From 772c17e21439762c66d16d605c4920e718b5641e Mon Sep 17 00:00:00 2001
From: fnetx <git@fralix.ovh>
Date: Fri, 26 Nov 2021 04:06:17 +0100
Subject: [PATCH 1/4] Pass Gitea API token to requests

This allows to display repos that aren't fully public. Some users seem
to be very interested in not having their pages viewable, and it might
make even sense to avoid e.g. search engines to read them.
If set to some random user string, this could allow to set the
visibility at least to limited (so only logged users see the repo), and
should allow to view private repos in the future with another API token.
---
 README.md  |  1 +
 domains.go |  2 +-
 handler.go | 10 +++++-----
 main.go    |  2 ++
 4 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index f545228..b6b1b98 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,7 @@
 - `PAGES_DOMAIN` (default: `codeberg.page`): main domain for pages.
 - `RAW_DOMAIN` (default: `raw.codeberg.org`): domain for raw resources.
 - `GITEA_ROOT` (default: `https://codeberg.org`): root of the upstream Gitea instance.
+- `GITEA_API_TOKEN` (default: empty): API token for the Gitea instance to access non-public (e.g. limited) repos.
 - `REDIRECT_BROKEN_DNS` (default: https://docs.codeberg.org/pages/custom-domains/): info page for setting up DNS, shown for invalid DNS setups.
 - `REDIRECT_RAW_INFO` (default: https://docs.codeberg.org/pages/raw-content/): info page for raw resources, shown if no resource is provided.
 - `ACME_API` (default: https://acme-v02.api.letsencrypt.org/directory): set this to https://acme.mock.director to use invalid certificates without any verification (great for debugging).  
diff --git a/domains.go b/domains.go
index 4dcaaee..0699f0f 100644
--- a/domains.go
+++ b/domains.go
@@ -81,7 +81,7 @@ func checkCanonicalDomain(targetOwner, targetRepo, targetBranch, actualDomain st
 		}
 	} else {
 		req := fasthttp.AcquireRequest()
-		req.SetRequestURI(string(GiteaRoot) + "/api/v1/repos/" + targetOwner + "/" + targetRepo + "/raw/" + targetBranch + "/.domains")
+		req.SetRequestURI(string(GiteaRoot) + "/api/v1/repos/" + targetOwner + "/" + targetRepo + "/raw/" + targetBranch + "/.domains" + "?access_token=" + string(GiteaApiToken))
 		res := fasthttp.AcquireResponse()
 
 		err := upstreamClient.Do(req, res)
diff --git a/handler.go b/handler.go
index cbfb958..2df2096 100644
--- a/handler.go
+++ b/handler.go
@@ -152,7 +152,7 @@ func handler(ctx *fasthttp.RequestCtx) {
 		if len(pathElements) > 2 && strings.HasPrefix(pathElements[2], "@") {
 			s.Step("raw domain preparations, now trying with specified branch")
 			if tryBranch(targetRepo, pathElements[2][1:], pathElements[3:],
-				string(GiteaRoot)+"/"+targetOwner+"/"+targetRepo+"/src/branch/%b/%p",
+				string(GiteaRoot)+"/"+targetOwner+"/"+targetRepo+"/src/branch/%b/%p"+"?access_token="+string(GiteaApiToken),
 			) {
 				s.Step("tryBranch, now trying upstream")
 				tryUpstream()
@@ -164,7 +164,7 @@ func handler(ctx *fasthttp.RequestCtx) {
 		} else {
 			s.Step("raw domain preparations, now trying with default branch")
 			tryBranch(targetRepo, "", pathElements[2:],
-				string(GiteaRoot)+"/"+targetOwner+"/"+targetRepo+"/src/branch/%b/%p",
+				string(GiteaRoot)+"/"+targetOwner+"/"+targetRepo+"/src/branch/%b/%p"+"?access_token="+string(GiteaApiToken),
 			)
 			s.Step("tryBranch, now trying upstream")
 			tryUpstream()
@@ -345,7 +345,7 @@ func getBranchTimestamp(owner, repo, branch string) *branchTimestamp {
 	if branch == "" {
 		// Get default branch
 		var body = make([]byte, 0)
-		status, body, err := fasthttp.GetTimeout(body, string(GiteaRoot)+"/api/v1/repos/"+owner+"/"+repo, 5*time.Second)
+		status, body, err := fasthttp.GetTimeout(body, string(GiteaRoot)+"/api/v1/repos/"+owner+"/"+repo+"?access_token="+string(GiteaApiToken), 5*time.Second)
 		if err != nil || status != 200 {
 			_ = branchTimestampCache.Set(owner+"/"+repo+"/"+branch, nil, DefaultBranchCacheTimeout)
 			return nil
@@ -354,7 +354,7 @@ func getBranchTimestamp(owner, repo, branch string) *branchTimestamp {
 	}
 
