Respond with a 401 on git push when password isn't changed yet

Fixes #19090 If the user-agent starts with git and user must change password but hasn't return a 401 with the message. It must be a 401, git doesn't seem to show the contents of the error message when we return a 403
go-gitea · zeripath · Jun 19, 2022 · Jun 18, 2022 · Jun 19, 2022 · Jun 19, 2022
commit 4587b1d3f6ae7d7ca92db2b882d2ef31a6776361
diff --git a/modules/context/auth.go b/modules/context/auth.go
@@ -7,6 +7,7 @@ package context
 
 import (
 	"net/http"
+	"strings"
 
 	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/modules/log"
@@ -41,6 +42,10 @@ func Toggle(options *ToggleOptions) func(ctx *Context) {
 
 			if ctx.Doer.MustChangePassword {
 				if ctx.Req.URL.Path != "/user/settings/change_password" {
+					if strings.HasPrefix(ctx.Req.UserAgent(), "git") {
+						ctx.Error(http.StatusUnauthorized, ctx.Tr("auth.must_change_password"))
+						return
+					}
 					ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
 					ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
 					if ctx.Req.URL.Path != "/user/events" {