From 58f0598388027094f5234ace2adc5caf65523017 Mon Sep 17 00:00:00 2001
From: techknowlogick <techknowlogick@gitea.io>
Date: Thu, 8 Jun 2023 23:25:04 -0400
Subject: [PATCH 01/84]  feat(auth): add SAML

---
 models/auth/saml.go                           |  27 ++++
 models/auth/source.go                         |   7 +
 routers/init.go                               |   2 +
 routers/web/admin/auths.go                    |  77 +++++++++++
 routers/web/auth/saml.go                      |  48 +++++++
 routers/web/web.go                            |   5 +
 .../auth/source/saml/assert_interface_test.go |  19 +++
 services/auth/source/saml/init.go             |  25 ++++
 services/auth/source/saml/name_id_format.go   |  35 +++++
 services/auth/source/saml/providers.go        | 124 ++++++++++++++++++
 services/auth/source/saml/source.go           |  61 +++++++++
 .../auth/source/saml/source_authenticate.go   |  11 ++
 services/auth/source/saml/source_callout.go   |  31 +++++
 services/auth/source/saml/source_metadata.go  |  29 ++++
 services/auth/source/saml/source_register.go  |  23 ++++
 services/forms/auth_form.go                   |  11 +-
 templates/admin/auth/edit.tmpl                |  50 +++++++
 templates/admin/auth/new.tmpl                 |   3 +
 templates/admin/auth/source/saml.tmpl         |  49 +++++++
 web_src/js/features/admin/common.js           |   4 +-
 20 files changed, 638 insertions(+), 3 deletions(-)
 create mode 100644 models/auth/saml.go
 create mode 100644 routers/web/auth/saml.go
 create mode 100644 services/auth/source/saml/assert_interface_test.go
 create mode 100644 services/auth/source/saml/init.go
 create mode 100644 services/auth/source/saml/name_id_format.go
 create mode 100644 services/auth/source/saml/providers.go
 create mode 100644 services/auth/source/saml/source.go
 create mode 100644 services/auth/source/saml/source_authenticate.go
 create mode 100644 services/auth/source/saml/source_callout.go
 create mode 100644 services/auth/source/saml/source_metadata.go
 create mode 100644 services/auth/source/saml/source_register.go
 create mode 100644 templates/admin/auth/source/saml.tmpl

diff --git a/models/auth/saml.go b/models/auth/saml.go
new file mode 100644
index 0000000000000..e0dca70ec7d1b
--- /dev/null
+++ b/models/auth/saml.go
@@ -0,0 +1,27 @@
+package auth
+
+import (
+	"code.gitea.io/gitea/models/db"
+
+	auth_model "code.gitea.io/gitea/models/auth"
+)
+
+// GetActiveSAMLProviderLoginSources returns all actived LoginSAML sources
+func GetActiveSAMLProviderLoginSources() ([]*auth_model.Source, error) {
+	sources := make([]*auth_model.Source, 0, 1)
+	if err := db.GetEngine(db.DefaultContext).Where("is_active = ? and type = ?", true, auth_model.SAML).Find(&sources); err != nil {
+		return nil, err
+	}
+	return sources, nil
+}
+
+// GetActiveSAMLLoginSourceByName returns a OAuth2 LoginSource based on the given name
+func GetActiveSAMLLoginSourceByName(name string) (*auth_model.Source, error) {
+	loginSource := new(auth_model.Source)
+	has, err := db.GetEngine(db.DefaultContext).Where("name = ? and type = ? and is_active = ?", name, auth_model.SAML, true).Get(loginSource)
+	if !has || err != nil {
+		return nil, err
+	}
+
+	return loginSource, nil
+}
diff --git a/models/auth/source.go b/models/auth/source.go
index 0a904b7772394..f1142c714ac97 100644
--- a/models/auth/source.go
+++ b/models/auth/source.go
@@ -30,6 +30,7 @@ const (
 	DLDAP       // 5
 	OAuth2      // 6
 	SSPI        // 7
+	SAML        // 8
 )
 
 // String returns the string name of the LoginType
@@ -50,6 +51,7 @@ var Names = map[Type]string{
 	PAM:    "PAM",
 	OAuth2: "OAuth2",
 	SSPI:   "SPNEGO with SSPI",
+	SAML:   "SAML",
 }
 
 // Config represents login config as far as the db is concerned
@@ -178,6 +180,11 @@ func (source *Source) IsSSPI() bool {
 	return source.Type == SSPI
 }
 
+// IsSAML returns true of this source is of the SAML type.
+func (source *Source) IsSAML() bool {
+	return source.Type == SAML
+}
+
 // HasTLS returns true of this source supports TLS.
 func (source *Source) HasTLS() bool {
 	hasTLSer, ok := source.Cfg.(HasTLSer)
diff --git a/routers/init.go b/routers/init.go
index 5737ef3dc06a4..9183f33521a56 100644
--- a/routers/init.go
+++ b/routers/init.go
@@ -39,6 +39,7 @@ import (
 	actions_service "code.gitea.io/gitea/services/actions"
 	"code.gitea.io/gitea/services/auth"
 	"code.gitea.io/gitea/services/auth/source/oauth2"
+	"code.gitea.io/gitea/services/auth/source/saml"
 	"code.gitea.io/gitea/services/automerge"
 	"code.gitea.io/gitea/services/cron"
 	"code.gitea.io/gitea/services/mailer"
@@ -142,6 +143,7 @@ func GlobalInitInstalled(ctx context.Context) {
 	log.Info("ORM engine initialization successful!")
 	mustInit(system.Init)
 	mustInit(oauth2.Init)
+	mustInit(saml.Init)
 
 	mustInitCtx(ctx, models.Init)
 	mustInit(repo_service.Init)
diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go
index b6ea3ff40300a..1061a74f406d3 100644
--- a/routers/web/admin/auths.go
+++ b/routers/web/admin/auths.go
@@ -24,6 +24,7 @@ import (
 	"code.gitea.io/gitea/services/auth/source/ldap"
 	"code.gitea.io/gitea/services/auth/source/oauth2"
 	pam_service "code.gitea.io/gitea/services/auth/source/pam"
+	"code.gitea.io/gitea/services/auth/source/saml"
 	"code.gitea.io/gitea/services/auth/source/smtp"
 	"code.gitea.io/gitea/services/auth/source/sspi"
 	"code.gitea.io/gitea/services/forms"
@@ -71,6 +72,7 @@ var (
 			{auth.SMTP.String(), auth.SMTP},
 			{auth.OAuth2.String(), auth.OAuth2},
 			{auth.SSPI.String(), auth.SSPI},
+			{auth.SAML.String(), auth.SAML},
 		}
 		if pam.Supported {
 			items = append(items, dropdownItem{auth.Names[auth.PAM], auth.PAM})
@@ -83,6 +85,16 @@ var (
 		{ldap.SecurityProtocolNames[ldap.SecurityProtocolLDAPS], ldap.SecurityProtocolLDAPS},
 		{ldap.SecurityProtocolNames[ldap.SecurityProtocolStartTLS], ldap.SecurityProtocolStartTLS},
 	}
+
+	nameIDFormats = []dropdownItem{
+		{saml.NameIDFormatNames[saml.SAML20Persistent], saml.SAML20Persistent}, // use this as default value
+		{saml.NameIDFormatNames[saml.SAML11Email], saml.SAML11Email},
+		{saml.NameIDFormatNames[saml.SAML11Persistent], saml.SAML11Persistent},
+		{saml.NameIDFormatNames[saml.SAML11Unspecified], saml.SAML11Unspecified},
+		{saml.NameIDFormatNames[saml.SAML20Email], saml.SAML20Email},
+		{saml.NameIDFormatNames[saml.SAML20Transient], saml.SAML20Transient},
+		{saml.NameIDFormatNames[saml.SAML20Unspecified], saml.SAML20Unspecified},
+	}
 )
 
 // NewAuthSource render adding a new auth source page
@@ -98,6 +110,8 @@ func NewAuthSource(ctx *context.Context) {
 	ctx.Data["is_sync_enabled"] = true
 	ctx.Data["AuthSources"] = authSources
 	ctx.Data["SecurityProtocols"] = securityProtocols
+	ctx.Data["CurrentNameIDFormat"] = saml.NameIDFormatNames[saml.SAML20Persistent]
+	ctx.Data["NameIDFormats"] = nameIDFormats
 	ctx.Data["SMTPAuths"] = smtp.Authenticators
 	oauth2providers := oauth2.GetOAuth2Providers()
 	ctx.Data["OAuth2Providers"] = oauth2providers
@@ -231,6 +245,48 @@ func parseSSPIConfig(ctx *context.Context, form forms.AuthenticationForm) (*sspi
 	}, nil
 }
 
