fix

wxiaoguang · wxiaoguang · commit 0092b3f8b4f0 · 2025-03-26T18:13:36.000+08:00
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
@@ -780,6 +780,9 @@ LEVEL = Info
 ;ALLOW_ONLY_EXTERNAL_REGISTRATION = false
 ;;
 ;; User must sign in to view anything.
+;; It could be set to "expensive" to block anonymous users accessing some pages which consume a lot of resources,
+;; for example: block anonymous AI crawlers from accessing repo code pages.
+;; The "expensive" mode is experimental and subject to change.
 ;REQUIRE_SIGNIN_VIEW = false
 ;;
 ;; Mail notification
diff --git a/modules/setting/config_provider.go b/modules/setting/config_provider.go
@@ -26,6 +26,7 @@ type ConfigKey interface {
 	In(defaultVal string, candidates []string) string
 	String() string
 	Strings(delim string) []string
+	Bool() (bool, error)
 
 	MustString(defaultVal string) string
 	MustBool(defaultVal ...bool) bool
diff --git a/modules/setting/service.go b/modules/setting/service.go
@@ -43,7 +43,8 @@ var Service = struct {
 	ShowRegistrationButton                  bool
 	EnablePasswordSignInForm                bool
 	ShowMilestonesDashboardPage             bool
-	RequireSignInView                       bool
+	RequireSignInViewStrict                 bool
+	BlockAnonymousAccessExpensive           bool
 	EnableNotifyMail                        bool
 	EnableBasicAuth                         bool
 	EnablePasskeyAuth                       bool
@@ -159,7 +160,18 @@ func loadServiceFrom(rootCfg ConfigProvider) {
 	Service.EmailDomainBlockList = CompileEmailGlobList(sec, "EMAIL_DOMAIN_BLOCKLIST")
 	Service.ShowRegistrationButton = sec.Key("SHOW_REGISTRATION_BUTTON").MustBool(!(Service.DisableRegistration || Service.AllowOnlyExternalRegistration))
 	Service.ShowMilestonesDashboardPage = sec.Key("SHOW_MILESTONES_DASHBOARD_PAGE").MustBool(true)
-	Service.RequireSignInView = sec.Key("REQUIRE_SIGNIN_VIEW").MustBool()
+
+	// boolean values are considered as "strict"
+	var err error
+	Service.RequireSignInViewStrict, err = sec.Key("REQUIRE_SIGNIN_VIEW").Bool()
+	if s := sec.Key("REQUIRE_SIGNIN_VIEW").String(); err != nil && s != "" {
+		// non-boolean value only supports "expensive" at the moment
+		Service.BlockAnonymousAccessExpensive = s == "expensive"
+		if !Service.BlockAnonymousAccessExpensive {
+			log.Fatal("Invalid config option: REQUIRE_SIGNIN_VIEW = %s", s)
+		}
+	}
+
 	Service.EnableBasicAuth = sec.Key("ENABLE_BASIC_AUTHENTICATION").MustBool(true)
 	Service.EnablePasswordSignInForm = sec.Key("ENABLE_PASSWORD_SIGNIN_FORM").MustBool(true)
 	Service.EnablePasskeyAuth = sec.Key("ENABLE_PASSKEY_AUTHENTICATION").MustBool(true)
diff --git a/routers/api/packages/cargo/cargo.go b/routers/api/packages/cargo/cargo.go
@@ -51,7 +51,7 @@ func apiError(ctx *context.Context, status int, obj any) {
 
 // https://rust-lang.github.io/rfcs/2789-sparse-index.html
 func RepositoryConfig(ctx *context.Context) {
-	ctx.JSON(http.StatusOK, cargo_service.BuildConfig(ctx.Package.Owner, setting.Service.RequireSignInView || ctx.Package.Owner.Visibility != structs.VisibleTypePublic))
+	ctx.JSON(http.StatusOK, cargo_service.BuildConfig(ctx.Package.Owner, setting.Service.RequireSignInViewStrict || ctx.Package.Owner.Visibility != structs.VisibleTypePublic))
 }
 
 func EnumeratePackageVersions(ctx *context.Context) {
diff --git a/routers/api/packages/container/container.go b/routers/api/packages/container/container.go
@@ -126,7 +126,7 @@ func apiUnauthorizedError(ctx *context.Context) {
 
