepare for rendering installation page +func installContexter() func(next http.Handler) http.Handler { rnd := templates.HTMLRenderer() dbTypeNames := getSupportedDbTypeNames() envConfigKeys := setting.CollectEnvConfigKeys() diff --git a/routers/install/routes.go b/routers/install/routes.go index d47c1f61eeb53..0914c921c0c37 100644 --- a/routers/install/routes.go +++ b/routers/install/routes.go @@ -8,7 +8,6 @@ import ( "html" "net/http" - "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/public" "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/web" @@ -25,11 +24,8 @@ func Routes() *web.Router { base.Methods("GET, HEAD", "/assets/*", public.FileHandlerFunc()) r := web.NewRouter() - if sessionMid, err := common.Sessioner(); err == nil && sessionMid != nil { - r.Use(sessionMid, Contexter()) - } else { - log.Fatal("common.Sessioner failed: %v", err) - } + r.Use(common.MustInitSessioner(), installContexter()) + r.Get("/", Install) // it must be on the root, because the "install.js" use the window.location to replace the "localhost" AppURL r.Post("/", web.Bind(forms.InstallForm{}), SubmitInstall) r.Get("/post-install", InstallDone) diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go index f1c155e78f52c..f7ce5875ca873 100644 --- a/routers/web/auth/oauth.go +++ b/routers/web/auth/oauth.go @@ -277,8 +277,11 @@ type LinkAccountData struct { GothUser goth.User } +func init() { + gob.Register(LinkAccountData{}) // TODO: CHI-SESSION-GOB-REGISTER +} + func oauth2GetLinkAccountData(ctx *context.Context) *LinkAccountData { - gob.Register(LinkAccountData{}) v, ok := ctx.Session.Get("linkAccountData").(LinkAccountData) if !ok { return nil @@ -287,7 +290,6 @@ func oauth2GetLinkAccountData(ctx *context.Context) *LinkAccountData { } func Oauth2SetLinkAccountData(ctx *context.Context, linkAccountData LinkAccountData) error { - gob.Register(LinkAccountData{}) return updateSession(ctx, nil, map[string]any{ "linkAccountData": linkAccountData, }) diff --git a/routers/web/web.go b/routers/web/web.go index 8b55e4469eeb7..dd1b391c68983 100644 --- a/routers/web/web.go +++ b/routers/web/web.go @@ -267,11 +267,7 @@ func Routes() *web.Router { routes.Get("/ssh_info", misc.SSHInfo) routes.Get("/api/healthz", healthcheck.Check) - if sessionMid, err := common.Sessioner(); err == nil && sessionMid != nil { - mid = append(mid, sessionMid, context.Contexter()) - } else { - log.Fatal("common.Sessioner failed: %v", err) - } + mid = append(mid, common.MustInitSessioner(), context.Contexter()) // Get user from session if logged in. mid = append(mid, webAuth(buildAuthGroup())) diff --git a/services/auth/source/oauth2/init.go b/services/auth/source/oauth2/init.go index 313f375281b2c..2a165bac85dcd 100644 --- a/services/auth/source/oauth2/init.go +++ b/services/auth/source/oauth2/init.go @@ -22,9 +22,6 @@ import ( var gothRWMutex = sync.RWMutex{} -// UsersStoreKey is the key for the store -const UsersStoreKey = "gitea-oauth2-sessions" - // ProviderHeaderKey is the HTTP header key const ProviderHeaderKey = "gitea-oauth2-provider" @@ -33,7 +30,7 @@ func Init(ctx context.Context) error { // Lock our mutex gothRWMutex.Lock() - gob.Register(&sessions.Session{}) + gob.Register(&sessions.Session{}) // TODO: CHI-SESSION-GOB-REGISTER. FIXME: it seems to be an abuse, why the Session struct itself is stored in session store again? gothic.Store = &SessionsStore{ maxLength: int64(setting.OAuth2.MaxTokenLength),