feat: consider WebAuthn & SSH for instance signing (#7693)

- Currently the options `pubkey` and `twofa` only consider TOTP and GPG keys respectively. Adjust the code to also consider WebAuthn credentials and SSH keys. - While adding the new unified functions I noticed that certain places also benefited from using these unified functions and took the liberty (where it was either a trivial translation or it was covered under testing) to use the new unified functions. - Resolves forgejo/forgejo#7658 - Adds unit and integration tests. Documentation PR: https://codeberg.org/forgejo/docs/pulls/1166 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7693 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-committed-by: Gusted <postmaster@gusted.xyz>
2025-06-20 16:10:50 +00:00 · 2025-04-29 10:34:07 +00:00 · 2025-04-29 10:34:07 +00:00 · df5d656827
commit df5d656827
parent 386e7f8208
15 changed files with 222 additions and 65 deletions
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@ -1243,12 +1243,11 @@ func handleOAuth2SignIn(ctx *context.Context, source *auth.Source, u *user_model

 	needs2FA := false
 	if !source.Cfg.(*oauth2.Source).SkipLocalTwoFA {
-		_, err := auth.GetTwoFactorByUID(ctx, u.ID)
-		if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) {
+		needs2FA, err = auth.HasTwoFactorByUID(ctx, u.ID)
+		if err != nil {
 			ctx.ServerError("UserSignIn", err)
 			return
 		}
-		needs2FA = err == nil
 	}

 	oauth2Source := source.Cfg.(*oauth2.Source)