 // ReqContainerAccess is a middleware which checks the current user valid (real user or ghost if anonymous access is enabled)
 func ReqContainerAccess(ctx *context.Context) {
-	if ctx.Doer == nil || (setting.Service.RequireSignInView && ctx.Doer.IsGhost()) {
+	if ctx.Doer == nil || (setting.Service.RequireSignInViewStrict && ctx.Doer.IsGhost()) {
 		apiUnauthorizedError(ctx)
 	}
 }
@@ -152,7 +152,7 @@ func Authenticate(ctx *context.Context) {
 	u := ctx.Doer
 	packageScope := auth_service.GetAccessScope(ctx.Data)
 	if u == nil {
-		if setting.Service.RequireSignInView {
+		if setting.Service.RequireSignInViewStrict {
 			apiUnauthorizedError(ctx)
 			return
 		}
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
@@ -355,7 +355,7 @@ func reqToken() func(ctx *context.APIContext) {
 
 func reqExploreSignIn() func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
-		if (setting.Service.RequireSignInView || setting.Service.Explore.RequireSigninView) && !ctx.IsSigned {
+		if (setting.Service.RequireSignInViewStrict || setting.Service.Explore.RequireSigninView) && !ctx.IsSigned {
 			ctx.APIError(http.StatusUnauthorized, "you must be signed in to search for users")
 		}
 	}
@@ -886,7 +886,7 @@ func Routes() *web.Router {
 	m.Use(apiAuth(buildAuthGroup()))
 
 	m.Use(verifyAuthWithOptions(&common.VerifyOptions{
-		SignInRequired: setting.Service.RequireSignInView,
+		SignInRequired: setting.Service.RequireSignInViewStrict,
 	}))
 
 	addActionsRoutes := func(
diff --git a/routers/common/blockexpensive.go b/routers/common/blockexpensive.go
@@ -0,0 +1,88 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"net/http"
+	"strings"
+
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/reqctx"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/web/middleware"
+
+	"github.com/go-chi/chi/v5"
+)
+
+func BlockExpensive() func(next http.Handler) http.Handler {
+	if !setting.Service.BlockAnonymousAccessExpensive {
+		return nil
+	}
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			ret := determineRequestPriority(reqctx.FromContext(req.Context()))
+			if !ret.SignIn {
+				if ret.Expensive || ret.LongPolling {
+					http.Redirect(w, req, setting.AppSubURL+"/user/login", http.StatusSeeOther)
+					return
+				}
+			}
+			next.ServeHTTP(w, req)
+		})
+	}
+}
+
+func isRoutePathExpensive(routePattern string) bool {
+	if strings.HasPrefix(routePattern, "/user/") || strings.HasPrefix(routePattern, "/login/") {
+		return false
+	}
+
+	expensivePaths := []string{
+		// code related
+		"/{username}/{reponame}/archive/",
+		"/{username}/{reponame}/blame/",
+		"/{username}/{reponame}/commit/",
+		"/{username}/{reponame}/commits/",
+		"/{username}/{reponame}/media/",
+		"/{username}/{reponame}/raw/",
+		"/{username}/{reponame}/src/",
+
+		// issue & PR related (no trailing slash)
+		"/{username}/{reponame}/issues",
+		"/{username}/{reponame}/{type:issues}",
+		"/{username}/{reponame}/pulls",
+		"/{username}/{reponame}/{type:pulls}",
+
+		// wiki
+		"/{username}/{reponame}/wiki/",
+	}
+	for _, path := range expensivePaths {
+		if strings.HasPrefix(routePattern, path) {
+			return true
+		}
+	}
+	return false
+}
+
+func isRoutePathForLongPolling(routePattern string) bool {
+	return routePattern == "/user/events"
+}
+
+// TODO: add some tests
+
+func determineRequestPriority(reqCtx reqctx.RequestContext) (ret struct {
+	SignIn      bool
+	Expensive   bool
+	LongPolling bool
+},
+) {
+	chiRoutePath := chi.RouteContext(reqCtx).RoutePattern()
+	if _, ok := reqCtx.GetData()[middleware.ContextDataKeySignedUser].(*user_model.User); ok {
+		ret.SignIn = true
+	} else {
+		ret.Expensive = isRoutePathExpensive(chiRoutePath)
+		ret.LongPolling = isRoutePathForLongPolling(chiRoutePath)
+	}
+	return ret
+}
diff --git a/routers/install/install.go b/routers/install/install.go
@@ -151,7 +151,7 @@ func Install(ctx *context.Context) {
 	form.DisableRegistration = setting.Service.DisableRegistration
 	form.AllowOnlyExternalRegistration = setting.Service.AllowOnlyExternalRegistration
 	form.EnableCaptcha = setting.Service.EnableCaptcha
-	form.RequireSignInView = setting.Service.RequireSignInView
+	form.RequireSignInView = setting.Service.RequireSignInViewStrict
 	form.DefaultKeepEmailPrivate = setting.Service.DefaultKeepEmailPrivate
 	form.DefaultAllowCreateOrganization = setting.Service.DefaultAllowCreateOrganization
 	form.DefaultEnableTimetracking = setting.Service.DefaultEnableTimetracking
diff --git a/routers/private/serv.go b/routers/private/serv.go
@@ -286,7 +286,7 @@ func ServCommand(ctx *context.PrivateContext) {
 			repo.IsPrivate ||
 			owner.Visibility.IsPrivate() ||
 			(user != nil && user.IsRestricted) || // user will be nil if the key is a deploykey
-			setting.Service.RequireSignInView) {
+			setting.Service.RequireSignInViewStrict) {
 		if key.Type == asymkey_model.KeyTypeDeploy {
 			if deployKey.Mode < mode {
 				ctx.JSON(http.StatusUnauthorized, private.Response{
diff --git a/routers/web/githttp.go b/routers/web/githttp.go
@@ -14,7 +14,7 @@ import (
 
