2026-02-19 22:26:45 +00:00
6 changed files with 78 additions and 12 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,12 @@
 # 5.5.0 (2026-02-19)
 ## New features
 - Forgejo authentication sources now generate incoming labels that are unique
  to the user and the Forgejo instance. This keeps incoming areas of users on
  different Forgejo instances separate, even if the user names are identical.
 # 5.4.0 (2026-02-02)
 ## New features
--- a/README.md
+++ b/README.md
@ -292,6 +292,10 @@ collections:
        # is `user`, the incoming label will be 
        # `forgejo-user-<user-login>`
        label_type: team
        # An optional instance id. This is used to disambiguate identical
        # user IDs on different Forgejo instances. If not set, a hash of
        # `url` will be used instead.
        instance_id: forgejo-server-1
        # An optional repository. The token will only be authorized
        # if the team has access to the repository. Note: if `repository`
        # is set, the token must have at least repository read
--- a/dump_things_service/about.py
+++ b/dump_things_service/about.py
@ -1 +1 @@
-__version__ = '5.4.0'
+__version__ = '5.5.0'
--- a/dump_things_service/auth/forgejo.py
+++ b/dump_things_service/auth/forgejo.py
@ -9,6 +9,7 @@ will emit a complete repository-record including the complete owner-record.
 """
 from __future__ import annotations
 import hashlib
 import logging
 import time
 from functools import wraps
@ -74,6 +75,7 @@ class ForgejoAuthenticationSource(AuthenticationSource, MethodCache):
        organization: str,
        team: str,
        label_type: str,
        instance_id: str | None = None,
        repository: str | None = None,
    ):
        """
@ -90,6 +92,8 @@ class ForgejoAuthenticationSource(AuthenticationSource, MethodCache):
        :param team:  The name of the team
        :param label_type:  'team' or 'user', determines how the incoming label
            is created.
        :param instance_id: Optional instance ID. If present, will be used to
            disambig
        :param repository:  Optional repository. If this is provided, access
            will only be granted if the team has access to the repository.
        """
@ -98,6 +102,7 @@ class ForgejoAuthenticationSource(AuthenticationSource, MethodCache):
        self.organization = organization
        self.team = team
        self.label_type = label_type
        self.instance_id = instance_id
        self.repository = repository
    def _get_json_from_endpoint(
@ -210,6 +215,11 @@ class ForgejoAuthenticationSource(AuthenticationSource, MethodCache):
            )
        return permissions
    def _instance_label(self) -> str:
        return self.instance_id or hashlib.md5(
            self.api_url.encode()
        ).hexdigest()
    @MethodCache.cache_temporary(duration=60)
    def authenticate(
        self,
@ -272,7 +282,7 @@ class ForgejoAuthenticationSource(AuthenticationSource, MethodCache):
            ),
            user_id=user_info['email'],
            incoming_label=
-                f'forgejo-team-{organization["name"]}-{team["name"]}'
+                f'forgejo-{self._instance_label()}-team-{organization["name"]}-{team["name"]}'
                if self.label_type == 'team'
-                else f'forgejo-user-{user_info["login"]}',
+                else f'forgejo-{self._instance_label()}-user-{user_info["login"]}',
        )
--- a/dump_things_service/config.py
+++ b/dump_things_service/config.py
@ -121,6 +121,7 @@ class ForgejoAuthConfig(StrictModel):
    organization: str
    team: str
    label_type: Literal['team', 'user']
    instance_id: str | None = None
    repository: str | None = None
--- a/dump_things_service/tests/test_auth.py
+++ b/dump_things_service/tests/test_auth.py
@ -42,12 +42,14 @@ team_1 = json.loads(team_template.format(id=1, action='none'))
 team_2 = json.loads(team_template.format(id=2, action='none'))
