conf: overhaul auth and user settings (#5942)

* conf: overhaul auth and user settings * ci: update travis Go versions
2020-02-27 18:06:38 +08:00 · 2020-02-27 18:06:38 +08:00 · 7950f2d17d
parent cf3d55fa10
commit 7950f2d17d
27 changed files with 242 additions and 200 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -1,8 +1,8 @@
 os: linux
 language: go
 go:
  - 1.12.x
  - 1.13.x
  - 1.14.x
 go_import_path: gogs.io/gogs
 env:
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -22,7 +22,13 @@ All notable changes to Gogs are documented in this file.
 - Configuration option `[server] LANDING_PAGE` is deprecated and will end support in 0.13.0, please start using `[server] LANDING_URL`.
 - Configuration option `[database] DB_TYPE` is deprecated and will end support in 0.13.0, please start using `[database] TYPE`.
 - Configuration option `[database] PASSWD` is deprecated and will end support in 0.13.0, please start using `[database] PASSWORD`.
 - Configuration option `[security] REVERSE_PROXY_AUTHENTICATION_USER` is deprecated and will end support in 0.13.0, please start using `[auth] REVERSE_PROXY_AUTHENTICATION_HEADER`.
 - Configuration section `[mailer]` is deprecated and will end support in 0.13.0, please start using `[email]`.
 - Configuration section `[service]` is deprecated and will end support in 0.13.0, please start using `[auth]`.
 - Configuration option `[auth] ACTIVE_CODE_LIVE_MINUTES` is deprecated and will end support in 0.13.0, please start using `[auth] ACTIVATE_CODE_LIVES`.
 - Configuration option `[auth] RESET_PASSWD_CODE_LIVE_MINUTES` is deprecated and will end support in 0.13.0, please start using `[auth] RESET_PASSWORD_CODE_LIVES`.
 - Configuration option `[auth] ENABLE_CAPTCHA` is deprecated and will end support in 0.13.0, please start using `[auth] ENABLE_REGISTRATION_CAPTCHA`.
 - Configuration option `[auth] ENABLE_NOTIFY_MAIL` is deprecated and will end support in 0.13.0, please start using `[user] ENABLE_EMAIL_NOTIFICATION`.
 ### Fixed
--- a/conf/app.ini
+++ b/conf/app.ini
@ -160,8 +160,6 @@ COOKIE_REMEMBER_NAME = gogs_incredible
 COOKIE_USERNAME = gogs_awesome
 ; Whether to set secure cookie.
 COOKIE_SECURE = false
 ; The HTTP header for reverse proxy authentication via username.
 REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
 ; Whether to set cookie to indicate user login status.
 ENABLE_LOGIN_STATUS_COOKIE = false
 ; The cookie name to store user login status.
@ -201,6 +199,32 @@ USE_PLAIN_TEXT = false
 ; It is used to support older mail clients and make spam filters happier.
 ADD_PLAIN_TEXT_ALT = false
 [auth]
 ; The valid duration of activate code in minutes.
 ACTIVATE_CODE_LIVES = 180
 ; The valid duration of reset password code in minutes.
 RESET_PASSWORD_CODE_LIVES = 180
 ; Whether to require email confirmation for adding new email addresses.
 ; Enable this option will also require user to confirm the email for registration.
 REQUIRE_EMAIL_CONFIRMATION = false
 ; Whether to disallow anonymous users visiting the site.
 REQUIRE_SIGNIN_VIEW = false
 ; Whether to disable self-registration. When disabled, accounts would have to be created by admins.
 DISABLE_REGISTRATION = false
 ; Whether to enable captcha validation for registration
 ENABLE_REGISTRATION_CAPTCHA = true
 ; Whether to enable reverse proxy authentication via HTTP header.
 ENABLE_REVERSE_PROXY_AUTHENTICATION = false
 ; Whether to automatically create new users for reverse proxy authentication.
 ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
 ; The HTTP header used as username for reverse proxy authentication.
 REVERSE_PROXY_AUTHENTICATION_HEADER = X-WEBAUTH-USER
 [user]
 ; Whether to enable email notifications for users.
 ENABLE_EMAIL_NOTIFICATION = false
 ; Attachment settings for releases
 [release.attachment]
 ; Whether attachments are enabled. Defaults to `true`
@ -239,23 +263,6 @@ ACCESS_CONTROL_ALLOW_ORIGIN =
 ; Disable regular (non-admin) users to create organizations
 DISABLE_REGULAR_ORG_CREATION = false
 [service]
 ACTIVE_CODE_LIVE_MINUTES = 180
 RESET_PASSWD_CODE_LIVE_MINUTES = 180
 ; User need to confirm e-mail for registration
 REGISTER_EMAIL_CONFIRM = false
 ; Does not allow register and admin create account only
 DISABLE_REGISTRATION = false
 ; User must sign in to view anything.
