From 977fc9db289bd740a0969d1af89c85dd95e6c7d4 Mon Sep 17 00:00:00 2001
From: Thomas Miceli <27960254+thomiceli@users.noreply.github.com>
Date: Thu, 7 Sep 2023 11:46:34 +0200
Subject: [PATCH] Improved git http semantics and repo obfuscation (#94)

---
 internal/web/git_http.go | 28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)

diff --git a/internal/web/git_http.go b/internal/web/git_http.go
index 661e652..b6d65bd 100644
--- a/internal/web/git_http.go
+++ b/internal/web/git_http.go
@@ -47,30 +47,28 @@ func gitHttp(ctx echo.Context) error {
 
 			gist := getData(ctx, "gist").(*db.Gist)
 
-			// Shows basic auth if :
-			// - user wants to push the gist
-			// - user wants to clone a private gist
-			// - gist is not found (obfuscation)
-			// - admin setting to require login is set to true
-			noAuth := (ctx.QueryParam("service") == "git-upload-pack" ||
+			isInfoRefs := strings.HasSuffix(route.gitUrl, "/info/refs$")
+
+			isPull := ctx.QueryParam("service") == "git-upload-pack" ||
 				strings.HasSuffix(ctx.Request().URL.Path, "git-upload-pack") ||
-				ctx.Request().Method == "GET") &&
-				gist.Private != 2 &&
-				gist.ID != 0 &&
-				!getData(ctx, "RequireLogin").(bool)
+				ctx.Request().Method == "GET" && !isInfoRefs
 
 			repositoryPath := git.RepositoryPath(gist.User.Username, gist.Uuid)
-
 			if _, err := os.Stat(repositoryPath); os.IsNotExist(err) {
 				if err != nil {
+					log.Info().Err(err).Msg("Repository directory does not exist")
 					return errorRes(404, "Repository directory does not exist", err)
 				}
 			}
 
 			ctx.Set("repositoryPath", repositoryPath)
 
-			// Requires Basic Auth if we push the repository
-			if noAuth {
+			// Shows basic auth if :
+			// - user wants to push the gist
+			// - user wants to clone/pull a private gist
+			// - gist is not found (obfuscation)
+			// - admin setting to require login is set to true
+			if isPull && gist.Private != 2 && gist.ID != 0 && !getData(ctx, "RequireLogin").(bool) {
 				return route.handler(ctx)
 			}
 
@@ -90,7 +88,7 @@ func gitHttp(ctx echo.Context) error {
 			}
 
 			if gist.ID == 0 {
-				return errorRes(404, "Not found", nil)
+				return plainText(ctx, 404, "Check your credentials or make sure you have access to the Gist")
 			}
 
 			if ok, err := argon2id.verify(authPassword, gist.User.Password); !ok || gist.User.Username != authUsername {
@@ -98,7 +96,7 @@ func gitHttp(ctx echo.Context) error {
 					return errorRes(500, "Cannot verify password", err)
 				}
 				log.Warn().Msg("Invalid HTTP authentication attempt from " + ctx.RealIP())
-				return errorRes(404, "Not found", nil)
+				return plainText(ctx, 404, "Check your credentials or make sure you have access to the Gist")
 			}
 
 			return route.handler(ctx)