From 97d30ec93f0a16b518d992858071f19541b6692d Mon Sep 17 00:00:00 2001
From: M Hickford
Date: Mon, 3 Jul 2023 20:12:06 +0100
Subject: [PATCH] preconfigure git-credential-oauth
---
 custom/conf/app.example.ini | 3 +++
 .../config-cheat-sheet.en-us.md | 1 +
 models/auth/oauth2.go | 21 +++++++++++++++++++
 modules/setting/oauth2.go | 2 ++
 routers/init.go | 2 ++
 routers/web/repo/http.go | 2 +-
 6 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index db148c52ade48..b64f1024b6fe1 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -544,6 +544,9 @@ ENABLE = true
 ;;
 ;; Maximum length of oauth2 token/cookie stored on server
 ;MAX_TOKEN_LENGTH = 32767
+;;
+;; Register OAuth applications for Git credential helpers
+;GIT_CREDENTIAL_HELPERS = true
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
diff --git a/docs/content/administration/config-cheat-sheet.en-us.md b/docs/content/administration/config-cheat-sheet.en-us.md
index 6d5789ff0dc5a..d369ef2168c97 100644
--- a/docs/content/administration/config-cheat-sheet.en-us.md
+++ b/docs/content/administration/config-cheat-sheet.en-us.md
@@ -1099,6 +1099,7 @@ This section only does "set" config, a removed config key from this section won'
 - `JWT_SECRET_URI`: **_empty_**: Instead of defining JWT_SECRET in the configuration, this configuration option can be used to give Gitea a path to a file that contains the secret (example value: `file:/etc/gitea/oauth2_jwt_secret`)
 - `JWT_SIGNING_PRIVATE_KEY_FILE`: **jwt/private.pem**: Private key file path used to sign OAuth2 tokens. The path is relative to `APP_DATA_PATH`. This setting is only needed if `JWT_SIGNING_ALGORITHM` is set to `RS256`, `RS384`, `RS512`, `ES256`, `ES384` or `ES512`. The file must contain a RSA or ECDSA private key in the PKCS8 format. If no key exists a 4096 bit key will be created for you.
 - `MAX_TOKEN_LENGTH`: **32767**: Maximum length of token/cookie to accept from OAuth2 provider
+- `GIT_CREDENTIAL_HELPERS`: **true**: Register OAuth applications for Git credential helpers at startup.
 ## i18n (`i18n`)
diff --git a/models/auth/oauth2.go b/models/auth/oauth2.go
index 0f64b56c1635b..7b77fbed6ad4f 100644
--- a/models/auth/oauth2.go
+++ b/models/auth/oauth2.go
@@ -13,6 +13,7 @@ import (
 "strings"
 "code.gitea.io/gitea/models/db"
+ "code.gitea.io/gitea/modules/setting"
 "code.gitea.io/gitea/modules/timeutil"
 "code.gitea.io/gitea/modules/util"
@@ -46,6 +47,26 @@ func init() {
 db.RegisterModel(new(OAuth2Grant))
 }
+func Init(ctx context.Context) error {
+ if setting.OAuth2.GitCredentialHelpers {
+ // the following Git credential helpers are universally useful
+ // https://git-scm.com/doc/credential-helpers
+ _ = db.Insert(ctx, []OAuth2Application{
+ {
+ Name: "git-credential-oauth",
+ ClientID: "a4792ccc-144e-407e-86c9-5e7d8d9c3269",
+ RedirectURIs: []string{"http://127.0.0.1", "https://127.0.0.1"},
+ },
+ {
+ Name: "Git Credential Manager",
+ ClientID: "e90ee53c-94e2-48ac-9358-a874fb9e0662",
+ RedirectURIs: []string{"http://127.0.0.1", "https://127.0.0.1"},
+ },
+ })
+ }
+ return nil
+}
+
 // TableName sets the table name to `oauth2_application`
 func (app *OAuth2Application) TableName() string {
 return "oauth2_application"
diff --git a/modules/setting/oauth2.go b/modules/setting/oauth2.go
index 78a9462de9a65..38a0532f4c7eb 100644
--- a/modules/setting/oauth2.go
+++ b/modules/setting/oauth2.go
@@ -100,6 +100,7 @@ var OAuth2 = struct {
 JWTSecretBase64 string `ini:"JWT_SECRET"`
 JWTSigningPrivateKeyFile string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"`
 MaxTokenLength int
+ GitCredentialHelpers bool
 }{
 Enable: true,
 AccessTokenExpirationTime: 3600,
@@ -108,6 +109,7 @@ var OAuth2 = struct {
 JWTSigningAlgorithm: "RS256",
 JWTSigningPrivateKeyFile: "jwt/private.pem",
 MaxTokenLength: math.MaxInt16,
+ GitCredentialHelpers: true,
 }
 func loadOAuth2From(rootCfg ConfigProvider) {
diff --git a/routers/init.go b/routers/init.go
index ddbabcc397447..020fff31c0e38 100644
--- a/routers/init.go
+++ b/routers/init.go
@@ -10,6 +10,7 @@ import (
 "code.gitea.io/gitea/models"
 asymkey_model "code.gitea.io/gitea/models/asymkey"
+ authmodel "code.gitea.io/gitea/models/auth"
 "code.gitea.io/gitea/modules/cache"
 "code.gitea.io/gitea/modules/eventsource"
 "code.gitea.io/gitea/modules/git"
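Review bot: `_ = db.Insert(ctx, []OAuth2Application{...})` in the new Init discards the insert error and never checks whether the two applications already exist, so on every start after the first the call either re-creates duplicate rows or fails silently, depending on whether client_id carries a unique index (not visible in this hunk); either way a database problem at this step can no longer surface through mustInitCtx. The rewrite below looks each application up by ClientID, inserts only the missing ones and returns wrapped errors; it assumes `fmt` is already imported in this file and that `db.GetEngine(ctx)` is the package's engine accessor. The exported Init also has no doc comment; the one in the excerpt covers it. The literals set neither ClientSecret nor ConfidentialClient, so whatever the struct and column defaults are decide whether these rows are treated as public clients — if that is the intent, say so in a comment and set the field explicitly rather than relying on zero values.

```go
// Init registers the OAuth2 applications used by Git credential helpers
// (git-credential-oauth, Git Credential Manager) unless disabled via
// setting.OAuth2.GitCredentialHelpers. Applications whose ClientID already
// exists are left untouched, so the call is safe to repeat on every start.
func Init(ctx context.Context) error {
	if !setting.OAuth2.GitCredentialHelpers {
		return nil
	}
	// … unchanged: the two OAuth2Application literals, held in a local slice `apps` …
	for i := range apps {
		exists, err := db.GetEngine(ctx).Where("client_id = ?", apps[i].ClientID).Exist(new(OAuth2Application))
		if err != nil {
			return fmt.Errorf("looking up OAuth2 application %q: %w", apps[i].Name, err)
		}
		if exists {
			continue
		}
		if err := db.Insert(ctx, &apps[i]); err != nil {
			return fmt.Errorf("registering OAuth2 application %q: %w", apps[i].Name, err)
		}
	}
	return nil
}
```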
@@ -138,6 +139,7 @@ func InitWebInstalled(ctx context.Context) {
 mustInit(oauth2.Init)
 mustInitCtx(ctx, models.Init)
+ mustInitCtx(ctx, authmodel.Init)
 mustInit(repo_service.Init)
 // Booting long running goroutines.
diff --git a/routers/web/repo/http.go b/routers/web/repo/http.go
index 0cae9aeda4549..c8ecb3b1d8ad7 100644
--- a/routers/web/repo/http.go
+++ b/routers/web/repo/http.go
@@ -147,7 +147,7 @@ func httpBase(ctx *context.Context) *serviceHandler {
 // rely on the results of Contexter
 if !ctx.IsSigned {
 // TODO: support digit auth - which would be Authorization header with digit
- ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=\".\"")
+ ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="Gitea"`)
 ctx.Error(http.StatusUnauthorized)
 return nil
 }
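Review bot: The new realm in `ctx.Resp.Header().Set("WWW-Authenticate", `+"`"+`Basic realm="Gitea"`+"`"+`)` is an undocumented behaviour change whose motivation is not in the commit subject; some browsers and credential stores key cached Basic credentials on the realm, so changing it from "." may cause a one-time re-prompt for existing users, which is worth stating next to the line, e.g. `// realm is shown by Git/browser credential prompts and some stores key cached credentials on it; keep it stable`. If the goal is to let the preconfigured credential helpers recognise the server, consider a named constant beside the other auth-header values instead of an inline literal so the same realm is reused by any sibling handler. httpBase continues outside the hunk.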