forgejo/modules/setting/session.go

// Copyright 2019 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package setting

import (
	"net/http"
	"path"
	"path/filepath"
	"strings"

	"code.gitea.io/gitea/modules/json"
	"code.gitea.io/gitea/modules/log"
)

// SessionConfig defines Session settings
var SessionConfig = struct {
	OriginalProvider string
	Provider         string
	// Provider configuration, it's corresponding to provider.
	ProviderConfig string
	// Cookie name to save session ID. Default is "MacaronSession".
	CookieName string
	// Cookie path to store. Default is "/".
	CookiePath string
	// GC interval time in seconds. Default is 3600.
	Gclifetime int64
	// Max life time in seconds. Default is whatever GC interval time is.
	Maxlifetime int64
	// Use HTTPS only. Default is false.
	Secure bool
	// Cookie domain name. Default is empty.
	Domain string
	// SameSite declares if your cookie should be restricted to a first-party or same-site context. Valid strings are "none", "lax", "strict". Default is "lax"
	SameSite http.SameSite
}{
	CookieName:  "i_like_gitea",
	Gclifetime:  86400,
	Maxlifetime: 86400,
	SameSite:    http.SameSiteLaxMode,
}

func loadSessionFrom(rootCfg ConfigProvider) {
	sec := rootCfg.Section("session")
	SessionConfig.Provider = sec.Key("PROVIDER").In("memory",
		[]string{"memory", "file", "redis", "mysql", "postgres", "couchbase", "memcache", "db"})
	SessionConfig.ProviderConfig = strings.Trim(sec.Key("PROVIDER_CONFIG").MustString(path.Join(AppDataPath, "sessions")), "\" ")
	if SessionConfig.Provider == "file" && !filepath.IsAbs(SessionConfig.ProviderConfig) {
		SessionConfig.ProviderConfig = path.Join(AppWorkPath, SessionConfig.ProviderConfig)
	}
	SessionConfig.CookieName = sec.Key("COOKIE_NAME").MustString("i_like_gitea")
	SessionConfig.CookiePath = AppSubURL
	if SessionConfig.CookiePath == "" {
		SessionConfig.CookiePath = "/"
	}
	SessionConfig.Secure = sec.Key("COOKIE_SECURE").MustBool(strings.HasPrefix(strings.ToLower(AppURL), "https://"))
	SessionConfig.Gclifetime = sec.Key("GC_INTERVAL_TIME").MustInt64(86400)
	SessionConfig.Maxlifetime = sec.Key("SESSION_LIFE_TIME").MustInt64(86400)
	SessionConfig.Domain = sec.Key("DOMAIN").String()
	samesiteString := sec.Key("SAME_SITE").In("lax", []string{"none", "lax", "strict"})
	switch strings.ToLower(samesiteString) {
	case "none":
		SessionConfig.SameSite = http.SameSiteNoneMode
	case "strict":
		SessionConfig.SameSite = http.SameSiteStrictMode
	default:
		SessionConfig.SameSite = http.SameSiteLaxMode
	}
	shadowConfig, err := json.Marshal(SessionConfig)
	if err != nil {
		log.Fatal("Can't shadow session config: %v", err)
	}
	SessionConfig.ProviderConfig = string(shadowConfig)
	SessionConfig.OriginalProvider = SessionConfig.Provider
	SessionConfig.Provider = "VirtualSession"

	log.Info("Session Service Enabled")
}
Split setting.go as multiple files (#6014) * split setting.go as multiple files * fix comments 2019-02-10 02:37:37 +01:00			`// Copyright 2019 The Gitea Authors. All rights reserved.`
Implement FSFE REUSE for golang files (#21840) Change all license headers to comply with REUSE specification. Fix #16132 Co-authored-by: flynnnnnnnnnn <flynnnnnnnnnn@github> Co-authored-by: John Olheiser <john.olheiser@gmail.com> 2022-11-27 19:20:29 +01:00			`// SPDX-License-Identifier: MIT`
Split setting.go as multiple files (#6014) * split setting.go as multiple files * fix comments 2019-02-10 02:37:37 +01:00
			`package setting`

