Allow Access Tokens with Required Login (#611)

2026-02-02 19:31:07 +08:00
parent b7278b60ab
commit b7dbdde66b
2 changed files with 90 additions and 1 deletions
--- a/internal/web/server/middlewares.go
+++ b/internal/web/server/middlewares.go
@@ -206,6 +206,9 @@ func makeCheckRequireLogin(isSingleGistAccess bool) Middleware {
 				return next(ctx)
 			}
 			if getUserByToken(ctx) != nil {
 				return next(ctx)
 			}
 			allow, err := auth.ShouldAllowUnauthenticatedGistAccess(handlers.ContextAuthInfo{Context: ctx}, isSingleGistAccess)
 			if err != nil {
 				log.Fatal().Err(err).Msg("Failed to check if unauthenticated access is allowed")
@@ -354,7 +357,6 @@ func getUserByToken(ctx *context.Context) *db.User {
 		return nil
 	}
 	// Update last used timestamp
 	_ = accessToken.UpdateLastUsed()
 	return &accessToken.User
--- a/internal/web/test/access_token_test.go
+++ b/internal/web/test/access_token_test.go
@@ -359,3 +359,90 @@ func TestAccessTokenLastUsedUpdate(t *testing.T) {
 	require.NoError(t, err)
 	require.NotEqual(t, int64(0), tokenFromDB.LastUsedAt)
 }
 func TestAccessTokenWithRequireLogin(t *testing.T) {
 	s := Setup(t)
 	defer Teardown(t, s)
 	admin := db.UserDTO{Username: "thomas", Password: "thomas"}
 	register(t, s, admin)
 	gist1 := db.GistDTO{
 		Title:       "private-gist",
 		Description: "my private gist",
 		VisibilityDTO: db.VisibilityDTO{
 			Private: db.PrivateVisibility,
 		},
 		Name:    []string{"file.txt"},
 		Content: []string{"content"},
 	}
 	err := s.Request("POST", "/", gist1, 302)
 	require.NoError(t, err)
 	gist1db, err := db.GetGistByID("1")
 	require.NoError(t, err)
 	gist2 := db.GistDTO{
 		Title:       "public-gist",
 		Description: "my public gist",
 		VisibilityDTO: db.VisibilityDTO{
 			Private: db.PublicVisibility,
 		},
 		Name:    []string{"public.txt"},
 		Content: []string{"public content"},
 	}
 	err = s.Request("POST", "/", gist2, 302)
 	require.NoError(t, err)
 	gist2db, err := db.GetGistByID("2")
 	require.NoError(t, err)
 	token := &db.AccessToken{
 		Name:      "read-token",
 		UserID:    1,
 		ScopeGist: db.ReadPermission,
 	}
 	plainToken, err := token.GenerateToken()
 	require.NoError(t, err)
 	err = token.Create()
 	require.NoError(t, err)
 	err = s.Request("PUT", "/admin-panel/set-config", settingSet{"require-login", "1"}, 200)
 	require.NoError(t, err)
 	s.sessionCookie = ""
 	err = s.Request("GET", "/thomas/"+gist1db.Uuid, nil, 302)
 	require.NoError(t, err)
 	err = s.Request("GET", "/thomas/"+gist2db.Uuid, nil, 302)
 	require.NoError(t, err)
 	headers := map[string]string{"Authorization": "Token " + plainToken}
 	err = s.RequestWithHeaders("GET", "/thomas/"+gist1db.Uuid, nil, 200, headers)
 	require.NoError(t, err)
 	err = s.RequestWithHeaders("GET", "/thomas/"+gist2db.Uuid, nil, 200, headers)
 	require.NoError(t, err)
 	err = s.RequestWithHeaders("GET", "/thomas/"+gist1db.Uuid+"/raw/HEAD/file.txt", nil, 200, headers)
 	require.NoError(t, err)
 	invalidHeaders := map[string]string{"Authorization": "Token invalid_token"}
 	err = s.RequestWithHeaders("GET", "/thomas/"+gist1db.Uuid, nil, 302, invalidHeaders)
 	require.NoError(t, err)
 	noPermToken := &db.AccessToken{
 		Name:      "no-perm-token",
 		UserID:    1,
 		ScopeGist: db.NoPermission,
 	}
 	noPermPlain, err := noPermToken.GenerateToken()
 	require.NoError(t, err)
 	err = noPermToken.Create()
 	require.NoError(t, err)
 	noPermHeaders := map[string]string{"Authorization": "Token " + noPermPlain}
 	err = s.RequestWithHeaders("GET", "/thomas/"+gist1db.Uuid, nil, 302, noPermHeaders)
 	require.NoError(t, err)
 }