mirror of https://github.com/go-gitea/gitea.git synced 2026-05-15 23:40:58 +02:00

Go to file

fix(auth): set User-Agent on avatar fetch and sync avatar on link-account register (#37564 ) (#37588 )

## Summary

Fixes
[go-gitea/gitea#37564](https://github.com/go-gitea/gitea/issues/37564):
when an OIDC provider returns a `picture` claim, Gitea is supposed to
download that image as the user's avatar (if `[oauth2_client]
UPDATE_AVATAR = true`). Two latent bugs prevented this from working
consistently:

1. **Default Go User-Agent rejected by some image hosts.**
`oauth2UpdateAvatarIfNeed` used `http.Get`, which sends `User-Agent:
Go-http-client/1.1`. Hosts like `upload.wikimedia.org` reject that UA
with `403`, and every error path silently returned, so the user was left
with an identicon and **no log line** to diagnose the issue.
2. **Link-account *register* path skipped avatar sync.** First-time OIDC
sign-ins where auto-registration is disabled (or required a
username/password retype) go through `LinkAccountPostRegister`, which
created the user but never called `oauth2SignInSync`. So the avatar /
full name / SSH keys from the IdP were dropped on the floor for those
users, even though the existing-account-link path (`oauth2LinkAccount`)
and the auto-register path (`handleOAuth2SignIn`) both already did the
sync.

## Changes

- `routers/web/auth/oauth.go` — `oauth2UpdateAvatarIfNeed` now uses
`http.NewRequest` + `http.DefaultClient.Do`, sets `User-Agent: Gitea
<version>`, and logs every failure path at `Warn` (invalid URL, fetch
error, non-200, body read error, oversize body, upload error). No silent
failures.
- `routers/web/auth/linkaccount.go` — `LinkAccountPostRegister` now
calls `oauth2SignInSync` after a successful user creation, mirroring the
auto-register and link-existing-account flows.
- `tests/integration/oauth_avatar_test.go` — new
`TestOAuth2AvatarFromPicture` integration test with five sub-cases:
- `AutoRegister_FetchesAvatarFromPictureWithGiteaUA` — happy path,
asserts `use_custom_avatar=true`, an avatar hash is set, exactly one
HTTP request was made, and the request carried a `Gitea ` UA. The mock
server enforces the UA prefix to mirror real-world hosts that reject
Go's default UA.
- `AutoRegister_NonOK_DoesNotUpdateAvatar` — server returns 403; user's
avatar must remain unset.
- `AutoRegister_EmptyPicture_NoFetch` — empty `picture` claim must not
trigger any HTTP request.
- `AutoRegister_UpdateAvatarFalse_NoFetch` — `UPDATE_AVATAR=false` must
not trigger any HTTP request.
- `LinkAccountRegister_FetchesAvatarFromPicture` — guards the
`linkaccount.go` fix; without the new `oauth2SignInSync` call this
assertion fails.

## Related

- Upstream issue: go-gitea/gitea#37564
--------------------------------------------

AI Editor was used in this PR

---------

Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Nicolas <bircni@icloud.com>

2026-05-15 11:22:36 -07:00

.devcontainer

chore: upgrade Go version in devcontainer image to 1.26 (#37374 )

2026-04-22 21:47:59 +02:00

.gitea

…

.github

fix: catch and fix more lint problems (#37674 )

2026-05-13 09:00:41 +02:00

assets

fix(deps): update go dependencies (major) (#37639 )

2026-05-11 07:00:29 +00:00

build

chore: clean up "contrib" dir (#37690 )

2026-05-13 14:22:47 +00:00

cmd

refactor(log): replace log.Critical with log.Error (#37624 )

2026-05-09 16:32:49 +00:00

contrib

chore: clean up "contrib" dir (#37690 )

2026-05-13 14:22:47 +00:00

custom/conf

refactor: use modernc sqlite driver as default (#37562 )

2026-05-06 18:57:59 +00:00

docker

Fix various problems (#37129 )

2026-04-08 01:17:05 +08:00

docs

Improve Contributing docs and set a release schedule (#37109 )

2026-04-12 11:26:02 -07:00

models

fix(actions): deadlock between PrepareRunAndInsert and UpdateTaskByState (#37692 )

2026-05-15 08:39:18 +00:00

modules

fix(auth): set User-Agent on avatar fetch and sync avatar on link-account register (#37564 ) (#37588 )

