Fix oauth2 session gob register (#36017)

`gob.Register` must be called before Sessioner Fix #36016
2025-11-29 11:27:48 +01:00 · 2025-11-26 23:25:34 +08:00 · 2025-11-26 23:25:34 +08:00 · 000c06d41b
commit 000c06d41b
parent abe2755f7a
9 changed files with 22 additions and 27 deletions
--- a/go.mod
+++ b/go.mod
@ -17,7 +17,7 @@ require (
 	gitea.com/go-chi/binding v0.0.0-20240430071103-39a851e106ed
 	gitea.com/go-chi/cache v0.2.1
 	gitea.com/go-chi/captcha v0.0.0-20240315150714-fb487f629098
-	gitea.com/go-chi/session v0.0.0-20250926004215-636cadd82e15
+	gitea.com/go-chi/session v0.0.0-20251124165456-68e0254e989e
 	gitea.com/lunny/dingtalk_webhook v0.0.0-20171025031554-e3534c89ef96
 	gitea.com/lunny/levelqueue v0.4.2-0.20230414023320-3c0159fe0fe4
 	github.com/42wim/httpsig v1.2.3
--- a/go.sum
+++ b/go.sum
@ -41,8 +41,8 @@ gitea.com/go-chi/cache v0.2.1 h1:bfAPkvXlbcZxPCpcmDVCWoHgiBSBmZN/QosnZvEC0+g=
 gitea.com/go-chi/cache v0.2.1/go.mod h1:Qic0HZ8hOHW62ETGbonpwz8WYypj9NieU9659wFUJ8Q=
 gitea.com/go-chi/captcha v0.0.0-20240315150714-fb487f629098 h1:p2ki+WK0cIeNQuqjR98IP2KZQKRzJJiV7aTeMAFwaWo=
 gitea.com/go-chi/captcha v0.0.0-20240315150714-fb487f629098/go.mod h1:LjzIOHlRemuUyO7WR12fmm18VZIlCAaOt9L3yKw40pk=
-gitea.com/go-chi/session v0.0.0-20250926004215-636cadd82e15 h1:qFYmz05u/s9664o7+XEgrlHXSPQ4uHO8/ccZGUb1uxA=
-gitea.com/go-chi/session v0.0.0-20250926004215-636cadd82e15/go.mod h1:0iEpFKnwO5dG0aF98O4eq6FMsAiXkNBaDIlUOlq4BtM=
+gitea.com/go-chi/session v0.0.0-20251124165456-68e0254e989e h1:4bugwPyGMLvblEm3pZ8fZProSPVxE4l0UXF2Kv6IJoY=
+gitea.com/go-chi/session v0.0.0-20251124165456-68e0254e989e/go.mod h1:KDvcfMUoXfATPHs2mbMoXFTXT45/FAFAS39waz9tPk0=
 gitea.com/lunny/dingtalk_webhook v0.0.0-20171025031554-e3534c89ef96 h1:+wWBi6Qfruqu7xJgjOIrKVQGiLUZdpKYCZewJ4clqhw=
 gitea.com/lunny/dingtalk_webhook v0.0.0-20171025031554-e3534c89ef96/go.mod h1:VyMQP6ue6MKHM8UsOXfNfuMKD0oSAWZdXVcpHIN2yaY=
 gitea.com/lunny/levelqueue v0.4.2-0.20230414023320-3c0159fe0fe4 h1:IFT+hup2xejHqdhS7keYWioqfmxdnfblFDTGoOwcZ+o=
--- a/modules/auth/webauthn/webauthn.go
+++ b/modules/auth/webauthn/webauthn.go
@ -22,7 +22,7 @@ var WebAuthn *webauthn.WebAuthn

 // Init initializes the WebAuthn instance from the config.
 func Init() {
-	gob.Register(&webauthn.SessionData{})
+	gob.Register(&webauthn.SessionData{}) // TODO: CHI-SESSION-GOB-REGISTER.

 	appURL, _ := protocol.FullyQualifiedOrigin(setting.AppURL)

--- a/routers/common/middleware.go
+++ b/routers/common/middleware.go
@ -5,6 +5,7 @@ package common

 import (
 	"fmt"
+	"log"
 	"net/http"
 	"strings"

@ -107,7 +108,11 @@ func ForwardedHeadersHandler(limit int, trustedProxies []string) func(h http.Han
 	return proxy.ForwardedHeaders(opt)
 }

