Move macaron to chi (#14293)

Use [chi](https://github.com/go-chi/chi) instead of the forked [macaron](https://gitea.com/macaron/macaron). Since macaron and chi have conflicts with session share, this big PR becomes a have-to thing. According my previous idea, we can replace macaron step by step but I'm wrong. :( Below is a list of big changes on this PR. - [x] Define `context.ResponseWriter` interface with an implementation `context.Response`. - [x] Use chi instead of macaron, and also a customize `Route` to wrap chi so that the router usage is similar as before. - [x] Create different routers for `web`, `api`, `internal` and `install` so that the codes will be more clear and no magic . - [x] Use https://github.com/unrolled/render instead of macaron's internal render - [x] Use https://github.com/NYTimes/gziphandler instead of https://gitea.com/macaron/gzip - [x] Use https://gitea.com/go-chi/session which is a modified version of https://gitea.com/macaron/session and removed `nodb` support since it will not be maintained. **BREAK** - [x] Use https://gitea.com/go-chi/captcha which is a modified version of https://gitea.com/macaron/captcha - [x] Use https://gitea.com/go-chi/cache which is a modified version of https://gitea.com/macaron/cache - [x] Use https://gitea.com/go-chi/binding which is a modified version of https://gitea.com/macaron/binding - [x] Use https://github.com/go-chi/cors instead of https://gitea.com/macaron/cors - [x] Dropped https://gitea.com/macaron/i18n and make a new one in `code.gitea.io/gitea/modules/translation` - [x] Move validation form structs from `code.gitea.io/gitea/modules/auth` to `code.gitea.io/gitea/modules/forms` to avoid dependency cycle. - [x] Removed macaron log service because it's not need any more. **BREAK** - [x] All form structs have to be get by `web.GetForm(ctx)` in the route function but not as a function parameter on routes definition. - [x] Move Git HTTP protocol implementation to use routers directly. - [x] Fix the problem that chi routes don't support trailing slash but macaron did. - [x] `/api/v1/swagger` now will be redirect to `/api/swagger` but not render directly so that `APIContext` will not create a html render. Notices: - Chi router don't support request with trailing slash - Integration test `TestUserHeatmap` maybe mysql version related. It's failed on my macOS(mysql 5.7.29 installed via brew) but succeed on CI. Co-authored-by: 6543 <6543@obermui.de>
2025-07-29 13:48:36 +00:00 · 2021-01-26 23:36:53 +08:00
parent 3adbbb4255
commit 6433ba0ec3
353 changed files with 5463 additions and 20785 deletions
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@@ -12,22 +12,22 @@ import (
 	"strings"

 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/auth/oauth2"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/eventsource"
+	auth "code.gitea.io/gitea/modules/forms"
 	"code.gitea.io/gitea/modules/hcaptcha"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/password"
 	"code.gitea.io/gitea/modules/recaptcha"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/utils"
 	"code.gitea.io/gitea/services/externalaccount"
 	"code.gitea.io/gitea/services/mailer"

-	"gitea.com/macaron/captcha"
 	"github.com/markbates/goth"
 	"github.com/tstranex/u2f"
 )
@@ -149,7 +149,7 @@ func SignIn(ctx *context.Context) {
 }

 // SignInPost response for sign in request
-func SignInPost(ctx *context.Context, form auth.SignInForm) {
+func SignInPost(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("sign_in")

 	orderedOAuth2Names, oauth2Providers, err := models.GetActiveOAuth2Providers()
@@ -170,6 +170,7 @@ func SignInPost(ctx *context.Context, form auth.SignInForm) {
 		return
 	}

+	form := web.GetForm(ctx).(*auth.SignInForm)
 	u, err := models.UserSignIn(form.UserName, form.Password)
 	if err != nil {
 		if models.IsErrUserNotExist(err) {
@@ -250,7 +251,8 @@ func TwoFactor(ctx *context.Context) {
 }

