Improved git http semantics and repo obfuscation (#94)

thomiceli · Sep 7, 2023 · 977fc9d · 977fc9d
1 parent 3e83700
commit 977fc9d
Showing 1 changed file with 13 additions and 15 deletions.
diff --git a/internal/web/git_http.go b/internal/web/git_http.go
@@ -47,30 +47,28 @@ func gitHttp(ctx echo.Context) error {
 
 			gist := getData(ctx, "gist").(*db.Gist)
 
-			// Shows basic auth if :
-			// - user wants to push the gist
-			// - user wants to clone a private gist
-			// - gist is not found (obfuscation)
-			// - admin setting to require login is set to true
-			noAuth := (ctx.QueryParam("service") == "git-upload-pack" ||
+			isInfoRefs := strings.HasSuffix(route.gitUrl, "/info/refs$")
+
+			isPull := ctx.QueryParam("service") == "git-upload-pack" ||
 				strings.HasSuffix(ctx.Request().URL.Path, "git-upload-pack") ||
-				ctx.Request().Method == "GET") &&
-				gist.Private != 2 &&
-				gist.ID != 0 &&
-				!getData(ctx, "RequireLogin").(bool)
+				ctx.Request().Method == "GET" && !isInfoRefs
 
 			repositoryPath := git.RepositoryPath(gist.User.Username, gist.Uuid)
-
 			if _, err := os.Stat(repositoryPath); os.IsNotExist(err) {
 				if err != nil {
+					log.Info().Err(err).Msg("Repository directory does not exist")
 					return errorRes(404, "Repository directory does not exist", err)
 				}
 			}
 
 			ctx.Set("repositoryPath", repositoryPath)
 
-			// Requires Basic Auth if we push the repository
-			if noAuth {
+			// Shows basic auth if :
+			// - user wants to push the gist
+			// - user wants to clone/pull a private gist
+			// - gist is not found (obfuscation)
+			// - admin setting to require login is set to true
+			if isPull && gist.Private != 2 && gist.ID != 0 && !getData(ctx, "RequireLogin").(bool) {
 				return route.handler(ctx)
 			}
 
@@ -90,15 +88,15 @@ func gitHttp(ctx echo.Context) error {
 			}
 
 			if gist.ID == 0 {
-				return errorRes(404, "Not found", nil)
+				return plainText(ctx, 404, "Check your credentials or make sure you have access to the Gist")
 			}
 
 			if ok, err := argon2id.verify(authPassword, gist.User.Password); !ok || gist.User.Username != authUsername {
 				if err != nil {
 					return errorRes(500, "Cannot verify password", err)
 				}
 				log.Warn().Msg("Invalid HTTP authentication attempt from " + ctx.RealIP())
-				return errorRes(404, "Not found", nil)
+				return plainText(ctx, 404, "Check your credentials or make sure you have access to the Gist")
 			}
 
 			return route.handler(ctx)