+func parseSAMLConfig(ctx *context.Context, form forms.AuthenticationForm) (*saml.Source, error) {
+	// TODO: verify form here
+	// if util.IsEmptyString(form.ServiceProviderCertificate) {
+	// 	ctx.Data["Err_SSPISeparatorReplacement"] = true
+	// 	// TODO: need sp cert
+	// 	return nil, errors.New(ctx.Tr("form.require_error"))
+	// }
+	// if util.IsEmptyString(form.ServiceProviderPrivateKey) {
+	// 	ctx.Data["Err_SSPISeparatorReplacement"] = true
+	// 	// TODO: need sp key
+	// 	return nil, errors.New(ctx.Tr("form.require_error"))
+	// }
+	if util.IsEmptyString(form.IdentityProviderMetadata) && util.IsEmptyString(form.IdentityProviderMetadataURL) {
+		return nil, fmt.Errorf("Identity Provider Metadata needed (either raw XML or URL)")
+	}
+	if !util.IsEmptyString(form.IdentityProviderMetadataURL) {
+		_, err := url.Parse(form.IdentityProviderMetadataURL)
+		if err != nil {
+			return nil, fmt.Errorf("Identity Provider Metadata URL is an invalid URL")
+		}
+	}
+	if !util.IsEmptyString(form.ServiceProviderCertificate) && !util.IsEmptyString(form.ServiceProviderPrivateKey) {
+		keyPair, err := tls.X509KeyPair([]byte(form.ServiceProviderCertificate), []byte(form.ServiceProviderPrivateKey))
+		if err != nil {
+			return nil, err
+		}
+		keyPair.Leaf, err = x509.ParseCertificate(keyPair.Certificate[0])
+		if err != nil {
+			return nil, err
+		}
+	}
+	return &saml.Source{
+		IdentityProviderMetadata:                 form.IdentityProviderMetadata,
+		IdentityProviderMetadataURL:              form.IdentityProviderMetadataURL,
+		InsecureSkipAssertionSignatureValidation: form.InsecureSkipAssertionSignatureValidation,
+		NameIDFormat:                             saml.NameIDFormat(form.NameIDFormat),
+		ServiceProviderCertificate:               form.ServiceProviderCertificate,
+		ServiceProviderPrivateKey:                form.ServiceProviderPrivateKey,
+		SignRequests:                             form.SignRequests,
+	}, nil
+}
+
 // NewAuthSourcePost response for adding an auth source
 func NewAuthSourcePost(ctx *context.Context) {
 	form := *web.GetForm(ctx).(*forms.AuthenticationForm)
@@ -244,6 +300,8 @@ func NewAuthSourcePost(ctx *context.Context) {
 	ctx.Data["SMTPAuths"] = smtp.Authenticators
 	oauth2providers := oauth2.GetOAuth2Providers()
 	ctx.Data["OAuth2Providers"] = oauth2providers
+	ctx.Data["CurrentNameIDFormat"] = saml.NameIDFormatNames[saml.NameIDFormat(form.NameIDFormat)]
+	ctx.Data["NameIDFormats"] = nameIDFormats
 
 	ctx.Data["SSPIAutoCreateUsers"] = true
 	ctx.Data["SSPIAutoActivateUsers"] = true
@@ -290,6 +348,13 @@ func NewAuthSourcePost(ctx *context.Context) {
 			ctx.RenderWithErr(ctx.Tr("admin.auths.login_source_of_type_exist"), tplAuthNew, form)
 			return
 		}
+	case auth.SAML:
+		var err error
+		config, err = parseSAMLConfig(ctx, form)
+		if err != nil {
+			ctx.RenderWithErr(err.Error(), tplAuthNew, form)
+			return
+		}
 	default:
 		ctx.Error(http.StatusBadRequest)
 		return
@@ -336,6 +401,7 @@ func EditAuthSource(ctx *context.Context) {
 	ctx.Data["SMTPAuths"] = smtp.Authenticators
 	oauth2providers := oauth2.GetOAuth2Providers()
 	ctx.Data["OAuth2Providers"] = oauth2providers
+	ctx.Data["NameIDFormats"] = nameIDFormats
 
 	source, err := auth.GetSourceByID(ctx.ParamsInt64(":authid"))
 	if err != nil {
@@ -344,6 +410,9 @@ func EditAuthSource(ctx *context.Context) {
 	}
 	ctx.Data["Source"] = source
 	ctx.Data["HasTLS"] = source.HasTLS()
+	if source.IsSAML() {
+		ctx.Data["CurrentNameIDFormat"] = saml.NameIDFormatNames[source.Cfg.(*saml.Source).NameIDFormat]
+	}
 
 	if source.IsOAuth2() {
 		type Named interface {
@@ -378,6 +447,8 @@ func EditAuthSourcePost(ctx *context.Context) {
 	}
 	ctx.Data["Source"] = source
 	ctx.Data["HasTLS"] = source.HasTLS()
+	ctx.Data["CurrentNameIDFormat"] = saml.NameIDFormatNames[saml.SAML20Persistent]
+	ctx.Data["NameIDFormats"] = nameIDFormats
 
 	if ctx.HasError() {
 		ctx.HTML(http.StatusOK, tplAuthEdit)
@@ -412,6 +483,12 @@ func EditAuthSourcePost(ctx *context.Context) {
 			ctx.RenderWithErr(err.Error(), tplAuthEdit, form)
 			return
 		}
+	case auth.SAML:
+		config, err = parseSAMLConfig(ctx, form)
+		if err != nil {
+			ctx.RenderWithErr(err.Error(), tplAuthEdit, form)
+			return
+		}
 	default:
 		ctx.Error(http.StatusBadRequest)
 		return
diff --git a/routers/web/auth/saml.go b/routers/web/auth/saml.go
new file mode 100644
index 0000000000000..59715c966beee
--- /dev/null
+++ b/routers/web/auth/saml.go
@@ -0,0 +1,48 @@
+package auth
+
+import (
+	"net/http"
+	"strings"
+
+	"code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/services/auth/source/saml"
+)
+
+// SignInSAML
+func SignInSAML(ctx *context.Context) {
+	provider := ctx.Params(":provider")
+
+	loginSource, err := auth.GetActiveSAMLLoginSourceByName(provider)
+	if err != nil || loginSource == nil {
+		ctx.NotFound("SAMLMetadata", err)
+		return
+	}
+
+	if err = loginSource.Cfg.(*saml.Source).Callout(ctx.Req, ctx.Resp); err != nil {
+		if strings.Contains(err.Error(), "no provider for ") {
+			ctx.Error(http.StatusNotFound)
+			return
+		}
+		ctx.ServerError("SignIn", err)
+	}
+}
+
+// SignInSAMLCallback
+func SignInSAMLCallback(ctx *context.Context) {
+	// provider := ctx.Params(":provider")
+	// TODO: complete SAML Callback
+}
+
+// SAMLMetadata
+func SAMLMetadata(ctx *context.Context) {
+	provider := ctx.Params(":provider")
+	loginSource, err := auth.GetActiveSAMLLoginSourceByName(provider)
+	if err != nil || loginSource == nil {
+		ctx.NotFound("SAMLMetadata", err)
+		return
+	}
+	if err = loginSource.Cfg.(*saml.Source).Metadata(ctx.Req, ctx.Resp); err != nil {
+		ctx.ServerError("SAMLMetadata", err)
+	}
+}
diff --git a/routers/web/web.go b/routers/web/web.go
index f5037a848ea59..06009be662350 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -529,6 +529,11 @@ func registerRoutes(m *web.Route) {
 			m.Get("/{provider}", auth.SignInOAuth)
 			m.Get("/{provider}/callback", auth.SignInOAuthCallback)
 		})
+		m.Group("/saml", func() {
+			m.Get("/{provider}", auth.SignInSAML)              // redir to SAML IDP
+			m.Post("/{provider}/acs", auth.SignInSAMLCallback) // TODO: Confirm if POST/GET
+			m.Get("/{provider}/metadata", auth.SAMLMetadata)
+		})
 	})
 	// ***** END: User *****
 
