
Gitea Authentication no longer working with NGINX Proxies #8561

Closed
2 of 7 tasks
a20eac1d opened this issue Oct 17, 2019 · 7 comments · Fixed by #8586

Comments

@a20eac1d

Description

I recently updated my Gitea Docker container to the latest version and it seems like one of the last Gitea updates broke compatibility with NGINX web proxies.

After setting up the Gitea instance and creating an account I will be immediately logged in without entering any credentials. When switching devices or computers, I still don't have to log in with my password. My account is automatically logged in WORLDWIDE on EVERY device.

The "Logout" button does nothing and simply redirects me to my dashboard.

@zeripath
Contributor

zeripath commented Oct 17, 2019

Edit: I've got the wrong end of the stick here.

This is totally the wrong interpretation of the problem.


Hi! It's difficult to know what the causative change is as this is highly configuration dependent on your proxy and I'm not sure how to go about setting up a test environment for this - any test harness would be highly complex.

Could you tell us what the last known working version was?

Are you able to do a git bisect from a known working version and the latest?

The code that handles this is as follows and the majority of it is 3 years old with 10 months being the youngest:

gitea/modules/auth/auth.go

Lines 134 to 169 in 6ddd3b0

	if setting.Service.EnableReverseProxyAuth {
		webAuthUser := ctx.Req.Header.Get(setting.ReverseProxyAuthUser)
		if len(webAuthUser) > 0 {
			u, err := models.GetUserByName(webAuthUser)
			if err != nil {
				if !models.IsErrUserNotExist(err) {
					log.Error("GetUserByName: %v", err)
					return nil, false
				}
				// Check if enabled auto-registration.
				if setting.Service.EnableReverseProxyAutoRegister {
					email := gouuid.NewV4().String() + "@localhost"
					if setting.Service.EnableReverseProxyEmail {
						webAuthEmail := ctx.Req.Header.Get(setting.ReverseProxyAuthEmail)
						if len(webAuthEmail) > 0 {
							email = webAuthEmail
						}
					}
					u := &models.User{
						Name:     webAuthUser,
						Email:    email,
						Passwd:   webAuthUser,
						IsActive: true,
					}
					if err = models.CreateUser(u); err != nil {
						// FIXME: should I create a system notice?
						log.Error("CreateUser: %v", err)
						return nil, false
					}
					return u, false
				}
			}
			return u, false
		}
	}

As you can see, if the X-WEBAUTH-USER header is set then the user will be logged in automatically as the appropriate user.

To log out from this you would need to log out from both Gitea (removing the session from Gitea) and the WEBAUTH host (so that it no longer sends the X-WEBAUTH-USER header).

Hmm... we did change some more upstream auth bits but I'm not sure that these would account for this.

@a20eac1d
Author

Oh wow, it is the auto-login caused by logging in to HTTP Basic-Auth.

When the login details for both HTTP Basic-Auth and Gitea are the same, it will login automatically.

What a strange feature.
Is there any chance that you could disable it by default? Those two login systems should definitely be separate. It makes no sense to have it turned on automatically and I'm sure it will cause confusion in the future.

@a20eac1d
Author

a20eac1d commented Oct 17, 2019

I tried to disable the feature using: https://docs.gitea.io/en-us/config-cheat-sheet/

ENABLE_REVERSE_PROXY_AUTHENTICATION

Setting it to false does not seem to have any impact on the issue. Am I using it wrong?

[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = true
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.example.org
ENABLE_REVERSE_PROXY_AUTHENTICATION = false
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
ENABLE_REVERSE_PROXY_EMAIL = false

@lunny
Member

lunny commented Oct 18, 2019

Those default values are already false.

@zeripath
Contributor

He's looking for a way to disable basic authentication in Gitea - I don't think we have that.

@a20eac1d
Author

Those default values are already false.

Those default values weren't in the "app.ini" created by Gitea, I had to add them.

But even now, they don't do anything. Setting them to true/false does nothing.

@zeripath
Contributor

@a20eac1d those settings are for a different type of login - in that case the proxy server is setting an X-WEBAUTH-USER header. Basic authentication is set using the AUTHORIZATION header with type basic.

We have no setting to turn that mode of authentication off at present - it's used in the API, predominantly for controlling tokens. I think it would be possible to add a simple config switch to disallow this method of authentication though.
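The two login paths discussed in this thread (the X-WEBAUTH-USER header path that zeripath quotes from modules/auth/auth.go, and the HTTP Basic path via the Authorization header that the reporter hit behind NGINX auth_basic) can be modelled side by side. The following is an added example, not Gitea's code and not from anyone in this thread. It assumes a hypothetical EnableBasicAuth switch of the kind zeripath suggests (no such setting existed at the time), an in-memory user table that is constructed for the example, and plain-text password comparison in place of a real hash check.

```go
package main

// Added example (not Gitea's code): a minimal model of the two login paths
// discussed in the thread, so the difference between the [service]
// ENABLE_REVERSE_PROXY_AUTHENTICATION switch and HTTP Basic auth is visible.

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Settings models the relevant [service] switches. EnableBasicAuth is an
// assumption: the thread says Gitea had no such switch at the time.
type Settings struct {
	EnableReverseProxyAuth bool
	ReverseProxyAuthUser   string // header name; Gitea's default is X-WEBAUTH-USER
	EnableBasicAuth        bool   // hypothetical switch, see above
}

// Result reports who was authenticated and by which mechanism.
type Result struct {
	User   string
	Method string // "reverse-proxy", "basic" or "" when unauthenticated
}

// users is a constructed in-memory account table for the example. Real code
// would compare against a password hash; plain text keeps the example short.
var users = map[string]string{
	"alice": "correct horse battery staple",
}

// Authenticate follows the order of the auth.go excerpt: trusted-header auth
// first (only when enabled), then the Authorization header.
func Authenticate(s Settings, r *http.Request) Result {
	// Reverse-proxy auth: trust a header the proxy sets. No password is checked
	// here, so it must only be enabled when clients cannot reach Gitea directly
	// and the proxy strips any client-supplied copy of the header.
	if s.EnableReverseProxyAuth && s.ReverseProxyAuthUser != "" {
		if name := r.Header.Get(s.ReverseProxyAuthUser); name != "" {
			if _, known := users[name]; known {
				return Result{User: name, Method: "reverse-proxy"}
			}
		}
	}
	// HTTP Basic: "Authorization: Basic base64(user:pass)". An NGINX auth_basic
	// prompt makes the browser send exactly this header on every request, and if
	// the proxy forwards it unchanged Gitea sees the credentials and logs the
	// user in, regardless of the reverse-proxy settings above.
	if s.EnableBasicAuth {
		if user, pass, ok := r.BasicAuth(); ok {
			want, known := users[user]
			if known && subtle.ConstantTimeCompare([]byte(want), []byte(pass)) == 1 {
				return Result{User: user, Method: "basic"}
			}
		}
	}
	return Result{}
}

// RequestWithBasic builds a request the way a browser does after an NGINX
// auth_basic prompt has been answered.
func RequestWithBasic(user, pass string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/", nil)
	r.SetBasicAuth(user, pass)
	return r
}

// RequestWithProxyHeader builds a request the way a trusted proxy would.
func RequestWithProxyHeader(header, user string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/", nil)
	r.Header.Set(header, user)
	return r
}

func main() {
	// The reporter's app.ini: reverse-proxy switches off, Basic auth always on.
	reporter := Settings{EnableBasicAuth: true}
	fmt.Println(Authenticate(reporter, RequestWithBasic("alice", "correct horse battery staple")))
	fmt.Println(Authenticate(reporter, RequestWithProxyHeader("X-WEBAUTH-USER", "alice")))

	// With the hypothetical switch off, the forwarded Authorization header is ignored.
	hardened := Settings{EnableBasicAuth: false}
	fmt.Println(Authenticate(hardened, RequestWithBasic("alice", "correct horse battery staple")))
}
```

Running it shows why flipping ENABLE_REVERSE_PROXY_AUTHENTICATION has no effect on the reporter's setup: the header-based path is already off, while the Basic path is reached by a different header that NGINX forwards untouched. Until a switch like EnableBasicAuth exists, the practical mitigation is to stop the proxy from forwarding the header (for NGINX, proxy_set_header Authorization "" on the location that fronts Gitea) or to use different credentials for the proxy and for Gitea.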

zeripath added a commit to zeripath/gitea that referenced this issue Oct 19, 2019
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020