[v12.0/forgejo] fix: consistently enforce 2FA on OpenID 2.0 (#9097)

**Backport:** https://codeberg.org/forgejo/forgejo/pulls/9073  ## Release notes  - Security bug fixes - [PR](https://codeberg.org/forgejo/forgejo/pulls/9073): consistently enforce 2FA on OpenID 2.0  Co-authored-by: Gusted <postmaster@gusted.xyz> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9097 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org> Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
2025-10-05 19:30:58 +00:00 · 2025-08-30 18:45:00 +02:00 · 2025-08-30 18:45:00 +02:00 · 192018324f
commit 192018324f
parent 48505123c7
6 changed files with 79 additions and 16 deletions
--- a/models/user/openid.go
+++ b/models/user/openid.go
@ -40,8 +40,8 @@ func GetUserOpenIDs(ctx context.Context, uid int64) ([]*UserOpenID, error) {
 	return openids, nil
 }

-// isOpenIDUsed returns true if the openid has been used.
-func isOpenIDUsed(ctx context.Context, uri string) (bool, error) {
+// IsOpenIDUsed returns true if the openid has been used.
+func IsOpenIDUsed(ctx context.Context, uri string) (bool, error) {
 	if len(uri) == 0 {
 		return true, nil
 	}
@ -71,7 +71,7 @@ func (err ErrOpenIDAlreadyUsed) Unwrap() error {
 // AddUserOpenID adds an pre-verified/normalized OpenID URI to given user.
 // NOTE: make sure openid.URI is normalized already
 func AddUserOpenID(ctx context.Context, openid *UserOpenID) error {
-	used, err := isOpenIDUsed(ctx, openid.URI)
+	used, err := IsOpenIDUsed(ctx, openid.URI)
 	if err != nil {
 		return err
 	} else if used {