Refactor auth package (#17962)

2025-07-22 18:28:37 +00:00 · 2022-01-02 21:12:35 +08:00
parent e61b390d54
commit de8e3948a5
87 changed files with 2880 additions and 2770 deletions
--- a/services/auth/oauth2.go
+++ b/services/auth/oauth2.go
@@ -11,8 +11,8 @@ import (
 	"time"

 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
-	"code.gitea.io/gitea/models/login"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/timeutil"
@@ -37,8 +37,8 @@ func CheckOAuthAccessToken(accessToken string) int64 {
 		log.Trace("oauth2.ParseToken: %v", err)
 		return 0
 	}
-	var grant *login.OAuth2Grant
-	if grant, err = login.GetOAuth2GrantByID(token.GrantID); err != nil || grant == nil {
+	var grant *auth.OAuth2Grant
+	if grant, err = auth.GetOAuth2GrantByID(token.GrantID); err != nil || grant == nil {
 		return 0
 	}
 	if token.Type != oauth2.TypeAccessToken {
--- a/services/auth/signin.go
+++ b/services/auth/signin.go
@@ -7,8 +7,8 @@ package auth
 import (
 	"strings"

+	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
-	"code.gitea.io/gitea/models/login"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/services/auth/source/oauth2"
@@ -21,7 +21,7 @@ import (
 )

 // UserSignIn validates user name and password.
-func UserSignIn(username, password string) (*user_model.User, *login.Source, error) {
+func UserSignIn(username, password string) (*user_model.User, *auth.Source, error) {
 	var user *user_model.User
 	if strings.Contains(username, "@") {
 		user = &user_model.User{Email: strings.ToLower(strings.TrimSpace(username))}
@@ -50,13 +50,13 @@ func UserSignIn(username, password string) (*user_model.User, *login.Source, err
 	}

 	if hasUser {
-		source, err := login.GetSourceByID(user.LoginSource)
+		source, err := auth.GetSourceByID(user.LoginSource)
 		if err != nil {
 			return nil, nil, err
 		}

 		if !source.IsActive {
-			return nil, nil, oauth2.ErrLoginSourceNotActived
+			return nil, nil, oauth2.ErrAuthSourceNotActived
 		}

 		authenticator, ok := source.Cfg.(PasswordAuthenticator)
@@ -78,7 +78,7 @@ func UserSignIn(username, password string) (*user_model.User, *login.Source, err
 		return user, source, nil
 	}

-	sources, err := login.AllActiveSources()
+	sources, err := auth.AllActiveSources()
 	if err != nil {
 		return nil, nil, err
 	}
--- a/services/auth/login_source.go
+++ b/services/auth/login_source.go
@@ -5,18 +5,18 @@
 package auth

 import (
+	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
-	"code.gitea.io/gitea/models/login"
 	user_model "code.gitea.io/gitea/models/user"
 )

-// DeleteLoginSource deletes a LoginSource record in DB.
-func DeleteLoginSource(source *login.Source) error {
+// DeleteSource deletes a AuthSource record in DB.
+func DeleteSource(source *auth.Source) error {
 	count, err := db.GetEngine(db.DefaultContext).Count(&user_model.User{LoginSource: source.ID})
 	if err != nil {
 		return err
 	} else if count > 0 {
-		return login.ErrSourceInUse{
+		return auth.ErrSourceInUse{
 			ID: source.ID,
 		}
 	}
@@ -25,17 +25,17 @@ func DeleteLoginSource(source *login.Source) error {
 	if err != nil {
 		return err
 	} else if count > 0 {
-		return login.ErrSourceInUse{
+		return auth.ErrSourceInUse{
 			ID: source.ID,
 		}
 	}

-	if registerableSource, ok := source.Cfg.(login.RegisterableSource); ok {
+	if registerableSource, ok := source.Cfg.(auth.RegisterableSource); ok {
 		if err := registerableSource.UnregisterSource(); err != nil {
 			return err
 		}
 	}

