From ee585ef6b445f4e1a7f2b05cbd0afef51ab1f08f Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Wed, 27 May 2026 19:21:47 +0100 Subject: [PATCH] 1c/E2E-TESTME: bootstrap-drone-oauth.sh handles OAuth auto-approve (re-auth: no consent form -> follow 302 callback) Found during the e2e: when the bot already granted the shared Drone OAuth app, Gitea 302s straight to the code callback (no consent form), so the consent-form parse yielded empty _csrf/state and set -e aborted. Now: if authorize returns a Location, use it directly; else POST the consent form. Co-Authored-By: Claude Opus 4.7 (1M context) --- scripts/bootstrap-drone-oauth.sh | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/scripts/bootstrap-drone-oauth.sh b/scripts/bootstrap-drone-oauth.sh index 609a27b..78137b3 100644 --- a/scripts/bootstrap-drone-oauth.sh +++ b/scripts/bootstrap-drone-oauth.sh @@ -33,16 +33,22 @@ curl -s -b "$cj" -c "$cj" -o /dev/null \ # 2) Drone /login -> Gitea authorize URL. loc=$(curl -sk -c "$dj" -o /dev/null -D - "${RES[@]}" "$DRONE/login" \ | awk 'tolower($1)=="location:"{print $2}' | tr -d '\r') -curl -sk -b "$cj" -c "$cj" -o "$az" "$loc" +azh=$(mktemp); trap 'rm -f "$cj" "$dj" "$az" "$azh"' EXIT +curl -sk -b "$cj" -c "$cj" -o "$az" -D "$azh" "$loc" -# 3) Grant consent -> code callback -> complete Drone login (sets Drone session). -acsrf=$(grep -oE 'name="_csrf" value="[^"]*"' "$az" | head -1 | sed -E 's/.*value="([^"]*)".*/\1/') -state=$(grep -oE 'name="state" value="[^"]*"' "$az" | head -1 | sed -E 's/.*value="([^"]*)".*/\1/') -cb=$(curl -sk -b "$cj" -c "$cj" -o /dev/null -D - \ - --data-urlencode "_csrf=$acsrf" --data-urlencode "client_id=$CLIENT_ID" \ - --data-urlencode "state=$state" --data-urlencode "scope=" --data-urlencode "nonce=" \ - --data-urlencode "redirect_uri=$DRONE/login" --data-urlencode "granted=true" \ - "$GITEA/login/oauth/grant" | awk 'tolower($1)=="location:"{print $2}' | tr -d '\r') +# 3) Either the OAuth app auto-approves (bot already granted it earlier => Gitea 302s straight to the +# code callback, no consent form) or it shows a consent form we must POST. Handle both. +cb=$(awk 'tolower($1)=="location:"{print $2}' "$azh" | tr -d '\r') +if [ -z "$cb" ]; then + acsrf=$(grep -oE 'name="_csrf" value="[^"]*"' "$az" | head -1 | sed -E 's/.*value="([^"]*)".*/\1/') + state=$(grep -oE 'name="state" value="[^"]*"' "$az" | head -1 | sed -E 's/.*value="([^"]*)".*/\1/') + cb=$(curl -sk -b "$cj" -c "$cj" -o /dev/null -D - \ + --data-urlencode "_csrf=$acsrf" --data-urlencode "client_id=$CLIENT_ID" \ + --data-urlencode "state=$state" --data-urlencode "scope=" --data-urlencode "nonce=" \ + --data-urlencode "redirect_uri=$DRONE/login" --data-urlencode "granted=true" \ + "$GITEA/login/oauth/grant" | awk 'tolower($1)=="location:"{print $2}' | tr -d '\r') +fi +# code callback -> complete Drone login (sets Drone session + persists the token in Drone's volume). curl -sk -b "$dj" -c "$dj" -o /dev/null -L "${RES[@]}" "$cb" # 4) Verify + sync + activate the repo.