diff --git a/services/auth/source/saml/assert_interface_test.go b/services/auth/source/saml/assert_interface_test.go
new file mode 100644
index 0000000000000..77cf185ece4cc
--- /dev/null
+++ b/services/auth/source/saml/assert_interface_test.go
@@ -0,0 +1,19 @@
+package saml_test
+
+import (
+	auth_model "code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/services/auth"
+	"code.gitea.io/gitea/services/auth/source/saml"
+)
+
+// This test file exists to assert that our Source exposes the interfaces that we expect
+// It tightly binds the interfaces and implementation without breaking go import cycles
+
+type sourceInterface interface {
+	auth_model.Config
+	auth_model.SourceSettable
+	auth_model.RegisterableSource
+	auth.PasswordAuthenticator
+}
+
+var _ (sourceInterface) = &saml.Source{}
diff --git a/services/auth/source/saml/init.go b/services/auth/source/saml/init.go
new file mode 100644
index 0000000000000..6440d1d2e9d41
--- /dev/null
+++ b/services/auth/source/saml/init.go
@@ -0,0 +1,25 @@
+package saml
+
+import (
+	"sync"
+
+	"code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/modules/log"
+)
+
+var samlRWMutex = sync.RWMutex{}
+
+func Init() error {
+	loginSources, _ := auth.GetActiveSAMLProviderLoginSources()
+	for _, source := range loginSources {
+		samlSource, ok := source.Cfg.(*Source)
+		if !ok {
+			continue
+		}
+		err := samlSource.RegisterSource()
+		if err != nil {
+			log.Error("Unable to register source: %s due to Error: %v.", source.Name, err)
+		}
+	}
+	return nil
+}
diff --git a/services/auth/source/saml/name_id_format.go b/services/auth/source/saml/name_id_format.go
new file mode 100644
index 0000000000000..38a8163cdc3c7
--- /dev/null
+++ b/services/auth/source/saml/name_id_format.go
@@ -0,0 +1,35 @@
+package saml
+
+type NameIDFormat int
+
+const (
+	SAML11Email NameIDFormat = iota
+	SAML11Persistent
+	SAML11Unspecified
+	SAML20Email
+	SAML20Persistent
+	SAML20Transient
+	SAML20Unspecified
+)
+
+const DefaultNameIDFormat NameIDFormat = SAML20Persistent
+
+var NameIDFormatNames = map[NameIDFormat]string{
+	SAML11Email:       "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+	SAML11Persistent:  "urn:oasis:names:tc:SAML:1.1:nameid-format:persistent",
+	SAML11Unspecified: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
+	SAML20Email:       "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress",
+	SAML20Persistent:  "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
+	SAML20Transient:   "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+	SAML20Unspecified: "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
+}
+
+// String returns the name of the NameIDFormat
+func (n NameIDFormat) String() string {
+	return NameIDFormatNames[n]
+}
+
+// Int returns the int value of the NameIDFormat
+func (n NameIDFormat) Int() int {
+	return int(n)
+}
diff --git a/services/auth/source/saml/providers.go b/services/auth/source/saml/providers.go
new file mode 100644
index 0000000000000..37c88972421ff
--- /dev/null
+++ b/services/auth/source/saml/providers.go
@@ -0,0 +1,124 @@
+package saml
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/xml"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"time"
+
+	"code.gitea.io/gitea/modules/httplib"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+
+	saml2 "github.com/russellhaering/gosaml2"
+	"github.com/russellhaering/gosaml2/types"
+	dsig "github.com/russellhaering/goxmldsig"
+)
+
+// Providers is list of known/available providers.
+type Providers map[string]Source
+
+var providers = Providers{}
+
+// used to create different types of goth providers
+func createProvider(ctx context.Context, source *Source) (*Source, error) {
+	source.CallbackURL = setting.AppURL + "user/saml/" + url.PathEscape(source.authSource.Name) + "/acs"
+
+	idpMetadata, err := readIdentityProviderMetadata(ctx, source)
+	if err != nil {
+		return source, err
+	}
+	{
+		if source.IdentityProviderMetadataURL != "" {
+			log.Trace(fmt.Sprintf("Identity Provider metadata: %s", source.IdentityProviderMetadataURL), string(idpMetadata))
+		}
+	}
+
+	metadata := &types.EntityDescriptor{}
+	err = xml.Unmarshal(idpMetadata, metadata)
+	if err != nil {
+		return source, err
+	}
+
+	certStore := dsig.MemoryX509CertificateStore{
+		Roots: []*x509.Certificate{},
+	}
+
+	for _, kd := range metadata.IDPSSODescriptor.KeyDescriptors {
+		for idx, xcert := range kd.KeyInfo.X509Data.X509Certificates {
+			if xcert.Data == "" {
+				return source, fmt.Errorf("metadata certificate(%d) must not be empty", idx)
+			}
+			certData, err := base64.StdEncoding.DecodeString(xcert.Data)
+			if err != nil {
+				return source, err
+			}
+
+			idpCert, err := x509.ParseCertificate(certData)
+			if err != nil {
+				return source, err
+			}
+
+			certStore.Roots = append(certStore.Roots, idpCert)
+		}
+	}
+
+	var keyStore dsig.X509KeyStore
+
+	if source.ServiceProviderCertificate != "" && source.ServiceProviderPrivateKey != "" {
+		keyPair, err := tls.X509KeyPair([]byte(source.ServiceProviderCertificate), []byte(source.ServiceProviderPrivateKey))
+		if err != nil {
+			return nil, err
+		}
+		keyPair.Leaf, err = x509.ParseCertificate(keyPair.Certificate[0])
+		if err != nil {
+			return nil, err
+		}
+		keyStore = dsig.TLSCertKeyStore(keyPair)
+	} else {
+		keyStore = dsig.RandomKeyStoreForTest()
+	}
+
+	source.samlSP = &saml2.SAMLServiceProvider{
+		IdentityProviderSSOURL:      metadata.IDPSSODescriptor.SingleSignOnServices[0].Location,
+		IdentityProviderIssuer:      metadata.EntityID,
+		AudienceURI:                 setting.AppURL + "user/saml/" + url.PathEscape(source.authSource.Name) + "/metadata",
+		AssertionConsumerServiceURL: source.CallbackURL,
+		SignAuthnRequests:           !source.InsecureSkipAssertionSignatureValidation,
+		NameIdFormat:                source.NameIDFormat.String(),
+		IDPCertificateStore:         &certStore,
+		SPKeyStore:                  keyStore,
+		ServiceProviderIssuer:       setting.AppURL + "user/saml/" + url.PathEscape(source.authSource.Name) + "/metadata",
+	}
+
+	return source, err
+}
+
+func readIdentityProviderMetadata(ctx context.Context, source *Source) ([]byte, error) {
+	if source.IdentityProviderMetadata != "" {
+		return []byte(source.IdentityProviderMetadata), nil
+	}
+
+	req := httplib.NewRequest(source.IdentityProviderMetadataURL, "GET")
+	req.SetTimeout(20*time.Second, time.Minute)
+	resp, err := req.Response()
+	if err != nil {
+		return nil, fmt.Errorf("Unable to contact gitea: %v", err)
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return nil, err
+	}
+
+	data, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	return data, nil
+}
diff --git a/services/auth/source/saml/source.go b/services/auth/source/saml/source.go
new file mode 100644
index 0000000000000..3a2da635e0709
--- /dev/null
+++ b/services/auth/source/saml/source.go
@@ -0,0 +1,61 @@
+package saml
+
+import (
+	"code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/modules/json"
+
+	saml2 "github.com/russellhaering/gosaml2"
+)
+
+//  _________   _____      _____  .____
+// /   _____/  /  _  \    /     \ |    |
+// \_____  \  /  /_\  \  /  \ /  \|    |
+// /        \/    |    \/    Y    \    |___
+///_______  /\____|__  /\____|__  /_______ \
+//        \/         \/         \/        \/
+
+// Source holds configuration for the SAML login source.
+type Source struct {
+	// IdentityProviderMetadata description: The SAML Identity Provider metadata XML contents (for static configuration of the SAML Service Provider). The value of this field should be an XML document whose root element is `<EntityDescriptor>` or `<EntityDescriptors>`. To escape the value into a JSON string, you may want to use a tool like https://json-escape-text.now.sh.
+	IdentityProviderMetadata string
+	// IdentityProviderMetadataURL description: The SAML Identity Provider metadata URL (for dynamic configuration of the SAML Service Provider).
+	IdentityProviderMetadataURL string
+	// InsecureSkipAssertionSignatureValidation description: Whether the Service Provider should (insecurely) accept assertions from the Identity Provider without a valid signature.
+	InsecureSkipAssertionSignatureValidation bool
+	// NameIDFormat description: The SAML NameID format to use when performing user authentication.
+	NameIDFormat NameIDFormat
+	// ServiceProviderCertificate description: The SAML Service Provider certificate in X.509 encoding (begins with "-----BEGIN CERTIFICATE-----"). This certificate is used by the Identity Provider to validate the Service Provider's AuthnRequests and LogoutRequests. It corresponds to the Service Provider's private key (`serviceProviderPrivateKey`). To escape the value into a JSON string, you may want to use a tool like https://json-escape-text.now.sh.
+	ServiceProviderCertificate string
+	// ServiceProviderIssuer description: The SAML Service Provider name, used to identify this Service Provider. This is required if the "externalURL" field is not set (as the SAML metadata endpoint is computed as "<externalURL>.auth/saml/metadata"), or when using multiple SAML authentication providers.
+	ServiceProviderIssuer string
+	// ServiceProviderPrivateKey description: The SAML Service Provider private key in PKCS#8 encoding (begins with "-----BEGIN PRIVATE KEY-----"). This private key is used to sign AuthnRequests and LogoutRequests. It corresponds to the Service Provider's certificate (`serviceProviderCertificate`). To escape the value into a JSON string, you may want to use a tool like https://json-escape-text.now.sh.
+	ServiceProviderPrivateKey string
+	// SignRequests description: Sign AuthnRequests and LogoutRequests sent to the Identity Provider using the Service Provider's private key (`serviceProviderPrivateKey`). It defaults to true if the `serviceProviderPrivateKey` and `serviceProviderCertificate` are set, and false otherwise.
+	SignRequests bool
+
+	CallbackURL string
+
+	// reference to the authSource
+	authSource *auth.Source
+
+	samlSP *saml2.SAMLServiceProvider
+}
+
+// FromDB fills up a SAML from serialized format.
+func (source *Source) FromDB(bs []byte) error {
+	return json.UnmarshalHandleDoubleEncode(bs, &source)
+}
+
+// ToDB exports a SAML to a serialized format.
+func (source *Source) ToDB() ([]byte, error) {
+	return json.Marshal(source)
+}
+
+// SetAuthSource sets the related AuthSource
+func (source *Source) SetAuthSource(authSource *auth.Source) {
+	source.authSource = authSource
+}
+
+func init() {
+	auth.RegisterTypeConfig(auth.SAML, &Source{})
+}
diff --git a/services/auth/source/saml/source_authenticate.go b/services/auth/source/saml/source_authenticate.go
new file mode 100644
index 0000000000000..8edd5cb3894ce
--- /dev/null
+++ b/services/auth/source/saml/source_authenticate.go
@@ -0,0 +1,11 @@
+package saml
+
+import (
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/services/auth/source/db"
+)
+
+// Authenticate falls back to the db authenticator
+func (source *Source) Authenticate(user *user_model.User, login, password string) (*user_model.User, error) {
+	return db.Authenticate(user, login, password)
+}
diff --git a/services/auth/source/saml/source_callout.go b/services/auth/source/saml/source_callout.go
new file mode 100644
index 0000000000000..0fa464f5f1332
--- /dev/null
+++ b/services/auth/source/saml/source_callout.go
@@ -0,0 +1,31 @@
+package saml
+
+import (
+	"fmt"
+	"net/http"
+)
+
+// Callout redirects request/response pair to authenticate against the provider
+func (source *Source) Callout(request *http.Request, response http.ResponseWriter) error {
+	samlRWMutex.RLock()
+	defer samlRWMutex.RUnlock()
+	if _, ok := providers[source.authSource.Name]; !ok {
+		return fmt.Errorf("no provider for this saml")
+	}
+
+	authURL, err := providers[source.authSource.Name].samlSP.BuildAuthURL("")
+	if err == nil {
+		http.Redirect(response, request, authURL, http.StatusTemporaryRedirect)
+	}
+	return err
+}
+
+// Callback handles SAML callback, resolve to a goth user and send back to original url
+// this will trigger a new authentication request, but because we save it in the session we can use that
+func (source *Source) Callback(request *http.Request, response http.ResponseWriter) (error, error) {
+	samlRWMutex.RLock()
+	defer samlRWMutex.RUnlock()
+
+	// TODO: complete
+	return nil, nil
+}
diff --git a/services/auth/source/saml/source_metadata.go b/services/auth/source/saml/source_metadata.go
new file mode 100644
index 0000000000000..57c4fc82e72e5
--- /dev/null
+++ b/services/auth/source/saml/source_metadata.go
@@ -0,0 +1,29 @@
+package saml
+
+import (
+	"encoding/xml"
+	"fmt"
+	"net/http"
+)
+
+// Metadata redirects request/response pair to authenticate against the provider
+func (source *Source) Metadata(request *http.Request, response http.ResponseWriter) error {
+	samlRWMutex.RLock()
+	defer samlRWMutex.RUnlock()
+	if _, ok := providers[source.authSource.Name]; !ok {
+		return fmt.Errorf("provider does not exist")
+	}
+
+	metadata, err := providers[source.authSource.Name].samlSP.Metadata()
+	if err != nil {
+		return err
+	}
+	buf, err := xml.MarshalIndent(metadata, "", "  ")
+	if err != nil {
+		return err
+	}
+
+	response.Header().Set("Content-Type", "application/samlmetadata+xml; charset=utf-8")
+	_, _ = response.Write(buf)
+	return nil
+}
diff --git a/services/auth/source/saml/source_register.go b/services/auth/source/saml/source_register.go
new file mode 100644
index 0000000000000..7ee390259ce2f
--- /dev/null
+++ b/services/auth/source/saml/source_register.go
@@ -0,0 +1,23 @@
+package saml
+
+import "context"
+
+// RegisterSource causes an OAuth2 configuration to be registered
+func (source *Source) RegisterSource() error {
+	samlRWMutex.Lock()
+	defer samlRWMutex.Unlock()
+	var err error
+	source, err = createProvider(context.Background(), source)
+	if err == nil {
+		providers[source.authSource.Name] = *source
+	}
+	return err
+}
+
+// UnregisterSource causes an SAML configuration to be unregistered
+func (source *Source) UnregisterSource() error {
+	samlRWMutex.Lock()
+	defer samlRWMutex.Unlock()
+	delete(providers, source.authSource.Name)
+	return nil
+}
diff --git a/services/forms/auth_form.go b/services/forms/auth_form.go
index 25acbbb99e877..5db6f3fafa02b 100644
--- a/services/forms/auth_form.go
+++ b/services/forms/auth_form.go
@@ -15,7 +15,7 @@ import (
 // AuthenticationForm form for authentication
 type AuthenticationForm struct {
 	ID                            int64
-	Type                          int    `binding:"Range(2,7)"`
+	Type                          int    `binding:"Range(2,9)"`
 	Name                          string `binding:"Required;MaxSize(30)"`
 	Host                          string
 	Port                          int
@@ -82,6 +82,15 @@ type AuthenticationForm struct {
 	SSPIDefaultLanguage           string
 	GroupTeamMap                  string `binding:"ValidGroupTeamMap"`
 	GroupTeamMapRemoval           bool
+
+	// SAML Settings
+	NameIDFormat                             int
+	IdentityProviderMetadata                 string
+	IdentityProviderMetadataURL              string
+	InsecureSkipAssertionSignatureValidation bool
+	ServiceProviderCertificate               string
+	ServiceProviderPrivateKey                string
+	SignRequests                             bool
 }
 