-	_, err = db.GetEngine(db.DefaultContext).ID(source.ID).Delete(new(login.Source))
+	_, err = db.GetEngine(db.DefaultContext).ID(source.ID).Delete(new(auth.Source))
 	return err
 }
--- a/services/auth/source/db/assert_interface_test.go
+++ b/services/auth/source/db/assert_interface_test.go
@@ -5,7 +5,7 @@
 package db_test

 import (
-	"code.gitea.io/gitea/models/login"
+	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/services/auth"
 	"code.gitea.io/gitea/services/auth/source/db"
 )
@@ -15,7 +15,7 @@ import (

 type sourceInterface interface {
 	auth.PasswordAuthenticator
-	login.Config
+	auth_model.Config
 }

 var _ (sourceInterface) = &db.Source{}
--- a/services/auth/source/db/source.go
+++ b/services/auth/source/db/source.go
@@ -5,7 +5,7 @@
 package db

 import (
-	"code.gitea.io/gitea/models/login"
+	"code.gitea.io/gitea/models/auth"
 	user_model "code.gitea.io/gitea/models/user"
 )

@@ -29,6 +29,6 @@ func (source *Source) Authenticate(user *user_model.User, login, password string
 }

 func init() {
-	login.RegisterTypeConfig(login.NoType, &Source{})
-	login.RegisterTypeConfig(login.Plain, &Source{})
+	auth.RegisterTypeConfig(auth.NoType, &Source{})
+	auth.RegisterTypeConfig(auth.Plain, &Source{})
 }
--- a/services/auth/source/ldap/assert_interface_test.go
+++ b/services/auth/source/ldap/assert_interface_test.go
@@ -5,7 +5,7 @@
 package ldap_test

 import (
-	"code.gitea.io/gitea/models/login"
+	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/services/auth"
 	"code.gitea.io/gitea/services/auth/source/ldap"
 )
@@ -17,12 +17,12 @@ type sourceInterface interface {
 	auth.PasswordAuthenticator
 	auth.SynchronizableSource
 	auth.LocalTwoFASkipper
-	login.SSHKeyProvider
-	login.Config
-	login.SkipVerifiable
-	login.HasTLSer
-	login.UseTLSer
-	login.SourceSettable
+	auth_model.SSHKeyProvider
+	auth_model.Config
+	auth_model.SkipVerifiable
+	auth_model.HasTLSer
+	auth_model.UseTLSer
+	auth_model.SourceSettable
 }

 var _ (sourceInterface) = &ldap.Source{}
--- a/services/auth/source/ldap/source.go
+++ b/services/auth/source/ldap/source.go
@@ -7,7 +7,7 @@ package ldap
 import (
 	"strings"

-	"code.gitea.io/gitea/models/login"
+	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/secret"
 	"code.gitea.io/gitea/modules/setting"
@@ -55,8 +55,8 @@ type Source struct {
 	UserUID               string // User Attribute listed in Group
 	SkipLocalTwoFA        bool   `json:",omitempty"` // Skip Local 2fa for users authenticated with this source

-	// reference to the loginSource
-	loginSource *login.Source
+	// reference to the authSource
+	authSource *auth.Source
 }

 // FromDB fills up a LDAPConfig from serialized format.
@@ -109,12 +109,12 @@ func (source *Source) ProvidesSSHKeys() bool {
 	return len(strings.TrimSpace(source.AttributeSSHPublicKey)) > 0
 }

-// SetLoginSource sets the related LoginSource
-func (source *Source) SetLoginSource(loginSource *login.Source) {
-	source.loginSource = loginSource
+// SetAuthSource sets the related AuthSource
+func (source *Source) SetAuthSource(authSource *auth.Source) {
+	source.authSource = authSource
 }

 func init() {
-	login.RegisterTypeConfig(login.LDAP, &Source{})
-	login.RegisterTypeConfig(login.DLDAP, &Source{})
+	auth.RegisterTypeConfig(auth.LDAP, &Source{})
+	auth.RegisterTypeConfig(auth.DLDAP, &Source{})
 }
--- a/services/auth/source/ldap/source_authenticate.go
+++ b/services/auth/source/ldap/source_authenticate.go
@@ -9,8 +9,8 @@ import (
 	"strings"