 REQUIRE_SIGNIN_VIEW = false
 ; Mail notification
 ENABLE_NOTIFY_MAIL = false
 ; More detail: https://github.com/gogits/gogs/issues/165
 ENABLE_REVERSE_PROXY_AUTHENTICATION = false
 ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
 ; Enable captcha validation for registration
 ENABLE_CAPTCHA = true
 [webhook]
 ; Types are enabled for users to use, can be "gogs", "slack", "discord", "dingtalk"
 TYPES = gogs, slack, discord, dingtalk
--- a/conf/locale/locale_en-US.ini
+++ b/conf/locale/locale_en-US.ini
@ -1253,21 +1253,25 @@ config.email.send_test_mail = Send test email
 config.email.test_mail_failed = Failed to send test email to '%s': %v
 config.email.test_mail_sent = Test email has been sent to '%s'.
 config.auth_config = Authentication configuration
 config.auth.activate_code_lives = Activate code lives
 config.auth.reset_password_code_lives = Reset password code lives
 config.auth.require_email_confirm = Require email confirmation
 config.auth.require_sign_in_view = Require sign in view
 config.auth.disable_registration = Disable registration
 config.auth.enable_registration_captcha = Enable registration captcha
 config.auth.enable_reverse_proxy_authentication = Enable reverse proxy authentication
 config.auth.enable_reverse_proxy_auto_registration = Enable reverse proxy auto registration
 config.auth.reverse_proxy_authentication_header = Reverse proxy authentication header
 config.user_config = User configuration
 config.user.enable_email_notify = Enable email notification
 config.log_file_root_path = Log File Root Path
 config.http_config = HTTP Configuration
 config.http_access_control_allow_origin = Access Control Allow Origin
 config.service_config = Service Configuration
 config.register_email_confirm = Require Email Confirmation
 config.disable_register = Disable Registration
 config.show_registration_button = Show Register Button
 config.require_sign_in_view = Require Sign In View
 config.mail_notify = Mail Notification
 config.disable_key_size_check = Disable Minimum Key Size Check
 config.enable_captcha = Enable Captcha
 config.active_code_lives = Active Code Lives
 config.reset_password_code_lives = Reset Password Code Lives
 config.webhook_config = Webhook Configuration
 config.queue_length = Queue Length
--- a/internal/assets/conf/conf_gen.go
+++ b/internal/assets/conf/conf_gen.go
--- a/internal/assets/templates/templates_gen.go
+++ b/internal/assets/templates/templates_gen.go
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@ -90,7 +90,7 @@ func SignedInUser(ctx *macaron.Context, sess session.Store) (_ *db.User, isBasic
 	uid, isTokenAuth := SignedInID(ctx, sess)
 	if uid <= 0 {
-		if conf.Service.EnableReverseProxyAuth {
+		if conf.Auth.EnableReverseProxyAuthentication {
 			webAuthUser := ctx.Req.Header.Get(conf.Security.ReverseProxyAuthenticationUser)
 			if len(webAuthUser) > 0 {
 				u, err := db.GetUserByName(webAuthUser)
@ -101,7 +101,7 @@ func SignedInUser(ctx *macaron.Context, sess session.Store) (_ *db.User, isBasic
 					}
 					// Check if enabled auto-registration.
-					if conf.Service.EnableReverseProxyAutoRegister {
+					if conf.Auth.EnableReverseProxyAutoRegistration {
 						u := &db.User{
 							Name:     webAuthUser,
 							Email:    gouuid.NewV4().String() + "@localhost",
--- a/internal/cmd/hook.go
+++ b/internal/cmd/hook.go
@ -23,8 +23,8 @@ import (
 	"gogs.io/gogs/internal/conf"
 	"gogs.io/gogs/internal/db"
 	"gogs.io/gogs/internal/db/errors"
 	"gogs.io/gogs/internal/httplib"
 	"gogs.io/gogs/internal/email"
 	"gogs.io/gogs/internal/httplib"
 	"gogs.io/gogs/internal/template"
 )
@ -198,7 +198,6 @@ func runHookPostReceive(c *cli.Context) error {
 	// Post-receive hook does more than just gather Git information,
 	// so we need to setup additional services for email notifications.
 	conf.NewPostReceiveHookServices()
 	email.NewContext()
 	isWiki := strings.Contains(os.Getenv(db.ENV_REPO_CUSTOM_HOOKS_PATH), ".wiki.git/")
--- a/internal/cmd/serv.go
+++ b/internal/cmd/serv.go
@ -220,12 +220,11 @@ func runServ(c *cli.Context) error {
 			}
 		}
 	} else {
 		conf.NewService()
 		// Check if the key can access to the repository in case of it is a deploy key (a deploy keys != user key).
-		// A deploy key doesn't represent a signed in user, so in a site with Service.RequireSignInView activated
+		// A deploy key doesn't represent a signed in user, so in a site with Auth.RequireSignInView enabled,
-		// we should give read access only in repositories where this deploy key is in use. In other case, a server
+		// we should give read access only in repositories where this deploy key is in use. In other cases,
-		// or system using an active deploy key can get read access to all the repositories in a Gogs service.
+		// a server or system using an active deploy key can get read access to all repositories on a Gogs instace.