 // Validate validates fields
diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
index af9d4c4bc5024..df1127241bbc3 100644
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -368,6 +368,56 @@
 					</div>
 				{{end}}
 
+				<!-- SAML -->
+				{{if .Source.IsSAML}}
+					{{ $cfg:=.Source.Cfg }}
+					<div class="inline required field">
+						<label>{{.locale.Tr "admin.auths.saml_nameidformat"}}</label>
+						<div class="ui selection type dropdown">
+							<input type="hidden" id="name_id_format" name="name_id_format" value="{{$cfg.NameIDFormat}}">
+							<div class="text">{{.CurrentNameIDFormat}}</div>
+							{{svg "octicon-triangle-down" 14 "dropdown icon"}}
+							<div class="menu">
+								{{range .NameIDFormats}}
+									<div class="item" data-value="{{.Type.Int}}">{{.Name}}</div>
+								{{end}}
+							</div>
+						</div>
+					</div>
+
+					<div class="field">
+						<label for="identity_provider_metadata_url">{{.locale.Tr "admin.auths.saml_IdentityProviderMetadataURL"}}</label>
+						<input id="identity_provider_metadata_url" name="identity_provider_metadata_url" value="{{$cfg.IdentityProviderMetadataURL}}">
+					</div>
+					<div class="field">
+						<label for="identity_provider_metadata">{{.locale.Tr "admin.auths.saml_IdentityProviderMetadata"}}</label>
+						<textarea rows=2 id="identity_provider_metadata" name="identity_provider_metadata">{{$cfg.IdentityProviderMetadata}}</textarea>
+					</div>
+
+					<div class="inline field">
+						<div class="ui checkbox">
+							<label><strong>{{.locale.Tr "admin.auths.saml_insecure_skip_assertion_signature_validation"}}</strong></label>
+							<input name="insecure_skip_assertion_signature_validation" type="checkbox" {{if $cfg.InsecureSkipAssertionSignatureValidation}}checked{{end}}>
+						</div>
+					</div>
+
+					<div class=" field">
+						<label for="service_provider_certificate">{{.locale.Tr "admin.auths.saml_ServiceProviderCertificate"}}</label>
+						<textarea rows=2 id="service_provider_certificate" name="service_provider_certificate">{{$cfg.ServiceProviderCertificate}}</textarea>
+					</div>
+					<div class=" field">
+						<label for="service_provider_private_key">{{.locale.Tr "admin.auths.saml_ServiceProviderPrivateKey"}}</label>
+						<textarea rows=2 id="service_provider_private_key" name="service_provider_private_key">{{$cfg.ServiceProviderPrivateKey}}</textarea>
+					</div>
+
+					<div class="inline field">
+						<div class="ui checkbox">
+							<label><strong>{{.locale.Tr "admin.auths.SignRequests"}}</strong></label>
+							<input name="sign_requests" type="checkbox" {{if $cfg.SignRequests}}checked{{end}}>
+						</div>
+					</div>
+				{{end}}
+
 				<!-- SSPI -->
 				{{if .Source.IsSSPI}}
 					{{$cfg:=.Source.Cfg}}
diff --git a/templates/admin/auth/new.tmpl b/templates/admin/auth/new.tmpl
index 5d9a9083c5c87..f0a007c68fcf3 100644
--- a/templates/admin/auth/new.tmpl
+++ b/templates/admin/auth/new.tmpl
@@ -53,6 +53,9 @@
 				<!-- SSPI -->
 				{{template "admin/auth/source/sspi" .}}
 