 	asymkey_model "code.gitea.io/gitea/models/asymkey"
+	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
-	"code.gitea.io/gitea/models/login"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/services/mailer"
 	user_service "code.gitea.io/gitea/services/user"
@@ -19,7 +19,7 @@ import (
 // Authenticate queries if login/password is valid against the LDAP directory pool,
 // and create a local user if success when enabled.
 func (source *Source) Authenticate(user *user_model.User, userName, password string) (*user_model.User, error) {
-	sr := source.SearchEntry(userName, password, source.loginSource.Type == login.DLDAP)
+	sr := source.SearchEntry(userName, password, source.authSource.Type == auth.DLDAP)
 	if sr == nil {
 		// User not in LDAP, do nothing
 		return nil, user_model.ErrUserNotExist{Name: userName}
@@ -59,7 +59,7 @@ func (source *Source) Authenticate(user *user_model.User, userName, password str
 	}

 	if user != nil {
-		if isAttributeSSHPublicKeySet && asymkey_model.SynchronizePublicKeys(user, source.loginSource, sr.SSHPublicKey) {
+		if isAttributeSSHPublicKeySet && asymkey_model.SynchronizePublicKeys(user, source.authSource, sr.SSHPublicKey) {
 			return user, asymkey_model.RewriteAllPublicKeys()
 		}

@@ -80,8 +80,8 @@ func (source *Source) Authenticate(user *user_model.User, userName, password str
 		Name:         sr.Username,
 		FullName:     composeFullName(sr.Name, sr.Surname, sr.Username),
 		Email:        sr.Mail,
-		LoginType:    source.loginSource.Type,
-		LoginSource:  source.loginSource.ID,
+		LoginType:    source.authSource.Type,
+		LoginSource:  source.authSource.ID,
 		LoginName:    userName,
 		IsActive:     true,
 		IsAdmin:      sr.IsAdmin,
@@ -95,7 +95,7 @@ func (source *Source) Authenticate(user *user_model.User, userName, password str

 	mailer.SendRegisterNotifyMail(user)

-	if isAttributeSSHPublicKeySet && asymkey_model.AddPublicKeysBySource(user, source.loginSource, sr.SSHPublicKey) {
+	if isAttributeSSHPublicKeySet && asymkey_model.AddPublicKeysBySource(user, source.authSource, sr.SSHPublicKey) {
 		err = asymkey_model.RewriteAllPublicKeys()
 	}

--- a/services/auth/source/ldap/source_sync.go
+++ b/services/auth/source/ldap/source_sync.go
@@ -19,22 +19,22 @@ import (

 // Sync causes this ldap source to synchronize its users with the db
 func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
-	log.Trace("Doing: SyncExternalUsers[%s]", source.loginSource.Name)
+	log.Trace("Doing: SyncExternalUsers[%s]", source.authSource.Name)

 	var existingUsers []int
 	isAttributeSSHPublicKeySet := len(strings.TrimSpace(source.AttributeSSHPublicKey)) > 0
 	var sshKeysNeedUpdate bool

 	// Find all users with this login type - FIXME: Should this be an iterator?
-	users, err := user_model.GetUsersBySource(source.loginSource)
+	users, err := user_model.GetUsersBySource(source.authSource)
 	if err != nil {
 		log.Error("SyncExternalUsers: %v", err)
 		return err
 	}
 	select {
 	case <-ctx.Done():
-		log.Warn("SyncExternalUsers: Cancelled before update of %s", source.loginSource.Name)
-		return db.ErrCancelledf("Before update of %s", source.loginSource.Name)
+		log.Warn("SyncExternalUsers: Cancelled before update of %s", source.authSource.Name)
+		return db.ErrCancelledf("Before update of %s", source.authSource.Name)
 	default:
 	}

@@ -44,7 +44,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {

 	sr, err := source.SearchEntries()
 	if err != nil {
-		log.Error("SyncExternalUsers LDAP source failure [%s], skipped", source.loginSource.Name)
+		log.Error("SyncExternalUsers LDAP source failure [%s], skipped", source.authSource.Name)
 		return nil
 	}

