2021-06-09 07:33:54 +08:00
|
|
|
// Copyright 2021 The Gitea Authors. All rights reserved.
|
2022-11-27 13:20:29 -05:00
|
|
|
// SPDX-License-Identifier: MIT
|
2021-06-09 07:33:54 +08:00
|
|
|
|
|
|
|
|
package common
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
|
|
|
|
"net/http"
|
|
|
|
|
"strings"
|
|
|
|
|
|
2023-02-15 21:37:34 +08:00
|
|
|
"code.gitea.io/gitea/modules/cache"
|
2025-01-22 02:57:07 +08:00
|
|
|
"code.gitea.io/gitea/modules/gtprof"
|
2024-05-07 16:26:13 +08:00
|
|
|
"code.gitea.io/gitea/modules/httplib"
|
2026-03-08 17:59:46 +08:00
|
|
|
"code.gitea.io/gitea/modules/log"
|
2026-03-30 16:59:10 +02:00
|
|
|
"code.gitea.io/gitea/modules/public"
|
2024-12-24 11:43:57 +08:00
|
|
|
"code.gitea.io/gitea/modules/reqctx"
|
2021-06-09 07:33:54 +08:00
|
|
|
"code.gitea.io/gitea/modules/setting"
|
2022-01-20 19:41:25 +08:00
|
|
|
"code.gitea.io/gitea/modules/web/routing"
|
2024-02-27 15:12:22 +08:00
|
|
|
"code.gitea.io/gitea/services/context"
|
2021-06-09 07:33:54 +08:00
|
|
|
|
2023-04-27 14:06:45 +08:00
|
|
|
"gitea.com/go-chi/session"
|
2021-06-09 07:33:54 +08:00
|
|
|
"github.com/chi-middleware/proxy"
|
2024-06-18 07:28:47 +08:00
|
|
|
"github.com/go-chi/chi/v5"
|
2021-06-09 07:33:54 +08:00
|
|
|
)
|
|
|
|
|
|
2023-05-04 14:36:34 +08:00
|
|
|
// ProtocolMiddlewares returns HTTP protocol related middlewares, and it provides a global panic recovery
|
2023-04-27 14:06:45 +08:00
|
|
|
func ProtocolMiddlewares() (handlers []any) {
|
2024-12-24 11:43:57 +08:00
|
|
|
// the order is important
|
|
|
|
|
handlers = append(handlers, ChiRoutePathHandler()) // make sure chi has correct paths
|
2024-12-25 00:51:13 +08:00
|
|
|
handlers = append(handlers, RequestContextHandler()) // prepare the context and panic recovery
|
2023-05-04 14:36:34 +08:00
|
|
|
|
2024-12-24 11:43:57 +08:00
|
|
|
if setting.ReverseProxyLimit > 0 && len(setting.ReverseProxyTrustedProxies) > 0 {
|
|
|
|
|
handlers = append(handlers, ForwardedHeadersHandler(setting.ReverseProxyLimit, setting.ReverseProxyTrustedProxies))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if setting.IsRouteLogEnabled() {
|
|
|
|
|
handlers = append(handlers, routing.NewLoggerHandler())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if setting.IsAccessLogEnabled() {
|
|
|
|
|
handlers = append(handlers, context.AccessLogger())
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-30 16:59:10 +02:00
|
|
|
if !setting.IsProd {
|
|
|
|
|
handlers = append(handlers, public.ViteDevMiddleware)
|
|
|
|
|
}
|
|
|
|
|
|
2024-12-24 11:43:57 +08:00
|
|
|
return handlers
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func RequestContextHandler() func(h http.Handler) http.Handler {
|
|
|
|
|
return func(next http.Handler) http.Handler {
|
2025-01-20 14:25:17 +08:00
|
|
|
return http.HandlerFunc(func(respOrig http.ResponseWriter, req *http.Request) {
|
|
|
|
|
// this response writer might not be the same as the one in context.Base.Resp
|
|
|
|
|
// because there might be a "gzip writer" in the middle, so the "written size" here is the compressed size
|
|
|
|
|
respWriter := context.WrapResponseWriter(respOrig)
|
|
|
|
|
|
|
|
|
|
profDesc := fmt.Sprintf("HTTP: %s %s", req.Method, req.RequestURI)
|
2024-12-24 11:43:57 +08:00
|
|
|
ctx, finished := reqctx.NewRequestContext(req.Context(), profDesc)
|
|
|
|
|
defer finished()
|
|
|
|
|
|
2025-01-22 02:57:07 +08:00
|
|
|
ctx, span := gtprof.GetTracer().Start(ctx, gtprof.TraceSpanHTTP)
|
|
|
|
|
req = req.WithContext(ctx)
|
|
|
|
|
defer func() {
|
|
|
|
|
chiCtx := chi.RouteContext(req.Context())
|
|
|
|
|
span.SetAttributeString(gtprof.TraceAttrHTTPRoute, chiCtx.RoutePattern())
|
|
|
|
|
span.End()
|
|
|
|
|
}()
|
|
|
|
|
|
2023-05-04 14:36:34 +08:00
|
|
|
defer func() {
|
2026-03-08 17:59:46 +08:00
|
|
|
if recovered := recover(); recovered != nil {
|
|
|
|
|
renderPanicErrorPage(respWriter, req, recovered) // it should never panic, and it handles the stack trace internally
|
2023-05-04 14:36:34 +08:00
|
|
|
}
|
|
|
|
|
}()
|
2021-12-24 16:50:49 +00:00
|
|
|
|
2024-12-24 11:43:57 +08:00
|
|
|
ds := reqctx.GetRequestDataStore(ctx)
|
|
|
|
|
req = req.WithContext(cache.WithCacheContext(ctx))
|
|
|
|
|
ds.SetContextValue(httplib.RequestContextKey, req)
|
|
|
|
|
ds.AddCleanUp(func() {
|
2025-12-12 02:59:42 +08:00
|
|
|
// TODO: GOLANG-HTTP-TMPDIR: Golang saves the uploaded files to temp directory (TMPDIR) when parsing multipart-form.
