From 772c17e21439762c66d16d605c4920e718b5641e Mon Sep 17 00:00:00 2001
From: fnetx <git@fralix.ovh>
Date: Fri, 26 Nov 2021 04:06:17 +0100
Subject: [PATCH] Pass Gitea API token to requests

This allows to display repos that aren't fully public. Some users seem
to be very interested in not having their pages viewable, and it might
make even sense to avoid e.g. search engines to read them.
If set to some random user string, this could allow to set the
visibility at least to limited (so only logged users see the repo), and
should allow to view private repos in the future with another API token.
---
 README.md  |  1 +
 domains.go |  2 +-
 handler.go | 10 +++++-----
 main.go    |  2 ++
 4 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index f545228..b6b1b98 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,7 @@
 - `PAGES_DOMAIN` (default: `codeberg.page`): main domain for pages.
 - `RAW_DOMAIN` (default: `raw.codeberg.org`): domain for raw resources.
 - `GITEA_ROOT` (default: `https://codeberg.org`): root of the upstream Gitea instance.
+- `GITEA_API_TOKEN` (default: empty): API token for the Gitea instance to access non-public (e.g. limited) repos.
 - `REDIRECT_BROKEN_DNS` (default: https://docs.codeberg.org/pages/custom-domains/): info page for setting up DNS, shown for invalid DNS setups.
 - `REDIRECT_RAW_INFO` (default: https://docs.codeberg.org/pages/raw-content/): info page for raw resources, shown if no resource is provided.
 - `ACME_API` (default: https://acme-v02.api.letsencrypt.org/directory): set this to https://acme.mock.director to use invalid certificates without any verification (great for debugging).  
diff --git a/domains.go b/domains.go
index 4dcaaee..0699f0f 100644
--- a/domains.go
+++ b/domains.go
@@ -81,7 +81,7 @@ func checkCanonicalDomain(targetOwner, targetRepo, targetBranch, actualDomain st
 		}
 	} else {
 		req := fasthttp.AcquireRequest()
-		req.SetRequestURI(string(GiteaRoot) + "/api/v1/repos/" + targetOwner + "/" + targetRepo + "/raw/" + targetBranch + "/.domains")
+		req.SetRequestURI(string(GiteaRoot) + "/api/v1/repos/" + targetOwner + "/" + targetRepo + "/raw/" + targetBranch + "/.domains" + "?access_token=" + string(GiteaApiToken))
 		res := fasthttp.AcquireResponse()
 
 		err := upstreamClient.Do(req, res)
diff --git a/handler.go b/handler.go
index cbfb958..2df2096 100644
--- a/handler.go
+++ b/handler.go
@@ -152,7 +152,7 @@ func handler(ctx *fasthttp.RequestCtx) {
 		if len(pathElements) > 2 && strings.HasPrefix(pathElements[2], "@") {
 			s.Step("raw domain preparations, now trying with specified branch")
 			if tryBranch(targetRepo, pathElements[2][1:], pathElements[3:],
-				string(GiteaRoot)+"/"+targetOwner+"/"+targetRepo+"/src/branch/%b/%p",
+				string(GiteaRoot)+"/"+targetOwner+"/"+targetRepo+"/src/branch/%b/%p"+"?access_token="+string(GiteaApiToken),
 			) {
 				s.Step("tryBranch, now trying upstream")
 				tryUpstream()
@@ -164,7 +164,7 @@ func handler(ctx *fasthttp.RequestCtx) {
 		} else {
 			s.Step("raw domain preparations, now trying with default branch")
 			tryBranch(targetRepo, "", pathElements[2:],
-				string(GiteaRoot)+"/"+targetOwner+"/"+targetRepo+"/src/branch/%b/%p",
+				string(GiteaRoot)+"/"+targetOwner+"/"+targetRepo+"/src/branch/%b/%p"+"?access_token="+string(GiteaApiToken),
 			)
 			s.Step("tryBranch, now trying upstream")
 			tryUpstream()
@@ -345,7 +345,7 @@ func getBranchTimestamp(owner, repo, branch string) *branchTimestamp {
 	if branch == "" {
 		// Get default branch
 		var body = make([]byte, 0)
-		status, body, err := fasthttp.GetTimeout(body, string(GiteaRoot)+"/api/v1/repos/"+owner+"/"+repo, 5*time.Second)
+		status, body, err := fasthttp.GetTimeout(body, string(GiteaRoot)+"/api/v1/repos/"+owner+"/"+repo+"?access_token="+string(GiteaApiToken), 5*time.Second)
 		if err != nil || status != 200 {
 			_ = branchTimestampCache.Set(owner+"/"+repo+"/"+branch, nil, DefaultBranchCacheTimeout)
 			return nil
@@ -354,7 +354,7 @@ func getBranchTimestamp(owner, repo, branch string) *branchTimestamp {
 	}
 
 	var body = make([]byte, 0)
-	status, body, err := fasthttp.GetTimeout(body, string(GiteaRoot)+"/api/v1/repos/"+owner+"/"+repo+"/branches/"+branch, 5*time.Second)
+	status, body, err := fasthttp.GetTimeout(body, string(GiteaRoot)+"/api/v1/repos/"+owner+"/"+repo+"/branches/"+branch+"?access_token="+string(GiteaApiToken), 5*time.Second)
 	if err != nil || status != 200 {
 		return nil
 	}
@@ -416,7 +416,7 @@ func upstream(ctx *fasthttp.RequestCtx, targetOwner string, targetRepo string, t
 		cachedResponse = cachedValue.(fileResponse)
 	} else {
 		req = fasthttp.AcquireRequest()
-		req.SetRequestURI(string(GiteaRoot) + "/api/v1/repos/" + uri)
+		req.SetRequestURI(string(GiteaRoot) + "/api/v1/repos/" + uri + "?access_token=" + string(GiteaApiToken))
 		res = fasthttp.AcquireResponse()
 		res.SetBodyStream(&strings.Reader{}, -1)
 		err = upstreamClient.Do(req, res)
diff --git a/main.go b/main.go
index 64f6447..331a81c 100644
--- a/main.go
+++ b/main.go
@@ -39,6 +39,8 @@ var MainDomainSuffix = []byte("." + envOr("PAGES_DOMAIN", "codeberg.page"))
 // GiteaRoot specifies the root URL of the Gitea instance, without a trailing slash.
 var GiteaRoot = []byte(envOr("GITEA_ROOT", "https://codeberg.org"))
 
+var GiteaApiToken = []byte(envOr("GITEA_API_TOKEN", ""))
+
 //go:embed 404.html
 var NotFoundPage []byte