-		if key.IsDeployKey() && conf.Service.RequireSignInView {
+		if key.IsDeployKey() && conf.Auth.RequireSigninView {
 			checkDeployKey(key, repo)
 		}
 	}
--- a/internal/cmd/web.go
+++ b/internal/cmd/web.go
@ -171,7 +171,7 @@ func runWeb(c *cli.Context) error {
 	m := newMacaron()
 	reqSignIn := context.Toggle(&context.ToggleOptions{SignInRequired: true})
-	ignSignIn := context.Toggle(&context.ToggleOptions{SignInRequired: conf.Service.RequireSignInView})
+	ignSignIn := context.Toggle(&context.ToggleOptions{SignInRequired: conf.Auth.RequireSigninView})
 	ignSignInAndCsrf := context.Toggle(&context.ToggleOptions{DisableCSRF: true})
 	reqSignOut := context.Toggle(&context.ToggleOptions{SignOutRequired: true})
--- a/internal/conf/conf.go
+++ b/internal/conf/conf.go
@ -61,6 +61,8 @@ var File *ini.File
 // It is safe to call this function multiple times with desired `customConf`, but it is
 // not concurrent safe.
 //
 // NOTE: The order of loading configuration sections matters as one may depend on another.
 //
 // ⚠️ WARNING: Do not print anything in this function other than wanrings.
 func Init(customConf string) error {
 	var err error
@ -232,6 +234,26 @@ func Init(customConf string) error {
 		Email.FromEmail = parsed.Address
 	}
 	// ***********************************
 	// ----- Authentication settings -----
 	// ***********************************
 	if err = File.Section("auth").MapTo(&Auth); err != nil {
 		return errors.Wrap(err, "mapping [auth] section")
 	}
 	// LEGACY [0.13]: In case there are values with old section name.
 	if err = File.Section("service").MapTo(&Auth); err != nil {
 		return errors.Wrap(err, "mapping [service] section")
 	}
 	// ***********************************
 	// ----- User settings -----
 	// ***********************************
 	if err = File.Section("user").MapTo(&User); err != nil {
 		return errors.Wrap(err, "mapping [user] section")
 	}
 	handleDeprecated()
 	// TODO
@ -659,31 +681,6 @@ func InitLogging() {
 	}
 }
 var Service struct {
 	ActiveCodeLives                int
 	ResetPwdCodeLives              int
 	RegisterEmailConfirm           bool
 	DisableRegistration            bool
 	ShowRegistrationButton         bool
 	RequireSignInView              bool
 	EnableNotifyMail               bool
 	EnableReverseProxyAuth         bool
 	EnableReverseProxyAutoRegister bool
 	EnableCaptcha                  bool
 }
 func newService() {
 	sec := File.Section("service")
 	Service.ActiveCodeLives = sec.Key("ACTIVE_CODE_LIVE_MINUTES").MustInt(180)
 	Service.ResetPwdCodeLives = sec.Key("RESET_PASSWD_CODE_LIVE_MINUTES").MustInt(180)
 	Service.DisableRegistration = sec.Key("DISABLE_REGISTRATION").MustBool()
 	Service.ShowRegistrationButton = sec.Key("SHOW_REGISTRATION_BUTTON").MustBool(!Service.DisableRegistration)
 	Service.RequireSignInView = sec.Key("REQUIRE_SIGNIN_VIEW").MustBool()
 	Service.EnableReverseProxyAuth = sec.Key("ENABLE_REVERSE_PROXY_AUTHENTICATION").MustBool()
 	Service.EnableReverseProxyAutoRegister = sec.Key("ENABLE_REVERSE_PROXY_AUTO_REGISTRATION").MustBool()
 	Service.EnableCaptcha = sec.Key("ENABLE_CAPTCHA").MustBool()
 }
 func newCacheService() {
 	CacheAdapter = File.Section("cache").Key("ADAPTER").In("memory", []string{"memory", "redis", "memcache"})
 	switch CacheAdapter {
@ -713,53 +710,11 @@ func newSessionService() {
 	log.Trace("Session service is enabled")
 }
 func newRegisterMailService() {
 	if !File.Section("service").Key("REGISTER_EMAIL_CONFIRM").MustBool() {
 		return
 	} else if !Email.Enabled {
 		log.Warn("Email confirmation is not enabled due to the mail service is not available")
 		return
 	}
 	Service.RegisterEmailConfirm = true
 	log.Trace("Email confirmation is enabled")
 }
 // newNotifyMailService initializes notification email service options from configuration.
 // No non-error log will be printed in hook mode.
 func newNotifyMailService() {
 	if !File.Section("service").Key("ENABLE_NOTIFY_MAIL").MustBool() {
 		return
 	} else if !Email.Enabled {
 		log.Warn("Email notification is not enabled due to the mail service is not available")
 		return
 	}
 	Service.EnableNotifyMail = true
 	if HookMode {
 		return
 	}
 	log.Trace("Email notification is enabled")
 }
 func NewService() {
 	newService()
 }
 func NewServices() {
 	newService()
 	newCacheService()
 	newSessionService()
 	newRegisterMailService()
 	newNotifyMailService()
 }
 // HookMode indicates whether program starts as Git server-side hook callback.
 // All operations should be done synchronously to prevent program exits before finishing.
 var HookMode bool
 // NewPostReceiveHookServices initializes all services that are needed by
 // Git server-side post-receive hook callback.
 func NewPostReceiveHookServices() {
 	HookMode = true
 	newService()
 	newNotifyMailService()
 }
--- a/internal/conf/static.go
+++ b/internal/conf/static.go
@ -148,9 +148,11 @@ var (
 		CookieRememberName      string
 		CookieUsername          string
 		CookieSecure            bool
 		ReverseProxyAuthenticationUser string
 		EnableLoginStatusCookie bool
 		LoginStatusCookieName   string
 		// Deprecated: Use Auth.ReverseProxyAuthenticationHeader instead, will be removed in 0.13.
