Add a new method Match for auth

routers/api/packages/chef/auth.go

@@ -52,6 +52,10 @@ func (a *Auth) Name() string {
 	return "chef"
 }
 
+func (a *Auth) Match(req *http.Request) bool {
+	return true
+}
+
 // Verify extracts the user from the signed request
 // If the request is signed with the user private key the user is verified.
 func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataStore, sess auth.SessionStore) (*user_model.User, error) {

routers/api/packages/conan/auth.go

@@ -20,6 +20,10 @@ func (a *Auth) Name() string {
 	return "conan"
 }
 
+func (a *Auth) Match(req *http.Request) bool {
+	return true
+}
+
 // Verify extracts the user from the Bearer token
 func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataStore, sess auth.SessionStore) (*user_model.User, error) {
 	packageMeta, err := packages.ParseAuthorizationRequest(req)

routers/api/packages/container/auth.go

@@ -20,6 +20,10 @@ func (a *Auth) Name() string {
 	return "container"
 }
 
+func (a *Auth) Match(req *http.Request) bool {
+	return true
+}
+
 // Verify extracts the user from the Bearer token
 // If it's an anonymous session a ghost user is returned
 func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataStore, sess auth.SessionStore) (*user_model.User, error) {

routers/api/packages/nuget/auth.go

@@ -21,6 +21,10 @@ func (a *Auth) Name() string {
 	return "nuget"
 }
 
+func (a *Auth) Match(req *http.Request) bool {
+	return true
+}
+
 // https://docs.microsoft.com/en-us/nuget/api/package-publish-resource#request-parameters
 func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataStore, sess auth.SessionStore) (*user_model.User, error) {
 	token, err := auth_model.GetAccessTokenBySHA(req.Context(), req.Header.Get("X-NuGet-ApiKey"))

services/auth/basic.go

@@ -42,6 +42,10 @@ func (b *Basic) Name() string {
 	return BasicMethodName
 }
 
+func (b *Basic) Match(req *http.Request) bool {
+	return true
+}
+
 // Verify extracts and validates Basic data (username and password/token) from the
 // "Authorization" header of the request and returns the corresponding user object for that
 // name/token on successful validation.

services/auth/group.go

@@ -41,10 +41,22 @@ func (b *Group) Name() string {
 	return strings.Join(names, ",")
 }
 
+func (b *Group) Match(req *http.Request) bool {
+	return true
+}
+
 func (b *Group) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
-	// Try to sign in with each of the enabled plugins
+	// find all methods that match the request
-	var retErr error
+	matchedMethods := make([]Method, 0, len(b.methods))
 	for _, m := range b.methods {
+		if m.Match(req) {
+			matchedMethods = append(matchedMethods, m)
+		}
+	}
+
+	var retErr error
+	// Try to sign in with each of the matched plugins
+	for _, m := range matchedMethods {
 		user, err := m.Verify(req, w, store, sess)
 		if err != nil {
 			if retErr == nil {

services/auth/httpsign.go

@@ -36,6 +36,10 @@ func (h *HTTPSign) Name() string {
 	return "httpsign"
 }
 
+func (h *HTTPSign) Match(req *http.Request) bool {
+	return true
+}
+
 // Verify extracts and validates HTTPsign from the Signature header of the request and returns
 // the corresponding user object on successful validation.
 // Returns nil if header is empty or validation fails.

services/auth/interface.go

@@ -24,10 +24,12 @@ type Method interface {
 	// If verification is successful returns either an existing user object (with id > 0)
 	// or a new user object (with id = 0) populated with the information that was found
 	// in the authentication data (username or email).
-	// Second argument returns err if verification fails, otherwise
+	// Third argument returns err if verification fails, otherwise
+	// Second return argument returns true
 	// First return argument returns nil if no matched verification condition
 	Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error)
-
+	// Match returns true if the request is a match for this method
+	Match(*http.Request) bool
 	Name() string
 }
 

services/auth/oauth2.go

@@ -131,6 +131,10 @@ func (o *OAuth2) userIDFromToken(ctx context.Context, tokenSHA string, store Dat
 	return t.UID
 }
 
+func (o *OAuth2) Match(req *http.Request) bool {
+	return true
+}
+
 // Verify extracts the user ID from the OAuth token in the query parameters
 // or the "Authorization" header and returns the corresponding user object for that ID.
 // If verification is successful returns an existing user object.

services/auth/reverseproxy.go

@@ -100,6 +100,10 @@ func (r *ReverseProxy) getUserFromAuthEmail(req *http.Request) *user_model.User
 	return user
 }
 
+func (r *ReverseProxy) Match(req *http.Request) bool {
+	return true
+}
+
 // Verify attempts to load a user object based on headers sent by the reverse proxy.
 // First it will attempt to load it based on the username (see docs for getUserFromAuthUser),
 // and failing that it will attempt to load it based on the email (see docs for getUserFromAuthEmail).

services/auth/session.go

@@ -24,6 +24,10 @@ func (s *Session) Name() string {
 	return "session"
 }
 
+func (s *Session) Match(req *http.Request) bool {
+	return true
+}
+
 // Verify checks if there is a user uid stored in the session and returns the user
 // object for that uid.
 // Returns nil if there is no user uid stored in the session.

services/auth/sspi.go

@@ -54,6 +54,10 @@ func (s *SSPI) Name() string {
 	return "sspi"
 }
 
+func (s *SSPI) Match(req *http.Request) bool {
+	return true
+}
+
 // Verify uses SSPI (Windows implementation of SPNEGO) to authenticate the request.
 // If authentication is successful, returns the corresponding user object.
 // If negotiation should continue or authentication fails, immediately returns a 401 HTTP