composer · glaubinix · Feb 10, 2025 · Feb 10, 2025 · Feb 10, 2025 · Feb 24, 2025
diff --git a/doc/06-config.md b/doc/06-config.md
@@ -246,6 +246,22 @@ private repositories which will later be cloned in GitLab CI jobs with a
 using HTTP basic auth. By default, Composer will generate a git-over-SSH
 URL for private repositories and HTTP(S) only for public.
 
+## forgejo-domains
+
+Defaults to `["codeberg.org"]`. A list of domains of Forgejo servers.
+This is used if you use the `forgejo` repository type.
+
+## forgejo-token
+
+A list of domain names and username/access-tokens to authenticate against them. For
+example using `{"codeberg.org": {"username": "forgejo-user", "token": "access-token"}}` as the
+value of this option will let Composer authenticate against codeberg.org.
+Please note: If the package is not hosted at
+codeberg.org the domain names must be also specified with the
+[`forgejo-domains`](06-config.md#forgejo-domains) option.
+Further info can also be found [here](articles/authentication-for-private-packages.md#forgejo-token)
+
+
 ## disable-tls
 
 Defaults to `false`. If set to true all HTTPS URLs will be tried with HTTP

diff --git a/doc/articles/authentication-for-private-packages.md b/doc/articles/authentication-for-private-packages.md
@@ -360,3 +360,41 @@ php composer.phar config [--global] --editor --auth
     }
 }
 ```
+
+## forgejo-token
+
+> **Note:** For the forge authentication to work on private Forgejo instances, the
+> [`forgejo-domains`](../06-config.md#forgejo-domains) section should also contain the URL.
+
+To create a new access token, go to your [applications section on Forgejo](https://codeberg.org/user/settings/applications)
+(or the equivalent URL on your private instance) and create a new access token. See also [the Forgejo access token documentation](https://docs.codeberg.org/advanced/access-token/) for more information.
+
+When creating a Forgejo access token, make sure it has the `read:repository` scope.
+
+### Command line forgejo-token
+
+```shell
+php composer.phar config [--global] forgejo-token.forgejo.example.org username access-token
+```
+
+In the above command, the config key `forgejo-token.forgejo.example.org` consists of two parts:
+
+- `forgejo-token` is the authentication method.
+- `forgejo.example.org` is the host name of your Forgejo instance, you should replace it with the host name of your Forgejo instance or use `codeberg.org` if you don't have a self-hosted Forgejo instance.
+
+### Manual forgejo-token
+
+```shell
+php composer.phar config [--global] --editor --auth
+```
+
+```json
+{
+    "forgejo-token": {
+        "forgejo.example.org": {
+            "username": "forgejo-user",
+            "token": "access-token"
+        }
+    }
+}
+```
diff --git a/res/composer-schema.json b/res/composer-schema.json
@@ -513,6 +513,24 @@
                         "type": "string"
                     }
                 },
+                "forgejo-token": {
+                    "type": "object",
+                    "description": "An object of domain name => forgejo username/access token, typically {\"codeberg.org\":{\"username\": \"<username>\", \"token\": \"<access-token>\"}}.",
+                    "additionalProperties": {
+                        "type": ["object"],
+                        "required": ["username", "token"],
+                        "properties": {
+                            "username": {
+                                "type": "string",
+                                "description": "The username used for Forgejo authentication"
+                            },
+                            "token": {
+                                "type": "string",
+                                "description": "The access token used for Forgejo authentication"
+                            }
+                        }
+                    }
+                },
                 "disable-tls": {
                     "type": "boolean",
                     "description": "Defaults to `false`. If set to true all HTTPS URLs will be tried with HTTP instead and no network level encryption is performed. Enabling this is a security risk and is NOT recommended. The better way is to enable the php_openssl extension in php.ini."