			`import (`
Add SameSite setting for cookies (#14900) Add SameSite setting for cookies and rationalise the cookie setting code. Switches SameSite to Lax by default. There is a possible future extension of differentiating which cookies could be set at Strict by default but that is for a future PR. Fix #5583 Signed-off-by: Andrew Thornton <art27@cantab.net> 2021-03-07 09:12:43 +01:00			`"net/http"`
Split setting.go as multiple files (#6014) * split setting.go as multiple files * fix comments 2019-02-10 02:37:37 +01:00			`"path"`
			`"path/filepath"`
			`"strings"`

Add an abstract json layout to make it's easier to change json library (#16528) * Add an abstract json layout to make it's easier to change json library * Fix import * Fix import sequence * Fix blank lines * Fix blank lines 2021-07-24 18:03:58 +02:00			`"code.gitea.io/gitea/modules/json"`
Split setting.go as multiple files (#6014) * split setting.go as multiple files * fix comments 2019-02-10 02:37:37 +01:00			`"code.gitea.io/gitea/modules/log"`
			`)`

format with gofumpt (#18184) * gofumpt -w -l . * gofumpt -w -l -extra . * Add linter * manual fix * change make fmt 2022-01-20 18:46:10 +01:00			`// SessionConfig defines Session settings`
			`var SessionConfig = struct {`
Refactor the setting to make unit test easier (#22405) Some bugs caused by less unit tests in fundamental packages. This PR refactor `setting` package so that create a unit test will be easier than before. - All `LoadFromXXX` files has been splited as two functions, one is `InitProviderFromXXX` and `LoadCommonSettings`. The first functions will only include the code to create or new a ini file. The second function will load common settings. - It also renames all functions in setting from `newXXXService` to `loadXXXSetting` or `loadXXXFrom` to make the function name less confusing. - Move `XORMLog` to `SQLLog` because it's a better name for that. Maybe we should finally move these `loadXXXSetting` into the `XXXInit` function? Any idea? --------- Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: delvh <dev.lh@web.de> 2023-02-19 17:12:01 +01:00			`OriginalProvider string`
			`Provider string`
format with gofumpt (#18184) * gofumpt -w -l . * gofumpt -w -l -extra . * Add linter * manual fix * change make fmt 2022-01-20 18:46:10 +01:00			`// Provider configuration, it's corresponding to provider.`
			`ProviderConfig string`
			`// Cookie name to save session ID. Default is "MacaronSession".`
			`CookieName string`
Fix incorrect cookie path for AppSubURL (#29534) Regression of #24107 (cherry picked from commit 44398e405ffe297997c6b9c8dbb97f966926b65a) 2024-03-03 01:14:12 +01:00			`// Cookie path to store. Default is "/".`
format with gofumpt (#18184) * gofumpt -w -l . * gofumpt -w -l -extra . * Add linter * manual fix * change make fmt 2022-01-20 18:46:10 +01:00			`CookiePath string`
			`// GC interval time in seconds. Default is 3600.`
			`Gclifetime int64`
			`// Max life time in seconds. Default is whatever GC interval time is.`
			`Maxlifetime int64`
			`// Use HTTPS only. Default is false.`
			`Secure bool`
			`// Cookie domain name. Default is empty.`
			`Domain string`
			`// SameSite declares if your cookie should be restricted to a first-party or same-site context. Valid strings are "none", "lax", "strict". Default is "lax"`
			`SameSite http.SameSite`
			`}{`
			`CookieName: "i_like_gitea",`
			`Gclifetime: 86400,`
			`Maxlifetime: 86400,`
			`SameSite: http.SameSiteLaxMode,`
			`}`
Split setting.go as multiple files (#6014) * split setting.go as multiple files * fix comments 2019-02-10 02:37:37 +01:00