 // TwoFactorPost validates a user's two-factor authentication token.
-func TwoFactorPost(ctx *context.Context, form auth.TwoFactorAuthForm) {
+func TwoFactorPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.TwoFactorAuthForm)
 	ctx.Data["Title"] = ctx.Tr("twofa")

 	// Ensure user is in a 2FA session.
@@ -328,7 +330,8 @@ func TwoFactorScratch(ctx *context.Context) {
 }

 // TwoFactorScratchPost validates and invalidates a user's two-factor scratch token.
-func TwoFactorScratchPost(ctx *context.Context, form auth.TwoFactorScratchAuthForm) {
+func TwoFactorScratchPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.TwoFactorScratchAuthForm)
 	ctx.Data["Title"] = ctx.Tr("twofa_scratch")

 	// Ensure user is in a 2FA session.
@@ -427,7 +430,8 @@ func U2FChallenge(ctx *context.Context) {
 }

 // U2FSign authenticates the user by signResp
-func U2FSign(ctx *context.Context, signResp u2f.SignResponse) {
+func U2FSign(ctx *context.Context) {
+	signResp := web.GetForm(ctx).(*u2f.SignResponse)
 	challSess := ctx.Session.Get("u2fChallenge")
 	idSess := ctx.Session.Get("twofaUid")
 	if challSess == nil || idSess == nil {
@@ -447,7 +451,7 @@ func U2FSign(ctx *context.Context, signResp u2f.SignResponse) {
 			log.Fatal("parsing u2f registration: %v", err)
 			continue
 		}
-		newCounter, authErr := r.Authenticate(signResp, *challenge, reg.Counter)
+		newCounter, authErr := r.Authenticate(*signResp, *challenge, reg.Counter)
 		if authErr == nil {
 			reg.Counter = newCounter
 			user, err := models.GetUserByID(id)
@@ -563,20 +567,20 @@ func SignInOAuth(ctx *context.Context) {
 	}

 	// try to do a direct callback flow, so we don't authenticate the user again but use the valid accesstoken to get the user
-	user, gothUser, err := oAuth2UserLoginCallback(loginSource, ctx.Req.Request, ctx.Resp)
+	user, gothUser, err := oAuth2UserLoginCallback(loginSource, ctx.Req, ctx.Resp)
 	if err == nil && user != nil {
 		// we got the user without going through the whole OAuth2 authentication flow again
 		handleOAuth2SignIn(user, gothUser, ctx, err)
 		return
 	}

-	if err = oauth2.Auth(loginSource.Name, ctx.Req.Request, ctx.Resp); err != nil {
+	if err = oauth2.Auth(loginSource.Name, ctx.Req, ctx.Resp); err != nil {
 		if strings.Contains(err.Error(), "no provider for ") {
 			if err = models.ResetOAuth2(); err != nil {
 				ctx.ServerError("SignIn", err)
 				return
 			}
-			if err = oauth2.Auth(loginSource.Name, ctx.Req.Request, ctx.Resp); err != nil {
+			if err = oauth2.Auth(loginSource.Name, ctx.Req, ctx.Resp); err != nil {
 				ctx.ServerError("SignIn", err)
 			}
 			return
@@ -602,7 +606,7 @@ func SignInOAuthCallback(ctx *context.Context) {
 		return
 	}

-	u, gothUser, err := oAuth2UserLoginCallback(loginSource, ctx.Req.Request, ctx.Resp)
+	u, gothUser, err := oAuth2UserLoginCallback(loginSource, ctx.Req, ctx.Resp)

 	handleOAuth2SignIn(u, gothUser, ctx, err)
 }
@@ -788,7 +792,8 @@ func LinkAccount(ctx *context.Context) {
 }