@@ -648,6 +666,13 @@
                         "type": "string"
                     }
                 },
+                "forgejo-domains": {
+                    "type": "array",
+                    "description": "A list of domains to use in forgejo mode. This is used for custom Forgejo setups, defaults to [\"codeberg.org\"].",
+                    "items": {
+                        "type": "string"
+                    }
+                },
                 "bitbucket-oauth": {
                     "type": "object",
                     "description": "An object of domain name => {\"consumer-key\": \"...\", \"consumer-secret\": \"...\"}.",

diff --git a/src/Composer/Command/ConfigCommand.php b/src/Composer/Command/ConfigCommand.php
@@ -210,7 +210,7 @@ protected function initialize(InputInterface $input, OutputInterface $output): v
         }
         if ($input->getOption('global') && !$this->authConfigFile->exists()) {
             touch($this->authConfigFile->getPath());
-            $this->authConfigFile->write(['bitbucket-oauth' => new \ArrayObject, 'github-oauth' => new \ArrayObject, 'gitlab-oauth' => new \ArrayObject, 'gitlab-token' => new \ArrayObject, 'http-basic' => new \ArrayObject, 'bearer' => new \ArrayObject]);
+            $this->authConfigFile->write(['bitbucket-oauth' => new \ArrayObject, 'github-oauth' => new \ArrayObject, 'gitlab-oauth' => new \ArrayObject, 'gitlab-token' => new \ArrayObject, 'http-basic' => new \ArrayObject, 'bearer' => new \ArrayObject, 'forgejo-token' => new \ArrayObject()]);
             Silencer::call('chmod', $this->authConfigFile->getPath(), 0600);
         }
 
@@ -838,7 +838,7 @@ static function ($vals) {
         }
 
         // handle auth
-        if (Preg::isMatch('/^(bitbucket-oauth|github-oauth|gitlab-oauth|gitlab-token|http-basic|bearer)\.(.+)/', $settingKey, $matches)) {
+        if (Preg::isMatch('/^(bitbucket-oauth|github-oauth|gitlab-oauth|gitlab-token|http-basic|bearer|forgejo-token)\.(.+)/', $settingKey, $matches)) {
             if ($input->getOption('unset')) {
                 $this->authConfigSource->removeConfigSetting($matches[1].'.'.$matches[2]);
                 $this->configSource->removeConfigSetting($matches[1].'.'.$matches[2]);
@@ -867,6 +867,12 @@ static function ($vals) {
                 }
                 $this->configSource->removeConfigSetting($matches[1].'.'.$matches[2]);
                 $this->authConfigSource->addConfigSetting($matches[1].'.'.$matches[2], ['username' => $values[0], 'password' => $values[1]]);
+            } elseif ($matches[1] === 'forgejo-token') {
+                if (2 !== count($values)) {
+                    throw new \RuntimeException('Expected two arguments (username, access token), got '.count($values));
+                }
+                $this->configSource->removeConfigSetting($matches[1].'.'.$matches[2]);
+                $this->authConfigSource->addConfigSetting($matches[1].'.'.$matches[2], ['username' => $values[0], 'token' => $values[1]]);
             }
 
             return 0;

diff --git a/src/Composer/Config.php b/src/Composer/Config.php
@@ -86,6 +86,8 @@ class Config
         'bearer' => [],
         'bump-after-update' => false,
         'allow-missing-requirements' => false,
+        'forgejo-domains' => ['codeberg.org'],
+        'forgejo-token' => [],
     ];
 
     /** @var array<string, mixed> */
@@ -191,7 +193,7 @@ public function merge(array $config, string $source = self::SOURCE_UNKNOWN): voi
         // override defaults with given config
         if (!empty($config['config']) && is_array($config['config'])) {
             foreach ($config['config'] as $key => $val) {
-                if (in_array($key, ['bitbucket-oauth', 'github-oauth', 'gitlab-oauth', 'gitlab-token', 'http-basic', 'bearer'], true) && isset($this->config[$key])) {
