LFS: make HTTP auth period configurable (#4035)

* LFS: make HTTP auth period configurable * Formatting: Removed semicolon Due to automated fmt-check failure (drone.gitea.io) * applying code reviews * Applied code review comment: Change HTTPAuthExpiry to time.Duration * Updated config cheat sheet
6 years ago · 15f6ec9632
parent 832ca509d3
commit 15f6ec9632
4 changed files with 12 additions and 5 deletions
--- a/cmd/serv.go
+++ b/cmd/serv.go
@ -268,7 +268,7 @@ func runServ(c *cli.Context) error {
 		claims := jwt.MapClaims{
 			"repo": repo.ID,
 			"op":   lfsVerb,
-			"exp":  now.Add(5 * time.Minute).Unix(),
+			"exp":  now.Add(setting.LFS.HTTPAuthExpiry).Unix(),
 			"nbf":  now.Unix(),
 		}
 		if user != nil {
--- a/custom/conf/app.ini.sample
+++ b/custom/conf/app.ini.sample
@ -189,6 +189,8 @@ LFS_START_SERVER = false
 LFS_CONTENT_PATH = data/lfs
 ; LFS authentication secret, change this yourself
 LFS_JWT_SECRET =
+; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail.
+LFS_HTTP_AUTH_EXPIRY = 20m

 ; Define allowed algorithms and their minimum key length (use -1 to disable a type)
 [ssh.minimum_key_sizes]
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@ -115,6 +115,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `LFS_START_SERVER`: **false**: Enables git-lfs support.
 - `LFS_CONTENT_PATH`: **./data/lfs**: Where to store LFS files.
 - `LFS_JWT_SECRET`: **\<empty\>**: LFS authentication secret, change this a unique string.
+- `LFS_HTTP_AUTH_EXPIRY`: **20m**: LFS authentication validity period in time.Duration, pushes taking longer than this may fail.
 - `REDIRECT_OTHER_PORT`: **false**: If true and `PROTOCOL` is https, redirects http requests
   on another (https) port.
 - `PORT_TO_REDIRECT`: **80**: Port used when `REDIRECT_OTHER_PORT` is true.
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@ -136,10 +136,11 @@ var (
 	}

 	LFS struct {
-		StartServer     bool   `ini:"LFS_START_SERVER"`
-		ContentPath     string `ini:"LFS_CONTENT_PATH"`
-		JWTSecretBase64 string `ini:"LFS_JWT_SECRET"`
-		JWTSecretBytes  []byte `ini:"-"`
+		StartServer     bool          `ini:"LFS_START_SERVER"`
+		ContentPath     string        `ini:"LFS_CONTENT_PATH"`
+		JWTSecretBase64 string        `ini:"LFS_JWT_SECRET"`
+		JWTSecretBytes  []byte        `ini:"-"`
+		HTTPAuthExpiry  time.Duration `ini:"LFS_HTTP_AUTH_EXPIRY"`
 	}

 	// Security settings
@ -828,6 +829,9 @@ func NewContext() {
 		LFS.ContentPath = filepath.Join(AppWorkPath, LFS.ContentPath)
 	}

+	sec = Cfg.Section("LFS")
+	LFS.HTTPAuthExpiry = sec.Key("LFS_HTTP_AUTH_EXPIRY").MustDuration(20 * time.Minute)
+
 	if LFS.StartServer {

 		if err := os.MkdirAll(LFS.ContentPath, 0700); err != nil {