Support HEAD requests

[lapin-b]

• Gitea version (or commit ref): 1.5.2
• Git version: 2.11.10
• Operating system: Debian 9.5 (stretch)
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist:
  Not relevant

Description

I regularly toot links to my repositories on Mastodon. Of course, the Federation effect kicks in and tons of HEAD requests arrive on my front server.

While I was watching them fail with a 404, I was thinking about HEAD requests support. "Why ?" you might ask. Because one could want to have a card displayed below their toot with a preview image, the repository name and description.

Basically, Mastodon first fires a HEAD requests to make sure the link leads to somewhere. Then, when the HEAD request has been successfully executed, it fires a GET request to get the contents of the page and generate an embed for the said link as shown below:

As we can see in the cURL output below, a HEAD request fails even though the repository really exists.

$ curl -I https://try.gitea.io/test_user1234/test-repository
HTTP/2 404 
content-type: text/html; charset=UTF-8
date: Tue, 23 Oct 2018 20:19:57 GMT
set-cookie: lang=en-US; Path=/; Max-Age=2147483647
set-cookie: i_like_gitea=[REDACTED]; Path=/; HttpOnly
set-cookie: _csrf=[REDACTED]; Path=/; Expires=Wed, 24 Oct 2018 20:19:57 GMT; HttpOnly
x-frame-options: SAMEORIGIN

PS: English is not my native language. Some sentences can look weird or not as crystal clear as I would like.

Screenshots

Not relevant

[zeripath]

Macaron provides a very simple way to add HEAD methods to every GET method:

m.SetAutoHead(true)

Which should just provide HEAD support for every GET on that router. However, each GET method would have to be checked to ensure it's idempotent. Another option would be to add HEAD methods to select methods that are require it.

[sapk]

GET request should always be idempotent (if not it should be fix) so using m.SetAutoHead(true) should be the good solution.

[zeripath]

@sapk for HEAD it should probably be completely idempotent - GET doesn't always have to be completely idempotent due to tracking. If you're sure that the GETs are idempotent or idempotent enough then autohead should just solve this.

[sapk]

@zeripath we shouldn't have action made when you click on a link or load ressources (that will generate a GET request) for security reason. If not we should fix it so I am ok for autohead.

[zeripath]

@sapk The below patch would be the correct place to call SetAutoHead.

diff --git a/routers/routes/routes.go b/routers/routes/routes.go
index 4ca421065..5e54934a3 100644
--- a/routers/routes/routes.go
+++ b/routers/routes/routes.go
@@ -134,6 +134,7 @@ func NewMacaron() *macaron.Macaron {
                DisableDebug: !setting.EnablePprof,
        }))
        m.Use(context.Contexter())
+       m.SetAutoHead(true)
        return m
 }

I guess the question is what tests do we need to do to check that this is a safe option.