Refactor merge conan and container auth preserve actions taskID (go-gitea#36560)

* Remove duplicated code
* Allow further ActionsUser package permission checks

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

Author: 2 people

routers/api/packages/api.go

@@ -117,7 +117,7 @@ func CommonRoutes() *web.Router {
 		&auth.OAuth2{},
 		&auth.Basic{},
 		&nuget.Auth{},
-		&conan.Auth{},
+		&Auth{},
 		&chef.Auth{},
 	})
 
@@ -537,7 +537,8 @@ func ContainerRoutes() *web.Router {
 
 	verifyAuth(r, []auth.Method{
 		&auth.Basic{},
-		&container.Auth{},
+		// container auth requires an token, so container.Authenticate issues a Ghost user token for anonymous access
+		&Auth{AllowGhostUser: true},
 	})
 
 	// TODO: Content Discovery / References (not implemented yet)

routers/api/packages/conan/auth.go routers/api/packages/auth.gorouters/api/packages/conan/auth.go renamed to routers/api/packages/auth.go

@@ -1,7 +1,7 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2026 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
-package conan
+package packages
 
 import (
 	"net/http"
@@ -14,10 +14,13 @@ import (
 
 var _ auth.Method = &Auth{}
 
-type Auth struct{}
+// Auth is for conan and container
+type Auth struct {
+	AllowGhostUser bool
+}
 
 func (a *Auth) Name() string {
-	return "conan"
+	return "packages"
 }
 
 // Verify extracts the user from the Bearer token
@@ -32,10 +35,22 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS
 		return nil, nil
 	}
 
-	u, err := user_model.GetUserByID(req.Context(), packageMeta.UserID)
-	if err != nil {
-		return nil, err
+	var u *user_model.User
+	switch packageMeta.UserID {
+	case user_model.GhostUserID:
+		if !a.AllowGhostUser {
+			return nil, nil
+		}
+		u = user_model.NewGhostUser()
+	case user_model.ActionsUserID:
+		u = user_model.NewActionsUserWithTaskID(packageMeta.ActionsUserTaskID)
+	default:
+		u, err = user_model.GetUserByID(req.Context(), packageMeta.UserID)
+		if err != nil {
+			return nil, err
+		}
 	}
+
 	if packageMeta.Scope != "" {
 		store.GetData()["IsApiToken"] = true
 		store.GetData()["ApiTokenScope"] = packageMeta.Scope

routers/api/packages/container/auth.go

@@ -23,21 +23,24 @@ type packageClaims struct {
 	PackageMeta
 }
 type PackageMeta struct {
-	UserID int64
-	Scope  auth_model.AccessTokenScope
+	UserID            int64
+	Scope             auth_model.AccessTokenScope
+	ActionsUserTaskID int64
 }
 
 func CreateAuthorizationToken(u *user_model.User, packageScope auth_model.AccessTokenScope) (string, error) {
 	now := time.Now()
 
+	actionsUserTaskID, _ := user_model.GetActionsUserTaskID(u)
 	claims := packageClaims{
 		RegisteredClaims: jwt.RegisteredClaims{
 			ExpiresAt: jwt.NewNumericDate(now.Add(24 * time.Hour)),
 			NotBefore: jwt.NewNumericDate(now),
 		},
 		PackageMeta: PackageMeta{
-			UserID: u.ID,
-			Scope:  packageScope,
+			UserID:            u.ID,
+			Scope:             packageScope,
+			ActionsUserTaskID: actionsUserTaskID,
 		},
 	}
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)