Move macaron to chi (#14293)

Use [chi](https://github.com/go-chi/chi) instead of the forked [macaron](https://gitea.com/macaron/macaron). Since macaron and chi have conflicts with session share, this big PR becomes a have-to thing. According my previous idea, we can replace macaron step by step but I'm wrong. :( Below is a list of big changes on this PR. - [x] Define `context.ResponseWriter` interface with an implementation `context.Response`. - [x] Use chi instead of macaron, and also a customize `Route` to wrap chi so that the router usage is similar as before. - [x] Create different routers for `web`, `api`, `internal` and `install` so that the codes will be more clear and no magic . - [x] Use https://github.com/unrolled/render instead of macaron's internal render - [x] Use https://github.com/NYTimes/gziphandler instead of https://gitea.com/macaron/gzip - [x] Use https://gitea.com/go-chi/session which is a modified version of https://gitea.com/macaron/session and removed `nodb` support since it will not be maintained. **BREAK** - [x] Use https://gitea.com/go-chi/captcha which is a modified version of https://gitea.com/macaron/captcha - [x] Use https://gitea.com/go-chi/cache which is a modified version of https://gitea.com/macaron/cache - [x] Use https://gitea.com/go-chi/binding which is a modified version of https://gitea.com/macaron/binding - [x] Use https://github.com/go-chi/cors instead of https://gitea.com/macaron/cors - [x] Dropped https://gitea.com/macaron/i18n and make a new one in `code.gitea.io/gitea/modules/translation` - [x] Move validation form structs from `code.gitea.io/gitea/modules/auth` to `code.gitea.io/gitea/modules/forms` to avoid dependency cycle. - [x] Removed macaron log service because it's not need any more. **BREAK** - [x] All form structs have to be get by `web.GetForm(ctx)` in the route function but not as a function parameter on routes definition. - [x] Move Git HTTP protocol implementation to use routers directly. - [x] Fix the problem that chi routes don't support trailing slash but macaron did. - [x] `/api/v1/swagger` now will be redirect to `/api/swagger` but not render directly so that `APIContext` will not create a html render. Notices: - Chi router don't support request with trailing slash - Integration test `TestUserHeatmap` maybe mysql version related. It's failed on my macOS(mysql 5.7.29 installed via brew) but succeed on CI. Co-authored-by: 6543 <6543@obermui.de>
2025-05-31 12:00:01 +02:00 · 2021-01-26 23:36:53 +08:00 · 2021-01-26 23:36:53 +08:00 · 6433ba0ec3
commit 6433ba0ec3
parent 3adbbb4255
353 changed files with 5463 additions and 20785 deletions
--- a/modules/context/auth.go
+++ b/modules/context/auth.go
@ -7,12 +7,8 @@ package context

 import (
 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
-
-	"gitea.com/macaron/csrf"
-	"gitea.com/macaron/macaron"
 )

 // ToggleOptions contains required or check options
@ -24,42 +20,23 @@ type ToggleOptions struct {
 }

 // Toggle returns toggle options as middleware
-func Toggle(options *ToggleOptions) macaron.Handler {
+func Toggle(options *ToggleOptions) func(ctx *Context) {
 	return func(ctx *Context) {
-		isAPIPath := auth.IsAPIPath(ctx.Req.URL.Path)
-
 		// Check prohibit login users.
 		if ctx.IsSigned {
 			if !ctx.User.IsActive && setting.Service.RegisterEmailConfirm {
 				ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
-				if isAPIPath {
-					ctx.JSON(403, map[string]string{
-						"message": "This account is not activated.",
-					})
-					return
-				}
 				ctx.HTML(200, "user/auth/activate")
 				return
-			} else if !ctx.User.IsActive || ctx.User.ProhibitLogin {
+			}
+			if !ctx.User.IsActive || ctx.User.ProhibitLogin {
 				log.Info("Failed authentication attempt for %s from %s", ctx.User.Name, ctx.RemoteAddr())
 				ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
-				if isAPIPath {
-					ctx.JSON(403, map[string]string{
-						"message": "This account is prohibited from signing in, please contact your site administrator.",
-					})
-					return
-				}
 				ctx.HTML(200, "user/auth/prohibit_login")
 				return
 			}

 			if ctx.User.MustChangePassword {
-				if isAPIPath {
-					ctx.JSON(403, map[string]string{
-						"message": "You must change your password. Change it at: " + setting.AppURL + "/user/change_password",
-					})
-					return
-				}
 				if ctx.Req.URL.Path != "/user/settings/change_password" {
 					ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
 					ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
@ -82,8 +59,8 @@ func Toggle(options *ToggleOptions) macaron.Handler {
 			return
 		}