 team_3 = json.loads(team_template.format(id=3, action='write'))
 def setup_http_server(http_server) -> None:
-    http_server.expect_request('/api/v1/user').respond_with_json(user_1)
+    for instance in ('1', '2'):
-    http_server.expect_request('/api/v1/user/teams').respond_with_json([team_1, team_3])
+        http_server.expect_request(f'/api/v{instance}/user').respond_with_json(user_1)
-    http_server.expect_request('/api/v1/orgs/org_1').respond_with_json(org_1)
+        http_server.expect_request(f'/api/v{instance}/user/teams').respond_with_json([team_1, team_3])
-    http_server.expect_request('/api/v1/orgs/org_1/teams').respond_with_json([team_1, team_2, team_3])
+        http_server.expect_request(f'/api/v{instance}/orgs/org_1').respond_with_json(org_1)
-    http_server.expect_request('/api/v1/repos/org_1/repo_1/teams').respond_with_json([team_1, team_2, team_3])
+        http_server.expect_request(f'/api/v{instance}/orgs/org_1/teams').respond_with_json([team_1, team_2, team_3])
        http_server.expect_request(f'/api/v{instance}/repos/org_1/repo_1/teams').respond_with_json([team_1, team_2, team_3])
@pytest.mark.parametrize('repository', ['repo_1', None])
@ -61,13 +63,14 @@ def test_forgejo_auth_team(httpserver, label_type, repository):
        team='team_1',
        label_type=label_type,
        repository=repository,
        instance_id='inst_1',
    )
    r = forgejo_auth_source.authenticate(token='something')
    if label_type == 'team':
-        assert r.incoming_label == 'forgejo-team-org_1-team_1'
+        assert r.incoming_label == 'forgejo-inst_1-team-org_1-team_1'
    else:
-        assert r.incoming_label == 'forgejo-user-user_1'
+        assert r.incoming_label == 'forgejo-inst_1-user-user_1'
    assert r.token_permission == TokenPermission(
        curated_read=True,
        incoming_read=True,
@ -86,14 +89,15 @@ def test_forgejo_auth_curator(httpserver, label_type, repository):
        organization='org_1',
        team='team_3',
        label_type=label_type,
        instance_id='inst_1',
        repository=repository,
    )
    r = forgejo_auth_source.authenticate(token='something')
    if label_type == 'team':
-        assert r.incoming_label == 'forgejo-team-org_1-team_3'
+        assert r.incoming_label == 'forgejo-inst_1-team-org_1-team_3'
    else:
-        assert r.incoming_label == 'forgejo-user-user_1'
+        assert r.incoming_label == 'forgejo-inst_1-user-user_1'
    assert r.token_permission == TokenPermission(
        curated_read=True,
        incoming_read=True,
@ -102,3 +106,41 @@ def test_forgejo_auth_curator(httpserver, label_type, repository):
        zones_access=True,
    )
    assert r.user_id == 'user_1@example.com'
@pytest.mark.parametrize('label_type', ['user', 'team'])
 def test_forgejo_disambiguate(httpserver, label_type):
    setup_http_server(httpserver)
    forgejo_authentication_results = [
        ForgejoAuthenticationSource(
            api_url=httpserver.url_for(f'/api/v{instance}'),
            organization='org_1',
            team='team_1',
            label_type=label_type,
        ).authenticate(token='something')
        for instance in ('1', '2')
    ]
    assert (
        forgejo_authentication_results[0].incoming_label
        != forgejo_authentication_results[1].incoming_label
    )
    forgejo_authentication_results = [
        ForgejoAuthenticationSource(
            api_url=httpserver.url_for(f'/api/v{instance}'),
            organization='org_1',
            team='team_1',
            label_type=label_type,
            instance_id=f'instance_{instance}',
        ).authenticate(token='something')
        for instance in ('1', '2')
    ]
    assert (
        forgejo_authentication_results[0].incoming_label
        != forgejo_authentication_results[1].incoming_label
    )
    assert 'instance_1' in forgejo_authentication_results[0].incoming_label
    assert 'instance_2' in forgejo_authentication_results[1].incoming_label