@@ -65,7 +65,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
 	for _, su := range sr {
 		select {
 		case <-ctx.Done():
-			log.Warn("SyncExternalUsers: Cancelled at update of %s before completed update of users", source.loginSource.Name)
+			log.Warn("SyncExternalUsers: Cancelled at update of %s before completed update of users", source.authSource.Name)
 			// Rewrite authorized_keys file if LDAP Public SSH Key attribute is set and any key was added or removed
 			if sshKeysNeedUpdate {
 				err = asymkey_model.RewriteAllPublicKeys()
@@ -73,7 +73,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
 					log.Error("RewriteAllPublicKeys: %v", err)
 				}
 			}
-			return db.ErrCancelledf("During update of %s before completed update of users", source.loginSource.Name)
+			return db.ErrCancelledf("During update of %s before completed update of users", source.authSource.Name)
 		default:
 		}
 		if len(su.Username) == 0 {
@@ -96,14 +96,14 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
 		fullName := composeFullName(su.Name, su.Surname, su.Username)
 		// If no existing user found, create one
 		if usr == nil {
-			log.Trace("SyncExternalUsers[%s]: Creating user %s", source.loginSource.Name, su.Username)
+			log.Trace("SyncExternalUsers[%s]: Creating user %s", source.authSource.Name, su.Username)

 			usr = &user_model.User{
 				LowerName:    su.LowerName,
 				Name:         su.Username,
 				FullName:     fullName,
-				LoginType:    source.loginSource.Type,
-				LoginSource:  source.loginSource.ID,
+				LoginType:    source.authSource.Type,
+				LoginSource:  source.authSource.ID,
 				LoginName:    su.Username,
 				Email:        su.Mail,
 				IsAdmin:      su.IsAdmin,
@@ -114,12 +114,12 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
 			err = user_model.CreateUser(usr)

 			if err != nil {
-				log.Error("SyncExternalUsers[%s]: Error creating user %s: %v", source.loginSource.Name, su.Username, err)
+				log.Error("SyncExternalUsers[%s]: Error creating user %s: %v", source.authSource.Name, su.Username, err)
 			}

 			if err == nil && isAttributeSSHPublicKeySet {
-				log.Trace("SyncExternalUsers[%s]: Adding LDAP Public SSH Keys for user %s", source.loginSource.Name, usr.Name)
-				if asymkey_model.AddPublicKeysBySource(usr, source.loginSource, su.SSHPublicKey) {
+				log.Trace("SyncExternalUsers[%s]: Adding LDAP Public SSH Keys for user %s", source.authSource.Name, usr.Name)
+				if asymkey_model.AddPublicKeysBySource(usr, source.authSource, su.SSHPublicKey) {
 					sshKeysNeedUpdate = true
 				}
 			}
@@ -129,7 +129,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
 			}
 		} else if updateExisting {
 			// Synchronize SSH Public Key if that attribute is set
-			if isAttributeSSHPublicKeySet && asymkey_model.SynchronizePublicKeys(usr, source.loginSource, su.SSHPublicKey) {
+			if isAttributeSSHPublicKeySet && asymkey_model.SynchronizePublicKeys(usr, source.authSource, su.SSHPublicKey) {
 				sshKeysNeedUpdate = true
 			}

@@ -140,7 +140,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
 				usr.FullName != fullName ||
 				!usr.IsActive {

-				log.Trace("SyncExternalUsers[%s]: Updating user %s", source.loginSource.Name, usr.Name)
+				log.Trace("SyncExternalUsers[%s]: Updating user %s", source.authSource.Name, usr.Name)

 				usr.FullName = fullName
 				usr.Email = su.Mail
@@ -156,7 +156,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {

 				err = user_model.UpdateUserCols(db.DefaultContext, usr, "full_name", "email", "is_admin", "is_restricted", "is_active")
 				if err != nil {
-					log.Error("SyncExternalUsers[%s]: Error updating user %s: %v", source.loginSource.Name, usr.Name, err)
+					log.Error("SyncExternalUsers[%s]: Error updating user %s: %v", source.authSource.Name, usr.Name, err)
 				}
 			}

@@ -179,8 +179,8 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {

 	select {
 	case <-ctx.Done():
-		log.Warn("SyncExternalUsers: Cancelled during update of %s before delete users", source.loginSource.Name)
-		return db.ErrCancelledf("During update of %s before delete users", source.loginSource.Name)
+		log.Warn("SyncExternalUsers: Cancelled during update of %s before delete users", source.authSource.Name)
+		return db.ErrCancelledf("During update of %s before delete users", source.authSource.Name)
 	default:
 	}