 		ReverseProxyAuthenticationUser string
 	}
 	// Email settings
@ -179,6 +181,36 @@ var (
 		// Deprecated: Use Password instead, will be removed in 0.13.
 		Passwd string
 	}
 	// Authentication settings
 	Auth struct {
 		ActivateCodeLives         int
 		ResetPasswordCodeLives    int
 		RequireEmailConfirmation  bool
 		RequireSigninView         bool
 		DisableRegistration       bool
 		EnableRegistrationCaptcha bool
 		EnableReverseProxyAuthentication   bool
 		EnableReverseProxyAutoRegistration bool
 		ReverseProxyAuthenticationHeader   string
 		// Deprecated: Use ActivateCodeLives instead, will be removed in 0.13.
 		ActiveCodeLiveMinutes int
 		// Deprecated: Use ResetPasswordCodeLives instead, will be removed in 0.13.
 		ResetPasswdCodeLiveMinutes int
 		// Deprecated: Use RequireEmailConfirmation instead, will be removed in 0.13.
 		RegisterEmailConfirm bool
 		// Deprecated: Use EnableRegistrationCaptcha instead, will be removed in 0.13.
 		EnableCaptcha bool
 		// Deprecated: Use User.EnableEmailNotification instead, will be removed in 0.13.
 		EnableNotifyMail bool
 	}
 	// User settings
 	User struct {
 		EnableEmailNotification bool
 	}
 )
 // handleDeprecated transfers deprecated values to the new ones when set.
@ -210,4 +242,30 @@ func handleDeprecated() {
 		Email.Password = Email.Passwd
 		Email.Passwd = ""
 	}
 	if Auth.ActiveCodeLiveMinutes > 0 {
 		Auth.ActivateCodeLives = Auth.ActiveCodeLiveMinutes
 		Auth.ActiveCodeLiveMinutes = 0
 	}
 	if Auth.ResetPasswdCodeLiveMinutes > 0 {
 		Auth.ResetPasswordCodeLives = Auth.ResetPasswdCodeLiveMinutes
 		Auth.ResetPasswdCodeLiveMinutes = 0
 	}
 	if Auth.RegisterEmailConfirm {
 		Auth.RequireEmailConfirmation = true
 		Auth.RegisterEmailConfirm = false
 	}
 	if Auth.EnableCaptcha {
 		Auth.EnableRegistrationCaptcha = true
 		Auth.EnableCaptcha = false
 	}
 	if Security.ReverseProxyAuthenticationUser != "" {
 		Auth.ReverseProxyAuthenticationHeader = Security.ReverseProxyAuthenticationUser
 		Security.ReverseProxyAuthenticationUser = ""
 	}
 	if Auth.EnableNotifyMail {
 		User.EnableEmailNotification = true
 		Auth.EnableNotifyMail = false
 	}
 }
--- a/internal/context/auth.go
+++ b/internal/context/auth.go
@ -71,7 +71,7 @@ func Toggle(options *ToggleOptions) macaron.Handler {
 				c.SetCookie("redirect_to", url.QueryEscape(conf.Server.Subpath+c.Req.RequestURI), 0, conf.Server.Subpath)
 				c.Redirect(conf.Server.Subpath + "/user/login")
 				return
-			} else if !c.User.IsActive && conf.Service.RegisterEmailConfirm {
+			} else if !c.User.IsActive && conf.Auth.RequireEmailConfirmation {
 				c.Data["Title"] = c.Tr("auth.active_your_account")
 				c.HTML(200, "user/auth/activate")
 				return
--- a/internal/context/context.go
+++ b/internal/context/context.go
@ -323,7 +323,7 @@ func Contexter() macaron.Handler {
 		log.Trace("Session ID: %s", sess.ID())
 		log.Trace("CSRF Token: %v", c.Data["CSRFToken"])
-		c.Data["ShowRegistrationButton"] = conf.Service.ShowRegistrationButton
+		c.Data["ShowRegistrationButton"] = !conf.Auth.DisableRegistration
 		c.Data["ShowFooterBranding"] = conf.ShowFooterBranding
 		c.renderNoticeBanner()
--- a/internal/db/issue_mail.go
+++ b/internal/db/issue_mail.go
@ -10,9 +10,9 @@ import (
 	"github.com/unknwon/com"
 	log "unknwon.dev/clog/v2"
 	"gogs.io/gogs/internal/conf"
 	"gogs.io/gogs/internal/email"
 	"gogs.io/gogs/internal/markup"
 	"gogs.io/gogs/internal/conf"
 )
 func (issue *Issue) MailSubject() string {
@ -95,7 +95,7 @@ func NewMailerIssue(issue *Issue) email.Issue {
 // 1. Repository watchers, users who participated in comments and the assignee.