|
|
|
|
|
// The "req" might have changed due to the new "req.WithContext" calls
|
|
|
|
|
// For example: in NewBaseContext, a new "req" with context is created, and the multipart-form is parsed there.
|
|
|
|
|
// So we always use the latest "req" from the data store.
|
|
|
|
|
ctxReq := ds.GetContextValue(httplib.RequestContextKey).(*http.Request)
|
|
|
|
|
if ctxReq.MultipartForm != nil {
|
|
|
|
|
_ = ctxReq.MultipartForm.RemoveAll() // remove the temp files buffered to tmp directory
|
2024-12-24 11:43:57 +08:00
|
|
|
}
|
|
|
|
|
})
|
2025-01-20 14:25:17 +08:00
|
|
|
next.ServeHTTP(respWriter, req)
|
2023-04-27 14:06:45 +08:00
|
|
|
})
|
2024-12-24 11:43:57 +08:00
|
|
|
}
|
|
|
|
|
}
|
2021-06-09 07:33:54 +08:00
|
|
|
|
2024-12-24 11:43:57 +08:00
|
|
|
func ChiRoutePathHandler() func(h http.Handler) http.Handler {
|
|
|
|
|
// make sure chi uses EscapedPath(RawPath) as RoutePath, then "%2f" could be handled correctly
|
|
|
|
|
return func(next http.Handler) http.Handler {
|
|
|
|
|
return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
|
2025-01-22 02:57:07 +08:00
|
|
|
chiCtx := chi.RouteContext(req.Context())
|
2024-12-24 11:43:57 +08:00
|
|
|
if req.URL.RawPath == "" {
|
2025-01-22 02:57:07 +08:00
|
|
|
chiCtx.RoutePath = req.URL.EscapedPath()
|
2021-06-09 07:33:54 +08:00
|
|
|
} else {
|
2025-01-22 02:57:07 +08:00
|
|
|
chiCtx.RoutePath = req.URL.RawPath
|
2021-06-09 07:33:54 +08:00
|
|
|
}
|
2024-12-24 11:43:57 +08:00
|
|
|
next.ServeHTTP(resp, req)
|
|
|
|
|
})
|
2021-06-09 07:33:54 +08:00
|
|
|
}
|
2024-12-24 11:43:57 +08:00
|
|
|
}
|
2022-01-20 19:41:25 +08:00
|
|
|
|
2024-12-24 11:43:57 +08:00
|
|
|
func ForwardedHeadersHandler(limit int, trustedProxies []string) func(h http.Handler) http.Handler {
|
|
|
|
|
opt := proxy.NewForwardedHeadersOptions().WithForwardLimit(limit).ClearTrustedProxies()
|
|
|
|
|
for _, n := range trustedProxies {
|
|
|
|
|
if !strings.Contains(n, "/") {
|
|
|
|
|
opt.AddTrustedProxy(n)
|
|
|
|
|
} else {
|
|
|
|
|
opt.AddTrustedNetwork(n)
|
|
|
|
|
}
|
2021-06-09 07:33:54 +08:00
|
|
|
}
|
2024-12-24 11:43:57 +08:00
|
|
|
return proxy.ForwardedHeaders(opt)
|
2021-06-09 07:33:54 +08:00
|
|
|
}
|
2023-03-04 19:01:24 +05:30
|
|
|
|
2025-11-26 23:25:34 +08:00
|
|
|
func MustInitSessioner() func(next http.Handler) http.Handler {
|
|
|
|
|
// TODO: CHI-SESSION-GOB-REGISTER: chi-session has a design problem: it calls gob.Register for "Set"
|
|
|
|
|
// But if the server restarts, then the first "Get" will fail to decode the previously stored session data because the structs are not registered yet.
|
|
|
|
|
// So each package should make sure their structs are registered correctly during startup for session storage.
|
|
|
|
|
|
2025-09-28 14:24:19 +02:00
|
|
|
middleware, err := session.Sessioner(session.Options{
|
2023-04-27 14:06:45 +08:00
|
|
|
Provider: setting.SessionConfig.Provider,
|
|
|
|
|
ProviderConfig: setting.SessionConfig.ProviderConfig,
|
|
|
|
|
CookieName: setting.SessionConfig.CookieName,
|
|
|
|
|
CookiePath: setting.SessionConfig.CookiePath,
|
|
|
|
|
Gclifetime: setting.SessionConfig.Gclifetime,
|
|
|
|
|
Maxlifetime: setting.SessionConfig.Maxlifetime,
|
|
|
|
|
Secure: setting.SessionConfig.Secure,
|
|
|
|
|
SameSite: setting.SessionConfig.SameSite,
|
|
|
|
|
Domain: setting.SessionConfig.Domain,
|
|
|
|
|
})
|
2025-09-28 14:24:19 +02:00
|
|
|
if err != nil {
|
2026-03-08 17:59:46 +08:00
|
|
|
log.Fatal("common.Sessioner failed: %v", err)
|
2025-09-28 14:24:19 +02:00
|
|
|
}
|
2025-11-26 23:25:34 +08:00
|
|
|
return middleware
|
2023-04-27 14:06:45 +08:00
|
|
|
}
|
