Move reverproxyauth before session so the header will not be ignored even if user has login (#27821)

When a user logout and then login another user, the reverseproxy auth
should be checked before session otherwise the old user is still login.

(cherry picked from commit 26ae5922348d2dbaf2161bbd6ac79b2aa455e5f0)
This commit is contained in:
Lunny Xiao 2024-05-11 22:55:49 +08:00 committed by Earl Warren
parent 32c97efab4
commit 1f56a49f28
WARNING! Although there is a key with this ID in the database it does not verify this commit! This commit is SUSPICIOUS.
GPG key ID: 0579CB2928A78A00

View file

@ -98,14 +98,14 @@ func optionsCorsHandler() func(next http.Handler) http.Handler {
// The Session plugin is expected to be executed second, in order to skip authentication
// for users that have already signed in.
func buildAuthGroup() *auth_service.Group {
group := auth_service.NewGroup(
&auth_service.OAuth2{}, // FIXME: this should be removed and only applied in download and oauth related routers
&auth_service.Basic{}, // FIXME: this should be removed and only applied in download and git/lfs routers
&auth_service.Session{},
)
group := auth_service.NewGroup()
group.Add(&auth_service.OAuth2{}) // FIXME: this should be removed and only applied in download and oauth related routers
group.Add(&auth_service.Basic{}) // FIXME: this should be removed and only applied in download and git/lfs routers
if setting.Service.EnableReverseProxyAuth {
group.Add(&auth_service.ReverseProxy{})
group.Add(&auth_service.ReverseProxy{}) // reverseproxy should before Session, otherwise the header will be ignored if user has login
}
group.Add(&auth_service.Session{})
if setting.IsWindows && auth_model.IsSSPIEnabled(db.DefaultContext) {
group.Add(&auth_service.SSPI{}) // it MUST be the last, see the comment of SSPI