 // 2. Users who are not in 1. but get mentioned in current issue/comment.
 func mailIssueCommentToParticipants(issue *Issue, doer *User, mentions []string) error {
-	if !conf.Service.EnableNotifyMail {
+	if !conf.User.EnableEmailNotification {
 		return nil
 	}
--- a/internal/db/user.go
+++ b/internal/db/user.go
@ -202,7 +202,7 @@ func (u *User) HTMLURL() string {
 func (u *User) GenerateEmailActivateCode(email string) string {
 	code := tool.CreateTimeLimitCode(
 		com.ToStr(u.ID)+email+u.LowerName+u.Passwd+u.Rands,
-		conf.Service.ActiveCodeLives, nil)
+		conf.Auth.ActivateCodeLives, nil)
 	// Add tail hex username
 	code += hex.EncodeToString([]byte(u.LowerName))
@ -617,7 +617,7 @@ func parseUserFromCode(code string) (user *User) {
 // verify active code when active account
 func VerifyUserActiveCode(code string) (user *User) {
-	minutes := conf.Service.ActiveCodeLives
+	minutes := conf.Auth.ActivateCodeLives
 	if user = parseUserFromCode(code); user != nil {
 		// time limit code
@ -633,7 +633,7 @@ func VerifyUserActiveCode(code string) (user *User) {
 // verify active code when active account
 func VerifyActiveEmailCode(code, email string) *EmailAddress {
-	minutes := conf.Service.ActiveCodeLives
+	minutes := conf.Auth.ActivateCodeLives
 	if user := parseUserFromCode(code); user != nil {
 		// time limit code
--- a/internal/email/email.go
+++ b/internal/email/email.go
@ -105,8 +105,8 @@ type Issue interface {
 func SendUserMail(c *macaron.Context, u User, tpl, code, subject, info string) {
 	data := map[string]interface{}{
 		"Username":          u.DisplayName(),
-		"ActiveCodeLives":   conf.Service.ActiveCodeLives / 60,
+		"ActiveCodeLives":   conf.Auth.ActivateCodeLives / 60,
-		"ResetPwdCodeLives": conf.Service.ResetPwdCodeLives / 60,
+		"ResetPwdCodeLives": conf.Auth.ResetPasswordCodeLives / 60,
 		"Code":              code,
 	}
 	body, err := render(tpl, data)
@ -133,7 +133,7 @@ func SendResetPasswordMail(c *macaron.Context, u User) {
 func SendActivateEmailMail(c *macaron.Context, u User, email string) {
 	data := map[string]interface{}{
 		"Username":        u.DisplayName(),
-		"ActiveCodeLives": conf.Service.ActiveCodeLives / 60,
+		"ActiveCodeLives": conf.Auth.ActivateCodeLives / 60,
 		"Code":            u.GenerateEmailActivateCode(email),
 		"Email":           email,
 	}
--- a/internal/route/admin/admin.go
+++ b/internal/route/admin/admin.go
@ -203,12 +203,13 @@ func Config(c *context.Context) {
 	c.Data["Database"] = conf.Database
 	c.Data["Security"] = conf.Security
 	c.Data["Email"] = conf.Email
 	c.Data["Auth"] = conf.Auth
 	c.Data["User"] = conf.User
 	c.Data["LogRootPath"] = conf.LogRootPath
 	c.Data["HTTP"] = conf.HTTP
 	c.Data["Service"] = conf.Service
 	c.Data["Webhook"] = conf.Webhook
 	c.Data["CacheAdapter"] = conf.CacheAdapter
--- a/internal/route/api/v1/user/email.go
+++ b/internal/route/api/v1/user/email.go
@ -10,9 +10,9 @@ import (
 	api "github.com/gogs/go-gogs-client"
 	"gogs.io/gogs/internal/conf"
 	"gogs.io/gogs/internal/context"
 	"gogs.io/gogs/internal/db"
 	"gogs.io/gogs/internal/conf"
 )
 func ListEmails(c *context.APIContext) {
@ -39,7 +39,7 @@ func AddEmail(c *context.APIContext, form api.CreateEmailOption) {
 		emails[i] = &db.EmailAddress{
 			UID:         c.User.ID,
 			Email:       form.Emails[i],
-			IsActivated: !conf.Service.RegisterEmailConfirm,
+			IsActivated: !conf.Auth.RequireEmailConfirmation,
 		}
 	}
--- a/internal/route/dev/template.go
+++ b/internal/route/dev/template.go
@ -16,8 +16,8 @@ func TemplatePreview(c *context.Context) {
 	c.Data["AppVersion"] = conf.App.Version
 	c.Data["AppURL"] = conf.Server.ExternalURL
 	c.Data["Code"] = "2014031910370000009fff6782aadb2162b4a997acb69d4400888e0b9274657374"
-	c.Data["ActiveCodeLives"] = conf.Service.ActiveCodeLives / 60
+	c.Data["ActiveCodeLives"] = conf.Auth.ActivateCodeLives / 60
-	c.Data["ResetPwdCodeLives"] = conf.Service.ResetPwdCodeLives / 60
+	c.Data["ResetPwdCodeLives"] = conf.Auth.ResetPasswordCodeLives / 60