 // LinkAccountPostSignIn handle the coupling of external account with another account using signIn
-func LinkAccountPostSignIn(ctx *context.Context, signInForm auth.SignInForm) {
+func LinkAccountPostSignIn(ctx *context.Context) {
+	signInForm := web.GetForm(ctx).(*auth.SignInForm)
 	ctx.Data["DisablePassword"] = !setting.Service.RequireExternalRegistrationPassword || setting.Service.AllowOnlyExternalRegistration
 	ctx.Data["Title"] = ctx.Tr("link_account")
 	ctx.Data["LinkAccountMode"] = true
@@ -870,7 +875,8 @@ func LinkAccountPostSignIn(ctx *context.Context, signInForm auth.SignInForm) {
 }

 // LinkAccountPostRegister handle the creation of a new account for an external account using signUp
-func LinkAccountPostRegister(ctx *context.Context, cpt *captcha.Captcha, form auth.RegisterForm) {
+func LinkAccountPostRegister(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.RegisterForm)
 	// TODO Make insecure passwords optional for local accounts also,
 	//      once email-based Second-Factor Auth is available
 	ctx.Data["DisablePassword"] = !setting.Service.RequireExternalRegistrationPassword || setting.Service.AllowOnlyExternalRegistration
@@ -909,7 +915,7 @@ func LinkAccountPostRegister(ctx *context.Context, cpt *captcha.Captcha, form au
 		var err error
 		switch setting.Service.CaptchaType {
 		case setting.ImageCaptcha:
-			valid = cpt.VerifyReq(ctx.Req)
+			valid = context.GetImageCaptcha().VerifyReq(ctx.Req)
 		case setting.ReCaptcha:
 			valid, err = recaptcha.Verify(ctx.Req.Context(), form.GRecaptchaResponse)
 		case setting.HCaptcha:
@@ -1029,7 +1035,7 @@ func LinkAccountPostRegister(ctx *context.Context, cpt *captcha.Captcha, form au
 // HandleSignOut resets the session and sets the cookies
 func HandleSignOut(ctx *context.Context) {
 	_ = ctx.Session.Flush()
-	_ = ctx.Session.Destroy(ctx.Context)
+	_ = ctx.Session.Destroy(ctx.Resp, ctx.Req)
 	ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
 	ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
 	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
@@ -1069,7 +1075,8 @@ func SignUp(ctx *context.Context) {
 }

 // SignUpPost response for sign up information submission
-func SignUpPost(ctx *context.Context, cpt *captcha.Captcha, form auth.RegisterForm) {
+func SignUpPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.RegisterForm)
 	ctx.Data["Title"] = ctx.Tr("sign_up")

 	ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/sign_up"
@@ -1097,7 +1104,7 @@ func SignUpPost(ctx *context.Context, cpt *captcha.Captcha, form auth.RegisterFo
 		var err error
 		switch setting.Service.CaptchaType {
 		case setting.ImageCaptcha:
-			valid = cpt.VerifyReq(ctx.Req)
+			valid = context.GetImageCaptcha().VerifyReq(ctx.Req)
 		case setting.ReCaptcha:
 			valid, err = recaptcha.Verify(ctx.Req.Context(), form.GRecaptchaResponse)
 		case setting.HCaptcha:
@@ -1562,7 +1569,8 @@ func MustChangePassword(ctx *context.Context) {

 // MustChangePasswordPost response for updating a user's password after his/her
 // account was created by an admin
-func MustChangePasswordPost(ctx *context.Context, cpt *captcha.Captcha, form auth.MustChangePasswordForm) {
+func MustChangePasswordPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.MustChangePasswordForm)
 	ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
 	ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/settings/change_password"
 	if ctx.HasError() {
--- a/routers/user/auth_openid.go
+++ b/routers/user/auth_openid.go
@@ -9,19 +9,18 @@ import (
 	"net/url"