+				<!-- SAML -->
++				{{ template "admin/auth/source/saml" . }}
+
 				<div class="ldap field">
 					<div class="ui checkbox">
 						<label><strong>{{.locale.Tr "admin.auths.attributes_in_bind"}}</strong></label>
diff --git a/templates/admin/auth/source/saml.tmpl b/templates/admin/auth/source/saml.tmpl
new file mode 100644
index 0000000000000..f29852abf6603
--- /dev/null
+++ b/templates/admin/auth/source/saml.tmpl
@@ -0,0 +1,49 @@
+<div class="saml field {{if not (eq .type 99)}}hide{{end}}">
+
+	<div class="inline required field">
+		<label>{{.locale.Tr "admin.auths.saml_nameidformat"}}</label>
+		<div class="ui selection type dropdown">
+			<input type="hidden" id="name_id_format" name="name_id_format" value="{{.name_id_format}}">
+			<div class="text">{{.CurrentNameIDFormat}}</div>
+			{{svg "octicon-triangle-down" 14 "dropdown icon"}}
+			<div class="menu">
+				{{range .NameIDFormats}}
+					<div class="item" data-value="{{.Type.Int}}">{{.Name}}</div>
+				{{end}}
+			</div>
+		</div>
+	</div>
+
+	<div class="field">
+		<label for="identity_provider_metadata_url">{{.locale.Tr "admin.auths.saml_identity_provider_metadata_url"}}</label>
+		<input id="identity_provider_metadata_url" name="identity_provider_metadata_url" value="{{.IdentityProviderMetadataURL}}">
+	</div>
+	<div class="field">
+		<label for="identity_provider_metadata">{{.locale.Tr "admin.auths.saml_identity_provider_metadata"}}</label>
+		<textarea rows=2 id="identity_provider_metadata" name="identity_provider_metadata" value="{{.IdentityProviderMetadata}}"></textarea>
+	</div>
+
+	<div class="inline field">
+		<div class="ui checkbox">
+			<label><strong>{{.locale.Tr "admin.auths.saml_insecure_skip_assertion_signature_validation"}}</strong></label>
+			<input name="insecure_skip_assertion_signature_validation" type="checkbox" {{if .InsecureSkipAssertionSignatureValidation}}checked{{end}}>
+		</div>
+	</div>
+
+	<div class=" field">
+		<label for="service_provider_certificate">{{.locale.Tr "admin.auths.saml_service_provider_certificate"}}</label>
+		<textarea rows=2 id="service_provider_certificate" name="service_provider_certificate" value="{{.ServiceProviderCertificate}}"></textarea>
+	</div>
+	<div class=" field">
+		<label for="service_provider_private_key">{{.locale.Tr "admin.auths.saml_service_provider_private_key"}}</label>
+		<textarea rows=2 id="service_provider_private_key" name="service_provider_private_key" value="{{.ServiceProviderPrivateKey}}"></textarea>
+	</div>
+
+	<div class="inline field">
+		<div class="ui checkbox">
+			<label><strong>{{.locale.Tr "admin.auths.sign_requests"}}</strong></label>
+			<input name="sign_requests" type="checkbox" {{if .SignRequests}}checked{{end}}>
+		</div>
+	</div>
+
+</div>
diff --git a/web_src/js/features/admin/common.js b/web_src/js/features/admin/common.js
index 84fd35e081046..0afae704f3950 100644
--- a/web_src/js/features/admin/common.js
+++ b/web_src/js/features/admin/common.js
@@ -104,9 +104,9 @@ export function initAdminCommon() {
   // New authentication
   if ($('.admin.new.authentication').length > 0) {
     $('#auth_type').on('change', function () {
-      hideElem($('.ldap, .dldap, .smtp, .pam, .oauth2, .has-tls, .search-page-size, .sspi'));
+      hideElem($('.ldap, .dldap, .smtp, .pam, .oauth2, .has-tls, .search-page-size, .sspi, .saml'));
 
-      $('.ldap input[required], .binddnrequired input[required], .dldap input[required], .smtp input[required], .pam input[required], .oauth2 input[required], .has-tls input[required], .sspi input[required]').removeAttr('required');
+      $('.ldap input[required], .binddnrequired input[required], .dldap input[required], .smtp input[required], .pam input[required], .oauth2 input[required], .has-tls input[required], .sspi input[required], .saml input[required]').removeAttr('required');
       $('.binddnrequired').removeClass('required');
 
       const authType = $(this).val();

From 83975b09f15f204d6637cb8cb97fb6f02efebcae Mon Sep 17 00:00:00 2001
From: techknowlogick <techknowlogick@gitea.io>
Date: Thu, 8 Jun 2023 23:33:32 -0400
Subject: [PATCH 02/84] make vendor & make fmt

---
 go.mod                         |  5 +++++
 go.sum                         | 14 ++++++++++++++
 models/auth/saml.go            |  3 +--
 templates/admin/auth/edit.tmpl |  2 +-
 templates/admin/auth/new.tmpl  |  2 +-
 5 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/go.mod b/go.mod
index e92c08836e23b..0053831eafaa3 100644
--- a/go.mod
+++ b/go.mod
@@ -144,6 +144,7 @@ require (
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
 	github.com/aymerick/douceur v0.2.0 // indirect
+	github.com/beevik/etree v1.1.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bits-and-blooms/bitset v1.7.0 // indirect
 	github.com/blevesearch/bleve_index_api v1.0.5 // indirect
@@ -215,6 +216,7 @@ require (
 	github.com/imdario/mergo v0.3.15 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jessevdk/go-flags v1.5.0 // indirect
+	github.com/jonboulle/clockwork v0.3.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
@@ -224,6 +226,7 @@ require (
 	github.com/magiconair/properties v1.8.6 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/markbates/going v1.0.0 // indirect
+	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
@@ -256,6 +259,8 @@ require (
 	github.com/robfig/cron v1.2.0 // indirect
 	github.com/rogpeppe/go-internal v1.10.0 // indirect
 	github.com/rs/xid v1.5.0 // indirect
+	github.com/russellhaering/gosaml2 v0.9.1 // indirect
+	github.com/russellhaering/goxmldsig v1.3.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
diff --git a/go.sum b/go.sum
index 0a3e409690e3b..fe8f5800e1d45 100644
--- a/go.sum
+++ b/go.sum
@@ -157,6 +157,8 @@ github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN
 github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g=
 github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
+github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs=
+github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
@@ -752,6 +754,9 @@ github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht
 github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
+github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
+github.com/jonboulle/clockwork v0.3.0 h1:9BSCMi8C+0qdApAp4auwX0RkLGUjs956h0EkuQymUhg=
+github.com/jonboulle/clockwork v0.3.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
@@ -799,6 +804,7 @@ github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
@@ -844,6 +850,8 @@ github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsI
 github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0=
 github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
 github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
+github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
+github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
@@ -1068,6 +1076,8 @@ github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6So
 github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
+github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
 github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
@@ -1077,6 +1087,10 @@ github.com/rs/xid v1.5.0 h1:mKX4bl4iPYJtEIxp6CYiUuLQ/8DYMoz0PUdtGgMFRVc=
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
 github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc=
+github.com/russellhaering/gosaml2 v0.9.1 h1:H/whrl8NuSoxyW46Ww5lKPskm+5K+qYLw9afqJ/Zef0=
+github.com/russellhaering/gosaml2 v0.9.1/go.mod h1:ja+qgbayxm+0mxBRLMSUuX3COqy+sb0RRhIGun/W2kc=
+github.com/russellhaering/goxmldsig v1.3.0 h1:DllIWUgMy0cRUMfGiASiYEa35nsieyD3cigIwLonTPM=
+github.com/russellhaering/goxmldsig v1.3.0/go.mod h1:gM4MDENBQf7M+V824SGfyIUVFWydB7n0KkEubVJl+Tw=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
diff --git a/models/auth/saml.go b/models/auth/saml.go
index e0dca70ec7d1b..23ec562cf5099 100644
--- a/models/auth/saml.go
+++ b/models/auth/saml.go
@@ -1,9 +1,8 @@
 package auth
 
 import (
-	"code.gitea.io/gitea/models/db"
-
 	auth_model "code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/models/db"
 )
 
 // GetActiveSAMLProviderLoginSources returns all actived LoginSAML sources
diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
index df1127241bbc3..34bde93fd08d9 100644
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -370,7 +370,7 @@
 
 				<!-- SAML -->
 				{{if .Source.IsSAML}}
-					{{ $cfg:=.Source.Cfg }}
+					{{$cfg:=.Source.Cfg}}
 					<div class="inline required field">
 						<label>{{.locale.Tr "admin.auths.saml_nameidformat"}}</label>
 						<div class="ui selection type dropdown">
diff --git a/templates/admin/auth/new.tmpl b/templates/admin/auth/new.tmpl
index f0a007c68fcf3..788dba8950a63 100644
--- a/templates/admin/auth/new.tmpl
+++ b/templates/admin/auth/new.tmpl
@@ -54,7 +54,7 @@
 				{{template "admin/auth/source/sspi" .}}
 
 				<!-- SAML -->
-+				{{ template "admin/auth/source/saml" . }}
++				{{template "admin/auth/source/saml" .}}
 
 				<div class="ldap field">
 					<div class="ui checkbox">

From a96ead2f74afc91a3059d86ef9424c2e615a249e Mon Sep 17 00:00:00 2001
From: techknowlogick <techknowlogick@gitea.io>
Date: Thu, 8 Jun 2023 23:41:28 -0400
Subject: [PATCH 03/84] add copy headers

---
 models/auth/saml.go                              | 16 +++++++++-------
 routers/web/auth/saml.go                         |  3 +++
 .../auth/source/saml/assert_interface_test.go    |  3 +++
 services/auth/source/saml/init.go                |  3 +++
 services/auth/source/saml/name_id_format.go      |  3 +++
 services/auth/source/saml/providers.go           |  3 +++
 services/auth/source/saml/source.go              |  3 +++
 services/auth/source/saml/source_authenticate.go |  3 +++
 services/auth/source/saml/source_callout.go      |  3 +++
 services/auth/source/saml/source_metadata.go     |  3 +++
 services/auth/source/saml/source_register.go     |  3 +++
 11 files changed, 39 insertions(+), 7 deletions(-)

diff --git a/models/auth/saml.go b/models/auth/saml.go
index 23ec562cf5099..a452df00748b4 100644
--- a/models/auth/saml.go
+++ b/models/auth/saml.go
@@ -1,23 +1,25 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package auth
 
 import (
-	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 )
 
 // GetActiveSAMLProviderLoginSources returns all actived LoginSAML sources
-func GetActiveSAMLProviderLoginSources() ([]*auth_model.Source, error) {
-	sources := make([]*auth_model.Source, 0, 1)
-	if err := db.GetEngine(db.DefaultContext).Where("is_active = ? and type = ?", true, auth_model.SAML).Find(&sources); err != nil {
+func GetActiveSAMLProviderLoginSources() ([]*Source, error) {
+	sources := make([]*Source, 0, 1)
+	if err := db.GetEngine(db.DefaultContext).Where("is_active = ? and type = ?", true, SAML).Find(&sources); err != nil {
 		return nil, err
 	}
 	return sources, nil
 }
 