2026-05-15 11:22:36 -07:00

options

[skip ci] Updated translations via Crowdin

2026-05-14 01:11:01 +00:00

public

Update go js py dependencies (#37525 )

2026-05-04 19:27:47 +00:00

routers

fix(auth): set User-Agent on avatar fetch and sync avatar on link-account register (#37564 ) (#37588 )

2026-05-15 11:22:36 -07:00

services

fix(actions): deadlock between PrepareRunAndInsert and UpdateTaskByState (#37692 )

2026-05-15 08:39:18 +00:00

snap

fix: snap build (main branch) (#37685 )

2026-05-13 17:31:47 -07:00

templates

feat(api): add sort and order query parameters to job list endpoints (#37672 )

2026-05-13 13:11:02 +00:00

tests

fix(auth): set User-Agent on avatar fetch and sync avatar on link-account register (#37564 ) (#37588 )

2026-05-15 11:22:36 -07:00

tools

fix: catch and fix more lint problems (#37674 )

2026-05-13 09:00:41 +02:00

web_src

refactor: replace Fomantic search module with first-party code (#37443 )

2026-05-11 05:25:26 +00:00

.air.toml

…

.changelog.yml

Don't add useless labels which will bother changelog generation (#37267 )

2026-04-19 11:34:40 -07:00

.dockerignore

Refactor integration tests infrastructure (#37462 )

2026-04-29 16:37:38 +00:00

.editorconfig

Serve OpenAPI 3.0 spec at /openapi.v1.json (#37038 )

2026-04-29 20:47:52 +08:00

.envrc

…

.gitattributes

…

.gitignore

Allow multiple projects per issue and pull requests (#36784 )

2026-04-30 22:38:05 +08:00

.golangci.yml

perf: replace goheader linter with custom check (#37599 )

2026-05-08 23:39:35 +02:00

.ignore

…

.mailmap

…

.markdownlint.yaml

…

.spectral.yaml

…

.yamllint.yaml

Move jobparser from act repository to Gitea (#36699 )

2026-02-22 19:33:01 +00:00

AGENTS.md

docs(agents): update AGENTS.md (#37684 )

2026-05-13 08:27:22 +02:00

BSDmakefile

…

CHANGELOG-archived.md

…

CHANGELOG.md

docs: fix 4 typos in CHANGELOG.md (#37549 )

2026-05-05 17:25:44 +02:00

CLAUDE.md

Improve timeline entries for WIP prefix changes in pull requests (#36518 )

2026-02-05 05:57:08 +00:00

CODE_OF_CONDUCT.md

…

CONTRIBUTING.md

ci: allow chore type in PR title lint (#37575 )

2026-05-07 17:18:10 +00:00

crowdin.yml

…

DCO

…

Dockerfile

build: update pnpm to v11 (#37591 )

2026-05-08 04:17:20 +00:00

Dockerfile.rootless

build: update pnpm to v11 (#37591 )

2026-05-08 04:17:20 +00:00

eslint.config.ts

feat(editor): broaden language detection in web code editor (#37619 )

2026-05-10 04:51:46 +00:00

eslint.json.config.ts

chore: clean up "contrib" dir (#37690 )

2026-05-13 14:22:47 +00:00

flake.lock

Update Nix flake (#37425 )

2026-04-26 11:46:48 +02:00

flake.nix

refactor: use modernc sqlite driver as default (#37562 )

2026-05-06 18:57:59 +00:00

go.mod

fix(deps): update go dependencies (major) (#37639 )

2026-05-11 07:00:29 +00:00

go.sum

fix(deps): update go dependencies (major) (#37639 )

2026-05-11 07:00:29 +00:00

LICENSE

…

main_timezones.go

…

main.go

Clean up Makefile, tests and legacy code (#36638 )

2026-02-19 01:23:32 +00:00

MAINTAINERS

Apply as maintainer (#36947 )

2026-03-22 08:18:42 -07:00

Makefile

test(e2e): run playwright via container (#37300 )

2026-05-10 09:16:02 +00:00

package.json

fix(deps): update dependency mermaid to v11.15.0 [security], add e2e test (#37662 )

2026-05-12 01:34:49 +02:00

playwright.config.ts

Revert "Add WebKit to e2e test matrix (#37298 )" (#37315 )