 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/auth/openid"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
+	auth "code.gitea.io/gitea/modules/forms"
 	"code.gitea.io/gitea/modules/generate"
 	"code.gitea.io/gitea/modules/hcaptcha"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/recaptcha"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/services/mailer"
-
-	"gitea.com/macaron/captcha"
 )

 const (
@@ -90,7 +89,8 @@ func allowedOpenIDURI(uri string) (err error) {
 }

 // SignInOpenIDPost response for openid sign in request
-func SignInOpenIDPost(ctx *context.Context, form auth.SignInOpenIDForm) {
+func SignInOpenIDPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.SignInOpenIDForm)
 	ctx.Data["Title"] = ctx.Tr("sign_in")
 	ctx.Data["PageIsSignIn"] = true
 	ctx.Data["PageIsLoginOpenID"] = true
@@ -143,9 +143,9 @@ func SignInOpenIDPost(ctx *context.Context, form auth.SignInOpenIDForm) {
 // signInOpenIDVerify handles response from OpenID provider
 func signInOpenIDVerify(ctx *context.Context) {

-	log.Trace("Incoming call to: " + ctx.Req.Request.URL.String())
+	log.Trace("Incoming call to: " + ctx.Req.URL.String())

-	fullURL := setting.AppURL + ctx.Req.Request.URL.String()[1:]
+	fullURL := setting.AppURL + ctx.Req.URL.String()[1:]
 	log.Trace("Full URL: " + fullURL)

 	var id, err = openid.Verify(fullURL)
@@ -276,8 +276,8 @@ func ConnectOpenID(ctx *context.Context) {
 }

 // ConnectOpenIDPost handles submission of a form to connect an OpenID URI to an existing account
-func ConnectOpenIDPost(ctx *context.Context, form auth.ConnectOpenIDForm) {
-
+func ConnectOpenIDPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.ConnectOpenIDForm)
 	oid, _ := ctx.Session.Get("openid_verified_uri").(string)
 	if oid == "" {
 		ctx.Redirect(setting.AppSubURL + "/user/login/openid")
@@ -346,7 +346,8 @@ func RegisterOpenID(ctx *context.Context) {
 }

 // RegisterOpenIDPost handles submission of a form to create a new user authenticated via an OpenID URI
-func RegisterOpenIDPost(ctx *context.Context, cpt *captcha.Captcha, form auth.SignUpOpenIDForm) {
+func RegisterOpenIDPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.SignUpOpenIDForm)
 	oid, _ := ctx.Session.Get("openid_verified_uri").(string)
 	if oid == "" {
 		ctx.Redirect(setting.AppSubURL + "/user/login/openid")
@@ -369,7 +370,7 @@ func RegisterOpenIDPost(ctx *context.Context, cpt *captcha.Captcha, form auth.Si
 		var err error
 		switch setting.Service.CaptchaType {
 		case setting.ImageCaptcha:
-			valid = cpt.VerifyReq(ctx.Req)
+			valid = context.GetImageCaptcha().VerifyReq(ctx.Req)
 		case setting.ReCaptcha:
 			if err := ctx.Req.ParseForm(); err != nil {
 				ctx.ServerError("", err)
--- a/routers/user/oauth.go
+++ b/routers/user/oauth.go
@@ -12,14 +12,15 @@ import (
 	"strings"

 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
+	auth "code.gitea.io/gitea/modules/forms"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
+	"code.gitea.io/gitea/modules/web"

-	"gitea.com/macaron/binding"
+	"gitea.com/go-chi/binding"
 	"github.com/dgrijalva/jwt-go"
 )

@@ -192,9 +193,10 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*Ac
 }

 // AuthorizeOAuth manages authorize requests
-func AuthorizeOAuth(ctx *context.Context, form auth.AuthorizationForm) {
+func AuthorizeOAuth(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.AuthorizationForm)
 	errs := binding.Errors{}
-	errs = form.Validate(ctx.Context, errs)
+	errs = form.Validate(ctx.Req, errs)
 	if len(errs) > 0 {
 		errstring := ""
 		for _, e := range errs {
@@ -341,7 +343,8 @@ func AuthorizeOAuth(ctx *context.Context, form auth.AuthorizationForm) {
 }