 // GetActiveSAMLLoginSourceByName returns a OAuth2 LoginSource based on the given name
-func GetActiveSAMLLoginSourceByName(name string) (*auth_model.Source, error) {
-	loginSource := new(auth_model.Source)
-	has, err := db.GetEngine(db.DefaultContext).Where("name = ? and type = ? and is_active = ?", name, auth_model.SAML, true).Get(loginSource)
+func GetActiveSAMLLoginSourceByName(name string) (*Source, error) {
+	loginSource := new(Source)
+	has, err := db.GetEngine(db.DefaultContext).Where("name = ? and type = ? and is_active = ?", name, SAML, true).Get(loginSource)
 	if !has || err != nil {
 		return nil, err
 	}
diff --git a/routers/web/auth/saml.go b/routers/web/auth/saml.go
index 59715c966beee..6418165e94b18 100644
--- a/routers/web/auth/saml.go
+++ b/routers/web/auth/saml.go
@@ -1,3 +1,6 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package auth
 
 import (
diff --git a/services/auth/source/saml/assert_interface_test.go b/services/auth/source/saml/assert_interface_test.go
index 77cf185ece4cc..2ca7057b8a590 100644
--- a/services/auth/source/saml/assert_interface_test.go
+++ b/services/auth/source/saml/assert_interface_test.go
@@ -1,3 +1,6 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package saml_test
 
 import (
diff --git a/services/auth/source/saml/init.go b/services/auth/source/saml/init.go
index 6440d1d2e9d41..52d2b92d71679 100644
--- a/services/auth/source/saml/init.go
+++ b/services/auth/source/saml/init.go
@@ -1,3 +1,6 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package saml
 
 import (
diff --git a/services/auth/source/saml/name_id_format.go b/services/auth/source/saml/name_id_format.go
index 38a8163cdc3c7..0f718b5bbf276 100644
--- a/services/auth/source/saml/name_id_format.go
+++ b/services/auth/source/saml/name_id_format.go
@@ -1,3 +1,6 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package saml
 
 type NameIDFormat int
diff --git a/services/auth/source/saml/providers.go b/services/auth/source/saml/providers.go
index 37c88972421ff..1e10ef90b2bcf 100644
--- a/services/auth/source/saml/providers.go
+++ b/services/auth/source/saml/providers.go
@@ -1,3 +1,6 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package saml
 
 import (
diff --git a/services/auth/source/saml/source.go b/services/auth/source/saml/source.go
index 3a2da635e0709..629ef47a45d59 100644
--- a/services/auth/source/saml/source.go
+++ b/services/auth/source/saml/source.go
@@ -1,3 +1,6 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package saml
 
 import (
diff --git a/services/auth/source/saml/source_authenticate.go b/services/auth/source/saml/source_authenticate.go
index 8edd5cb3894ce..ad4a7d247ca34 100644
--- a/services/auth/source/saml/source_authenticate.go
+++ b/services/auth/source/saml/source_authenticate.go
@@ -1,3 +1,6 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package saml
 
 import (
diff --git a/services/auth/source/saml/source_callout.go b/services/auth/source/saml/source_callout.go
index 0fa464f5f1332..79bc9aa530e19 100644
--- a/services/auth/source/saml/source_callout.go
+++ b/services/auth/source/saml/source_callout.go
@@ -1,3 +1,6 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package saml
 
 import (
diff --git a/services/auth/source/saml/source_metadata.go b/services/auth/source/saml/source_metadata.go
index 57c4fc82e72e5..c7e27c908bf9b 100644
--- a/services/auth/source/saml/source_metadata.go
+++ b/services/auth/source/saml/source_metadata.go
@@ -1,3 +1,6 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package saml
 
 import (
diff --git a/services/auth/source/saml/source_register.go b/services/auth/source/saml/source_register.go
index 7ee390259ce2f..deb300a5ba4cc 100644
--- a/services/auth/source/saml/source_register.go
+++ b/services/auth/source/saml/source_register.go
@@ -1,3 +1,6 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package saml
 
 import "context"

From 961c714341d0c16c66a83b65fb4c5607063320b7 Mon Sep 17 00:00:00 2001
From: techknowlogick <techknowlogick@gitea.io>
Date: Thu, 8 Jun 2023 23:47:01 -0400
Subject: [PATCH 04/84] add translations

---
 options/locale/locale_en-US.ini | 7 +++++++
 templates/admin/auth/edit.tmpl  | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 195252c47d176..42f44c31bb778 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -2895,6 +2895,13 @@ auths.sspi_separator_replacement = Separator to use instead of \, / and @
 auths.sspi_separator_replacement_helper = The character to use to replace the separators of down-level logon names (eg. the \ in "DOMAIN\user") and user principal names (eg. the @ in "user@example.org").
 auths.sspi_default_language = Default user language
 auths.sspi_default_language_helper = Default language for users automatically created by SSPI auth method. Leave empty if you prefer language to be automatically detected.
+auths.saml_nameidformat = SAML NameID Format
+auths.saml_IdentityProviderMetadataURL = Identity Provider Metadata URL
+auths.saml_IdentityProviderMetadata = Identity Provider Metadata XML
+auths.saml_insecure_skip_assertion_signature_validation = [Insecure] Skip Assertion Signature Validation
+auths.saml_ServiceProviderCertificate = Service Provider Certificate
+auths.saml_ServiceProviderPrivateKey = Service Provider Private Key
+auths.saml_SignRequests = Sign SAML Requests
 auths.tips = Tips
 auths.tips.oauth2.general = OAuth2 Authentication
 auths.tips.oauth2.general.tip = When registering a new OAuth2 authentication, the callback/redirect URL should be: <host>/user/oauth2/<Authentication Name>/callback
diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
index 34bde93fd08d9..b17178d2e5c0e 100644
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -412,7 +412,7 @@
 
 					<div class="inline field">
 						<div class="ui checkbox">
-							<label><strong>{{.locale.Tr "admin.auths.SignRequests"}}</strong></label>
+							<label><strong>{{.locale.Tr "admin.auths.saml_SignRequests"}}</strong></label>
 							<input name="sign_requests" type="checkbox" {{if $cfg.SignRequests}}checked{{end}}>
 						</div>
 					</div>

From 36ca421ac7a212fb62670c8b81dec47f240b6ffa Mon Sep 17 00:00:00 2001
From: techknowlogick <techknowlogick@gitea.io>
Date: Thu, 8 Jun 2023 23:54:15 -0400
Subject: [PATCH 05/84] make tidy

---
 assets/go-licenses.json | 25 +++++++++++++++++++++++++
 go.mod                  |  4 ++--
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/assets/go-licenses.json b/assets/go-licenses.json
index 3718741cc7f12..11d942706f64d 100644
--- a/assets/go-licenses.json
+++ b/assets/go-licenses.json
@@ -119,6 +119,11 @@
     "path": "github.com/aymerick/douceur/LICENSE",
     "licenseText": "The MIT License (MIT)\n\nCopyright (c) 2015 Aymerick JEHANNE\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n\n"
   },
+  {
+    "name": "github.com/beevik/etree",
+    "path": "github.com/beevik/etree/LICENSE",
+    "licenseText": "Copyright 2015-2019 Brett Vickers. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n   1. Redistributions of source code must retain the above copyright\n      notice, this list of conditions and the following disclaimer.\n\n   2. Redistributions in binary form must reproduce the above copyright\n      notice, this list of conditions and the following disclaimer in the\n      documentation and/or other materials provided with the distribution.\n\nTHIS SOFTWARE IS PROVIDED BY COPYRIGHT HOLDER ``AS IS'' AND ANY\nEXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\nIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\nPURPOSE ARE DISCLAIMED. IN NO EVENT SHALL COPYRIGHT HOLDER OR\nCONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,\nEXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,\nPROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR\nPROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY\nOF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
+  },
   {
     "name": "github.com/beorn7/perks/quantile",
     "path": "github.com/beorn7/perks/quantile/LICENSE",
@@ -629,6 +634,11 @@
     "path": "github.com/jhillyerd/enmime/LICENSE",
     "licenseText": "The MIT License (MIT)\n\nCopyright (c) 2012-2016 James Hillyerd, All Rights Reserved\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of\nthis software and associated documentation files (the \"Software\"), to deal in\nthe Software without restriction, including without limitation the rights to\nuse, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of\nthe Software, and to permit persons to whom the Software is furnished to do so,\nsubject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS\nFOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\nCOPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER\nIN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN\nCONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n"
   },
+  {
+    "name": "github.com/jonboulle/clockwork",
+    "path": "github.com/jonboulle/clockwork/LICENSE",
+    "licenseText": "Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. (Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright {yyyy} {name of copyright owner}\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
+  },
   {
     "name": "github.com/josharian/intern",
     "path": "github.com/josharian/intern/license.md",
@@ -709,6 +719,11 @@
     "path": "github.com/markbates/goth/LICENSE.txt",
     "licenseText": "Copyright (c) 2014 Mark Bates\n\nMIT License\n\nPermission is hereby granted, free of charge, to any person obtaining\na copy of this software and associated documentation files (the\n\"Software\"), to deal in the Software without restriction, including\nwithout limitation the rights to use, copy, modify, merge, publish,\ndistribute, sublicense, and/or sell copies of the Software, and to\npermit persons to whom the Software is furnished to do so, subject to\nthe following conditions:\n\nThe above copyright notice and this permission notice shall be\nincluded in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND,\nEXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\nMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND\nNONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE\nLIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION\nOF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION\nWITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n"
   },
+  {
+    "name": "github.com/mattermost/xml-roundtrip-validator",
+    "path": "github.com/mattermost/xml-roundtrip-validator/LICENSE.txt",
+    "licenseText": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. (Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
+  },
   {
     "name": "github.com/mattn/go-colorable",
     "path": "github.com/mattn/go-colorable/LICENSE",
@@ -909,6 +924,16 @@
     "path": "github.com/rs/xid/LICENSE",
     "licenseText": "Copyright (c) 2015 Olivier Poitrey \u003crs@dailymotion.com\u003e\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is furnished\nto do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n"
   },
+  {
+    "name": "github.com/russellhaering/gosaml2",
+    "path": "github.com/russellhaering/gosaml2/LICENSE",
+    "licenseText": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n"
+  },
+  {
+    "name": "github.com/russellhaering/goxmldsig",
+    "path": "github.com/russellhaering/goxmldsig/LICENSE",
+    "licenseText": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n"
+  },
   {
     "name": "github.com/russross/blackfriday/v2",
     "path": "github.com/russross/blackfriday/v2/LICENSE.txt",
diff --git a/go.mod b/go.mod
index 0053831eafaa3..0f9b2f7b4c888 100644
--- a/go.mod
+++ b/go.mod
@@ -92,6 +92,8 @@ require (
 	github.com/prometheus/client_golang v1.15.1
 	github.com/quasoft/websspi v1.1.2
 	github.com/redis/go-redis/v9 v9.0.4
+	github.com/russellhaering/gosaml2 v0.9.1
+	github.com/russellhaering/goxmldsig v1.3.0
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.0
 	github.com/sassoftware/go-rpmutils v0.2.0
 	github.com/sergi/go-diff v1.3.1
@@ -259,8 +261,6 @@ require (
 	github.com/robfig/cron v1.2.0 // indirect
 	github.com/rogpeppe/go-internal v1.10.0 // indirect
 	github.com/rs/xid v1.5.0 // indirect
-	github.com/russellhaering/gosaml2 v0.9.1 // indirect
-	github.com/russellhaering/goxmldsig v1.3.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect

From fa79ccf594aa468879d8e791085f1ff4ca32e9fa Mon Sep 17 00:00:00 2001
From: techknowlogick <techknowlogick@gitea.io>
Date: Fri, 9 Jun 2023 00:01:41 -0400
Subject: [PATCH 06/84] patch missed the missing imports

---
 routers/web/admin/auths.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go
index 1061a74f406d3..3e97ceba60557 100644
--- a/routers/web/admin/auths.go
+++ b/routers/web/admin/auths.go
@@ -4,6 +4,8 @@
 package admin
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"net/http"

From 8b24ebd2d0eec890118d97fe37bca78c8e21e01b Mon Sep 17 00:00:00 2001
From: techknowlogick <hello@techknowlogick.com>
Date: Mon, 21 Aug 2023 19:49:30 +0000
Subject: [PATCH 07/84] make vendor tidy

---
 go.mod | 3 ++-
 go.sum | 7 ++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/go.mod b/go.mod
index 02b561bb67304..c159acb986a8d 100644
--- a/go.mod
+++ b/go.mod
@@ -89,9 +89,9 @@ require (
 	github.com/pquerna/otp v1.4.0
 	github.com/prometheus/client_golang v1.16.0
 	github.com/quasoft/websspi v1.1.2
+	github.com/redis/go-redis/v9 v9.0.5
 	github.com/russellhaering/gosaml2 v0.9.1
 	github.com/russellhaering/goxmldsig v1.3.0
-	github.com/redis/go-redis/v9 v9.0.5
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
 	github.com/sassoftware/go-rpmutils v0.2.0
 	github.com/sergi/go-diff v1.3.1
@@ -229,6 +229,7 @@ require (
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/markbates/going v1.0.3 // indirect
+	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
diff --git a/go.sum b/go.sum
index 62156114cb419..339e4dd69fc62 100644
--- a/go.sum
+++ b/go.sum
@@ -140,6 +140,8 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3d
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
+github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs=
+github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
 github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
@@ -665,6 +667,9 @@ github.com/jhillyerd/enmime v1.0.0 h1:8swYgO1fm68PllCKz5jiLzgD3axNUS388jr6BtRSsl
 github.com/jhillyerd/enmime v1.0.0/go.mod h1:EktNOa/V6ka9yCrfoB2uxgefp1lno6OVdszW0iQ5LnM=
 github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
+github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
+github.com/jonboulle/clockwork v0.3.0 h1:9BSCMi8C+0qdApAp4auwX0RkLGUjs956h0EkuQymUhg=
+github.com/jonboulle/clockwork v0.3.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
@@ -752,7 +757,6 @@ github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
 github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
 github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
 github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
-github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
 github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
@@ -904,6 +908,7 @@ github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
 github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
+github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
 github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=

From 2798cc1be6c622426a1801dca57873cbdeb4acd8 Mon Sep 17 00:00:00 2001
From: techknowlogick <hello@techknowlogick.com>
Date: Wed, 30 Aug 2023 04:12:38 +0000
Subject: [PATCH 08/84] fix settings templates

---
 routers/web/auth/saml.go                    | 14 ++++++++++++--
 services/auth/source/saml/providers.go      |  2 +-
 services/auth/source/saml/source_callout.go | 17 ++++++++++++++---
 services/forms/auth_form.go                 |  1 +
 templates/admin/auth/source/saml.tmpl       |  2 +-
 5 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/routers/web/auth/saml.go b/routers/web/auth/saml.go
index 6418165e94b18..de524f4ac0d56 100644
--- a/routers/web/auth/saml.go
+++ b/routers/web/auth/saml.go
@@ -33,8 +33,18 @@ func SignInSAML(ctx *context.Context) {
 
 // SignInSAMLCallback
 func SignInSAMLCallback(ctx *context.Context) {
-	// provider := ctx.Params(":provider")
-	// TODO: complete SAML Callback
+	provider := ctx.Params(":provider")
+	loginSource, err := auth.GetActiveSAMLLoginSourceByName(provider)
+	if err != nil || loginSource == nil {
+		ctx.NotFound("SignInSAMLCallback", err)
+		return
+	}
+
+	// TODO: use ret value to login or create user
+	if _, err = loginSource.Cfg.(*saml.Source).Callback(ctx.Req, ctx.Resp); err != nil {
+		ctx.ServerError("SignInSAMLCallback", err)
+	}
+
 }
 
 // SAMLMetadata
diff --git a/services/auth/source/saml/providers.go b/services/auth/source/saml/providers.go
index 1e10ef90b2bcf..c41b6e09b2f3b 100644
--- a/services/auth/source/saml/providers.go
+++ b/services/auth/source/saml/providers.go
@@ -93,7 +93,7 @@ func createProvider(ctx context.Context, source *Source) (*Source, error) {
 		IdentityProviderIssuer:      metadata.EntityID,
 		AudienceURI:                 setting.AppURL + "user/saml/" + url.PathEscape(source.authSource.Name) + "/metadata",
 		AssertionConsumerServiceURL: source.CallbackURL,
-		SignAuthnRequests:           !source.InsecureSkipAssertionSignatureValidation,
+		SkipSignatureValidation:     source.InsecureSkipAssertionSignatureValidation,
 		NameIdFormat:                source.NameIDFormat.String(),
 		IDPCertificateStore:         &certStore,
 		SPKeyStore:                  keyStore,
diff --git a/services/auth/source/saml/source_callout.go b/services/auth/source/saml/source_callout.go
index 79bc9aa530e19..d8c4d497cfd4c 100644
--- a/services/auth/source/saml/source_callout.go
+++ b/services/auth/source/saml/source_callout.go
@@ -6,6 +6,8 @@ package saml
 import (
 	"fmt"
 	"net/http"
+
+	"github.com/markbates/goth"
 )
 
 // Callout redirects request/response pair to authenticate against the provider
@@ -25,10 +27,19 @@ func (source *Source) Callout(request *http.Request, response http.ResponseWrite
 
 // Callback handles SAML callback, resolve to a goth user and send back to original url
 // this will trigger a new authentication request, but because we save it in the session we can use that
-func (source *Source) Callback(request *http.Request, response http.ResponseWriter) (error, error) {
+func (source *Source) Callback(request *http.Request, response http.ResponseWriter) (goth.User, error) {
 	samlRWMutex.RLock()
 	defer samlRWMutex.RUnlock()
 
-	// TODO: complete
-	return nil, nil
+	user := goth.User{}
+	samlResponse := request.FormValue("SAMLResponse")
+	assertions, err := source.samlSP.RetrieveAssertionInfo(samlResponse)
+	if err != nil {
+		return user, err
+	}
+	if warningInfo := assertions.WarningInfo; warningInfo != nil {
+		return user, fmt.Errorf("SAML response contains warnings: %v", warningInfo)
+	}
+
+	return user, nil
 }
diff --git a/services/forms/auth_form.go b/services/forms/auth_form.go
index 5db6f3fafa02b..deb10e961816d 100644
--- a/services/forms/auth_form.go
+++ b/services/forms/auth_form.go
@@ -1,3 +1,4 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
 // Copyright 2014 The Gogs Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
diff --git a/templates/admin/auth/source/saml.tmpl b/templates/admin/auth/source/saml.tmpl
index f29852abf6603..09f0c5b3fbce7 100644
--- a/templates/admin/auth/source/saml.tmpl
+++ b/templates/admin/auth/source/saml.tmpl
@@ -1,4 +1,4 @@
-<div class="saml field {{if not (eq .type 99)}}hide{{end}}">
+<div class="saml field {{if not (eq .type 99)}}gt-hidden{{end}}">
 
