Refactor merge conan and container auth preserve actions taskID (#36560)

* Remove duplicated code * Allow further ActionsUser package permission checks --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-02-10 05:48:51 +00:00 · 2026-02-09 04:04:56 +01:00
parent c401cda108
commit 34b34d2328
4 changed files with 32 additions and 60 deletions
--- a/routers/api/packages/api.go
+++ b/routers/api/packages/api.go
@@ -117,7 +117,7 @@ func CommonRoutes() *web.Router {
 		&auth.OAuth2{},
 		&auth.Basic{},
 		&nuget.Auth{},
-		&conan.Auth{},
+		&Auth{},
 		&chef.Auth{},
 	})

@@ -537,7 +537,8 @@ func ContainerRoutes() *web.Router {

 	verifyAuth(r, []auth.Method{
 		&auth.Basic{},
-		&container.Auth{},
+		// container auth requires an token, so container.Authenticate issues a Ghost user token for anonymous access
+		&Auth{AllowGhostUser: true},
 	})

 	// TODO: Content Discovery / References (not implemented yet)
--- a/routers/api/packages/conan/auth.go
+++ b/routers/api/packages/conan/auth.go
@@ -1,7 +1,7 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2026 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT

-package conan
+package packages

 import (
 	"net/http"
@@ -14,10 +14,13 @@ import (

 var _ auth.Method = &Auth{}

-type Auth struct{}
+// Auth is for conan and container
+type Auth struct {
+	AllowGhostUser bool
+}

 func (a *Auth) Name() string {
-	return "conan"
+	return "packages"
 }

 // Verify extracts the user from the Bearer token
@@ -32,10 +35,22 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS
 		return nil, nil
 	}

-	u, err := user_model.GetUserByID(req.Context(), packageMeta.UserID)
-	if err != nil {
-		return nil, err
+	var u *user_model.User
+	switch packageMeta.UserID {
+	case user_model.GhostUserID:
+		if !a.AllowGhostUser {
+			return nil, nil
+		}
+		u = user_model.NewGhostUser()
+	case user_model.ActionsUserID:
+		u = user_model.NewActionsUserWithTaskID(packageMeta.ActionsUserTaskID)
+	default:
+		u, err = user_model.GetUserByID(req.Context(), packageMeta.UserID)
+		if err != nil {
+			return nil, err
+		}
 	}
+
 	if packageMeta.Scope != "" {
 		store.GetData()["IsApiToken"] = true
 		store.GetData()["ApiTokenScope"] = packageMeta.Scope
--- a/routers/api/packages/container/auth.go
+++ b/routers/api/packages/container/auth.go
@@ -1,47 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package container
-
-import (
-	"net/http"
-
-	user_model "code.gitea.io/gitea/models/user"
-	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/services/auth"
-	"code.gitea.io/gitea/services/packages"
-)
-
-var _ auth.Method = &Auth{}
-
-type Auth struct{}
-
-func (a *Auth) Name() string {
-	return "container"
-}
-
-// Verify extracts the user from the Bearer token
-// If it's an anonymous session, a ghost user is returned
-func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataStore, sess auth.SessionStore) (*user_model.User, error) {
-	packageMeta, err := packages.ParseAuthorizationRequest(req)
-	if err != nil {
-		log.Trace("ParseAuthorizationToken: %v", err)
-		return nil, err
-	}
-
-	if packageMeta == nil || packageMeta.UserID == 0 {
-		return nil, nil
-	}
-
-	u, err := user_model.GetPossibleUserByID(req.Context(), packageMeta.UserID)
-	if err != nil {
-		return nil, err
-	}
-
-	if packageMeta.Scope != "" {
-		store.GetData()["IsApiToken"] = true
-		store.GetData()["ApiTokenScope"] = packageMeta.Scope
-	}
-
-	return u, nil
-}
--- a/services/packages/auth.go
+++ b/services/packages/auth.go
@@ -23,21 +23,24 @@ type packageClaims struct {
 	PackageMeta
 }
 type PackageMeta struct {
-	UserID int64
-	Scope  auth_model.AccessTokenScope
+	UserID            int64
+	Scope             auth_model.AccessTokenScope
+	ActionsUserTaskID int64
 }

 func CreateAuthorizationToken(u *user_model.User, packageScope auth_model.AccessTokenScope) (string, error) {
 	now := time.Now()

+	actionsUserTaskID, _ := user_model.GetActionsUserTaskID(u)
 	claims := packageClaims{
 		RegisteredClaims: jwt.RegisteredClaims{
 			ExpiresAt: jwt.NewNumericDate(now.Add(24 * time.Hour)),
 			NotBefore: jwt.NewNumericDate(now),
 		},
 		PackageMeta: PackageMeta{
-			UserID: u.ID,
-			Scope:  packageScope,
+			UserID:            u.ID,
+			Scope:             packageScope,
+			ActionsUserTaskID: actionsUserTaskID,
 		},
 	}
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)