From 64272a2befa418592b2b8b4329ce6cd9fdfb96fa Mon Sep 17 00:00:00 2001 From: Sunil Mohan Adapa Date: Mon, 24 Nov 2025 08:57:24 -0800 Subject: [PATCH] gitweb: Use OpenID Connect instead of pubtkt based SSO - Regression: Users who to don't have git-access permission can't access the public repositories. Tests: - Functional tests work. - Admin user is able to view and access the repos when there are some public repos and when there no public repos. - User belonging to git-access are regular usrs are unable to access private repos. But they are also not able to access the public repos. They have to logout to be able to do that. - Anonymous user is not able to access the application if all repos are private. If there is at least one public repo, the repo listing can be accessed and public repos can be seen and accessed. Signed-off-by: Sunil Mohan Adapa Reviewed-by: James Valleroy --- .../apache2/conf-available/gitweb-freedombox-auth.conf | 6 ++---- .../etc/apache2/conf-available/gitweb-freedombox.conf | 9 ++++----- .../data/usr/share/freedombox/etc/gitweb-freedombox.conf | 2 +- 3 files changed, 7 insertions(+), 10 deletions(-) diff --git a/plinth/modules/gitweb/data/usr/share/freedombox/etc/apache2/conf-available/gitweb-freedombox-auth.conf b/plinth/modules/gitweb/data/usr/share/freedombox/etc/apache2/conf-available/gitweb-freedombox-auth.conf index 4bf4bef7e..953c8802d 100644 --- a/plinth/modules/gitweb/data/usr/share/freedombox/etc/apache2/conf-available/gitweb-freedombox-auth.conf +++ b/plinth/modules/gitweb/data/usr/share/freedombox/etc/apache2/conf-available/gitweb-freedombox-auth.conf @@ -4,8 +4,6 @@ ## is to be enabled when there are no public git projects. ## - Include includes/freedombox-single-sign-on.conf - - TKTAuthToken "git-access" "admin" - + Use AuthOpenIDConnect + Use RequireGroup git-access 
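Review bot: `Use RequireGroup git-access` names a single group, whereas the removed `TKTAuthToken "git-access" "admin"` listed "admin" explicitly, and nothing in this hunk shows whether the macro also admits administrators. The commit message reports that an admin user can still reach the repositories, so the macro presumably covers that case, but its definition is outside this diff. Once that is confirmed against the macro, a one-line comment above the two `Use` lines would keep the access policy readable from this file, such as `# Allowed: members of git-access (plus admin via the RequireGroup macro)`. The container lines around the directives are not visible in this view.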
diff --git a/plinth/modules/gitweb/data/usr/share/freedombox/etc/apache2/conf-available/gitweb-freedombox.conf b/plinth/modules/gitweb/data/usr/share/freedombox/etc/apache2/conf-available/gitweb-freedombox.conf index 21bdd2469..334937986 100644 --- a/plinth/modules/gitweb/data/usr/share/freedombox/etc/apache2/conf-available/gitweb-freedombox.conf +++ b/plinth/modules/gitweb/data/usr/share/freedombox/etc/apache2/conf-available/gitweb-freedombox.conf @@ -24,11 +24,10 @@ Alias /gitweb /usr/share/gitweb # Make gitweb work with custom FreedomBox configuration. SetEnv GITWEB_CONFIG /etc/gitweb-freedombox.conf - - Include includes/freedombox-single-sign-on.conf - - TKTAuthToken "git-access" "admin" - + # Authentication is required for any operation if repository is private. + + Use AuthOpenIDConnect + Use RequireGroup git-access # Allow index.cgi symlink to gitweb.cgi to work. Treat gitweb.cgi as CGI diff --git a/plinth/modules/gitweb/data/usr/share/freedombox/etc/gitweb-freedombox.conf b/plinth/modules/gitweb/data/usr/share/freedombox/etc/gitweb-freedombox.conf index 9bed257f1..1bf2fb64a 100644 --- a/plinth/modules/gitweb/data/usr/share/freedombox/etc/gitweb-freedombox.conf +++ b/plinth/modules/gitweb/data/usr/share/freedombox/etc/gitweb-freedombox.conf @@ -52,7 +52,7 @@ our $project_maxdepth = 1; # export private repos only if authorized our $per_request_config = sub { - if(defined $ENV{'REMOTE_USER_TOKENS'}){ + if(defined $ENV{'REMOTE_USER'}){ our $export_auth_hook = sub { return 1; }; } else {
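Review bot: The added `Use RequireGroup git-access` is the only group check this patch shows, because the hook changed in etc/gitweb-freedombox.conf returns 1 for every repository as soon as `REMOTE_USER` is defined and never looks at group membership. Protection of private repositories therefore depends on every request that carries a login passing through this block. The container line that decides when the block applies is not visible in this view, so that coverage should be confirmed. The new comment could record the dependency, for example `# gitweb-freedombox.conf exports all repos once REMOTE_USER is set; the git-access check here is what protects private ones.` The surrounding section starts and ends outside the hunk.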