[v13.0/forgejo] fix: return on error if an LFS token cannot be parsed

Extracted from https://github.com/go-gitea/gitea/pull/35708
2025-10-25 11:06:58 +02:00 · 2025-10-25 11:06:58 +02:00 · fa1a2ba669
commit fa1a2ba669
parent afbf1efe02
2 changed files with 83 additions and 4 deletions
--- a/services/lfs/server.go
+++ b/services/lfs/server.go
@ -580,9 +580,6 @@ func authenticate(ctx *context.Context, repository *repo_model.Repository, autho
 }
 func handleLFSToken(ctx stdCtx.Context, tokenSHA string, target *repo_model.Repository, mode perm.AccessMode) (*user_model.User, error) {
 	if !strings.Contains(tokenSHA, ".") {
 		return nil, nil
 	}
 	token, err := jwt.ParseWithClaims(tokenSHA, &Claims{}, func(t *jwt.Token) (any, error) {
 		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
 			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
@ -590,7 +587,7 @@ func handleLFSToken(ctx stdCtx.Context, tokenSHA string, target *repo_model.Repo
 		return setting.LFS.JWTSecretBytes, nil
 	})
 	if err != nil {
-		return nil, nil
+		return nil, errors.New("invalid token")
 	}
 	claims, claimsOk := token.Claims.(*Claims)
--- a/services/lfs/server_test.go
+++ b/services/lfs/server_test.go
@ -0,0 +1,82 @@
 // Copyright 2025 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 package lfs
 import (
 	"fmt"
 	"strings"
 	"testing"
 	"time"
 	perm_model "forgejo.org/models/perm"
 	repo_model "forgejo.org/models/repo"
 	"forgejo.org/models/unittest"
 	"forgejo.org/modules/setting"
 	"forgejo.org/services/contexttest"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func TestMain(m *testing.M) {
 	unittest.MainTest(m)
 }
 type authTokenOptions struct {
 	Op     string
 	UserID int64
 	RepoID int64
 }
 func getLFSAuthTokenWithBearer(opts authTokenOptions) (string, error) {
 	now := time.Now()
 	claims := Claims{
 		RegisteredClaims: jwt.RegisteredClaims{
 			ExpiresAt: jwt.NewNumericDate(now.Add(setting.LFS.HTTPAuthExpiry)),
 			NotBefore: jwt.NewNumericDate(now),
 		},
 		RepoID: opts.RepoID,
 		Op:     opts.Op,
 		UserID: opts.UserID,
 	}
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 	// Sign and get the complete encoded token as a string using the secret
 	tokenString, err := token.SignedString(setting.LFS.JWTSecretBytes)
 	if err != nil {
 		return "", fmt.Errorf("failed to sign LFS JWT token: %w", err)
 	}
 	return "Bearer " + tokenString, nil
 }
 func TestAuthenticate(t *testing.T) {
 	require.NoError(t, unittest.PrepareTestDatabase())
 	repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
 	token2, _ := getLFSAuthTokenWithBearer(authTokenOptions{Op: "download", UserID: 2, RepoID: 1})
 	_, token2, _ = strings.Cut(token2, " ")
 	ctx, _ := contexttest.MockContext(t, "/")
 	t.Run("handleLFSToken", func(t *testing.T) {
 		u, err := handleLFSToken(ctx, "", repo1, perm_model.AccessModeRead)
 		require.Error(t, err)
 		assert.Nil(t, u)
 		u, err = handleLFSToken(ctx, "invalid", repo1, perm_model.AccessModeRead)
 		require.Error(t, err)
 		assert.Nil(t, u)
 		u, err = handleLFSToken(ctx, token2, repo1, perm_model.AccessModeRead)
 		require.NoError(t, err)
 		assert.EqualValues(t, 2, u.ID)
 	})
 	t.Run("authenticate", func(t *testing.T) {
 		const prefixBearer = "Bearer "
 		assert.False(t, authenticate(ctx, repo1, "", true, false))
 		assert.False(t, authenticate(ctx, repo1, prefixBearer+"invalid", true, false))
 		assert.True(t, authenticate(ctx, repo1, prefixBearer+token2, true, false))
 	})
 }