[BRANDING] X-Forgejo-OTP can be used instead of X-Gitea-OTP

Loïc Dachary · earl-warren · commit eaca81faf4c0 · 2023-05-02T20:04:52.000+02:00
(cherry picked from commit 7b0549cd70aa7cafec853e15b25270847c59850b)
(cherry picked from commit 13e10a65d974c7b594681bfa36402a6144862116)
(cherry picked from commit 89982e6c4a7f9cf7024b2db3ed14b2b79db29064)
(cherry picked from commit a4acf6343d9f5c6dedeb261c524cd7ac5ae1b3c1)
(cherry picked from commit 9886aec9f8b09b58c73c55598a2017417a51843d)
(cherry picked from commit 1ee9bd7549eaa094f5cfa9636a89d8f13766ccc8)
(cherry picked from commit f343cf5597d666f937c582677f4d62ac2137dc4e)
diff --git a/modules/context/api.go b/modules/context/api.go
@@ -188,13 +188,20 @@ func (ctx *APIContext) SetLinkHeader(total, pageSize int) {
 	}
 }
 
+func getOtpHeader(header http.Header) string {
+	otpHeader := header.Get("X-Gitea-OTP")
+	if forgejoHeader := header.Get("X-Forgejo-OTP"); forgejoHeader != "" {
+		otpHeader = forgejoHeader
+	}
+	return otpHeader
+}
+
 // CheckForOTP validates OTP
 func (ctx *APIContext) CheckForOTP() {
 	if skip, ok := ctx.Data["SkipLocalTwoFA"]; ok && skip.(bool) {
 		return // Skip 2FA
 	}
 
-	otpHeader := ctx.Req.Header.Get("X-Gitea-OTP")
 	twofa, err := auth.GetTwoFactorByUID(ctx.Context.Doer.ID)
 	if err != nil {
 		if auth.IsErrTwoFactorNotEnrolled(err) {
@@ -203,7 +210,7 @@ func (ctx *APIContext) CheckForOTP() {
 		ctx.Context.Error(http.StatusInternalServerError)
 		return
 	}
-	ok, err := twofa.ValidateTOTP(otpHeader)
+	ok, err := twofa.ValidateTOTP(getOtpHeader(ctx.Req.Header))
 	if err != nil {
 		ctx.Context.Error(http.StatusInternalServerError)
 		return
diff --git a/modules/context/api_forgejo_test.go b/modules/context/api_forgejo_test.go
@@ -0,0 +1,23 @@
+// SPDX-License-Identifier: MIT
+
+package context
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetOtpHeader(t *testing.T) {
+	header := http.Header{}
+	assert.EqualValues(t, "", getOtpHeader(header))
+	// Gitea
+	giteaOtp := "123456"
+	header.Set("X-Gitea-OTP", giteaOtp)
+	assert.EqualValues(t, giteaOtp, getOtpHeader(header))
+	// Forgejo has precedence
+	forgejoOtp := "abcdef"
+	header.Set("X-Forgejo-OTP", forgejoOtp)
+	assert.EqualValues(t, forgejoOtp, getOtpHeader(header))
+}
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
@@ -56,7 +56,7 @@
 //	     description: Sudo API request as the user provided as the key. Admin privileges are required.
 //	TOTPHeader:
 //	     type: apiKey
-//	     name: X-GITEA-OTP
+//	     name: X-FORGEJO-OTP
 //	     in: header
 //	     description: Must be used in combination with BasicAuth if two-factor authentication is enabled.
 //
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
@@ -21018,7 +21018,7 @@
     "TOTPHeader": {
       "description": "Must be used in combination with BasicAuth if two-factor authentication is enabled.",
       "type": "apiKey",
-      "name": "X-GITEA-OTP",
+      "name": "X-FORGEJO-OTP",
       "in": "header"
     },
     "Token": {