 	c.Data["CurDbValue"] = ""
 	c.HTML(200, (c.Params("*")))
--- a/internal/route/home.go
+++ b/internal/route/home.go
@ -22,7 +22,7 @@ const (
 func Home(c *context.Context) {
 	if c.IsLogged {
-		if !c.User.IsActive && conf.Service.RegisterEmailConfirm {
+		if !c.User.IsActive && conf.Auth.RequireEmailConfirmation {
 			c.Data["Title"] = c.Tr("auth.active_your_account")
 			c.Success(user2.ACTIVATE)
 		} else {
--- a/internal/route/install.go
+++ b/internal/route/install.go
@ -180,16 +180,16 @@ func Install(c *context.Context) {
 		f.SMTPFrom = conf.Email.From
 		f.SMTPUser = conf.Email.User
 	}
-	f.RegisterConfirm = conf.Service.RegisterEmailConfirm
+	f.RegisterConfirm = conf.Auth.RequireEmailConfirmation
-	f.MailNotify = conf.Service.EnableNotifyMail
+	f.MailNotify = conf.User.EnableEmailNotification
 	// Server and other services settings
 	f.OfflineMode = conf.Server.OfflineMode
 	f.DisableGravatar = conf.DisableGravatar
 	f.EnableFederatedAvatar = conf.EnableFederatedAvatar
-	f.DisableRegistration = conf.Service.DisableRegistration
+	f.DisableRegistration = conf.Auth.DisableRegistration
-	f.EnableCaptcha = conf.Service.EnableCaptcha
+	f.EnableCaptcha = conf.Auth.EnableRegistrationCaptcha
-	f.RequireSignInView = conf.Service.RequireSignInView
+	f.RequireSignInView = conf.Auth.RequireSigninView
 	form.Assign(f, c.Data)
 	c.Success(INSTALL)
--- a/internal/route/repo/http.go
+++ b/internal/route/repo/http.go
@ -77,7 +77,7 @@ func HTTPContexter() macaron.Handler {
 		}
 		// Authentication is not required for pulling from public repositories.
-		if isPull && !repo.IsPrivate && !conf.Service.RequireSignInView {
+		if isPull && !repo.IsPrivate && !conf.Auth.RequireSigninView {
 			c.Map(&HTTPContext{
 				Context: c,
 			})
--- a/internal/route/repo/setting.go
+++ b/internal/route/repo/setting.go
@ -18,8 +18,8 @@ import (
 	"gogs.io/gogs/internal/context"
 	"gogs.io/gogs/internal/db"
 	"gogs.io/gogs/internal/db/errors"
 	"gogs.io/gogs/internal/form"
 	"gogs.io/gogs/internal/email"
 	"gogs.io/gogs/internal/form"
 	"gogs.io/gogs/internal/tool"
 )
@ -398,7 +398,7 @@ func SettingsCollaborationPost(c *context.Context) {
 		return
 	}
-	if conf.Service.EnableNotifyMail {
+	if conf.User.EnableEmailNotification {
 		email.SendCollaboratorMail(db.NewMailerUser(u), db.NewMailerUser(c.User), db.NewMailerRepo(c.Repo.Repository))
 	}
--- a/internal/route/user/auth.go
+++ b/internal/route/user/auth.go
@ -292,9 +292,9 @@ func SignOut(c *context.Context) {
 func SignUp(c *context.Context) {
 	c.Title("sign_up")
-	c.Data["EnableCaptcha"] = conf.Service.EnableCaptcha
+	c.Data["EnableCaptcha"] = conf.Auth.EnableRegistrationCaptcha
-	if conf.Service.DisableRegistration {
+	if conf.Auth.DisableRegistration {
 		c.Data["DisableRegistration"] = true
 		c.Success(SIGNUP)
 		return
@ -306,9 +306,9 @@ func SignUp(c *context.Context) {
 func SignUpPost(c *context.Context, cpt *captcha.Captcha, f form.Register) {
 	c.Title("sign_up")
-	c.Data["EnableCaptcha"] = conf.Service.EnableCaptcha
+	c.Data["EnableCaptcha"] = conf.Auth.EnableRegistrationCaptcha
-	if conf.Service.DisableRegistration {
+	if conf.Auth.DisableRegistration {
 		c.Status(403)
 		return
 	}
@ -318,7 +318,7 @@ func SignUpPost(c *context.Context, cpt *captcha.Captcha, f form.Register) {
 		return
 	}
-	if conf.Service.EnableCaptcha && !cpt.VerifyReq(c.Req) {
+	if conf.Auth.EnableRegistrationCaptcha && !cpt.VerifyReq(c.Req) {
 		c.FormErr("Captcha")
 		c.RenderWithErr(c.Tr("form.captcha_incorrect"), SIGNUP, &f)
 		return
@ -334,7 +334,7 @@ func SignUpPost(c *context.Context, cpt *captcha.Captcha, f form.Register) {
 		Name:     f.UserName,
 		Email:    f.Email,
 		Passwd:   f.Password,
-		IsActive: !conf.Service.RegisterEmailConfirm,
+		IsActive: !conf.Auth.RequireEmailConfirmation,
 	}
 	if err := db.CreateUser(u); err != nil {
 		switch {
@ -368,11 +368,11 @@ func SignUpPost(c *context.Context, cpt *captcha.Captcha, f form.Register) {
 	}
 	// Send confirmation email, no need for social account.