@@ -192,12 +192,12 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
 				existPos++
 			}
 			if usr.IsActive && (existPos >= len(existingUsers) || i < existingUsers[existPos]) {
-				log.Trace("SyncExternalUsers[%s]: Deactivating user %s", source.loginSource.Name, usr.Name)
+				log.Trace("SyncExternalUsers[%s]: Deactivating user %s", source.authSource.Name, usr.Name)

 				usr.IsActive = false
 				err = user_model.UpdateUserCols(db.DefaultContext, usr, "is_active")
 				if err != nil {
-					log.Error("SyncExternalUsers[%s]: Error deactivating user %s: %v", source.loginSource.Name, usr.Name, err)
+					log.Error("SyncExternalUsers[%s]: Error deactivating user %s: %v", source.authSource.Name, usr.Name, err)
 				}
 			}
 		}
--- a/services/auth/source/oauth2/assert_interface_test.go
+++ b/services/auth/source/oauth2/assert_interface_test.go
@@ -5,7 +5,7 @@
 package oauth2_test

 import (
-	"code.gitea.io/gitea/models/login"
+	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/services/auth"
 	"code.gitea.io/gitea/services/auth/source/oauth2"
 )
@@ -14,9 +14,9 @@ import (
 // It tightly binds the interfaces and implementation without breaking go import cycles

 type sourceInterface interface {
-	login.Config
-	login.SourceSettable
-	login.RegisterableSource
+	auth_model.Config
+	auth_model.SourceSettable
+	auth_model.RegisterableSource
 	auth.PasswordAuthenticator
 }

--- a/services/auth/source/oauth2/init.go
+++ b/services/auth/source/oauth2/init.go
@@ -9,7 +9,7 @@ import (
 	"net/http"
 	"sync"

-	"code.gitea.io/gitea/models/login"
+	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"

@@ -52,19 +52,19 @@ func Init() error {
 	// Unlock our mutex
 	gothRWMutex.Unlock()

-	return initOAuth2LoginSources()
+	return initOAuth2Sources()
 }

 // ResetOAuth2 clears existing OAuth2 providers and loads them from DB
 func ResetOAuth2() error {
 	ClearProviders()
-	return initOAuth2LoginSources()
+	return initOAuth2Sources()
 }

-// initOAuth2LoginSources is used to load and register all active OAuth2 providers
-func initOAuth2LoginSources() error {
-	loginSources, _ := login.GetActiveOAuth2ProviderLoginSources()
-	for _, source := range loginSources {
+// initOAuth2Sources is used to load and register all active OAuth2 providers
+func initOAuth2Sources() error {
+	authSources, _ := auth.GetActiveOAuth2ProviderSources()
+	for _, source := range authSources {
 		oauth2Source, ok := source.Cfg.(*Source)
 		if !ok {
 			continue
--- a/services/auth/source/oauth2/providers.go
+++ b/services/auth/source/oauth2/providers.go
@@ -9,7 +9,7 @@ import (
 	"net/url"
 	"sort"

-	"code.gitea.io/gitea/models/login"
+	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"

@@ -55,7 +55,7 @@ func NewImagedProvider(image string, provider GothProvider) *ImagedProvider {
 }

 // Providers contains the map of registered OAuth2 providers in Gitea (based on goth)
-// key is used to map the OAuth2Provider with the goth provider type (also in LoginSource.OAuth2Config.Provider)
+// key is used to map the OAuth2Provider with the goth provider type (also in AuthSource.OAuth2Config.Provider)
 // value is used to store display data
 var gothProviders = map[string]GothProvider{}

@@ -88,14 +88,14 @@ func GetOAuth2Providers() []Provider {
 func GetActiveOAuth2Providers() ([]string, map[string]Provider, error) {
 	// Maybe also separate used and unused providers so we can force the registration of only 1 active provider for each type

