lrf-nitro opened a new pull request, #8913:
URL: https://github.com/apache/devlake/pull/8913
Open-API (/rest) requests authenticated with a valid API key were rejected with 401 "unauthorized" whenever AUTH_ENABLED is on (the default, unless explicitly disabled via env var). The API-key middleware authenticates the request and sets common.USER via c.Set, then re-dispatches the rewritten path through router.HandleContext. gin's HandleContext calls Context.reset(), which sets c.Keys = nil and destroys the user, so the terminal RequireAuth gate sees no user and 401s.

Carry the authenticated user on the request's context.Context, which survives HandleContext (only gin Keys are reset). GetUser now falls back to the request context when gin Keys are empty. This fixes every /rest endpoint (webhooks, push, etc.) at once without disabling auth.

Add regression coverage:
- shared: user set via SetUserOnRequest survives a HandleContext re-dispatch while gin Keys do not.
- api: the full RestAuthentication -> OIDCAuthentication -> RequireAuth chain with AUTH_ENABLED=true returns 200 for a valid key, 401 for missing token, 403 for an invalid key, and 401 for a userless protected route.
### ⚠️ Pre Checklist
> Please complete _ALL_ items in this checklist, and remove before submitting
- [x] I have read through the [Contributing Documentation](https://devlake.apache.org/community/).
- [x] I have added relevant tests.
- [x] I have added relevant documentation.
- [x] I will add labels to the PR, such as `pr-type/bug-fix`, `pr-type/feature-development`, etc.
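The mechanism the PR describes, as an added illustration that is not DevLake's or gin's code: a minimal model of a gin-like context whose Keys are wiped on re-dispatch while the request's context.Context survives, with the pre-fix Keys-only gate beside the post-fix fallback. The names User, frameworkCtx, authenticate, requireAuth and StatusAfterRedispatch are constructed for this example; SetUserOnRequest is only the name taken from the PR text.

```go
package main

import (
	"context"
	"net/http"
	"net/http/httptest"
)

// User stands in for DevLake's common.User (constructed for this example).
type User struct{ Name string }
// userKey is unexported so no other package can collide with the context key.
type userKey struct{}
// SetUserOnRequest returns a copy of r whose context.Context carries u.
func SetUserOnRequest(r *http.Request, u *User) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), userKey{}, u))
}
// UserFromRequest is the fallback GetUser takes when gin Keys are empty.
func UserFromRequest(r *http.Request) (*User, bool) {
	u, ok := r.Context().Value(userKey{}).(*User)
	return u, ok && u != nil
}
// frameworkCtx models a gin.Context: Keys is per-dispatch scratch that
// Context.reset sets to nil; Request survives HandleContext.
type frameworkCtx struct {
	Keys    map[string]any
	Request *http.Request
}
// authenticate is the API-key middleware: user into Keys (lost) and context (kept).
func authenticate(c *frameworkCtx, u *User) {
	c.Keys = map[string]any{"user": u}
	c.Request = SetUserOnRequest(c.Request, u)
}
// requireAuth is the terminal gate; fallback=false is the pre-fix Keys-only read.
func requireAuth(c *frameworkCtx, fallback bool) int {
	if _, ok := c.Keys["user"].(*User); ok {
		return http.StatusOK
	}
	if _, ok := UserFromRequest(c.Request); fallback && ok {
		return http.StatusOK
	}
	return http.StatusUnauthorized
}
// StatusAfterRedispatch runs authenticate -> re-dispatch -> requireAuth and
// reports the gate's status plus whether gin Keys survived.
func StatusAfterRedispatch(fallback bool) (status int, keysSurvived bool) {
	c := &frameworkCtx{Request: httptest.NewRequest(http.MethodPost, "/rest/demo", nil)}
	authenticate(c, &User{Name: "api-key-user"}) // constructed sample user
	c.Keys = nil                                  // what HandleContext's Context.reset does
	return requireAuth(c, fallback), c.Keys != nil
}
```

StatusAfterRedispatch(false) reproduces the reported 401 with Keys gone; StatusAfterRedispatch(true) shows the same request passing once the gate consults the request context.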