-	if conf.Service.RegisterEmailConfirm && u.ID > 1 {
+	if conf.Auth.RegisterEmailConfirm && u.ID > 1 {
 		email.SendActivateAccountMail(c.Context, db.NewMailerUser(u))
 		c.Data["IsSendRegisterMail"] = true
 		c.Data["Email"] = u.Email
-		c.Data["Hours"] = conf.Service.ActiveCodeLives / 60
+		c.Data["Hours"] = conf.Auth.ActivateCodeLives / 60
 		c.Success(ACTIVATE)
 		if err := c.Cache.Put(u.MailResendCacheKey(), 1, 180); err != nil {
@ -393,11 +393,11 @@ func Activate(c *context.Context) {
 			return
 		}
 		// Resend confirmation email.
-		if conf.Service.RegisterEmailConfirm {
+		if conf.Auth.RequireEmailConfirmation {
 			if c.Cache.IsExist(c.User.MailResendCacheKey()) {
 				c.Data["ResendLimited"] = true
 			} else {
-				c.Data["Hours"] = conf.Service.ActiveCodeLives / 60
+				c.Data["Hours"] = conf.Auth.ActivateCodeLives / 60
 				email.SendActivateAccountMail(c.Context, db.NewMailerUser(c.User))
 				if err := c.Cache.Put(c.User.MailResendCacheKey(), 1, 180); err != nil {
@ -482,7 +482,7 @@ func ForgotPasswdPost(c *context.Context) {
 	u, err := db.GetUserByEmail(emailAddr)
 	if err != nil {
 		if errors.IsUserNotExist(err) {
-			c.Data["Hours"] = conf.Service.ActiveCodeLives / 60
+			c.Data["Hours"] = conf.Auth.ActivateCodeLives / 60
 			c.Data["IsResetSent"] = true
 			c.Success(FORGOT_PASSWORD)
 			return
@ -509,7 +509,7 @@ func ForgotPasswdPost(c *context.Context) {
 		log.Error("Failed to put cache key 'mail resend': %v", err)
 	}
-	c.Data["Hours"] = conf.Service.ActiveCodeLives / 60
+	c.Data["Hours"] = conf.Auth.ActivateCodeLives / 60
 	c.Data["IsResetSent"] = true
 	c.Success(FORGOT_PASSWORD)
 }
--- a/internal/route/user/setting.go
+++ b/internal/route/user/setting.go
@ -262,7 +262,7 @@ func SettingsEmailPost(c *context.Context, f form.AddEmail) {
 	emailAddr := &db.EmailAddress{
 		UID:         c.User.ID,
 		Email:       f.Email,
-		IsActivated: !conf.Service.RegisterEmailConfirm,
+		IsActivated: !conf.Auth.RequireEmailConfirmation,
 	}
 	if err := db.AddEmailAddress(emailAddr); err != nil {
 		if db.IsErrEmailAlreadyUsed(err) {
@ -274,13 +274,13 @@ func SettingsEmailPost(c *context.Context, f form.AddEmail) {
 	}
 	// Send confirmation email
-	if conf.Service.RegisterEmailConfirm {
+	if conf.Auth.RequireEmailConfirmation {
 		email.SendActivateEmailMail(c.Context, db.NewMailerUser(c.User), emailAddr.Email)
 		if err := c.Cache.Put("MailResendLimit_"+c.User.LowerName, c.User.LowerName, 180); err != nil {
 			log.Error("Set cache 'MailResendLimit' failed: %v", err)
 		}
-		c.Flash.Info(c.Tr("settings.add_email_confirmation_sent", emailAddr.Email, conf.Service.ActiveCodeLives/60))
+		c.Flash.Info(c.Tr("settings.add_email_confirmation_sent", emailAddr.Email, conf.Auth.ActivateCodeLives/60))
 	} else {
 		c.Flash.Success(c.Tr("settings.add_email_success"))
 	}
--- a/templates/admin/config.tmpl
+++ b/templates/admin/config.tmpl
@ -194,8 +194,6 @@
 						<dd>{{.Security.CookieUsername}}</dd>
 						<dt>{{.i18n.Tr "admin.config.security.cookie_secure"}}</dt>
 						<dd><i class="fa fa{{if .Security.CookieSecure}}-check{{end}}-square-o"></i></dd>
 						<dt>{{.i18n.Tr "admin.config.security.reverse_proxy_auth_user"}}</dt>
 						<dd>{{.Security.ReverseProxyAuthenticationUser}}</dd>
 						<dt>{{.i18n.Tr "admin.config.security.enable_login_status_cookie"}}</dt>
 						<dd><i class="fa fa{{if .Security.EnableLoginStatusCookie}}-check{{end}}-square-o"></i></dd>
 						<dt>{{.i18n.Tr "admin.config.security.login_status_cookie_name"}}</dt>
@ -261,6 +259,48 @@
 					</dl>
 				</div>
 				{{/* Authentication settings */}}
 				<h4 class="ui top attached header">
 					{{.i18n.Tr "admin.config.auth_config"}}
 				</h4>
 				<div class="ui attached table segment">
 					<dl class="dl-horizontal admin-dl-horizontal">
 						<dt>{{.i18n.Tr "admin.config.auth.activate_code_lives"}}</dt>
