From 2f1ed00fd1d14dfb1a49df25c7e842b2facaf83e Mon Sep 17 00:00:00 2001
From: Andrew Thornton
Date: Fri, 21 Aug 2020 22:16:10 +0100
Subject: [PATCH 1/2] Skip SSPI authentication attempts for /api/internal

SSPI fails badly on authentication attempts to /api/internal which it can never succesfully authenticate.

Fix #11260

Signed-off-by: Andrew Thornton
---
 modules/auth/sso/sso.go          | 5 +++++
 modules/auth/sso/sspi_windows.go | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/modules/auth/sso/sso.go b/modules/auth/sso/sso.go
index cf8148d89bc09..c2e36f3f5ebf2 100644
--- a/modules/auth/sso/sso.go
+++ b/modules/auth/sso/sso.go
@@ -100,6 +100,11 @@ func isAPIPath(ctx *macaron.Context) bool {
 	return strings.HasPrefix(ctx.Req.URL.Path, "/api/")
 }
 
+// isInternalPath returns true if the specified URL is an internal API path
+func isInternalPath(ctx *macaron.Context) bool {
+	return strings.HasPrefix(ctx.Req.URL.Path, "/api/internal/")
+}
+
 // isAttachmentDownload check if request is a file download (GET) with URL to an attachment
 func isAttachmentDownload(ctx *macaron.Context) bool {
 	return strings.HasPrefix(ctx.Req.URL.Path, "/attachments/") && ctx.Req.Method == "GET"
diff --git a/modules/auth/sso/sspi_windows.go b/modules/auth/sso/sspi_windows.go
index 2bced4be28d63..00f15d97be5f7 100644
--- a/modules/auth/sso/sspi_windows.go
+++ b/modules/auth/sso/sspi_windows.go
@@ -148,6 +148,8 @@ func (s *SSPI) shouldAuthenticate(ctx *macaron.Context) (shouldAuth bool) {
 		} else if ctx.Req.FormValue("auth_with_sspi") == "1" {
 			shouldAuth = true
 		}
+	} else if isInternalPath(ctx) {
+		shouldAuth = false
 	} else if isAPIPath(ctx) || isAttachmentDownload(ctx) {
 		shouldAuth = true
 	}

From eb4784c4605d636101de21ef3317f07278458586 Mon Sep 17 00:00:00 2001
From: zeripath
Date: Fri, 21 Aug 2020 23:17:46 +0100
Subject: [PATCH 2/2] Update oauth2.go

---
 modules/auth/sso/oauth2.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
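Review bot: The doc comment on isInternalPath should state the matching rule precisely, because the callers in sspi_windows.go and oauth2.go use it to decide whether an authentication attempt is made at all: it is a plain prefix test on ctx.Req.URL.Path, so it matches every path under `/api/internal/` but not a bare `/api/internal` (presumably no such route exists, but worth confirming against the router). Suggested wording: `// isInternalPath reports whether the request targets the internal API (any path under /api/internal/), for which the SSO handlers skip authentication.` Go convention for boolean functions is "reports whether" rather than "returns true if".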
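Review bot: The new `else if isInternalPath(ctx)` branch is placed after an earlier `if` whose condition lies outside the hunk, so whether a request under /api/internal/ can still reach `shouldAuth = true` through that first branch depends on that condition; unless it already excludes internal paths, the internal-path guard should be the first test in the chain so nothing ahead of it can re-enable SSPI for the internal API. shouldAuth is a named result that is already false, so `shouldAuth = false` is a no-op kept only to stop the chain; a comment would keep that intent visible to future edits, e.g. `// never attempt SSPI for the internal API: it cannot succeed there (see #11260)`. shouldAuthenticate starts and ends outside the hunk.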
diff --git a/modules/auth/sso/oauth2.go b/modules/auth/sso/oauth2.go
index 6860c12e3908b..3f530f036f256 100644
--- a/modules/auth/sso/oauth2.go
+++ b/modules/auth/sso/oauth2.go
@@ -121,7 +121,7 @@ func (o *OAuth2) VerifyAuthData(ctx *macaron.Context, sess session.Store) *model
 		return nil
 	}
 
-	if !isAPIPath(ctx) && !isAttachmentDownload(ctx) {
+	if isInternalPath(ctx) || !isAPIPath(ctx) && !isAttachmentDownload(ctx) {
 		return nil
 	}