Refactor the setting to make unit test easier (#22405) Some bugs caused by less unit tests in fundamental packages. This PR refactor `setting` package so that create a unit test will be easier than before. - All `LoadFromXXX` files has been splited as two functions, one is `InitProviderFromXXX` and `LoadCommonSettings`. The first functions will only include the code to create or new a ini file. The second function will load common settings. - It also renames all functions in setting from `newXXXService` to `loadXXXSetting` or `loadXXXFrom` to make the function name less confusing. - Move `XORMLog` to `SQLLog` because it's a better name for that. Maybe we should finally move these `loadXXXSetting` into the `XXXInit` function? Any idea? --------- Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: delvh <dev.lh@web.de> 2023-02-19 17:12:01 +01:00			`func loadSessionFrom(rootCfg ConfigProvider) {`
			`sec := rootCfg.Section("session")`
Movde dependents on macaron from modules/setting (#10050) Co-authored-by: Lauris BH <lauris@nix.lv> 2020-01-29 08:47:46 +01:00			`SessionConfig.Provider = sec.Key("PROVIDER").In("memory",`
Create DB session provider(based on xorm) (#13031) * Create Xorm session provider This PR creates a Xorm session provider which creates the appropriate Session table for macaron/session. Fix #7137 Signed-off-by: Andrew Thornton <art27@cantab.net> * extraneous l Signed-off-by: Andrew Thornton <art27@cantab.net> * fix lint Signed-off-by: Andrew Thornton <art27@cantab.net> * use key instead of ID to be compatible with go-macaron/session Signed-off-by: Andrew Thornton <art27@cantab.net> * And change the migration too. Signed-off-by: Andrew Thornton <art27@cantab.net> * Update spacing of imports Co-authored-by: 6543 <6543@obermui.de> * Update modules/session/xorm.go Co-authored-by: techknowlogick <matti@mdranta.net> * add xorm provider to the virtual provider Signed-off-by: Andrew Thornton <art27@cantab.net> * prep for master merge * prep for merge master * As per @lunny * move migration out of the way * Move to call this db session as per @lunny Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> 2021-02-15 06:33:31 +01:00			`[]string{"memory", "file", "redis", "mysql", "postgres", "couchbase", "memcache", "db"})`
Movde dependents on macaron from modules/setting (#10050) Co-authored-by: Lauris BH <lauris@nix.lv> 2020-01-29 08:47:46 +01:00			`SessionConfig.ProviderConfig = strings.Trim(sec.Key("PROVIDER_CONFIG").MustString(path.Join(AppDataPath, "sessions")), "\" ")`
Split setting.go as multiple files (#6014) * split setting.go as multiple files * fix comments 2019-02-10 02:37:37 +01:00			`if SessionConfig.Provider == "file" && !filepath.IsAbs(SessionConfig.ProviderConfig) {`
			`SessionConfig.ProviderConfig = path.Join(AppWorkPath, SessionConfig.ProviderConfig)`
			`}`
Movde dependents on macaron from modules/setting (#10050) Co-authored-by: Lauris BH <lauris@nix.lv> 2020-01-29 08:47:46 +01:00			`SessionConfig.CookieName = sec.Key("COOKIE_NAME").MustString("i_like_gitea")`
Fix incorrect cookie path for AppSubURL (#29534) Regression of #24107 (cherry picked from commit 44398e405ffe297997c6b9c8dbb97f966926b65a) 2024-03-03 01:14:12 +01:00			`SessionConfig.CookiePath = AppSubURL`
			`if SessionConfig.CookiePath == "" {`
			`SessionConfig.CookiePath = "/"`
			`}`
Use secure cookie for HTTPS sites (#26999) If the AppURL(ROOT_URL) is an HTTPS URL, then the COOKIE_SECURE's default value should be true. And, if a user visits an "http" site with "https" AppURL, they won't be able to login, and they should have been warned. The only problem is that the "language" can't be set either in such case, while I think it is not a serious problem, and it could be fixed easily if needed. ![image](https://github.com/go-gitea/gitea/assets/2114189/7bc9a859-dcc1-467d-bc7c-1dd6a10389e3) 2023-09-11 11:03:51 +02:00			`SessionConfig.Secure = sec.Key("COOKIE_SECURE").MustBool(strings.HasPrefix(strings.ToLower(AppURL), "https://"))`
