fix

wxiaoguang · wxiaoguang · commit 7900b6cfde7c · 2025-11-24T16:30:10.000+08:00
diff --git a/modules/auth/webauthn/webauthn.go b/modules/auth/webauthn/webauthn.go
@@ -6,7 +6,6 @@ package webauthn
 import (
 	"context"
 	"encoding/binary"
-	"encoding/gob"
 
 	"code.gitea.io/gitea/models/auth"
 	user_model "code.gitea.io/gitea/models/user"
@@ -22,8 +21,6 @@ var WebAuthn *webauthn.WebAuthn
 
 // Init initializes the WebAuthn instance from the config.
 func Init() {
-	gob.Register(&webauthn.SessionData{})
-
 	appURL, _ := protocol.FullyQualifiedOrigin(setting.AppURL)
 
 	WebAuthn = &webauthn.WebAuthn{
diff --git a/routers/common/middleware.go b/routers/common/middleware.go
@@ -4,7 +4,9 @@
 package common
 
 import (
+	"encoding/gob"
 	"fmt"
+	"log"
 	"net/http"
 	"strings"
 
@@ -14,11 +16,14 @@ import (
 	"code.gitea.io/gitea/modules/reqctx"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/web/routing"
+	"code.gitea.io/gitea/routers/web/auth"
 	"code.gitea.io/gitea/services/context"
 
 	"gitea.com/go-chi/session"
 	"github.com/chi-middleware/proxy"
 	"github.com/go-chi/chi/v5"
+	"github.com/go-webauthn/webauthn/webauthn"
+	"github.com/gorilla/sessions"
 )
 
 // ProtocolMiddlewares returns HTTP protocol related middlewares, and it provides a global panic recovery
@@ -107,7 +112,14 @@ func ForwardedHeadersHandler(limit int, trustedProxies []string) func(h http.Han
 	return proxy.ForwardedHeaders(opt)
 }
 
-func Sessioner() (func(next http.Handler) http.Handler, error) {
+func MuseInitSessioner() func(next http.Handler) http.Handler {
+	// TODO: chi-session has a design problem: it calls gob.Register for "Set"
+	// But if the server restarts, then the first "Get" will fail to decode the previously stored session data because the structs are not registered yet.
+	// So here we register all session structs ahead.
+	gob.Register(auth.LinkAccountData{})  // used by oauth link account
+	gob.Register(&webauthn.SessionData{}) // used by webauthn
+	gob.Register(&sessions.Session{})     // used by oauth2's SessionsStore. FIXME: it seems to be an abuse, why the Session struct itself is stored in session store again?
+
 	middleware, err := session.Sessioner(session.Options{
 		Provider:       setting.SessionConfig.Provider,
 		ProviderConfig: setting.SessionConfig.ProviderConfig,
@@ -120,8 +132,7 @@ func Sessioner() (func(next http.Handler) http.Handler, error) {
 		Domain:         setting.SessionConfig.Domain,
 	})
 	if err != nil {
-		return nil, fmt.Errorf("failed to create session middleware: %w", err)
+		log.Fatal("common.Sessioner failed: %v", err)
 	}
-
-	return middleware, nil
+	return middleware
 }
diff --git a/routers/install/install.go b/routers/install/install.go
@@ -55,8 +55,8 @@ func getSupportedDbTypeNames() (dbTypeNames []map[string]string) {
 	return dbTypeNames
 }
 
-// Contexter prepare for rendering installation page
-func Contexter() func(next http.Handler) http.Handler {
+// installContexter prepare for rendering installation page
+func installContexter() func(next http.Handler) http.Handler {
 	rnd := templates.HTMLRenderer()
 	dbTypeNames := getSupportedDbTypeNames()
 	envConfigKeys := setting.CollectEnvConfigKeys()
diff --git a/routers/install/routes.go b/routers/install/routes.go
@@ -8,7 +8,6 @@ import (
 	"html"
 	"net/http"
 
-	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/public"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/web"
@@ -25,11 +24,8 @@ func Routes() *web.Router {
 	base.Methods("GET, HEAD", "/assets/*", public.FileHandlerFunc())
 
 	r := web.NewRouter()
-	if sessionMid, err := common.Sessioner(); err == nil && sessionMid != nil {
-		r.Use(sessionMid, Contexter())
-	} else {
-		log.Fatal("common.Sessioner failed: %v", err)
-	}
+	r.Use(common.MuseInitSessioner(), installContexter())
+
 	r.Get("/", Install) // it must be on the root, because the "install.js" use the window.location to replace the "localhost" AppURL
 	r.Post("/", web.Bind(forms.InstallForm{}), SubmitInstall)
 	r.Get("/post-install", InstallDone)
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
@@ -4,7 +4,6 @@
 package auth
 
 import (
-	"encoding/gob"
 	"errors"
 	"fmt"
 	"html"
@@ -278,7 +277,7 @@ type LinkAccountData struct {
 }
 
 func oauth2GetLinkAccountData(ctx *context.Context) *LinkAccountData {
-	gob.Register(LinkAccountData{})
+
 	v, ok := ctx.Session.Get("linkAccountData").(LinkAccountData)
 	if !ok {
 		return nil
@@ -287,7 +286,6 @@ func oauth2GetLinkAccountData(ctx *context.Context) *LinkAccountData {
 }
 
 func Oauth2SetLinkAccountData(ctx *context.Context, linkAccountData LinkAccountData) error {
-	gob.Register(LinkAccountData{})
 	return updateSession(ctx, nil, map[string]any{
 		"linkAccountData": linkAccountData,
 	})
diff --git a/routers/web/web.go b/routers/web/web.go
@@ -267,11 +267,7 @@ func Routes() *web.Router {
 	routes.Get("/ssh_info", misc.SSHInfo)
 	routes.Get("/api/healthz", healthcheck.Check)
 
-	if sessionMid, err := common.Sessioner(); err == nil && sessionMid != nil {
-		mid = append(mid, sessionMid, context.Contexter())
-	} else {
-		log.Fatal("common.Sessioner failed: %v", err)
-	}
+	mid = append(mid, common.MuseInitSessioner(), context.Contexter())
 
 	// Get user from session if logged in.
 	mid = append(mid, webAuth(buildAuthGroup()))
diff --git a/services/auth/source/oauth2/init.go b/services/auth/source/oauth2/init.go
@@ -33,8 +33,6 @@ func Init(ctx context.Context) error {
 	// Lock our mutex
 	gothRWMutex.Lock()
 
-	gob.Register(&sessions.Session{})
-
 	gothic.Store = &SessionsStore{
 		maxLength: int64(setting.OAuth2.MaxTokenLength),
 	}

Original file line number	Diff line number	Diff line change
`@@ -33,8 +33,6 @@ func Init(ctx context.Context) error {`
`33`	`33`	`// Lock our mutex`
`34`	`34`	`gothRWMutex.Lock()`
`35`	`35`
`36`		`- gob.Register(&sessions.Session{})`
`37`		`-`
`38`	`36`	`gothic.Store = &SessionsStore{`
`39`	`37`	`maxLength: int64(setting.OAuth2.MaxTokenLength),`
`40`	`38`	`}`