-	loginSources, err := login.GetActiveOAuth2ProviderLoginSources()
+	authSources, err := auth.GetActiveOAuth2ProviderSources()
 	if err != nil {
 		return nil, nil, err
 	}

 	var orderedKeys []string
 	providers := make(map[string]Provider)
-	for _, source := range loginSources {
+	for _, source := range authSources {
 		prov := gothProviders[source.Cfg.(*Source).Provider]
 		if source.Cfg.(*Source).IconURL != "" {
 			prov = &ImagedProvider{prov, source.Cfg.(*Source).IconURL}
@@ -140,8 +140,8 @@ func ClearProviders() {
 }

 var (
-	// ErrLoginSourceNotActived login source is not actived error
-	ErrLoginSourceNotActived = errors.New("Login source is not actived")
+	// ErrAuthSourceNotActived login source is not actived error
+	ErrAuthSourceNotActived = errors.New("auth source is not actived")
 )

 // used to create different types of goth providers
@@ -153,7 +153,7 @@ func createProvider(providerName string, source *Source) (goth.Provider, error)

 	p, ok := gothProviders[source.Provider]
 	if !ok {
-		return nil, ErrLoginSourceNotActived
+		return nil, ErrAuthSourceNotActived
 	}

 	provider, err = p.CreateGothProvider(providerName, callbackURL, source)
--- a/services/auth/source/oauth2/source.go
+++ b/services/auth/source/oauth2/source.go
@@ -5,7 +5,7 @@
 package oauth2

 import (
-	"code.gitea.io/gitea/models/login"
+	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/modules/json"
 )

@@ -33,8 +33,8 @@ type Source struct {
 	RestrictedGroup    string
 	SkipLocalTwoFA     bool `json:",omitempty"`

-	// reference to the loginSource
-	loginSource *login.Source
+	// reference to the authSource
+	authSource *auth.Source
 }

 // FromDB fills up an OAuth2Config from serialized format.
@@ -47,11 +47,11 @@ func (source *Source) ToDB() ([]byte, error) {
 	return json.Marshal(source)
 }

-// SetLoginSource sets the related LoginSource
-func (source *Source) SetLoginSource(loginSource *login.Source) {
-	source.loginSource = loginSource
+// SetAuthSource sets the related AuthSource
+func (source *Source) SetAuthSource(authSource *auth.Source) {
+	source.authSource = authSource
 }

 func init() {
-	login.RegisterTypeConfig(login.OAuth2, &Source{})
+	auth.RegisterTypeConfig(auth.OAuth2, &Source{})
 }
--- a/services/auth/source/oauth2/source_callout.go
+++ b/services/auth/source/oauth2/source_callout.go
@@ -14,7 +14,7 @@ import (
 // Callout redirects request/response pair to authenticate against the provider
 func (source *Source) Callout(request *http.Request, response http.ResponseWriter) error {
 	// not sure if goth is thread safe (?) when using multiple providers
-	request.Header.Set(ProviderHeaderKey, source.loginSource.Name)
+	request.Header.Set(ProviderHeaderKey, source.authSource.Name)

 	// don't use the default gothic begin handler to prevent issues when some error occurs
 	// normally the gothic library will write some custom stuff to the response instead of our own nice error page
@@ -34,7 +34,7 @@ func (source *Source) Callout(request *http.Request, response http.ResponseWrite
 // this will trigger a new authentication request, but because we save it in the session we can use that
 func (source *Source) Callback(request *http.Request, response http.ResponseWriter) (goth.User, error) {
 	// not sure if goth is thread safe (?) when using multiple providers
-	request.Header.Set(ProviderHeaderKey, source.loginSource.Name)
+	request.Header.Set(ProviderHeaderKey, source.authSource.Name)

 	gothRWMutex.RLock()
 	defer gothRWMutex.RUnlock()
--- a/services/auth/source/oauth2/source_register.go
+++ b/services/auth/source/oauth2/source_register.go
@@ -10,13 +10,13 @@ import (

 // RegisterSource causes an OAuth2 configuration to be registered
 func (source *Source) RegisterSource() error {
-	err := RegisterProviderWithGothic(source.loginSource.Name, source)
-	return wrapOpenIDConnectInitializeError(err, source.loginSource.Name, source)
+	err := RegisterProviderWithGothic(source.authSource.Name, source)
+	return wrapOpenIDConnectInitializeError(err, source.authSource.Name, source)
 }