 func addOwnerRepoGitHTTPRouters(m *web.Router) {
 	reqGitSignIn := func(ctx *context.Context) {
-		if !setting.Service.RequireSignInView {
+		if !setting.Service.RequireSignInViewStrict {
 			return
 		}
 		// rely on the results of Contexter
diff --git a/routers/web/repo/githttp.go b/routers/web/repo/githttp.go
@@ -127,7 +127,7 @@ func httpBase(ctx *context.Context) *serviceHandler {
 	// Only public pull don't need auth.
 	isPublicPull := repoExist && !repo.IsPrivate && isPull
 	var (
-		askAuth = !isPublicPull || setting.Service.RequireSignInView
+		askAuth = !isPublicPull || setting.Service.RequireSignInViewStrict
 		environ []string
 	)
 
diff --git a/routers/web/web.go b/routers/web/web.go
@@ -283,23 +283,23 @@ func Routes() *web.Router {
 	mid = append(mid, goGet)
 	mid = append(mid, common.PageTmplFunctions)
 
-	others := web.NewRouter()
-	others.Use(mid...)
-	registerRoutes(others)
-	routes.Mount("", others)
+	webRoutes := web.NewRouter()
+	webRoutes.Use(mid...)
+	webRoutes.Group("", func() { registerWebRoutes(webRoutes) }, common.BlockExpensive())
+	routes.Mount("", webRoutes)
 	return routes
 }
 
 var optSignInIgnoreCsrf = verifyAuthWithOptions(&common.VerifyOptions{DisableCSRF: true})
 
