From 2ef95ab66b3e38e530e3e86543b6764337f7031b Mon Sep 17 00:00:00 2001
From: Josh <josh@macawls.dev>
Date: Fri, 9 Jan 2026 00:44:35 +0200
Subject: [PATCH] fix: resolve Woodpecker-Forgejo OAuth integration issues

- Enable Forgejo registration for OAuth users (DISABLE_REGISTRATION=false)
- Use public URL for Woodpecker OAuth redirects instead of internal hostname
- Add WOODPECKER_OPEN=true to allow new user registrations
- Bcrypt hash OAuth client secret before storing in database

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 files/cloud-init/ops.yml            | 6 +++++-
 files/stacks/docker-compose.ops.yml | 5 +++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/files/cloud-init/ops.yml b/files/cloud-init/ops.yml
index ff354ca..f16c08a 100644
--- a/files/cloud-init/ops.yml
+++ b/files/cloud-init/ops.yml
@@ -9,6 +9,8 @@ packages:
   - git
   - curl
   - sqlite3
+  - python3
+  - python3-bcrypt
 
 users:
   - name: deploy
@@ -63,12 +65,14 @@ write_files:
 
       sleep 10
 
+      HASHED_SECRET=$$(python3 -c "import bcrypt; print(bcrypt.hashpw(b'$$WOODPECKER_FORGEJO_SECRET', bcrypt.gensalt()).decode())")
+
       sqlite3 "$$DB" <<EOF
       INSERT OR IGNORE INTO login_source (type, name, is_active, is_sync_enabled, cfg, created_unix, updated_unix)
       VALUES (6, 'GitHub', 1, 0, '{"Provider":"github","ClientID":"$$GITHUB_CLIENT_ID","ClientSecret":"$$GITHUB_CLIENT_SECRET","OpenIDConnectAutoDiscoveryURL":"","CustomURLMapping":null,"IconURL":"","Scopes":["read:user","user:email"],"RequiredClaimName":"","RequiredClaimValue":"","GroupClaimName":"","AdminGroup":"","RestrictedGroup":"","GroupTeamMap":"","GroupTeamMapRemoval":false}', strftime('%s','now'), strftime('%s','now'));
 
       INSERT OR IGNORE INTO oauth2_application (uid, name, client_id, client_secret, confidential_client, redirect_uris, created_unix, updated_unix)
-      VALUES (0, 'Woodpecker CI', '$$WOODPECKER_FORGEJO_CLIENT', '$$WOODPECKER_FORGEJO_SECRET', 1, 'https://ci.$$DOMAIN/authorize', strftime('%s','now'), strftime('%s','now'));
+      VALUES (0, 'Woodpecker CI', '$$WOODPECKER_FORGEJO_CLIENT', '$$HASHED_SECRET', 1, 'https://ci.$$DOMAIN/authorize', strftime('%s','now'), strftime('%s','now'));
       EOF
 
   - path: /opt/writekit/promote-admin.sh
diff --git a/files/stacks/docker-compose.ops.yml b/files/stacks/docker-compose.ops.yml
index 918350c..069e473 100644
--- a/files/stacks/docker-compose.ops.yml
+++ b/files/stacks/docker-compose.ops.yml
@@ -50,7 +50,7 @@ services:
       - FORGEJO__server__SSH_PORT=22
       - FORGEJO__server__SSH_LISTEN_PORT=2222
       - FORGEJO__database__DB_TYPE=sqlite3
-      - FORGEJO__service__DISABLE_REGISTRATION=true
+      - FORGEJO__service__DISABLE_REGISTRATION=false
       - FORGEJO__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true
       - FORGEJO__webhook__ALLOWED_HOST_LIST=external,loopback,10.0.0.0/24
       - FORGEJO__security__INSTALL_LOCK=true
@@ -74,7 +74,8 @@ services:
     environment:
       - WOODPECKER_HOST=https://ci.$${DOMAIN}
       - WOODPECKER_FORGEJO=true
-      - WOODPECKER_FORGEJO_URL=http://forgejo:3000
+      - WOODPECKER_FORGEJO_URL=https://source.$${DOMAIN}
+      - WOODPECKER_OPEN=true
       - WOODPECKER_FORGEJO_CLIENT=$${WOODPECKER_FORGEJO_CLIENT}
       - WOODPECKER_FORGEJO_SECRET=$${WOODPECKER_FORGEJO_SECRET}
       - WOODPECKER_AGENT_SECRET=$${WOODPECKER_AGENT_SECRET}