Add basic auth support to rss/atom feeds (#33371)

Allows RSS readers to access private feeds using their basic auth capabilities. Not all clients feature the ability to add cookies or headers. fixes #32458 Tested with miniflux no credentials: ![image](https://github.com/user-attachments/assets/8c3369f2-1cf6-4ce3-ac6e-84447e454928) basic auth entered: ![image](https://github.com/user-attachments/assets/c93ff22c-1429-4a80-898f-91d9f35c7c61) ![image](https://github.com/user-attachments/assets/60d83afd-9dde-4973-a440-ff8138799e87) --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2025-01-27 03:07:39 +01:00 · 2025-01-27 03:07:39 +01:00 · c79adf00b8
commit c79adf00b8
parent 26b51aa032
3 changed files with 57 additions and 19 deletions
--- a/services/auth/auth.go
+++ b/services/auth/auth.go
@ -26,13 +26,17 @@ type globalVarsStruct struct {
 	gitRawOrAttachPathRe *regexp.Regexp
 	lfsPathRe            *regexp.Regexp
 	archivePathRe        *regexp.Regexp
+	feedPathRe           *regexp.Regexp
+	feedRefPathRe        *regexp.Regexp
 }

 var globalVars = sync.OnceValue(func() *globalVarsStruct {
 	return &globalVarsStruct{
-		gitRawOrAttachPathRe: regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/)|(?:raw/)|(?:releases/download/)|(?:attachments/))`),
-		lfsPathRe:            regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/info/lfs/`),
-		archivePathRe:        regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/archive/`),
+		gitRawOrAttachPathRe: regexp.MustCompile(`^/[-.\w]+/[-.\w]+/(?:(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/)|(?:raw/)|(?:releases/download/)|(?:attachments/))`),
+		lfsPathRe:            regexp.MustCompile(`^/[-.\w]+/[-.\w]+/info/lfs/`),
+		archivePathRe:        regexp.MustCompile(`^/[-.\w]+/[-.\w]+/archive/`),
+		feedPathRe:           regexp.MustCompile(`^/[-.\w]+(/[-.\w]+)?\.(rss|atom)$`), // "/owner.rss" or "/owner/repo.atom"
+		feedRefPathRe:        regexp.MustCompile(`^/[-.\w]+/[-.\w]+/(rss|atom)/`),     // "/owner/repo/rss/branch/..."
 	}
 })

@ -61,6 +65,16 @@ func (a *authPathDetector) isAttachmentDownload() bool {
 	return strings.HasPrefix(a.req.URL.Path, "/attachments/") && a.req.Method == "GET"
 }

+func (a *authPathDetector) isFeedRequest(req *http.Request) bool {
+	if !setting.Other.EnableFeed {
+		return false
+	}
+	if req.Method != "GET" {
+		return false
+	}
+	return a.vars.feedPathRe.MatchString(req.URL.Path) || a.vars.feedRefPathRe.MatchString(req.URL.Path)
+}
+
 // isContainerPath checks if the request targets the container endpoint
 func (a *authPathDetector) isContainerPath() bool {
 	return strings.HasPrefix(a.req.URL.Path, "/v2/")