 						<dd>{{.Auth.ActivateCodeLives}} {{.i18n.Tr "tool.raw_minutes"}}</dd>
 						<dt>{{.i18n.Tr "admin.config.auth.reset_password_code_lives"}}</dt>
 						<dd>{{.Auth.ResetPasswordCodeLives}} {{.i18n.Tr "tool.raw_minutes"}}</dd>
 						<dt>{{.i18n.Tr "admin.config.auth.require_email_confirm"}}</dt>
 						<dd><i class="fa fa{{if .Auth.RequireEmailConfirmation}}-check{{end}}-square-o"></i></dd>
 						<dt>{{.i18n.Tr "admin.config.auth.require_sign_in_view"}}</dt>
 						<dd><i class="fa fa{{if .Auth.RequireSigninView}}-check{{end}}-square-o"></i></dd>
 						<dt>{{.i18n.Tr "admin.config.auth.disable_registration"}}</dt>
 						<dd><i class="fa fa{{if .Auth.DisableRegistration}}-check{{end}}-square-o"></i></dd>
 						<dt>{{.i18n.Tr "admin.config.auth.enable_registration_captcha"}}</dt>
 						<dd><i class="fa fa{{if .Auth.EnableRegistrationCaptcha}}-check{{end}}-square-o"></i></dd>
 						<div class="ui divider"></div>
 						<dt>{{.i18n.Tr "admin.config.auth.enable_reverse_proxy_authentication"}}</dt>
 						<dd><i class="fa fa{{if .Auth.EnableReverseProxyAuthentication}}-check{{end}}-square-o"></i></dd>
 						<dt>{{.i18n.Tr "admin.config.auth.enable_reverse_proxy_auto_registration"}}</dt>
 						<dd><i class="fa fa{{if .Auth.EnableReverseProxyAutoRegistration}}-check{{end}}-square-o"></i></dd>
 						<dt>{{.i18n.Tr "admin.config.auth.reverse_proxy_authentication_header"}}</dt>
 						<dd><code>{{.Auth.ReverseProxyAuthenticationHeader}}</code></dd>
 					</dl>
 				</div>
 				{{/* User settings */}}
 				<h4 class="ui top attached header">
 					{{.i18n.Tr "admin.config.user_config"}}
 				</h4>
 				<div class="ui attached table segment">
 					<dl class="dl-horizontal admin-dl-horizontal">
 						<dt>{{.i18n.Tr "admin.config.user.enable_email_notify"}}</dt>
 						<dd><i class="fa fa{{if .User.EnableEmailNotification}}-check{{end}}-square-o"></i></dd>
 					</dl>
 				</div>
 				<!-- HTTP Configuration -->
 				<h4 class="ui top attached header">
 					{{.i18n.Tr "admin.config.http_config"}}
@ -278,33 +318,6 @@
 					</dl>
 				</div>
 				<h4 class="ui top attached header">
 					{{.i18n.Tr "admin.config.service_config"}}
 				</h4>
 				<div class="ui attached table segment">
 					<dl class="dl-horizontal admin-dl-horizontal">
 						<dt>{{.i18n.Tr "admin.config.register_email_confirm"}}</dt>
 						<dd><i class="fa fa{{if .Service.RegisterEmailConfirm}}-check{{end}}-square-o"></i></dd>
 						<dt>{{.i18n.Tr "admin.config.disable_register"}}</dt>
 						<dd><i class="fa fa{{if .Service.DisableRegistration}}-check{{end}}-square-o"></i></dd>
 						<dt>{{.i18n.Tr "admin.config.show_registration_button"}}</dt>
 						<dd><i class="fa fa{{if .Service.ShowRegistrationButton}}-check{{end}}-square-o"></i></dd>
 						<dt>{{.i18n.Tr "admin.config.require_sign_in_view"}}</dt>
 						<dd><i class="fa fa{{if .Service.RequireSignInView}}-check{{end}}-square-o"></i></dd>
 						<dt>{{.i18n.Tr "admin.config.mail_notify"}}</dt>
 						<dd><i class="fa fa{{if .Service.EnableNotifyMail}}-check{{end}}-square-o"></i></dd>
 						{{/*<dt>{{.i18n.Tr "admin.config.disable_key_size_check"}}</dt>
 						<dd><i class="fa fa{{if .Service.DisableMinimumKeySizeCheck}}-check{{end}}-square-o"></i></dd>*/}}
 						<dt>{{.i18n.Tr "admin.config.enable_captcha"}}</dt>
 						<dd><i class="fa fa{{if .Service.EnableCaptcha}}-check{{end}}-square-o"></i></dd>
 						<div class="ui divider"></div>
 						<dt>{{.i18n.Tr "admin.config.active_code_lives"}}</dt>
 						<dd>{{.Service.ActiveCodeLives}} {{.i18n.Tr "tool.raw_minutes"}}</dd>
 						<dt>{{.i18n.Tr "admin.config.reset_password_code_lives"}}</dt>
 						<dd>{{.Service.ResetPwdCodeLives}} {{.i18n.Tr "tool.raw_minutes"}}</dd>
 					</dl>
 				</div>
 				<h4 class="ui top attached header">
 					{{.i18n.Tr "admin.config.webhook_config"}}
 				</h4>