 // UnregisterSource causes an OAuth2 configuration to be unregistered
 func (source *Source) UnregisterSource() error {
-	RemoveProviderFromGothic(source.loginSource.Name)
+	RemoveProviderFromGothic(source.authSource.Name)
 	return nil
 }

--- a/services/auth/source/pam/assert_interface_test.go
+++ b/services/auth/source/pam/assert_interface_test.go
@@ -5,7 +5,7 @@
 package pam_test

 import (
-	"code.gitea.io/gitea/models/login"
+	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/services/auth"
 	"code.gitea.io/gitea/services/auth/source/pam"
 )
@@ -15,8 +15,8 @@ import (

 type sourceInterface interface {
 	auth.PasswordAuthenticator
-	login.Config
-	login.SourceSettable
+	auth_model.Config
+	auth_model.SourceSettable
 }

 var _ (sourceInterface) = &pam.Source{}
--- a/services/auth/source/pam/source.go
+++ b/services/auth/source/pam/source.go
@@ -5,7 +5,7 @@
 package pam

 import (
-	"code.gitea.io/gitea/models/login"
+	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/modules/json"
 )

@@ -22,8 +22,8 @@ type Source struct {
 	EmailDomain    string
 	SkipLocalTwoFA bool `json:",omitempty"` // Skip Local 2fa for users authenticated with this source

-	// reference to the loginSource
-	loginSource *login.Source
+	// reference to the authSource
+	authSource *auth.Source
 }

 // FromDB fills up a PAMConfig from serialized format.
@@ -36,11 +36,11 @@ func (source *Source) ToDB() ([]byte, error) {
 	return json.Marshal(source)
 }

-// SetLoginSource sets the related LoginSource
-func (source *Source) SetLoginSource(loginSource *login.Source) {
-	source.loginSource = loginSource
+// SetAuthSource sets the related AuthSource
+func (source *Source) SetAuthSource(authSource *auth.Source) {
+	source.authSource = authSource
 }

 func init() {
-	login.RegisterTypeConfig(login.PAM, &Source{})
+	auth.RegisterTypeConfig(auth.PAM, &Source{})
 }
--- a/services/auth/source/pam/source_authenticate.go
+++ b/services/auth/source/pam/source_authenticate.go
@@ -8,7 +8,7 @@ import (
 	"fmt"
 	"strings"

-	"code.gitea.io/gitea/models/login"
+	"code.gitea.io/gitea/models/auth"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/auth/pam"
 	"code.gitea.io/gitea/modules/setting"
@@ -55,8 +55,8 @@ func (source *Source) Authenticate(user *user_model.User, userName, password str
 		Name:        username,
 		Email:       email,
 		Passwd:      password,
-		LoginType:   login.PAM,
-		LoginSource: source.loginSource.ID,
+		LoginType:   auth.PAM,
+		LoginSource: source.authSource.ID,
 		LoginName:   userName, // This is what the user typed in
 		IsActive:    true,
 	}
--- a/services/auth/source/smtp/assert_interface_test.go
+++ b/services/auth/source/smtp/assert_interface_test.go
@@ -5,7 +5,7 @@
 package smtp_test

 import (
-	"code.gitea.io/gitea/models/login"
+	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/services/auth"
 	"code.gitea.io/gitea/services/auth/source/smtp"
 )
@@ -15,11 +15,11 @@ import (

 type sourceInterface interface {
 	auth.PasswordAuthenticator
-	login.Config
-	login.SkipVerifiable
-	login.HasTLSer
-	login.UseTLSer
-	login.SourceSettable
+	auth_model.Config
+	auth_model.SkipVerifiable
+	auth_model.HasTLSer
+	auth_model.UseTLSer
+	auth_model.SourceSettable
 }

 var _ (sourceInterface) = &smtp.Source{}
--- a/services/auth/source/smtp/source.go
+++ b/services/auth/source/smtp/source.go
@@ -5,7 +5,7 @@
 package smtp

 import (
-	"code.gitea.io/gitea/models/login"
+	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/modules/json"
 )

@@ -28,8 +28,8 @@ type Source struct {
 	DisableHelo    bool
 	SkipLocalTwoFA bool `json:",omitempty"`

-	// reference to the loginSource
-	loginSource *login.Source
+	// reference to the authSource
+	authSource *auth.Source
 }

