From 33d4d3209632a0b1bbe010ae3f5dbf8fed5a4092 Mon Sep 17 00:00:00 2001
From: Giteabot
Date: Sun, 12 May 2024 10:26:01 +0800
Subject: [PATCH] Move reverproxyauth before session so the header will not be ignored even if user has login (#27821) (#30947)

Backport #27821 by @lunny

When a user logout and then login another user, the reverseproxy auth should be checked before session otherwise the old user is still login.

Co-authored-by: Lunny Xiao
---
 routers/web/web.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/routers/web/web.go b/routers/web/web.go
index bbda234115..25716f7181 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -100,14 +100,14 @@ func optionsCorsHandler() func(next http.Handler) http.Handler {
 // The Session plugin is expected to be executed second, in order to skip authentication
 // for users that have already signed in.
 func buildAuthGroup() *auth_service.Group {
- group := auth_service.NewGroup(
- &auth_service.OAuth2{}, // FIXME: this should be removed and only applied in download and oauth related routers
- &auth_service.Basic{}, // FIXME: this should be removed and only applied in download and git/lfs routers
- &auth_service.Session{},
- )
+ group := auth_service.NewGroup()
+ group.Add(&auth_service.OAuth2{}) // FIXME: this should be removed and only applied in download and oauth related routers
+ group.Add(&auth_service.Basic{}) // FIXME: this should be removed and only applied in download and git/lfs routers
+
 if setting.Service.EnableReverseProxyAuth {
- group.Add(&auth_service.ReverseProxy{})
+ group.Add(&auth_service.ReverseProxy{}) // reverseproxy should before Session, otherwise the header will be ignored if user has login
 }
+ group.Add(&auth_service.Session{})

 if setting.IsWindows && auth_model.IsSSPIEnabled() {
 group.Add(&auth_service.SSPI{}) // it MUST be the last, see the comment of SSPI
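Review bot: The doc comment kept as context above `buildAuthGroup` still says the Session plugin "is expected to be executed second", but the new code adds Session after OAuth2, Basic and, when `setting.Service.EnableReverseProxyAuth` is set, ReverseProxy, so the comment now contradicts the order at the one place where that order is security-relevant. I would replace it with something like `// Session is added after ReverseProxy so that the identity from the proxy header is checked before an existing session.` and reword the new inline comment to `// ReverseProxy must come before Session, otherwise the header is ignored once a user is signed in`. Assuming the group accepts the first method that yields a user (its implementation is outside this hunk), the header now takes precedence over a valid session on every request, so the same comment should state that this is only sound when the trusted proxy alone can set that header. The diffstat lists only web.go, so no regression test pins the sign-out and sign-in-as-another-user case described in the commit message; the function body continues past the end of the hunk.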