Movde dependents on macaron from modules/setting (#10050) Co-authored-by: Lauris BH <lauris@nix.lv> 2020-01-29 08:47:46 +01:00			`SessionConfig.Gclifetime = sec.Key("GC_INTERVAL_TIME").MustInt64(86400)`
			`SessionConfig.Maxlifetime = sec.Key("SESSION_LIFE_TIME").MustInt64(86400)`
			`SessionConfig.Domain = sec.Key("DOMAIN").String()`
Add SameSite setting for cookies (#14900) Add SameSite setting for cookies and rationalise the cookie setting code. Switches SameSite to Lax by default. There is a possible future extension of differentiating which cookies could be set at Strict by default but that is for a future PR. Fix #5583 Signed-off-by: Andrew Thornton <art27@cantab.net> 2021-03-07 09:12:43 +01:00			`samesiteString := sec.Key("SAME_SITE").In("lax", []string{"none", "lax", "strict"})`
			`switch strings.ToLower(samesiteString) {`
			`case "none":`
			`SessionConfig.SameSite = http.SameSiteNoneMode`
			`case "strict":`
			`SessionConfig.SameSite = http.SameSiteStrictMode`
			`default:`
			`SessionConfig.SameSite = http.SameSiteLaxMode`
			`}`
Prevent creating empty sessions (#6677) * Prevent creating empty sessions Signed-off-by: Andrew Thornton <art27@cantab.net> * Update modules/setting/session.go * Remove unnecessary option Signed-off-by: Andrew Thornton <art27@cantab.net> * Add destory to list of ignored misspellings * rename cookie.go -> virtual.go * Delete old file * Add test to ensure that sessions are not created without being logged in Signed-off-by: Andrew Thornton <art27@cantab.net> * fix tests Signed-off-by: Andrew Thornton <art27@cantab.net> * Update integrations/create_no_session_test.go 2019-04-20 08:44:50 +02:00			`shadowConfig, err := json.Marshal(SessionConfig)`
			`if err != nil {`
			`log.Fatal("Can't shadow session config: %v", err)`
			`}`
			`SessionConfig.ProviderConfig = string(shadowConfig)`
Refactor the setting to make unit test easier (#22405) Some bugs caused by less unit tests in fundamental packages. This PR refactor `setting` package so that create a unit test will be easier than before. - All `LoadFromXXX` files has been splited as two functions, one is `InitProviderFromXXX` and `LoadCommonSettings`. The first functions will only include the code to create or new a ini file. The second function will load common settings. - It also renames all functions in setting from `newXXXService` to `loadXXXSetting` or `loadXXXFrom` to make the function name less confusing. - Move `XORMLog` to `SQLLog` because it's a better name for that. Maybe we should finally move these `loadXXXSetting` into the `XXXInit` function? Any idea? --------- Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: delvh <dev.lh@web.de> 2023-02-19 17:12:01 +01:00			`SessionConfig.OriginalProvider = SessionConfig.Provider`
Prevent creating empty sessions (#6677) * Prevent creating empty sessions Signed-off-by: Andrew Thornton <art27@cantab.net> * Update modules/setting/session.go * Remove unnecessary option Signed-off-by: Andrew Thornton <art27@cantab.net> * Add destory to list of ignored misspellings * rename cookie.go -> virtual.go * Delete old file * Add test to ensure that sessions are not created without being logged in Signed-off-by: Andrew Thornton <art27@cantab.net> * fix tests Signed-off-by: Andrew Thornton <art27@cantab.net> * Update integrations/create_no_session_test.go 2019-04-20 08:44:50 +02:00			`SessionConfig.Provider = "VirtualSession"`

Split setting.go as multiple files (#6014) * split setting.go as multiple files * fix comments 2019-02-10 02:37:37 +01:00			`log.Info("Session Service Enabled")`
			`}`