 // GrantApplicationOAuth manages the post request submitted when a user grants access to an application
-func GrantApplicationOAuth(ctx *context.Context, form auth.GrantApplicationForm) {
+func GrantApplicationOAuth(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.GrantApplicationForm)
 	if ctx.Session.Get("client_id") != form.ClientID || ctx.Session.Get("state") != form.State ||
 		ctx.Session.Get("redirect_uri") != form.RedirectURI {
 		ctx.Error(400)
@@ -386,7 +389,8 @@ func GrantApplicationOAuth(ctx *context.Context, form auth.GrantApplicationForm)
 }

 // AccessTokenOAuth manages all access token requests by the client
-func AccessTokenOAuth(ctx *context.Context, form auth.AccessTokenForm) {
+func AccessTokenOAuth(ctx *context.Context) {
+	form := *web.GetForm(ctx).(*auth.AccessTokenForm)
 	if form.ClientID == "" {
 		authHeader := ctx.Req.Header.Get("Authorization")
 		authContent := strings.SplitN(authHeader, " ", 2)
--- a/routers/user/setting/account.go
+++ b/routers/user/setting/account.go
@@ -10,13 +10,14 @@ import (
 	"time"

 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
+	auth "code.gitea.io/gitea/modules/forms"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/password"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/services/mailer"
 )

@@ -36,7 +37,8 @@ func Account(ctx *context.Context) {
 }

 // AccountPost response for change user's password
-func AccountPost(ctx *context.Context, form auth.ChangePasswordForm) {
+func AccountPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.ChangePasswordForm)
 	ctx.Data["Title"] = ctx.Tr("settings")
 	ctx.Data["PageIsSettingsAccount"] = true

@@ -80,7 +82,8 @@ func AccountPost(ctx *context.Context, form auth.ChangePasswordForm) {
 }

 // EmailPost response for change user's email
-func EmailPost(ctx *context.Context, form auth.AddEmailForm) {
+func EmailPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.AddEmailForm)
 	ctx.Data["Title"] = ctx.Tr("settings")
 	ctx.Data["PageIsSettingsAccount"] = true

@@ -252,8 +255,8 @@ func DeleteAccount(ctx *context.Context) {
 }

 // UpdateUIThemePost is used to update users' specific theme
-func UpdateUIThemePost(ctx *context.Context, form auth.UpdateThemeForm) {
-
+func UpdateUIThemePost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.UpdateThemeForm)
 	ctx.Data["Title"] = ctx.Tr("settings")
 	ctx.Data["PageIsSettingsAccount"] = true

--- a/routers/user/setting/account_test.go
+++ b/routers/user/setting/account_test.go
@@ -9,9 +9,10 @@ import (
 	"testing"

 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/auth"
+	auth "code.gitea.io/gitea/modules/forms"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/test"
+	"code.gitea.io/gitea/modules/web"

 	"github.com/stretchr/testify/assert"
 )
@@ -85,11 +86,12 @@ func TestChangePassword(t *testing.T) {
 		test.LoadUser(t, ctx, 2)
 		test.LoadRepo(t, ctx, 1)

-		AccountPost(ctx, auth.ChangePasswordForm{
+		web.SetForm(ctx, &auth.ChangePasswordForm{
 			OldPassword: req.OldPassword,
 			Password:    req.NewPassword,
 			Retype:      req.Retype,
 		})
+		AccountPost(ctx)

 		assert.Contains(t, ctx.Flash.ErrorMsg, req.Message)
 		assert.EqualValues(t, http.StatusFound, ctx.Resp.Status())
--- a/routers/user/setting/applications.go
+++ b/routers/user/setting/applications.go
@@ -7,10 +7,11 @@ package setting

 import (
 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
+	auth "code.gitea.io/gitea/modules/forms"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/web"
 )

 const (
@@ -28,7 +29,8 @@ func Applications(ctx *context.Context) {
 }

 // ApplicationsPost response for add user's access token
-func ApplicationsPost(ctx *context.Context, form auth.NewAccessTokenForm) {
+func ApplicationsPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.NewAccessTokenForm)
 	ctx.Data["Title"] = ctx.Tr("settings")
 	ctx.Data["PageIsSettingsApplications"] = true

