0
0
mirror of https://github.com/go-gitea/gitea.git synced 2026-07-09 04:39:13 +02:00
gitea/models/avatars/avatar.go
Lunny Xiao cbe1b703dc
refactor: Use db.Get[] instead of db.GetEngine(ctx).Get(bean) to avoid zero value fetching wrong database record (#37977)
This PR replaces a set of struct-based `Get` lookups with explicit
`db.Get` / `db.Exist` conditions in places where zero-value fields can
lead to ambiguous matches or incorrect records being returned.

The main goal is to make read paths deterministic and avoid accidentally
matching the wrong row when only part of a struct is populated.

### What changed

- replace many `db.GetEngine(ctx).Get(bean)` calls with explicit
`builder.Eq` conditions across models such as actions, admin tasks,
issues, pull requests, repositories, users, packages, redirects,
watches, stars, and follows
- use quoted column names where needed for reserved fields like `index`,
`type`, and `name`
- add dedicated user lookup helpers for:
  - primary email
  - OAuth login source / login name
- update sign-in and OAuth-related flows to use explicit individual-user
lookups instead of partially populated `User` structs
- tighten package property and Terraform lock lookups to avoid ambiguous
reads and updates
- keep existing fallback behavior where needed, while removing reliance
on zero-value struct matching

### User-facing impact

These changes primarily affect authentication and account lookup paths:

- email/username sign-in now re-fetches users through explicit keys
- OAuth2 auto-linking now resolves users by name or primary email
explicitly
- OAuth2 login/sync now looks up users by login source, login type, and
login name explicitly
- non-individual accounts are no longer implicitly matched through
partial user lookups in these flows

This should reduce the risk of incorrect account matches and make query
behavior more predictable across the codebase.