 // FromDB fills up an SMTPConfig from serialized format.
@@ -57,11 +57,11 @@ func (source *Source) UseTLS() bool {
 	return source.ForceSMTPS || source.Port == 465
 }

-// SetLoginSource sets the related LoginSource
-func (source *Source) SetLoginSource(loginSource *login.Source) {
-	source.loginSource = loginSource
+// SetAuthSource sets the related AuthSource
+func (source *Source) SetAuthSource(authSource *auth.Source) {
+	source.authSource = authSource
 }

 func init() {
-	login.RegisterTypeConfig(login.SMTP, &Source{})
+	auth.RegisterTypeConfig(auth.SMTP, &Source{})
 }
--- a/services/auth/source/smtp/source_authenticate.go
+++ b/services/auth/source/smtp/source_authenticate.go
@@ -10,7 +10,7 @@ import (
 	"net/textproto"
 	"strings"

-	"code.gitea.io/gitea/models/login"
+	auth_model "code.gitea.io/gitea/models/auth"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/services/mailer"
@@ -71,8 +71,8 @@ func (source *Source) Authenticate(user *user_model.User, userName, password str
 		Name:        strings.ToLower(username),
 		Email:       userName,
 		Passwd:      password,
-		LoginType:   login.SMTP,
-		LoginSource: source.loginSource.ID,
+		LoginType:   auth_model.SMTP,
+		LoginSource: source.authSource.ID,
 		LoginName:   userName,
 		IsActive:    true,
 	}
--- a/services/auth/source/sspi/assert_interface_test.go
+++ b/services/auth/source/sspi/assert_interface_test.go
@@ -5,7 +5,7 @@
 package sspi_test

 import (
-	"code.gitea.io/gitea/models/login"
+	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/services/auth/source/sspi"
 )

@@ -13,7 +13,7 @@ import (
 // It tightly binds the interfaces and implementation without breaking go import cycles

 type sourceInterface interface {
-	login.Config
+	auth.Config
 }

 var _ (sourceInterface) = &sspi.Source{}
--- a/services/auth/source/sspi/source.go
+++ b/services/auth/source/sspi/source.go
@@ -5,7 +5,7 @@
 package sspi

 import (
-	"code.gitea.io/gitea/models/login"
+	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/modules/json"
 )

@@ -36,5 +36,5 @@ func (cfg *Source) ToDB() ([]byte, error) {
 }

 func init() {
-	login.RegisterTypeConfig(login.SSPI, &Source{})
+	auth.RegisterTypeConfig(auth.SSPI, &Source{})
 }
--- a/services/auth/sspi_windows.go
+++ b/services/auth/sspi_windows.go
@@ -9,8 +9,8 @@ import (
 	"net/http"
 	"strings"

+	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/avatars"
-	"code.gitea.io/gitea/models/login"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/log"
@@ -154,7 +154,7 @@ func (s *SSPI) Verify(req *http.Request, w http.ResponseWriter, store DataStore,

 // getConfig retrieves the SSPI configuration from login sources
 func (s *SSPI) getConfig() (*sspi.Source, error) {
-	sources, err := login.ActiveSources(login.SSPI)
+	sources, err := auth.ActiveSources(auth.SSPI)
 	if err != nil {
 		return nil, err
 	}
@@ -250,7 +250,7 @@ func sanitizeUsername(username string, cfg *sspi.Source) string {
 // fails (or if negotiation should continue), which would prevent other authentication methods
 // to execute at all.
 func specialInit() {
-	if login.IsSSPIEnabled() {
+	if auth.IsSSPIEnabled() {
 		Register(&SSPI{})
 	}
 }
--- a/services/auth/sync.go
+++ b/services/auth/sync.go
@@ -7,8 +7,8 @@ package auth
 import (
 	"context"

+	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
-	"code.gitea.io/gitea/models/login"
 	"code.gitea.io/gitea/modules/log"
 )

@@ -16,7 +16,7 @@ import (
 func SyncExternalUsers(ctx context.Context, updateExisting bool) error {
 	log.Trace("Doing: SyncExternalUsers")

-	ls, err := login.Sources()
+	ls, err := auth.Sources()
 	if err != nil {
 		log.Error("SyncExternalUsers: %v", err)
 		return err