+                if (in_array($key, ['bitbucket-oauth', 'github-oauth', 'gitlab-oauth', 'gitlab-token', 'http-basic', 'bearer', 'forgejo-token'], true) && isset($this->config[$key])) {
                     $this->config[$key] = array_merge($this->config[$key], $val);
                     $this->setSourceOfConfigValue($val, $key, $source);
                 } elseif (in_array($key, ['allow-plugins'], true) && isset($this->config[$key]) && is_array($this->config[$key]) && is_array($val)) {

diff --git a/src/Composer/Config/JsonConfigSource.php b/src/Composer/Config/JsonConfigSource.php
@@ -100,7 +100,7 @@ public function addConfigSetting(string $name, $value): void
     {
         $authConfig = $this->authConfig;
         $this->manipulateJson('addConfigSetting', static function (&$config, $key, $val) use ($authConfig): void {
-            if (Preg::isMatch('{^(bitbucket-oauth|github-oauth|gitlab-oauth|gitlab-token|bearer|http-basic|platform)\.}', $key)) {
+            if (Preg::isMatch('{^(bitbucket-oauth|github-oauth|gitlab-oauth|gitlab-token|bearer|http-basic|forgejo-token|platform)\.}', $key)) {
                 [$key, $host] = explode('.', $key, 2);
                 if ($authConfig) {
                     $config[$key][$host] = $val;
@@ -120,7 +120,7 @@ public function removeConfigSetting(string $name): void
     {
         $authConfig = $this->authConfig;
         $this->manipulateJson('removeConfigSetting', static function (&$config, $key) use ($authConfig): void {
-            if (Preg::isMatch('{^(bitbucket-oauth|github-oauth|gitlab-oauth|gitlab-token|bearer|http-basic|platform)\.}', $key)) {
+            if (Preg::isMatch('{^(bitbucket-oauth|github-oauth|gitlab-oauth|gitlab-token|bearer|http-basic|forgejo-token|platform)\.}', $key)) {
                 [$key, $host] = explode('.', $key, 2);
                 if ($authConfig) {
                     unset($config[$key][$host]);
@@ -262,7 +262,7 @@ private function manipulateJson(string $method, callable $fallback, ...$args): v
                     $config['autoload-dev'][$prop] = new \stdClass;
                 }
             }
-            foreach (['platform', 'http-basic', 'bearer', 'gitlab-token', 'gitlab-oauth', 'github-oauth', 'preferred-install'] as $prop) {
+            foreach (['platform', 'http-basic', 'bearer', 'gitlab-token', 'gitlab-oauth', 'github-oauth', 'forgejo-token', 'preferred-install'] as $prop) {
                 if (isset($config['config'][$prop]) && $config['config'][$prop] === []) {
                     $config['config'][$prop] = new \stdClass;
                 }

diff --git a/src/Composer/IO/BaseIO.php b/src/Composer/IO/BaseIO.php
@@ -119,6 +119,7 @@ public function loadConfiguration(Config $config)
         $githubOauth = $config->get('github-oauth');
         $gitlabOauth = $config->get('gitlab-oauth');
         $gitlabToken = $config->get('gitlab-token');
+        $forgejoToken = $config->get('forgejo-token');
         $httpBasic = $config->get('http-basic');
         $bearerToken = $config->get('bearer');
 
@@ -163,6 +164,15 @@ public function loadConfiguration(Config $config)
             $this->checkAndSetAuthentication($domain, $username, $password);
         }
 
+        foreach ($forgejoToken as $domain => $cred) {
+            if (!in_array($domain, $config->get('forgejo-domains'), true)) {
+                $this->debug($domain.' is not in the configured forgejo-domains, adding it implicitly as authentication is configured for this domain');
+                $config->merge(['config' => ['forgejo-domains' => array_merge($config->get('forgejo-domains'), [$domain])]], 'implicit-due-to-auth');
+            }
+
+            $this->checkAndSetAuthentication($domain, $cred['username'], $cred['token']);
+        }
+
         // reload http basic credentials from config if available
         foreach ($httpBasic as $domain => $cred) {
             $this->checkAndSetAuthentication($domain, $cred['username'], $cred['password']);