webAuthUser can be user email address #9247

Closed
opened 2025-11-02 08:33:12 -06:00 by GiteaMirror · 2 comments
Owner

Originally created by @prajith-nair on GitHub (Jul 21, 2022).

Feature Description

app.ini

```ini
[service]
REGISTER_EMAIL_CONFIRM    = false
ENABLE_NOTIFY_MAIL        = false
DISABLE_REGISTRATION      = true
ENABLE_CAPTCHA            = false
REQUIRE_SIGNIN_VIEW       = true
DEFULT_KEEP_EMAIL_PRIVATE = false
ENABLE_REVERSE_PROXY_AUTHENTICATION = true
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true
ENABLE_REVERSE_PROXY_EMAIL = true

[mailer]
ENABLED = false

[security]
INSTALL_LOCK = true
REVERSE_PROXY_AUTHENTICATION_EMAIL = X-WEBAUTH-USER
REVERSE_PROXY_TRUSTED_PROXIES=*
```

There are scenarios where the application accepts X-WEBAUTH-USER as an email address:

```
testbed_envoy.1.b88qkyf37xg4@ip-10-120-64-xx    | 'upgrade-insecure-requests', '1'
testbed_envoy.1.b88qkyf37xg4@ip-10-120-64-xx    | 'sec-fetch-dest', 'document'
testbed_envoy.1.b88qkyf37xg4@ip-10-120-64-xx    | 'sec-fetch-mode', 'navigate'
testbed_envoy.1.b88qkyf37xg4@ip-10-120-64-xx    | 'sec-fetch-site', 'none'
testbed_envoy.1.b88qkyf37xg4@ip-10-120-64-xx    | 'sec-fetch-user', '?1'
testbed_envoy.1.b88qkyf37xg4@ip-10-120-64-xx    | 'x-webauth-user', 'myid@domain.net'
testbed_envoy.1.b88qkyf37xg4@ip-10-120-64-xx    | 'x-opaque-id', 'myid@domain.net'
testbed_envoy.1.b88qkyf37xg4@ip-10-120-64-xx    | 'x-forwarded-for', 'xx.xx.xx.5'
testbed_envoy.1.b88qkyf37xg4@ip-10-120-64-xx    | 'x-forwarded-host', 'testbed.domain.com:11316'
testbed_envoy.1.b88qkyf37xg4@ip-10-120-64-xx    | 'x-forwarded-server', 'testbed.domain.com'
testbed_envoy.1.b88qkyf37xg4@ip-10-120-64-xx    | 'x-forwarded-proto', 'http'
testbed_envoy.1.b88qkyf37xg4@ip-10-120-64-xx    | 'x-request-id', '1853a940-d5d5-40fa-a18e-1ca6c9d64a65'
testbed_envoy.1.b88qkyf37xg4@ip-10-120-64-xx    | 'x-envoy-expected-rq-timeout-ms', '300000'
testbed_envoy.1.b88qkyf37xg4@ip-10-120-64-xx    | 'x-envoy-original-path', '/code/'
```

However, Gitea treats X-WEBAUTH-USER as the username and X-WEBAUTH-EMAIL as the email address; hence, setting REVERSE_PROXY_AUTHENTICATION_EMAIL = X-WEBAUTH-USER will end up with the error below.

```
2022/07/21 09:34:25 models/user/user.go:1011:GetUserByName() [I] [62d91da1] [SQL] SELECT "id", "lower_name", "name", "full_name", "email", "keep_email_private", "email_notifications_preference", "passwd", "passwd_hash_algo", "must_change_password", "login_type", "login_source", "login_name", "type", "location", "website", "rands", "salt", "language", "description", "created_unix", "updated_unix", "last_login_unix", "last_repo_visibility", "max_repo_creation", "is_active", "is_admin", "is_restricted", "allow_git_hook", "allow_import_local", "allow_create_organization", "prohibit_login", "avatar", "avatar_email", "use_custom_avatar", "num_followers", "num_following", "num_stars", "num_repos", "num_teams", "num_members", "visibility", "repo_admin_change_team_access", "diff_view_style", "theme", "keep_activity_private" FROM "user" WHERE "lower_name"=$1 LIMIT 1 [my@domain.net] - 2.541209ms
2022/07/21 09:34:25 ...auth/reverseproxy.go:119:newUser() [E] [62d91da1] CreateUser: User name is invalid [my@domain.net]: must be valid alpha or numeric or dash(-_) or dot characters
2022/07/21 09:34:25 routers/web/base.go:134:1() [E] [62d91da1] PANIC: runtime error: invalid memory address or nil pointer dereference
	/usr/local/go/src/runtime/panic.go:220 (0x457655)
	/usr/local/go/src/runtime/signal_unix.go:818 (0x457625)
	/go/src/code.gitea.io/gitea/services/auth/auth.go:72 (0x172e171)
	/go/src/code.gitea.io/gitea/services/auth/reverseproxy.go:78 (0x173166f)
	/go/src/code.gitea.io/gitea/services/auth/group.go:90 (0x172f67b)
	/go/src/code.gitea.io/gitea/modules/context/context.go:653 (0x1b1cbcd)
	/go/src/code.gitea.io/gitea/modules/web/wrap.go:59 (0x1f477ec)
	/usr/local/go/src/net/http/server.go:2084 (0x94506e)
	/go/src/code.gitea.io/gitea/modules/context/context.go:800 (0x1b1ecda)
	/usr/local/go/src/net/http/server.go:2084 (0x94506e)
	/go/pkg/mod/github.com/go-chi/chi/v5@v5.0.7/mux.go:71 (0x1736b0c)
	/go/pkg/mod/github.com/go-chi/chi/v5@v5.0.7/mux.go:314 (0x17384bb)
	/usr/local/go/src/net/http/server.go:2084 (0x94506e)
	/go/pkg/mod/github.com/go-chi/chi/v5@v5.0.7/mux.go:442 (0x1738cd5)
	/usr/local/go/src/net/http/server.go:2084 (0x94506e)
	/go/src/code.gitea.io/gitea/routers/web/base.go:173 (0x217fb11)
	/usr/local/go/src/net/http/server.go:2084 (0x94506e)
	/go/pkg/mod/gitea.com/go-chi/session@v0.0.0-20211218221615-e3605d8b28b8/session.go:257 (0x1529c7d)
	/usr/local/go/src/net/http/server.go:2084 (0x94506e)
	/go/src/code.gitea.io/gitea/modules/web/wrap.go:110 (0x1f482e8)
	/usr/local/go/src/net/http/server.go:2084 (0x94506e)
	/go/pkg/mod/github.com/go-chi/chi/v5@v5.0.7/mux.go:71 (0x1736b0c)
	/go/pkg/mod/github.com/go-chi/chi/v5@v5.0.7/mux.go:314 (0x17384bb)
	/usr/local/go/src/net/http/server.go:2084 (0x94506e)
	/go/pkg/mod/github.com/go-chi/chi/v5@v5.0.7/mux.go:442 (0x1738cd5)
	/usr/local/go/src/net/http/server.go:2084 (0x94506e)
	/go/src/code.gitea.io/gitea/routers/common/middleware.go:79 (0x1fb2ca2)
	/usr/local/go/src/net/http/server.go:2084 (0x94506e)
	/go/src/code.gitea.io/gitea/modules/web/routing/logger_manager.go:123 (0x1f430ef)
	/usr/local/go/src/net/http/server.go:2084 (0x94506e)
	/go/pkg/mod/github.com/go-chi/chi/v5@v5.0.7/middleware/strip.go:30 (0x1fb0418)
	/usr/local/go/src/net/http/server.go:2084 (0x94506e)
	/go/pkg/mod/github.com/chi-middleware/proxy@v1.1.1/middleware.go:37 (0x1facd16)
	/usr/local/go/src/net/http/server.go:2084 (0x94506e)
	/go/src/code.gitea.io/gitea/routers/common/middleware.go:32 (0x1fb2af2)
	/usr/local/go/src/net/http/server.go:2084 (0x94506e)
	/go/pkg/mod/github.com/go-chi/chi/v5@v5.0.7/mux.go:88 (0x1736ac1)
	/go/src/code.gitea.io/gitea/modules/web/route.go:200 (0x1f4680d)
	/usr/local/go/src/net/http/server.go:2916 (0x94865a)
	/usr/local/go/src/net/http/server.go:1966 (0x943b16)
	/usr/local/go/src/runtime/asm_amd64.s:1571 (0x4746a0)
```

We need to get the login name from the email if REVERSE_PROXY_AUTHENTICATION_USER is empty.

```go
// getUserName extracts the username from the "setting.ReverseProxyAuthUser" header.
// If that header is empty, it falls back to the local part (the text before "@")
// of the "setting.ReverseProxyAuthEmail" header.
func (r *ReverseProxy) getUserName(req *http.Request) string {
	webAuthUser := strings.TrimSpace(req.Header.Get(setting.ReverseProxyAuthUser))
	if len(webAuthUser) == 0 {
		email := strings.TrimSpace(req.Header.Get(setting.ReverseProxyAuthEmail))
		if !strings.Contains(email, "@") {
			return ""
		}
		// use the local part of the address as the login name
		return strings.Split(email, "@")[0]
	}
	return webAuthUser
}
```
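As an added example (not code from the issue or from Gitea), here is the fallback the issue proposes written as a stand-alone function, with the user-name validation that the log shows CreateUser applying later, and the local-part collision caveat that the maintainer's reply raises; the header names and the validation regexp are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// validUserName approximates the rule quoted in the log ("alpha or numeric or
// dash(-_) or dot characters"); Gitea's exact pattern is not on this page, so
// this regexp is an assumption.
var validUserName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)

// loginNameFromHeaders uses the user header when one is configured and
// non-empty, otherwise the local part of the email header. It validates the
// result and returns an error instead of "", so the caller can reject the
// request before CreateUser is reached with an invalid name.
func loginNameFromHeaders(h http.Header, userHeader, emailHeader string) (string, error) {
	name := ""
	if userHeader != "" { // an empty REVERSE_PROXY_AUTHENTICATION_USER disables this path
		name = strings.TrimSpace(h.Get(userHeader))
	}
	if name == "" {
		email := strings.TrimSpace(h.Get(emailHeader))
		local, _, ok := strings.Cut(email, "@")
		if !ok || local == "" {
			return "", errors.New("no user header and no usable email header")
		}
		name = local
	}
	if !validUserName.MatchString(name) {
		return "", fmt.Errorf("derived login name %q fails user name validation", name)
	}
	return name, nil
}

func main() {
	h := http.Header{} // constructed headers modelled on the envoy capture above
	h.Set("X-WEBAUTH-USER", "myid@domain.net")
	fmt.Println(loginNameFromHeaders(h, "", "X-WEBAUTH-USER")) // myid <nil>
	// A local part may contain characters a user name may not ("+" here).
	h.Set("X-WEBAUTH-USER", "first.last+git@domain.net")
	fmt.Println(loginNameFromHeaders(h, "", "X-WEBAUTH-USER")) // "" and an error
	// Two different people can share a local part: both map to "alice".
	for _, e := range []string{"alice@domain.net", "alice@partner.example"} {
		h.Set("X-WEBAUTH-USER", e)
		n, _ := loginNameFromHeaders(h, "", "X-WEBAUTH-USER")
		fmt.Println(e, "->", n)
	}
}
```

The collision case is the practical reason to keep a distinct user header rather than deriving identity from the email: with auto-registration enabled, the second person would log in as the first one's account.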
GiteaMirror added the issue/needs-feedback label 2025-11-02 08:33:12 -06:00
@wxiaoguang commented on GitHub (May 10, 2023):

What's your auth provider?

I have experience managing companies with thousands of staff.

I made a mistake before: using "email" as usernames; it caused various problems in the end.

So, I would suggest that IT people always use a unique username as the username, do not use email as the username, and do not try to guess the username.
@wxiaoguang commented on GitHub (May 14, 2023):

I think this pr/issue can be closed, feel free to reopen if there are new thoughts.

Reference: github-starred/gitea#9247