lrf-nitro opened a new pull request, #8913:
URL: https://github.com/apache/devlake/pull/8913

Open-API (/rest) requests authenticated with a valid API key were rejected with 401 "unauthorized" whenever AUTH_ENABLED is on (the default - unless explicitly disabled via env var). The API-key middleware authenticates the request and sets common.USER via c.Set, then re-dispatches the rewritten path through router.HandleContext. gin's HandleContext calls Context.reset(), which sets c.Keys = nil and destroys the user, so the terminal RequireAuth gate sees no user and 401s.

Carry the authenticated user on the request's context.Context, which survives HandleContext (only gin Keys are reset). GetUser now falls back to the request context when gin Keys are empty. This fixes every /rest endpoint (webhooks, push, etc.) at once without disabling auth.

Add regression coverage:
- shared: user set via SetUserOnRequest survives a HandleContext re-dispatch while gin Keys do not.
- api: the full RestAuthentication -> OIDCAuthentication -> RequireAuth chain with AUTH_ENABLED=true returns 200 for a valid key, 401 for missing token, 403 for an invalid key, and 401 for a userless protected route.
   
### ⚠️ Pre Checklist

> Please complete _ALL_ items in this checklist, and remove before submitting

- [x] I have read through the [Contributing Documentation](https://devlake.apache.org/community/).
- [x] I have added relevant tests.
- [x] I have added relevant documentation.
- [x] I will add labels to the PR, such as `pr-type/bug-fix`, `pr-type/feature-development`, etc.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
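The pattern the PR describes (carry the user on the request's context.Context so it survives a re-dispatch, and have the terminal gate read it back), as an added example that is not the PR's or DevLake's own code: it uses only net/http instead of gin, so the re-dispatch is a plain call into an inner mux, and SetUserOnRequest, GetUser, RestAuthentication, RequireAuth and NewRouter are assumed stand-ins for the project's functions, with a constructed key table in place of a credential store.

```go
package main

import (
	"context"
	"net/http"
	"strings"
)

type ctxKey struct{} // unexported key type: no collisions with other packages
// SetUserOnRequest stores the user on the request's context.Context; it rides with *http.Request through a re-dispatch.
func SetUserOnRequest(r *http.Request, user string) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), ctxKey{}, user))
}
// GetUser reads the user back; ok is false for a userless request.
func GetUser(r *http.Request) (user string, ok bool) {
	user, ok = r.Context().Value(ctxKey{}).(string)
	return user, ok && user != ""
}
// RestAuthentication: 401 without a token, 403 for an unknown key; otherwise attach the user, strip /rest and re-dispatch.
func RestAuthentication(keys map[string]string, inner http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		key := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if user, known := keys[key]; key == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		} else if !known {
			http.Error(w, "forbidden", http.StatusForbidden)
		} else {
			r.URL.Path = strings.TrimPrefix(r.URL.Path, "/rest")
			inner.ServeHTTP(w, SetUserOnRequest(r, user)) // user rides along with the request
		}
	})
}

// RequireAuth is the terminal gate: a request carrying no user gets 401.
func RequireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := GetUser(r); !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewRouter wires /rest/* -> RestAuthentication -> inner mux -> RequireAuth; the key table is a constructed sample.
func NewRouter() http.Handler {
	inner := http.NewServeMux()
	inner.Handle("/plugins/", RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })))
	return RestAuthentication(map[string]string{"key-abc": "alice"}, inner)
}
```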
