Move reverproxyauth before session so the header will not be ignored even if user has login (#27821)

When a user logout and then login another user, the reverseproxy auth should be checked before session otherwise the old user is still login. (cherry picked from commit 26ae5922348d2dbaf2161bbd6ac79b2aa455e5f0)
2024-07-01 03:23:53 +02:00 · 2024-05-11 22:55:49 +08:00 · 2024-05-11 22:55:49 +08:00 · 1f56a49f28
parent 32c97efab4
commit 1f56a49f28
1 changed files with 6 additions and 6 deletions
--- a/routers/web/web.go
+++ b/routers/web/web.go
@ -98,14 +98,14 @@ func optionsCorsHandler() func(next http.Handler) http.Handler {
 // The Session plugin is expected to be executed second, in order to skip authentication
 // for users that have already signed in.
 func buildAuthGroup() *auth_service.Group {
-	group := auth_service.NewGroup(
+	group := auth_service.NewGroup()
-		&auth_service.OAuth2{}, // FIXME: this should be removed and only applied in download and oauth related routers
+	group.Add(&auth_service.OAuth2{}) // FIXME: this should be removed and only applied in download and oauth related routers
-		&auth_service.Basic{},  // FIXME: this should be removed and only applied in download and git/lfs routers
+	group.Add(&auth_service.Basic{})  // FIXME: this should be removed and only applied in download and git/lfs routers
-		&auth_service.Session{},
+
 	)
 	if setting.Service.EnableReverseProxyAuth {
-		group.Add(&auth_service.ReverseProxy{})
+		group.Add(&auth_service.ReverseProxy{}) // reverseproxy should before Session, otherwise the header will be ignored if user has login
 	}
 	group.Add(&auth_service.Session{})
 	if setting.IsWindows && auth_model.IsSSPIEnabled(db.DefaultContext) {
 		group.Add(&auth_service.SSPI{}) // it MUST be the last, see the comment of SSPI