 	var body = make([]byte, 0)
-	status, body, err := fasthttp.GetTimeout(body, string(GiteaRoot)+"/api/v1/repos/"+owner+"/"+repo+"/branches/"+branch, 5*time.Second)
+	status, body, err := fasthttp.GetTimeout(body, string(GiteaRoot)+"/api/v1/repos/"+owner+"/"+repo+"/branches/"+branch+"?access_token="+string(GiteaApiToken), 5*time.Second)
 	if err != nil || status != 200 {
 		return nil
 	}
@@ -416,7 +416,7 @@ func upstream(ctx *fasthttp.RequestCtx, targetOwner string, targetRepo string, t
 		cachedResponse = cachedValue.(fileResponse)
 	} else {
 		req = fasthttp.AcquireRequest()
-		req.SetRequestURI(string(GiteaRoot) + "/api/v1/repos/" + uri)
+		req.SetRequestURI(string(GiteaRoot) + "/api/v1/repos/" + uri + "?access_token=" + string(GiteaApiToken))
 		res = fasthttp.AcquireResponse()
 		res.SetBodyStream(&strings.Reader{}, -1)
 		err = upstreamClient.Do(req, res)
diff --git a/main.go b/main.go
index 64f6447..331a81c 100644
--- a/main.go
+++ b/main.go
@@ -39,6 +39,8 @@ var MainDomainSuffix = []byte("." + envOr("PAGES_DOMAIN", "codeberg.page"))
 // GiteaRoot specifies the root URL of the Gitea instance, without a trailing slash.
 var GiteaRoot = []byte(envOr("GITEA_ROOT", "https://codeberg.org"))
 
+var GiteaApiToken = []byte(envOr("GITEA_API_TOKEN", ""))
+
 //go:embed 404.html
 var NotFoundPage []byte
 

From 455f65216c6c3175c8f2a2dd96384bd5c1beed6b Mon Sep 17 00:00:00 2001
From: fnetx <git@fralix.ovh>
Date: Fri, 26 Nov 2021 17:03:58 +0100
Subject: [PATCH 2/4] Remove access token from canonicalLink as per momar

---
 handler.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/handler.go b/handler.go
index 2df2096..af6497d 100644
--- a/handler.go
+++ b/handler.go
@@ -152,7 +152,7 @@ func handler(ctx *fasthttp.RequestCtx) {
 		if len(pathElements) > 2 && strings.HasPrefix(pathElements[2], "@") {
 			s.Step("raw domain preparations, now trying with specified branch")
 			if tryBranch(targetRepo, pathElements[2][1:], pathElements[3:],
-				string(GiteaRoot)+"/"+targetOwner+"/"+targetRepo+"/src/branch/%b/%p"+"?access_token="+string(GiteaApiToken),
+				string(GiteaRoot)+"/"+targetOwner+"/"+targetRepo+"/src/branch/%b/%p",
 			) {
 				s.Step("tryBranch, now trying upstream")
 				tryUpstream()
@@ -164,7 +164,7 @@ func handler(ctx *fasthttp.RequestCtx) {
 		} else {
 			s.Step("raw domain preparations, now trying with default branch")
 			tryBranch(targetRepo, "", pathElements[2:],
-				string(GiteaRoot)+"/"+targetOwner+"/"+targetRepo+"/src/branch/%b/%p"+"?access_token="+string(GiteaApiToken),
+				string(GiteaRoot)+"/"+targetOwner+"/"+targetRepo+"/src/branch/%b/%p",
 			)
 			s.Step("tryBranch, now trying upstream")
 			tryUpstream()

From 73da80adc1b61712407a9f9d116300cbdf0f686f Mon Sep 17 00:00:00 2001
From: fnetx <git@fralix.ovh>
Date: Fri, 26 Nov 2021 17:10:31 +0100
Subject: [PATCH 3/4] Switch GiteaApiToken from byte to string