-func Sessioner() (func(next http.Handler) http.Handler, error) {
+func MustInitSessioner() func(next http.Handler) http.Handler {
+	// TODO: CHI-SESSION-GOB-REGISTER: chi-session has a design problem: it calls gob.Register for "Set"
+	// But if the server restarts, then the first "Get" will fail to decode the previously stored session data because the structs are not registered yet.
+	// So each package should make sure their structs are registered correctly during startup for session storage.
+
 	middleware, err := session.Sessioner(session.Options{
 		Provider:       setting.SessionConfig.Provider,
 		ProviderConfig: setting.SessionConfig.ProviderConfig,
@ -120,8 +125,7 @@ func Sessioner() (func(next http.Handler) http.Handler, error) {
 		Domain:         setting.SessionConfig.Domain,
 	})
 	if err != nil {
-		return nil, fmt.Errorf("failed to create session middleware: %w", err)
+		log.Fatalf("common.Sessioner failed: %v", err)
 	}
-
-	return middleware, nil
+	return middleware
 }
--- a/routers/install/install.go
+++ b/routers/install/install.go
@ -55,8 +55,8 @@ func getSupportedDbTypeNames() (dbTypeNames []map[string]string) {
 	return dbTypeNames
 }

-// Contexter prepare for rendering installation page
-func Contexter() func(next http.Handler) http.Handler {
+// installContexter prepare for rendering installation page
+func installContexter() func(next http.Handler) http.Handler {
 	rnd := templates.HTMLRenderer()
 	dbTypeNames := getSupportedDbTypeNames()
 	envConfigKeys := setting.CollectEnvConfigKeys()
--- a/routers/install/routes.go
+++ b/routers/install/routes.go
@ -8,7 +8,6 @@ import (
 	"html"
 	"net/http"

-	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/public"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/web"
@ -25,11 +24,8 @@ func Routes() *web.Router {
 	base.Methods("GET, HEAD", "/assets/*", public.FileHandlerFunc())

 	r := web.NewRouter()
-	if sessionMid, err := common.Sessioner(); err == nil && sessionMid != nil {
-		r.Use(sessionMid, Contexter())
-	} else {
-		log.Fatal("common.Sessioner failed: %v", err)
-	}
+	r.Use(common.MustInitSessioner(), installContexter())
+
 	r.Get("/", Install) // it must be on the root, because the "install.js" use the window.location to replace the "localhost" AppURL
 	r.Post("/", web.Bind(forms.InstallForm{}), SubmitInstall)
 	r.Get("/post-install", InstallDone)
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@ -277,8 +277,11 @@ type LinkAccountData struct {
 	GothUser     goth.User
 }

+func init() {
+	gob.Register(LinkAccountData{}) // TODO: CHI-SESSION-GOB-REGISTER
+}
+
 func oauth2GetLinkAccountData(ctx *context.Context) *LinkAccountData {
-	gob.Register(LinkAccountData{})
 	v, ok := ctx.Session.Get("linkAccountData").(LinkAccountData)
 	if !ok {
 		return nil
@ -287,7 +290,6 @@ func oauth2GetLinkAccountData(ctx *context.Context) *LinkAccountData {
 }

 func Oauth2SetLinkAccountData(ctx *context.Context, linkAccountData LinkAccountData) error {
-	gob.Register(LinkAccountData{})
 	return updateSession(ctx, nil, map[string]any{
 		"linkAccountData": linkAccountData,
 	})
--- a/routers/web/web.go
+++ b/routers/web/web.go
@ -267,11 +267,7 @@ func Routes() *web.Router {
 	routes.Get("/ssh_info", misc.SSHInfo)
 	routes.Get("/api/healthz", healthcheck.Check)

-	if sessionMid, err := common.Sessioner(); err == nil && sessionMid != nil {
-		mid = append(mid, sessionMid, context.Contexter())
-	} else {
-		log.Fatal("common.Sessioner failed: %v", err)
-	}
+	mid = append(mid, common.MustInitSessioner(), context.Contexter())

 	// Get user from session if logged in.
 	mid = append(mid, webAuth(buildAuthGroup()))
--- a/services/auth/source/oauth2/init.go
+++ b/services/auth/source/oauth2/init.go
@ -22,9 +22,6 @@ import (

 var gothRWMutex = sync.RWMutex{}

-// UsersStoreKey is the key for the store
-const UsersStoreKey = "gitea-oauth2-sessions"
-
 // ProviderHeaderKey is the HTTP header key
 const ProviderHeaderKey = "gitea-oauth2-provider"

@ -33,7 +30,7 @@ func Init(ctx context.Context) error {
 	// Lock our mutex
 	gothRWMutex.Lock()

-	gob.Register(&sessions.Session{})
+	gob.Register(&sessions.Session{}) // TODO: CHI-SESSION-GOB-REGISTER. FIXME: it seems to be an abuse, why the Session struct itself is stored in session store again?

 	gothic.Store = &SessionsStore{
 		maxLength: int64(setting.OAuth2.MaxTokenLength),