---------

Co-authored-by: bircni <bircni@icloud.com>
2026-06-27 10:24:02 -07:00

241 lines
7.6 KiB
Go

// Copyright 2021 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package avatars
import (
"context"
"crypto/md5"
"encoding/hex"
"fmt"
"net/url"
"path"
"strconv"
"strings"
"sync/atomic"
"gitea.dev/models/db"
"gitea.dev/modules/cache"
"gitea.dev/modules/log"
"gitea.dev/modules/setting"
"strk.kbt.io/projects/go/libravatar"
"xorm.io/builder"
)
const (
// DefaultAvatarClass is the default class of a rendered avatar
DefaultAvatarClass = "ui avatar tw-align-middle"
// DefaultAvatarPixelSize is the default size in pixels of a rendered avatar
DefaultAvatarPixelSize = 28
)
// EmailHash represents a pre-generated hash map (mainly used by LibravatarURL, it queries email server's DNS records)
type EmailHash struct {
Hash string `xorm:"pk varchar(32)"`
Email string `xorm:"UNIQUE NOT NULL"`
}
func init() {
db.RegisterModel(new(EmailHash))
}
type avatarSettingStruct struct {
defaultAvatarLink string
gravatarSource string
gravatarSourceURL *url.URL
libravatar *libravatar.Libravatar
}
var avatarSettingAtomic atomic.Pointer[avatarSettingStruct]
func loadAvatarSetting() (*avatarSettingStruct, error) {
s := avatarSettingAtomic.Load()
if s == nil || s.gravatarSource != setting.GravatarSource {
s = &avatarSettingStruct{}
u, err := url.Parse(setting.AppSubURL)
if err != nil {
return nil, fmt.Errorf("unable to parse AppSubURL: %w", err)
}
u.Path = path.Join(u.Path, "/assets/img/avatar_default.png")
s.defaultAvatarLink = u.String()
s.gravatarSourceURL, err = url.Parse(setting.GravatarSource)
if err != nil {
return nil, fmt.Errorf("unable to parse GravatarSource %q: %w", setting.GravatarSource, err)
}
s.libravatar = libravatar.New()
if s.gravatarSourceURL.Scheme == "https" {
s.libravatar.SetUseHTTPS(true)
s.libravatar.SetSecureFallbackHost(s.gravatarSourceURL.Host)
} else {
s.libravatar.SetUseHTTPS(false)
s.libravatar.SetFallbackHost(s.gravatarSourceURL.Host)
}
avatarSettingAtomic.Store(s)
}
return s, nil
}
// DefaultAvatarLink the default avatar link
func DefaultAvatarLink() string {
a, err := loadAvatarSetting()
if err != nil {
log.Error("Failed to loadAvatarSetting: %v", err)
return ""
}
return a.defaultAvatarLink
}
// HashEmail hashes email address to MD5 string. https://en.gravatar.com/site/implement/hash/
func HashEmail(email string) string {
m := md5.New()
_, _ = m.Write([]byte(strings.ToLower(strings.TrimSpace(email))))
return hex.EncodeToString(m.Sum(nil))
}
// GetEmailForHash converts a provided md5sum to the email
func GetEmailForHash(ctx context.Context, md5Sum string) (string, error) {
return cache.GetString("Avatar:"+md5Sum, func() (string, error) {
emailHash, has, err := db.Get[EmailHash](ctx, builder.Eq{"`hash`": strings.ToLower(strings.TrimSpace(md5Sum))})
if err != nil {
return "", err
} else if !has {
return "", nil
}
return emailHash.Email, nil
})
}
// LibravatarURL returns the URL for the given email. Slow due to the DNS lookup.
// This function should only be called if a federated avatar service is enabled.
func LibravatarURL(email string) (*url.URL, error) {
a, err := loadAvatarSetting()
if err != nil {
return nil, err
}
urlStr, err := a.libravatar.FromEmail(email)
if err != nil {
log.Error("LibravatarService.FromEmail(email=%s): error %v", email, err)
return nil, err
}
u, err := url.Parse(urlStr)
if err != nil {
log.Error("Failed to parse libravatar url(%s): error %v", urlStr, err)
return nil, err
}
return u, nil
}
// saveEmailHash returns an avatar link for a provided email,
// the email and hash are saved into database, which will be used by GetEmailForHash later
func saveEmailHash(ctx context.Context, email string) string {
lowerEmail := strings.ToLower(strings.TrimSpace(email))
emailHash := HashEmail(lowerEmail)
_, _ = cache.GetString("Avatar:"+emailHash, func() (string, error) {
emailHash := &EmailHash{
Email: lowerEmail,
Hash: emailHash,
}
// OK we're going to open a session just because I think that that might hide away any problems with postgres reporting errors
if err := db.WithTx(ctx, func(ctx context.Context) error {
has, err := db.GetEngine(ctx).Where("email = ? AND hash = ?", emailHash.Email, emailHash.Hash).Get(new(EmailHash))
if has || err != nil {
// Seriously we don't care about any DB problems just return the lowerEmail - we expect the transaction to fail most of the time
return nil
}
_, _ = db.GetEngine(ctx).Insert(emailHash)
return nil
}); err != nil {
// Seriously we don't care about any DB problems just return the lowerEmail - we expect the transaction to fail most of the time
return lowerEmail, nil
}
return lowerEmail, nil
})
return emailHash
}
// GenerateUserAvatarFastLink returns a fast link (302) to the user's avatar: "/user/avatar/${User.Name}/${size}"
func GenerateUserAvatarFastLink(userName string, size int) string {
if size < 0 {
size = 0
}
return setting.AppSubURL + "/user/avatar/" + url.PathEscape(userName) + "/" + strconv.Itoa(size)
}
// GenerateUserAvatarImageLink returns a link for `User.Avatar` image file: "/avatars/${User.Avatar}"
func GenerateUserAvatarImageLink(userAvatar string, size int) string {
if size > 0 {
return setting.AppSubURL + "/avatars/" + url.PathEscape(userAvatar) + "?size=" + strconv.Itoa(size)
}
return setting.AppSubURL + "/avatars/" + url.PathEscape(userAvatar)
}
// generateRecognizedAvatarURL generate a recognized avatar (Gravatar/Libravatar) URL, it modifies the URL so the parameter is passed by a copy
func generateRecognizedAvatarURL(u url.URL, size int) string {
urlQuery := u.Query()
urlQuery.Set("d", "identicon")
if size > 0 {
urlQuery.Set("s", strconv.Itoa(size))
}
u.RawQuery = urlQuery.Encode()
return u.String()
}
// generateEmailAvatarLink returns a email avatar link.
// if final is true, it may use a slow path (eg: query DNS).
// if final is false, it always uses a fast path.
func generateEmailAvatarLink(ctx context.Context, email string, size int, final bool) string {
email = strings.TrimSpace(email)
if email == "" {
return DefaultAvatarLink()
}
avatarSetting, err := loadAvatarSetting()
if err != nil {
return DefaultAvatarLink()
}
enableFederatedAvatar := setting.Config().Picture.EnableFederatedAvatar.Value(ctx)
if enableFederatedAvatar {
emailHash := saveEmailHash(ctx, email)
if final {
// for final link, we can spend more time on slow external query
var avatarURL *url.URL
if avatarURL, err = LibravatarURL(email); err != nil {
return DefaultAvatarLink()
}
return generateRecognizedAvatarURL(*avatarURL, size)
}
// for non-final link, we should return fast (use a 302 redirection link)
urlStr := setting.AppSubURL + "/avatar/" + url.PathEscape(emailHash)
if size > 0 {
urlStr += "?size=" + strconv.Itoa(size)
}
return urlStr
}
disableGravatar := setting.Config().Picture.DisableGravatar.Value(ctx)
if !disableGravatar {
// copy GravatarSourceURL, because we will modify its Path.
avatarURLCopy := *avatarSetting.gravatarSourceURL
avatarURLCopy.Path = path.Join(avatarURLCopy.Path, HashEmail(email))
return generateRecognizedAvatarURL(avatarURLCopy, size)
}
return DefaultAvatarLink()
}
// GenerateEmailAvatarFastLink returns a avatar link (fast, the link may be a delegated one: "/avatar/${hash}")
func GenerateEmailAvatarFastLink(ctx context.Context, email string, size int) string {
return generateEmailAvatarLink(ctx, email, size, false)
}
// GenerateEmailAvatarFinalLink returns a avatar final link (maybe slow)
func GenerateEmailAvatarFinalLink(ctx context.Context, email string, size int) string {
return generateEmailAvatarLink(ctx, email, size, true)
}