-		if !options.SignOutRequired && !options.DisableCSRF && ctx.Req.Method == "POST" && !auth.IsAPIPath(ctx.Req.URL.Path) {
-			csrf.Validate(ctx.Context, ctx.csrf)
+		if !options.SignOutRequired && !options.DisableCSRF && ctx.Req.Method == "POST" {
+			Validate(ctx, ctx.csrf)
 			if ctx.Written() {
 				return
 			}
@ -91,13 +68,6 @@ func Toggle(options *ToggleOptions) macaron.Handler {

 		if options.SignInRequired {
 			if !ctx.IsSigned {
-				// Restrict API calls with error message.
-				if isAPIPath {
-					ctx.JSON(403, map[string]string{
-						"message": "Only signed in user is allowed to call APIs.",
-					})
-					return
-				}
 				if ctx.Req.URL.Path != "/user/events" {
 					ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(), 0, setting.AppSubURL)
 				}
@ -108,32 +78,10 @@ func Toggle(options *ToggleOptions) macaron.Handler {
 				ctx.HTML(200, "user/auth/activate")
 				return
 			}
-			if ctx.IsSigned && isAPIPath && ctx.IsBasicAuth {
-				twofa, err := models.GetTwoFactorByUID(ctx.User.ID)
-				if err != nil {
-					if models.IsErrTwoFactorNotEnrolled(err) {
-						return // No 2FA enrollment for this user
-					}
-					ctx.Error(500)
-					return
-				}
-				otpHeader := ctx.Req.Header.Get("X-Gitea-OTP")
-				ok, err := twofa.ValidateTOTP(otpHeader)
-				if err != nil {
-					ctx.Error(500)
-					return
-				}
-				if !ok {
-					ctx.JSON(403, map[string]string{
-						"message": "Only signed in user is allowed to call APIs.",
-					})
-					return
-				}
-			}
 		}

 		// Redirect to log in page if auto-signin info is provided and has not signed in.
-		if !options.SignOutRequired && !ctx.IsSigned && !isAPIPath &&
+		if !options.SignOutRequired && !ctx.IsSigned &&
 			len(ctx.GetCookie(setting.CookieUserName)) > 0 {
 			if ctx.Req.URL.Path != "/user/events" {
 				ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(), 0, setting.AppSubURL)
@ -151,3 +99,86 @@ func Toggle(options *ToggleOptions) macaron.Handler {
 		}
 	}
 }
+
+// ToggleAPI returns toggle options as middleware
+func ToggleAPI(options *ToggleOptions) func(ctx *APIContext) {
+	return func(ctx *APIContext) {
+		// Check prohibit login users.
+		if ctx.IsSigned {
+			if !ctx.User.IsActive && setting.Service.RegisterEmailConfirm {
+				ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
+				ctx.JSON(403, map[string]string{
+					"message": "This account is not activated.",
+				})
+				return
+			}
+			if !ctx.User.IsActive || ctx.User.ProhibitLogin {
+				log.Info("Failed authentication attempt for %s from %s", ctx.User.Name, ctx.RemoteAddr())
+				ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
+				ctx.JSON(403, map[string]string{
+					"message": "This account is prohibited from signing in, please contact your site administrator.",
+				})
+				return
+			}
+
+			if ctx.User.MustChangePassword {
+				ctx.JSON(403, map[string]string{
+					"message": "You must change your password. Change it at: " + setting.AppURL + "/user/change_password",
+				})
+				return
+			}
+		}
+
+		// Redirect to dashboard if user tries to visit any non-login page.
+		if options.SignOutRequired && ctx.IsSigned && ctx.Req.URL.RequestURI() != "/" {
+			ctx.Redirect(setting.AppSubURL + "/")
+			return
+		}
+
+		if options.SignInRequired {
+			if !ctx.IsSigned {
+				// Restrict API calls with error message.
+				ctx.JSON(403, map[string]string{
+					"message": "Only signed in user is allowed to call APIs.",
+				})
+				return
+			} else if !ctx.User.IsActive && setting.Service.RegisterEmailConfirm {
+				ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
+				ctx.HTML(200, "user/auth/activate")
+				return
+			}
+			if ctx.IsSigned && ctx.IsBasicAuth {
+				twofa, err := models.GetTwoFactorByUID(ctx.User.ID)
+				if err != nil {
+					if models.IsErrTwoFactorNotEnrolled(err) {
+						return // No 2FA enrollment for this user
+					}
+					ctx.InternalServerError(err)
+					return
+				}
+				otpHeader := ctx.Req.Header.Get("X-Gitea-OTP")
+				ok, err := twofa.ValidateTOTP(otpHeader)
+				if err != nil {
+					ctx.InternalServerError(err)
+					return
+				}
+				if !ok {
+					ctx.JSON(403, map[string]string{
+						"message": "Only signed in user is allowed to call APIs.",
+					})
+					return
+				}
+			}
+		}
+
+		if options.AdminRequired {
+			if !ctx.User.IsAdmin {
+				ctx.JSON(403, map[string]string{
+					"message": "You have no permission to request for this.",
+				})
+				return
+			}
+			ctx.Data["PageIsAdmin"] = true
+		}
+	}
+}