Further separation of authentication and synchronization areas in sources #8424

Open
opened 2025-11-02 08:05:29 -06:00 by GiteaMirror · 1 comment

Originally created by @pboguslawski on GitHub (Jan 29, 2022).

Feature Description

Please consider further separation of authentication and synchronization areas in sources:

(1)
UserSignIn() now iterates over all sources to authenticate the user

https://github.com/go-gitea/gitea/blob/main/services/auth/signin.go#L86

It should skip this step if reverse proxy authentication is enabled.

After successful authentication, UserSignIn() should not finish but iterate
over all sources in a similar way to find the first source that is able to synchronize
user data (create the user if it doesn't exist) for this user only.

Note: the user sync source may differ from the authentication source (think of
authenticating a user by reverse proxy and fetching user data from an LDAP source).

(2)
Sync stuff like in

https://github.com/go-gitea/gitea/blob/main/services/auth/source/ldap/source_sync.go

should be refactored to allow syncing one specified user (SyncUser(), maybe) and all users
(maybe SyncAllUsers() instead of Sync()); SyncAllUsers() should be a simple iteration
of SyncUser() over all users from this source. (1) should use SyncUser() to synchronize
user data from this source.

(3)
Sync stuff like this

https://github.com/go-gitea/gitea/blob/main/services/auth/source/ldap/source_authenticate.go#L53

should be moved from the authentication area to the sync area (2).

(4)
2FA should be optional and independent of any auth source (it may not be required when a reverse proxy is used and the auth used there is secure enough). 2FA could probably also be called in UserSignIn() after the main auth and sync?

Separating the auth and sync areas should allow an admin in the future to configure advanced scenarios like authenticating users by reverse proxy (or from a few auth backends used in parallel, like SQL/LDAP DBs; the first configured backend that knows the user wins) and using a few user sync SQL/LDAP data backends in parallel (some users from ldap1, some from ldap2, some from sql1, some from sql1; the first configured backend that knows the user data wins).

Related:
https://github.com/go-gitea/gitea/pull/16199
https://github.com/go-gitea/gitea/pull/18452

Screenshots

No response

GiteaMirror added the type/feature, topic/authentication labels 2025-11-02 08:05:29 -06:00
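The two-phase sign-in proposed in points (1) and (2), written out as an added Go example; this is not Gitea's code and nothing in it corresponds to the real signin.go or source_sync.go. Config, Authenticator, Syncer, UserSignIn, SyncAllUsers and the passwordDB/directory stand-ins are hypothetical names, and the accounts (alice, bob, carol on sql1, profiles split between ldap1 and ldap2) are constructed sample data. Auth backends are tried in configured order and the first one that accepts the login wins; sync backends are then tried in the same order and the first one that holds a record for that user wins, so bob can authenticate against SQL and still get his profile from the second LDAP source. Two details a practitioner would want nailed down: a backend error other than "this is not my user" stops the sync loop instead of falling through (otherwise an ldap1 outage would silently hand alice's profile to whatever ldap2 says), and an authenticated user that no sync source knows is rejected rather than created from nothing. The 2FA hook of point (4) is not shown.

```go
package main

import (
	"crypto/subtle"
	"errors"
)

var ErrBadCredentials = errors.New("bad credentials") // no auth backend accepted the login
var ErrUnknownUser = errors.New("unknown user")       // a sync backend holds no record for the user

type User struct{ Name, Email, AuthSource, SyncSource string } // the two Source fields may differ
type Authenticator interface { // checks credentials only; never creates or updates users
	Name() string
	Authenticate(username, password string) bool
}

type Syncer interface { // supplies profile data only, one user at a time
	Name() string
	Users() []string
	SyncUser(username string) (*User, error) // ErrUnknownUser for accounts this source does not hold
}

type Config struct { // hypothetical instance setting, not Gitea's
	ReverseProxy bool            // identity asserted by a trusted proxy header
	Auth         []Authenticator // first backend that accepts the login wins
	Sync         []Syncer        // first backend that knows the user wins
}

// UserSignIn authenticates unless the reverse proxy already did, then asks the sync backends in
// order for the profile. proxyUser (the proxy's header value) is consulted only when ReverseProxy
// is set, and the caller must ensure that header can never be supplied by the client itself.
func UserSignIn(cfg Config, username, password, proxyUser string) (*User, error) {
	authSource := ""
	if cfg.ReverseProxy { // already authenticated upstream, so the loop below never runs
		username, authSource = proxyUser, "reverse-proxy"
	}
	for i := 0; i < len(cfg.Auth) && authSource == ""; i++ {
		if cfg.Auth[i].Authenticate(username, password) {
			authSource = cfg.Auth[i].Name()
		}
	}
	if username == "" || authSource == "" {
		return nil, ErrBadCredentials
	}
	for _, s := range cfg.Sync {
		u, err := s.SyncUser(username)
		if err == nil {
			u.AuthSource, u.SyncSource = authSource, s.Name()
			return u, nil
		} else if !errors.Is(err, ErrUnknownUser) {
			return nil, err // backend failure, not "not my user": never fall through to the next source
		}
	}
	return nil, ErrUnknownUser // authenticated, but no backend has a profile: fail closed
}

// SyncAllUsers is the scheduled full sync: SyncUser over every account of one source.
func SyncAllUsers(s Syncer) ([]*User, error) {
	var out []*User
	for _, name := range s.Users() {
		u, err := s.SyncUser(name)
		if err != nil {
			return nil, err
		}
		u.SyncSource = s.Name()
		out = append(out, u)
	}
	return out, nil
}

// passwordDB and directory are constructed stand-ins for a SQL credential table and an LDAP server.
type passwordDB struct{ name string; creds map[string]string }
type directory struct{ name string; entries map[string]User }
func (p passwordDB) Name() string { return p.name }
func (p passwordDB) Authenticate(user, pass string) bool {
	want, ok := p.creds[user] // the ok check matters: "" vs "" would otherwise compare equal
	return ok && subtle.ConstantTimeCompare([]byte(want), []byte(pass)) == 1
}
func (d directory) Name() string { return d.name }
func (d directory) Users() (names []string) {
	for n := range d.entries {
		names = append(names, n)
	}
	return names
}
func (d directory) SyncUser(user string) (*User, error) {
	if e, ok := d.entries[user]; ok {
		return &e, nil
	}
	return nil, ErrUnknownUser
}

// DemoConfig: one SQL auth source and two LDAP sync sources; carol can log in but has no profile.
func DemoConfig(reverseProxy bool) Config {
	sql1 := passwordDB{"sql1", map[string]string{"alice": "alice-pw", "bob": "bob-pw", "carol": "carol-pw"}}
	ldap1 := directory{"ldap1", map[string]User{"alice": {Name: "alice", Email: "alice@example.test"}}}
	ldap2 := directory{"ldap2", map[string]User{"bob": {Name: "bob", Email: "bob@example.test"}}}
	return Config{ReverseProxy: reverseProxy, Auth: []Authenticator{sql1}, Sync: []Syncer{ldap1, ldap2}}
}
```

With DemoConfig(true) the password loop is never entered: an empty proxy header yields ErrBadCredentials instead of a fallback to password auth, which is the behaviour point (1) asks for when reverse proxy authentication is enabled.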

@zeripath commented on GitHub (Jan 29, 2022):

I agree we need to do this.

It's clear that people want directory services so we need to consider this.

Reference: github-starred/gitea#8424