---
 domains.go | 2 +-
 handler.go | 6 +++---
 main.go    | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/domains.go b/domains.go
index 0699f0f..0a5abc1 100644
--- a/domains.go
+++ b/domains.go
@@ -81,7 +81,7 @@ func checkCanonicalDomain(targetOwner, targetRepo, targetBranch, actualDomain st
 		}
 	} else {
 		req := fasthttp.AcquireRequest()
-		req.SetRequestURI(string(GiteaRoot) + "/api/v1/repos/" + targetOwner + "/" + targetRepo + "/raw/" + targetBranch + "/.domains" + "?access_token=" + string(GiteaApiToken))
+		req.SetRequestURI(string(GiteaRoot) + "/api/v1/repos/" + targetOwner + "/" + targetRepo + "/raw/" + targetBranch + "/.domains" + "?access_token=" + GiteaApiToken)
 		res := fasthttp.AcquireResponse()
 
 		err := upstreamClient.Do(req, res)
diff --git a/handler.go b/handler.go
index af6497d..720ccde 100644
--- a/handler.go
+++ b/handler.go
@@ -345,7 +345,7 @@ func getBranchTimestamp(owner, repo, branch string) *branchTimestamp {
 	if branch == "" {
 		// Get default branch
 		var body = make([]byte, 0)
-		status, body, err := fasthttp.GetTimeout(body, string(GiteaRoot)+"/api/v1/repos/"+owner+"/"+repo+"?access_token="+string(GiteaApiToken), 5*time.Second)
+		status, body, err := fasthttp.GetTimeout(body, string(GiteaRoot)+"/api/v1/repos/"+owner+"/"+repo+"?access_token="+GiteaApiToken, 5*time.Second)
 		if err != nil || status != 200 {
 			_ = branchTimestampCache.Set(owner+"/"+repo+"/"+branch, nil, DefaultBranchCacheTimeout)
 			return nil
@@ -354,7 +354,7 @@ func getBranchTimestamp(owner, repo, branch string) *branchTimestamp {
 	}
 
 	var body = make([]byte, 0)
-	status, body, err := fasthttp.GetTimeout(body, string(GiteaRoot)+"/api/v1/repos/"+owner+"/"+repo+"/branches/"+branch+"?access_token="+string(GiteaApiToken), 5*time.Second)
+	status, body, err := fasthttp.GetTimeout(body, string(GiteaRoot)+"/api/v1/repos/"+owner+"/"+repo+"/branches/"+branch+"?access_token="+GiteaApiToken, 5*time.Second)
 	if err != nil || status != 200 {
 		return nil
 	}
@@ -416,7 +416,7 @@ func upstream(ctx *fasthttp.RequestCtx, targetOwner string, targetRepo string, t
 		cachedResponse = cachedValue.(fileResponse)
 	} else {
 		req = fasthttp.AcquireRequest()
-		req.SetRequestURI(string(GiteaRoot) + "/api/v1/repos/" + uri + "?access_token=" + string(GiteaApiToken))
+		req.SetRequestURI(string(GiteaRoot) + "/api/v1/repos/" + uri + "?access_token=" + GiteaApiToken)
 		res = fasthttp.AcquireResponse()
 		res.SetBodyStream(&strings.Reader{}, -1)
 		err = upstreamClient.Do(req, res)
diff --git a/main.go b/main.go
index 331a81c..1d73e33 100644
--- a/main.go
+++ b/main.go
@@ -39,7 +39,7 @@ var MainDomainSuffix = []byte("." + envOr("PAGES_DOMAIN", "codeberg.page"))
 // GiteaRoot specifies the root URL of the Gitea instance, without a trailing slash.
 var GiteaRoot = []byte(envOr("GITEA_ROOT", "https://codeberg.org"))
 
-var GiteaApiToken = []byte(envOr("GITEA_API_TOKEN", ""))
+var GiteaApiToken = envOr("GITEA_API_TOKEN", "")
 
 //go:embed 404.html
 var NotFoundPage []byte

From 6d520c2a40d9f6fe86f800a8371f9d4adad34001 Mon Sep 17 00:00:00 2001
From: Moritz Marquardt <git@momar.de>
Date: Wed, 1 Dec 2021 21:44:54 +0100
Subject: [PATCH 4/4] Update error message for private repo access

---
 handler.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/handler.go b/handler.go
index 720ccde..a731412 100644
--- a/handler.go
+++ b/handler.go
@@ -293,7 +293,7 @@ func returnErrorPage(ctx *fasthttp.RequestCtx, code int) {
 		message += " - domain not specified in <code>.domains</code> file"
 	}
 	if code == fasthttp.StatusFailedDependency {
-		message += " - owner, repo or branch doesn't exist (if everything's set up correctly, wait up to 15 minutes for cache invalidation)"
+		message += " - target repo/branch doesn't exist or is private"
 	}
 	ctx.Response.SetBody(bytes.ReplaceAll(NotFoundPage, []byte("%status"), []byte(strconv.Itoa(code)+" "+message)))
 }