-// registerRoutes register routes
-func registerRoutes(m *web.Router) {
+// registerWebRoutes register routes
+func registerWebRoutes(m *web.Router) {
 	// required to be signed in or signed out
 	reqSignIn := verifyAuthWithOptions(&common.VerifyOptions{SignInRequired: true})
 	reqSignOut := verifyAuthWithOptions(&common.VerifyOptions{SignOutRequired: true})
 	// optional sign in (if signed in, use the user as doer, if not, no doer)
-	optSignIn := verifyAuthWithOptions(&common.VerifyOptions{SignInRequired: setting.Service.RequireSignInView})
-	optExploreSignIn := verifyAuthWithOptions(&common.VerifyOptions{SignInRequired: setting.Service.RequireSignInView || setting.Service.Explore.RequireSigninView})
+	optSignIn := verifyAuthWithOptions(&common.VerifyOptions{SignInRequired: setting.Service.RequireSignInViewStrict})
+	optExploreSignIn := verifyAuthWithOptions(&common.VerifyOptions{SignInRequired: setting.Service.RequireSignInViewStrict || setting.Service.Explore.RequireSigninView})
 
 	validation.AddBindingRules()
 
diff --git a/services/context/package.go b/services/context/package.go
@@ -93,7 +93,7 @@ func packageAssignment(ctx *packageAssignmentCtx, errCb func(int, any)) *Package
 }
 
 func determineAccessMode(ctx *Base, pkg *Package, doer *user_model.User) (perm.AccessMode, error) {
-	if setting.Service.RequireSignInView && (doer == nil || doer.IsGhost()) {
+	if setting.Service.RequireSignInViewStrict && (doer == nil || doer.IsGhost()) {
 		return perm.AccessModeNone, nil
 	}
 
diff --git a/services/packages/cargo/index.go b/services/packages/cargo/index.go
@@ -247,7 +247,7 @@ func createOrUpdateConfigFile(ctx context.Context, repo *repo_model.Repository,
 		"Initialize Cargo Config",
 		func(t *files_service.TemporaryUploadRepository) error {
 			var b bytes.Buffer
-			err := json.NewEncoder(&b).Encode(BuildConfig(owner, setting.Service.RequireSignInView || owner.Visibility != structs.VisibleTypePublic || repo.IsPrivate))
+			err := json.NewEncoder(&b).Encode(BuildConfig(owner, setting.Service.RequireSignInViewStrict || owner.Visibility != structs.VisibleTypePublic || repo.IsPrivate))
 			if err != nil {
 				return err
 			}

Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ func apiError(ctx *context.Context, status int, obj any) {`
`51`	`51`
`52`	`52`	`// https://rust-lang.github.io/rfcs/2789-sparse-index.html`
`53`	`53`	`func RepositoryConfig(ctx *context.Context) {`
`54`		`- ctx.JSON(http.StatusOK, cargo_service.BuildConfig(ctx.Package.Owner, setting.Service.RequireSignInView \|\| ctx.Package.Owner.Visibility != structs.VisibleTypePublic))`
	`54`	`+ ctx.JSON(http.StatusOK, cargo_service.BuildConfig(ctx.Package.Owner, setting.Service.RequireSignInViewStrict \|\| ctx.Package.Owner.Visibility != structs.VisibleTypePublic))`
`55`	`55`	`}`
`56`	`56`
`57`	`57`	`func EnumeratePackageVersions(ctx *context.Context) {`
Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,7 @@ func apiUnauthorizedError(ctx *context.Context) {`
`126`	`126`
`127`	`127`	`// ReqContainerAccess is a middleware which checks the current user valid (real user or ghost if anonymous access is enabled)`
`128`	`128`	`func ReqContainerAccess(ctx *context.Context) {`
`129`		`- if ctx.Doer == nil \|\| (setting.Service.RequireSignInView && ctx.Doer.IsGhost()) {`
	`129`	`+ if ctx.Doer == nil \|\| (setting.Service.RequireSignInViewStrict && ctx.Doer.IsGhost()) {`
`130`	`130`	`apiUnauthorizedError(ctx)`
`131`	`131`	`}`
`132`	`132`	`}`
`@@ -152,7 +152,7 @@ func Authenticate(ctx *context.Context) {`
`152`	`152`	`u := ctx.Doer`
`153`	`153`	`packageScope := auth_service.GetAccessScope(ctx.Data)`
`154`	`154`	`if u == nil {`
`155`		`- if setting.Service.RequireSignInView {`
	`155`	`+ if setting.Service.RequireSignInViewStrict {`
`156`	`156`	`apiUnauthorizedError(ctx)`
`157`	`157`	`return`
`158`	`158`	`}`
Original file line number	Diff line number	Diff line change
`@@ -355,7 +355,7 @@ func reqToken() func(ctx *context.APIContext) {`
`355`	`355`
`356`	`356`	`func reqExploreSignIn() func(ctx *context.APIContext) {`
`357`	`357`	`return func(ctx *context.APIContext) {`
`358`		`- if (setting.Service.RequireSignInView \|\| setting.Service.Explore.RequireSigninView) && !ctx.IsSigned {`
	`358`	`+ if (setting.Service.RequireSignInViewStrict \|\| setting.Service.Explore.RequireSigninView) && !ctx.IsSigned {`
`359`	`359`	`ctx.APIError(http.StatusUnauthorized, "you must be signed in to search for users")`
`360`	`360`	`}`
`361`	`361`	`}`
`@@ -886,7 +886,7 @@ func Routes() *web.Router {`
`886`	`886`	`m.Use(apiAuth(buildAuthGroup()))`
`887`	`887`
`888`	`888`	`m.Use(verifyAuthWithOptions(&common.VerifyOptions{`
`889`		`- SignInRequired: setting.Service.RequireSignInView,`
	`889`	`+ SignInRequired: setting.Service.RequireSignInViewStrict,`
`890`	`890`	`}))`
`891`	`891`
`892`	`892`	`addActionsRoutes := func(`
Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ import (`
`14`	`14`
`15`	`15`	`func addOwnerRepoGitHTTPRouters(m *web.Router) {`
`16`	`16`	`reqGitSignIn := func(ctx *context.Context) {`
`17`		`- if !setting.Service.RequireSignInView {`
	`17`	`+ if !setting.Service.RequireSignInViewStrict {`
`18`	`18`	`return`
`19`	`19`	`}`
`20`	`20`	`// rely on the results of Contexter`
Original file line number	Diff line number	Diff line change
`@@ -127,7 +127,7 @@ func httpBase(ctx context.Context) serviceHandler {`
`127`	`127`	`// Only public pull don't need auth.`
`128`	`128`	`isPublicPull := repoExist && !repo.IsPrivate && isPull`
`129`	`129`	`var (`
`130`		`- askAuth = !isPublicPull \|\| setting.Service.RequireSignInView`
	`130`	`+ askAuth = !isPublicPull \|\| setting.Service.RequireSignInViewStrict`
`131`	`131`	`environ []string`
`132`	`132`	`)`
`133`	`133`
Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ func packageAssignment(ctx packageAssignmentCtx, errCb func(int, any)) Package`
`93`	`93`	`}`
`94`	`94`
`95`	`95`	`func determineAccessMode(ctx Base, pkg Package, doer *user_model.User) (perm.AccessMode, error) {`
`96`		`- if setting.Service.RequireSignInView && (doer == nil \|\| doer.IsGhost()) {`
	`96`	`+ if setting.Service.RequireSignInViewStrict && (doer == nil \|\| doer.IsGhost()) {`
`97`	`97`	`return perm.AccessModeNone, nil`
`98`	`98`	`}`
`99`	`99`
Original file line number	Diff line number	Diff line change
`@@ -247,7 +247,7 @@ func createOrUpdateConfigFile(ctx context.Context, repo *repo_model.Repository,`
`247`	`247`	`"Initialize Cargo Config",`
`248`	`248`	`func(t *files_service.TemporaryUploadRepository) error {`
`249`	`249`	`var b bytes.Buffer`
`250`		`- err := json.NewEncoder(&b).Encode(BuildConfig(owner, setting.Service.RequireSignInView \|\| owner.Visibility != structs.VisibleTypePublic \|\| repo.IsPrivate))`
	`250`	`+ err := json.NewEncoder(&b).Encode(BuildConfig(owner, setting.Service.RequireSignInViewStrict \|\| owner.Visibility != structs.VisibleTypePublic \|\| repo.IsPrivate))`
`251`	`251`	`if err != nil {`
`252`	`252`	`return err`
`253`	`253`	`}`