forgejo/models/auth
Earl Warren 7cabc5670d
Implement remote user login source and promotion to regular user
A remote user (UserTypeRemoteUser) is a placeholder that can be
promoted to a regular user (UserTypeIndividual). It represents users
that exist somewhere else. Although the UserTypeRemoteUser already
exists in Forgejo, it is neither used or documented.

A new login type / source (Remote) is introduced and set to be the login type
of remote users.

Type        UserTypeRemoteUser
LogingType  Remote

The association between a remote user and its counterpart in another
environment (for instance another forge) is via the OAuth2 login
source:

LoginName   set to the unique identifier relative to the login source
LoginSource set to the identifier of the remote source

For instance when migrating from GitLab.com, a user can be created as
if it was authenticated using GitLab.com as an OAuth2 authentication
source.

When a user authenticates to Forejo from the same authentication
source and the identifier match, the remote user is promoted to a
regular user. For instance if 43 is the ID of the GitLab.com OAuth2
login source, 88 is the ID of the Remote loging source, and 48323
is the identifier of the foo user:

Type        UserTypeRemoteUser
LogingType  Remote
LoginName   48323
LoginSource 88
Email       (empty)
Name        foo

Will be promoted to the following when the user foo authenticates to
the Forgejo instance using GitLab.com as an OAuth2 provider. All users
with a LoginType of Remote and a LoginName of 48323 are examined. If
the LoginSource has a provider name that matches the provider name of
GitLab.com (usually just "gitlab"), it is a match and can be promoted.

The email is obtained via the OAuth2 provider and the user set to:

Type        UserTypeIndividual
LogingType  OAuth2
LoginName   48323
LoginSource 43
Email       foo@example.com
Name        foo

Note: the Remote login source is an indirection to the actual login
source, i.e. the provider string my be set to a login source that does
not exist yet.
2024-04-25 13:03:49 +02:00
..
TestOrphanedOAuth2Applications [BUG] Don't remove builtin OAuth2 applications 2024-04-06 01:07:45 +02:00
access_token.go Use db.Find instead of writing methods for every object (#28084) 2023-11-24 03:49:41 +00:00
access_token_scope.go [GITEA] silently ignore obsolete sudo scope 2024-02-05 16:05:50 +01:00
access_token_scope_test.go [GITEA] silently ignore obsolete sudo scope 2024-02-05 16:05:50 +01:00
access_token_test.go Use db.Find instead of writing methods for every object (#28084) 2023-11-24 03:49:41 +00:00
auth_token.go [SECURITY] Rework long-term authentication 2024-02-05 15:06:15 +01:00
main_test.go make writing main test easier (#27270) 2023-09-28 01:38:53 +00:00
oauth2.go Add comment for ContainsRedirectURI about the exact match (#30457) 2024-04-15 20:01:36 +02:00
oauth2_list.go Use db.Find instead of writing methods for every object (#28084) 2023-11-24 03:49:41 +00:00
oauth2_test.go Sort BuiltinApplicationsClientIDs() in test 2024-04-06 11:30:02 +02:00
session.go Fix session key conflict with database keyword (#28613) 2023-12-27 15:24:23 +08:00
session_test.go [GITEA] Fix session generation for database 2024-02-05 16:09:41 +01:00
source.go Implement remote user login source and promotion to regular user 2024-04-25 13:03:49 +02:00
source_test.go Penultimate round of db.DefaultContext refactor (#27414) 2023-10-11 04:24:07 +00:00
twofactor.go [GITEA] Drop sha256-simd in favor of stdlib 2024-02-05 16:09:40 +01:00
webauthn.go Move more functions to db.Find (#28419) 2024-01-15 02:19:25 +00:00
webauthn_test.go