2026-04-20 19:49:38 +00:00

pnpm-lock.yaml

fix(deps): update dependency mermaid to v11.15.0 [security], add e2e test (#37662 )

2026-05-12 01:34:49 +02:00

pnpm-workspace.yaml

fix(deps): update npm dependencies (#37636 )

2026-05-11 05:01:34 +00:00

pyproject.toml

…

README.md

refactor: use modernc sqlite driver as default (#37562 )

2026-05-06 18:57:59 +00:00

README.zh-cn.md

refactor: use modernc sqlite driver as default (#37562 )

2026-05-06 18:57:59 +00:00

README.zh-tw.md

refactor: use modernc sqlite driver as default (#37562 )

2026-05-06 18:57:59 +00:00

renovate.json5

fix(deps): update npm dependencies (#37647 )

2026-05-11 16:03:11 +00:00

SECURITY.md

…

stylelint.config.ts

refactor: lint bare fill/stroke colors, add vars for git graph color series (#37543 )

2026-05-07 21:18:23 +00:00

tailwind.config.ts

Fix UI regression (#37218 )

2026-04-14 23:24:44 +08:00

tsconfig.json

Enable strict TypeScript, add errorMessage helper (#37292 )

2026-04-20 07:22:05 +00:00

types.d.ts

Remove htmx (#37224 )

2026-04-15 17:26:26 +00:00

uv.lock

Update go js py dependencies (#37525 )

2026-05-04 19:27:47 +00:00

vite.config.ts

Fail vite build on rolldown warnings via NODE_ENV=test (#37270 )

2026-04-21 18:11:07 +00:00

vitest.config.ts

Enable concurrent vitest execution (#36998 )

2026-03-30 16:17:16 +00:00

README.md

Gitea

繁體中文 | 简体中文

Purpose

The goal of this project is to make the easiest, fastest, and most painless way of setting up a self-hosted Git service.

As Gitea is written in Go, it works across all the platforms and architectures that are supported by Go, including Linux, macOS, and Windows on x86, amd64, ARM and PowerPC architectures. This project has been forked from Gogs since November of 2016, but a lot has changed.

For online demonstrations, you can visit demo.gitea.com.

For accessing free Gitea service (with a limited number of repositories), you can visit gitea.com.

To quickly deploy your own dedicated Gitea instance on Gitea Cloud, you can start a free trial at cloud.gitea.com.

Documentation

You can find comprehensive documentation on our official documentation website.

It includes installation, administration, usage, development, contributing guides, and more to help you get started and explore all features effectively.

If you have any suggestions or would like to contribute to it, you can visit the documentation repository

Building

From the root of the source tree, run:

TAGS="bindata" make build

The build target is split into two sub-targets:

make backend which requires Go Stable, the required version is defined in go.mod.
make frontend which requires Node.js LTS or greater and pnpm.

Internet connectivity is required to download the go and npm modules. When building from the official source tarballs which include pre-built frontend files, the frontend target will not be triggered, making it possible to build without Node.js.

More info: https://docs.gitea.com/installation/install-from-source

Using

After building, a binary file named gitea will be generated in the root of the source tree by default. To run it, use:

./gitea web

Note

If you're interested in using our APIs, we have experimental support with documentation.

Contributing

Expected workflow is: Fork -> Patch -> Push -> Pull Request

Note

YOU MUST READ THE CONTRIBUTORS GUIDE BEFORE STARTING TO WORK ON A PULL REQUEST.

If you have found a vulnerability in the project, please write privately to security@gitea.io. Thanks!

Translating

Translations are done through Crowdin. If you want to translate to a new language, ask one of the managers in the Crowdin project to add a new language there.

You can also just create an issue for adding a language or ask on Discord on the #translation channel. If you need context or find some translation issues, you can leave a comment on the string or ask on Discord. For general translation questions there is a section in the docs. Currently a bit empty, but we hope to fill it as questions pop up.

Get more information from documentation.

Official and Third-Party Projects

We provide an official go-sdk, a CLI tool called tea and an action runner for Gitea Action.

We maintain a list of Gitea-related projects at gitea/awesome-gitea, where you can discover more third-party projects, including SDKs, plugins, themes, and more.

Communication

If you have questions that are not covered by the documentation, you can get in contact with us on our Discord server or create a post in the discourse forum.