Fix the error message when the token is incorrect (#25701)

we refactored `userIDFromToken` for the token parsing part into a new function `parseToken`. `parseToken` returns the string `token` from request, and a boolean `ok` representing whether the token exists or not. So we can distinguish between token non-existence and token inconsistency in the `verfity` function, thus solving the problem of no proper error message when the token is inconsistent. close #24439 related #22119 --------- Co-authored-by: Jason Song <i@wolfogre.com> Co-authored-by: Giteabot <teabot@gitea.io>
2025-07-15 23:17:19 +00:00 · 2023-07-11 10:04:28 +08:00
parent 2f31d2d56c
commit 491cc06ffe
3 changed files with 54 additions and 26 deletions
--- a/services/auth/oauth2.go
+++ b/services/auth/oauth2.go
@@ -59,31 +59,32 @@ func (o *OAuth2) Name() string {
 	return "oauth2"
 }

+// parseToken returns the token from request, and a boolean value
+// representing whether the token exists or not
+func parseToken(req *http.Request) (string, bool) {
+	_ = req.ParseForm()
+	// Check token.
+	if token := req.Form.Get("token"); token != "" {
+		return token, true
+	}
+	// Check access token.
+	if token := req.Form.Get("access_token"); token != "" {
+		return token, true
+	}
+	// check header token
+	if auHead := req.Header.Get("Authorization"); auHead != "" {
+		auths := strings.Fields(auHead)
+		if len(auths) == 2 && (auths[0] == "token" || strings.ToLower(auths[0]) == "bearer") {
+			return auths[1], true
+		}
+	}
+	return "", false
+}
+
 // userIDFromToken returns the user id corresponding to the OAuth token.
 // It will set 'IsApiToken' to true if the token is an API token and
 // set 'ApiTokenScope' to the scope of the access token
-func (o *OAuth2) userIDFromToken(req *http.Request, store DataStore) int64 {
-	_ = req.ParseForm()
-
-	// Check access token.
-	tokenSHA := req.Form.Get("token")
-	if len(tokenSHA) == 0 {
-		tokenSHA = req.Form.Get("access_token")
-	}
-	if len(tokenSHA) == 0 {
-		// Well, check with header again.
-		auHead := req.Header.Get("Authorization")
-		if len(auHead) > 0 {
-			auths := strings.Fields(auHead)
-			if len(auths) == 2 && (auths[0] == "token" || strings.ToLower(auths[0]) == "bearer") {
-				tokenSHA = auths[1]
-			}
-		}
-	}
-	if len(tokenSHA) == 0 {
-		return 0
-	}
-
+func (o *OAuth2) userIDFromToken(tokenSHA string, store DataStore) int64 {
 	// Let's see if token is valid.
 	if strings.Contains(tokenSHA, ".") {
 		uid := CheckOAuthAccessToken(tokenSHA)
@@ -129,10 +130,15 @@ func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, store DataStor
 		return nil, nil
 	}

-	id := o.userIDFromToken(req, store)
+	token, ok := parseToken(req)
+	if !ok {
+		return nil, nil
+	}
+
+	id := o.userIDFromToken(token, store)

 	if id <= 0 && id != -2 { // -2 means actions, so we need to allow it.
-		return nil, nil
+		return nil, user_model.ErrUserNotExist{}
 	}
 	log.Trace("OAuth2 Authorization: Found token for user[%d]", id)