--- a/routers/user/setting/keys.go
+++ b/routers/user/setting/keys.go
@@ -7,10 +7,11 @@ package setting

 import (
 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
+	auth "code.gitea.io/gitea/modules/forms"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/web"
 )

 const (
@@ -31,7 +32,8 @@ func Keys(ctx *context.Context) {
 }

 // KeysPost response for change user's SSH/GPG keys
-func KeysPost(ctx *context.Context, form auth.AddKeyForm) {
+func KeysPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.AddKeyForm)
 	ctx.Data["Title"] = ctx.Tr("settings")
 	ctx.Data["PageIsSettingsKeys"] = true
 	ctx.Data["DisableSSH"] = setting.SSH.Disabled
--- a/routers/user/setting/oauth2.go
+++ b/routers/user/setting/oauth2.go
@@ -8,11 +8,12 @@ import (
 	"fmt"

 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
+	auth "code.gitea.io/gitea/modules/forms"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/web"
 )

 const (
@@ -20,7 +21,8 @@ const (
 )

 // OAuthApplicationsPost response for adding a oauth2 application
-func OAuthApplicationsPost(ctx *context.Context, form auth.EditOAuth2ApplicationForm) {
+func OAuthApplicationsPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.EditOAuth2ApplicationForm)
 	ctx.Data["Title"] = ctx.Tr("settings")
 	ctx.Data["PageIsSettingsApplications"] = true

@@ -51,7 +53,8 @@ func OAuthApplicationsPost(ctx *context.Context, form auth.EditOAuth2Application
 }

 // OAuthApplicationsEdit response for editing oauth2 application
-func OAuthApplicationsEdit(ctx *context.Context, form auth.EditOAuth2ApplicationForm) {
+func OAuthApplicationsEdit(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.EditOAuth2ApplicationForm)
 	ctx.Data["Title"] = ctx.Tr("settings")
 	ctx.Data["PageIsSettingsApplications"] = true

--- a/routers/user/setting/profile.go
+++ b/routers/user/setting/profile.go
@@ -14,12 +14,13 @@ import (
 	"strings"

 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
+	auth "code.gitea.io/gitea/modules/forms"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
+	"code.gitea.io/gitea/modules/web"

 	"github.com/unknwon/i18n"
 )
@@ -71,7 +72,8 @@ func HandleUsernameChange(ctx *context.Context, user *models.User, newName strin
 }

 // ProfilePost response for change user's profile
-func ProfilePost(ctx *context.Context, form auth.UpdateProfileForm) {
+func ProfilePost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.UpdateProfileForm)
 	ctx.Data["Title"] = ctx.Tr("settings")
 	ctx.Data["PageIsSettingsProfile"] = true

@@ -123,7 +125,7 @@ func ProfilePost(ctx *context.Context, form auth.UpdateProfileForm) {

 // UpdateAvatarSetting update user's avatar
 // FIXME: limit size.
-func UpdateAvatarSetting(ctx *context.Context, form auth.AvatarForm, ctxUser *models.User) error {
+func UpdateAvatarSetting(ctx *context.Context, form *auth.AvatarForm, ctxUser *models.User) error {
 	ctxUser.UseCustomAvatar = form.Source == auth.AvatarLocal
 	if len(form.Gravatar) > 0 {
 		if form.Avatar != nil {
@@ -171,7 +173,8 @@ func UpdateAvatarSetting(ctx *context.Context, form auth.AvatarForm, ctxUser *mo
 }

 // AvatarPost response for change user's avatar request
-func AvatarPost(ctx *context.Context, form auth.AvatarForm) {
+func AvatarPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.AvatarForm)
 	if err := UpdateAvatarSetting(ctx, form, ctx.User); err != nil {
 		ctx.Flash.Error(err.Error())
 	} else {
--- a/routers/user/setting/security_openid.go
+++ b/routers/user/setting/security_openid.go
@@ -6,15 +6,17 @@ package setting

 import (
 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/auth/openid"
 	"code.gitea.io/gitea/modules/context"
+	auth "code.gitea.io/gitea/modules/forms"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/web"
 )

