mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-15 20:40:52 +09:00
65c5a5ff7b
Fixes #38217 ## Problem Turnstile CAPTCHA verification uses `http.DefaultClient`, so the request to `challenges.cloudflare.com` bypasses Gitea's configured HTTP proxy — unlike other outbound HTTP clients such as the update checker (`modules/updatechecker/update_checker.go`) and migrations. In deployments where egress is only permitted through the configured proxy, verification fails. ## Fix Build the client with `proxy.Proxy()` as the transport proxy, mirroring the update checker: ```go func httpClient() *http.Client { return &http.Client{ Transport: &http.Transport{ Proxy: proxy.Proxy(), }, } } ``` The client is built per call (rather than a package-level var) because `proxy.Proxy()` reads `setting.Proxy` when invoked; building it at request time ensures it reflects the loaded settings. When no proxy is configured, behavior is unchanged (`proxy.Proxy()` returns a no-op / `http.ProxyFromEnvironment`). --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
104 lines
3.1 KiB
Go
104 lines
3.1 KiB
Go
// Copyright 2023 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package turnstile
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"net/url"
|
|
"strings"
|
|
|
|
"gitea.dev/modules/json"
|
|
"gitea.dev/modules/proxy"
|
|
"gitea.dev/modules/setting"
|
|
"gitea.dev/modules/util"
|
|
)
|
|
|
|
// httpClient returns an HTTP client that honors Gitea's proxy configuration.
|
|
var httpClient = util.OnceValue[*http.Client]{
|
|
Func: func() *http.Client {
|
|
transport := http.DefaultTransport.(*http.Transport).Clone()
|
|
transport.Proxy = proxy.Proxy()
|
|
return &http.Client{Transport: transport}
|
|
},
|
|
}
|
|
|
|
// Response is the structure of JSON returned from API
|
|
type Response struct {
|
|
Success bool `json:"success"`
|
|
ChallengeTS string `json:"challenge_ts"`
|
|
Hostname string `json:"hostname"`
|
|
ErrorCodes []ErrorCode `json:"error-codes"`
|
|
Action string `json:"login"`
|
|
Cdata string `json:"cdata"`
|
|
}
|
|
|
|
// Verify calls Cloudflare Turnstile API to verify token
|
|
func Verify(ctx context.Context, response string) (bool, error) {
|
|
// Cloudflare turnstile official access instruction address: https://developers.cloudflare.com/turnstile/get-started/server-side-validation/
|
|
post := url.Values{
|
|
"secret": {setting.Service.CfTurnstileSecret},
|
|
"response": {response},
|
|
}
|
|
// Basically a copy of http.PostForm, but with a context
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodPost,
|
|
"https://challenges.cloudflare.com/turnstile/v0/siteverify", strings.NewReader(post.Encode()))
|
|
if err != nil {
|
|
return false, fmt.Errorf("Failed to create CAPTCHA request: %w", err)
|
|
}
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
|
|
resp, err := httpClient.Value().Do(req)
|
|
if err != nil {
|
|
return false, fmt.Errorf("Failed to send CAPTCHA response: %w", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
body, err := io.ReadAll(resp.Body)
|
|
if err != nil {
|
|
return false, fmt.Errorf("Failed to read CAPTCHA response: %w", err)
|
|
}
|
|
|
|
var jsonResponse Response
|
|
if err := json.Unmarshal(body, &jsonResponse); err != nil {
|
|
return false, fmt.Errorf("Failed to parse CAPTCHA response: %w", err)
|
|
}
|
|
|
|
var respErr error
|
|
if len(jsonResponse.ErrorCodes) > 0 {
|
|
respErr = jsonResponse.ErrorCodes[0]
|
|
}
|
|
return jsonResponse.Success, respErr
|
|
}
|
|
|
|
// ErrorCode is a reCaptcha error
|
|
type ErrorCode string
|
|
|
|
// String fulfills the Stringer interface
|
|
func (e ErrorCode) String() string {
|
|
switch e {
|
|
case "missing-input-secret":
|
|
return "The secret parameter was not passed."
|
|
case "invalid-input-secret":
|
|
return "The secret parameter was invalid or did not exist."
|
|
case "missing-input-response":
|
|
return "The response parameter was not passed."
|
|
case "invalid-input-response":
|
|
return "The response parameter is invalid or has expired."
|
|
case "bad-request":
|
|
return "The request was rejected because it was malformed."
|
|
case "timeout-or-duplicate":
|
|
return "The response parameter has already been validated before."
|
|
case "internal-error":
|
|
return "An internal error happened while validating the response. The request can be retried."
|
|
}
|
|
return string(e)
|
|
}
|
|
|
|
// Error fulfills the error interface
|
|
func (e ErrorCode) Error() string {
|
|
return e.String()
|
|
}
|