 // OpenIDPost response for change user's openid
-func OpenIDPost(ctx *context.Context, form auth.AddOpenIDForm) {
+func OpenIDPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.AddOpenIDForm)
 	ctx.Data["Title"] = ctx.Tr("settings")
 	ctx.Data["PageIsSettingsSecurity"] = true

@@ -70,9 +72,9 @@ func OpenIDPost(ctx *context.Context, form auth.AddOpenIDForm) {
 }

 func settingsOpenIDVerify(ctx *context.Context) {
-	log.Trace("Incoming call to: " + ctx.Req.Request.URL.String())
+	log.Trace("Incoming call to: " + ctx.Req.URL.String())

-	fullURL := setting.AppURL + ctx.Req.Request.URL.String()[1:]
+	fullURL := setting.AppURL + ctx.Req.URL.String()[1:]
 	log.Trace("Full URL: " + fullURL)

 	id, err := openid.Verify(fullURL)
--- a/routers/user/setting/security_twofa.go
+++ b/routers/user/setting/security_twofa.go
@@ -13,10 +13,11 @@ import (
 	"strings"

 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/context"
+	auth "code.gitea.io/gitea/modules/forms"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/web"

 	"github.com/pquerna/otp"
 	"github.com/pquerna/otp/totp"
@@ -165,7 +166,8 @@ func EnrollTwoFactor(ctx *context.Context) {
 }

 // EnrollTwoFactorPost handles enrolling the user into 2FA.
-func EnrollTwoFactorPost(ctx *context.Context, form auth.TwoFactorAuthForm) {
+func EnrollTwoFactorPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.TwoFactorAuthForm)
 	ctx.Data["Title"] = ctx.Tr("settings")
 	ctx.Data["PageIsSettingsSecurity"] = true

--- a/routers/user/setting/security_u2f.go
+++ b/routers/user/setting/security_u2f.go
@@ -8,16 +8,18 @@ import (
 	"errors"

 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/context"
+	auth "code.gitea.io/gitea/modules/forms"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/web"

 	"github.com/tstranex/u2f"
 )

 // U2FRegister initializes the u2f registration procedure
-func U2FRegister(ctx *context.Context, form auth.U2FRegistrationForm) {
+func U2FRegister(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.U2FRegistrationForm)
 	if form.Name == "" {
 		ctx.Error(409)
 		return
@@ -55,7 +57,8 @@ func U2FRegister(ctx *context.Context, form auth.U2FRegistrationForm) {
 }

 // U2FRegisterPost receives the response of the security key
-func U2FRegisterPost(ctx *context.Context, response u2f.RegisterResponse) {
+func U2FRegisterPost(ctx *context.Context) {
+	response := web.GetForm(ctx).(*u2f.RegisterResponse)
 	challSess := ctx.Session.Get("u2fChallenge")
 	u2fName := ctx.Session.Get("u2fName")
 	if challSess == nil || u2fName == nil {
@@ -69,7 +72,7 @@ func U2FRegisterPost(ctx *context.Context, response u2f.RegisterResponse) {
 		// certificate by default.
 		SkipAttestationVerify: true,
 	}
-	reg, err := u2f.Register(response, *challenge, config)
+	reg, err := u2f.Register(*response, *challenge, config)
 	if err != nil {
 		ctx.ServerError("u2f.Register", err)
 		return
@@ -82,7 +85,8 @@ func U2FRegisterPost(ctx *context.Context, response u2f.RegisterResponse) {
 }

 // U2FDelete deletes an security key by id
-func U2FDelete(ctx *context.Context, form auth.U2FDeleteForm) {
+func U2FDelete(ctx *context.Context) {
+	form := web.GetForm(ctx).(*auth.U2FDeleteForm)
 	reg, err := models.GetU2FRegistrationByID(form.ID)
 	if err != nil {
 		if models.IsErrU2FRegistrationNotExist(err) {