 	<div class="inline required field">
 		<label>{{.locale.Tr "admin.auths.saml_nameidformat"}}</label>

From c11d8e3fc64592b952c28735ae0d24daf71b4256 Mon Sep 17 00:00:00 2001
From: techknowlogick <hello@techknowlogick.com>
Date: Thu, 31 Aug 2023 00:27:37 +0000
Subject: [PATCH 09/84] make fmt tidy

---
 go.mod                   | 2 +-
 routers/web/auth/saml.go | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/go.mod b/go.mod
index ae6d6e47fe705..8740f4177fe69 100644
--- a/go.mod
+++ b/go.mod
@@ -90,9 +90,9 @@ require (
 	github.com/prometheus/client_golang v1.16.0
 	github.com/quasoft/websspi v1.1.2
 	github.com/redis/go-redis/v9 v9.0.5
+	github.com/robfig/cron/v3 v3.0.1
 	github.com/russellhaering/gosaml2 v0.9.1
 	github.com/russellhaering/goxmldsig v1.3.0
-	github.com/robfig/cron/v3 v3.0.1
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
 	github.com/sassoftware/go-rpmutils v0.2.0
 	github.com/sergi/go-diff v1.3.1
diff --git a/routers/web/auth/saml.go b/routers/web/auth/saml.go
index de524f4ac0d56..423d6807acfe8 100644
--- a/routers/web/auth/saml.go
+++ b/routers/web/auth/saml.go
@@ -44,7 +44,6 @@ func SignInSAMLCallback(ctx *context.Context) {
 	if _, err = loginSource.Cfg.(*saml.Source).Callback(ctx.Req, ctx.Resp); err != nil {
 		ctx.ServerError("SignInSAMLCallback", err)
 	}
-
 }
 
 // SAMLMetadata

From eb0e267f99f875723698ee89cb32c064b08c4ce4 Mon Sep 17 00:00:00 2001
From: techknowlogick <hello@techknowlogick.com>
Date: Thu, 31 Aug 2023 02:06:51 +0000
Subject: [PATCH 10/84] add button to login page

---
 routers/web/admin/auths.go            |  1 +
 routers/web/auth/auth.go              |  8 ++++++++
 templates/user/auth/signin_inner.tmpl | 16 ++++++++++++++++
 3 files changed, 25 insertions(+)

diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go
index 85f1c8269936d..de4775dc6836a 100644
--- a/routers/web/admin/auths.go
+++ b/routers/web/admin/auths.go
@@ -1,4 +1,5 @@
 // Copyright 2014 The Gogs Authors. All rights reserved.
+// Copyright 2023 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
 package admin
diff --git a/routers/web/auth/auth.go b/routers/web/auth/auth.go
index 3bf133f56222c..44478e3c86d06 100644
--- a/routers/web/auth/auth.go
+++ b/routers/web/auth/auth.go
@@ -153,6 +153,14 @@ func SignIn(ctx *context.Context) {
 	}
 	ctx.Data["OrderedOAuth2Names"] = orderedOAuth2Names
 	ctx.Data["OAuth2Providers"] = oauth2Providers
+
+	samlProviders, err := auth.GetActiveSAMLProviderLoginSources()
+	if err != nil {
+		ctx.ServerError("UserSignIn", err)
+		return
+	}
+	ctx.Data["SAMLProviders"] = samlProviders
+
 	ctx.Data["Title"] = ctx.Tr("sign_in")
 	ctx.Data["SignInLink"] = setting.AppSubURL + "/user/login"
 	ctx.Data["PageIsSignIn"] = true
diff --git a/templates/user/auth/signin_inner.tmpl b/templates/user/auth/signin_inner.tmpl
index 6b118b7a261f2..2ca024a0cc5ec 100644
--- a/templates/user/auth/signin_inner.tmpl
+++ b/templates/user/auth/signin_inner.tmpl
@@ -70,5 +70,21 @@
 		</div>
 	</div>
 	{{end}}
+	{{if .SAMLProviders}}
+	<div class="divider divider-text">
+		{{.locale.Tr "sign_in_or"}}
+	</div>
+	<div id="oauth2-login-navigator" class="gt-py-2">
+		<div class="gt-df gt-fc gt-jc">
+			<div id="saml-login-navigator-inner" class="gt-df gt-fc gt-fw gt-ac gt-gap-3">
+				{{range .SAMLProviders}}
+					<a class="{{.Name}} ui button gt-df gt-ac gt-jc gt-py-3 oauth-login-link" href="{{AppSubUrl}}/user/saml/{{ .Name }}">
+						{{$.locale.Tr "sign_in_with_provider" .Name }}
+					</a>
+				{{end}}
+			</div>
+		</div>
+	</div>
+	{{end}}
 	</form>
 </div>

From 7ccc23285ae23e70bc56ad63bc6bcd37e5043132 Mon Sep 17 00:00:00 2001
From: techknowlogick <hello@techknowlogick.com>
Date: Thu, 31 Aug 2023 02:09:42 +0000
Subject: [PATCH 11/84] cleanup template

---
 templates/user/auth/signin_inner.tmpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/user/auth/signin_inner.tmpl b/templates/user/auth/signin_inner.tmpl
index 2ca024a0cc5ec..c44d0d8e5e977 100644
--- a/templates/user/auth/signin_inner.tmpl
+++ b/templates/user/auth/signin_inner.tmpl
@@ -78,8 +78,8 @@
 		<div class="gt-df gt-fc gt-jc">
 			<div id="saml-login-navigator-inner" class="gt-df gt-fc gt-fw gt-ac gt-gap-3">
 				{{range .SAMLProviders}}
-					<a class="{{.Name}} ui button gt-df gt-ac gt-jc gt-py-3 oauth-login-link" href="{{AppSubUrl}}/user/saml/{{ .Name }}">
-						{{$.locale.Tr "sign_in_with_provider" .Name }}
+					<a class="{{.Name}} ui button gt-df gt-ac gt-jc gt-py-3 oauth-login-link" href="{{AppSubUrl}}/user/saml/{{.Name}}">
+						{{$.locale.Tr "sign_in_with_provider" .Name}}
 					</a>
 				{{end}}
 			</div>

From b46e5de6a73d0d36d0d354193a7e7f1f5e9836a4 Mon Sep 17 00:00:00 2001
From: techknowlogick <hello@techknowlogick.com>
Date: Thu, 31 Aug 2023 02:20:33 +0000
Subject: [PATCH 12/84] update comment

---
 models/auth/saml.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/models/auth/saml.go b/models/auth/saml.go
index a452df00748b4..5d20baa82a3c8 100644
--- a/models/auth/saml.go
+++ b/models/auth/saml.go
@@ -16,7 +16,7 @@ func GetActiveSAMLProviderLoginSources() ([]*Source, error) {
 	return sources, nil
 }
 
-// GetActiveSAMLLoginSourceByName returns a OAuth2 LoginSource based on the given name
+// GetActiveSAMLLoginSourceByName returns a SAML LoginSource based on the given name
 func GetActiveSAMLLoginSourceByName(name string) (*Source, error) {
 	loginSource := new(Source)
 	has, err := db.GetEngine(db.DefaultContext).Where("name = ? and type = ? and is_active = ?", name, SAML, true).Get(loginSource)

From 7ad1370228f8b13fcf20d5227da799d20ff40853 Mon Sep 17 00:00:00 2001
From: techknowlogick <hello@techknowlogick.com>
Date: Thu, 31 Aug 2023 02:32:01 +0000
Subject: [PATCH 13/84] loading spinner (not a fan of the code duplication in
 this commit)

---
 templates/user/auth/signin_inner.tmpl |  4 ++--
 web_src/js/features/user-auth.js      | 21 +++++++++++++++++++++
 web_src/js/index.js                   |  7 ++++++-
 3 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/templates/user/auth/signin_inner.tmpl b/templates/user/auth/signin_inner.tmpl
index c44d0d8e5e977..218b2624f4853 100644
--- a/templates/user/auth/signin_inner.tmpl
+++ b/templates/user/auth/signin_inner.tmpl
@@ -74,11 +74,11 @@
 	<div class="divider divider-text">
 		{{.locale.Tr "sign_in_or"}}
 	</div>
-	<div id="oauth2-login-navigator" class="gt-py-2">
+	<div id="saml-login-navigator" class="gt-py-2">
 		<div class="gt-df gt-fc gt-jc">
 			<div id="saml-login-navigator-inner" class="gt-df gt-fc gt-fw gt-ac gt-gap-3">
 				{{range .SAMLProviders}}
-					<a class="{{.Name}} ui button gt-df gt-ac gt-jc gt-py-3 oauth-login-link" href="{{AppSubUrl}}/user/saml/{{.Name}}">
+					<a class="{{.Name}} ui button gt-df gt-ac gt-jc gt-py-3 saml-login-link" href="{{AppSubUrl}}/user/saml/{{.Name}}">
 						{{$.locale.Tr "sign_in_with_provider" .Name}}
 					</a>
 				{{end}}
diff --git a/web_src/js/features/user-auth.js b/web_src/js/features/user-auth.js
index af380dcfc7c86..d50178eb7d2d7 100644
--- a/web_src/js/features/user-auth.js
+++ b/web_src/js/features/user-auth.js
@@ -22,6 +22,27 @@ export function initUserAuthOauth2() {
   }
 }
 
+export function initUserAuthSAML() {
+  const outer = document.getElementById('saml-login-navigator');
+  if (!outer) return;
+  const inner = document.getElementById('saml-login-navigator-inner');
+
+  checkAppUrl();
+
+  for (const link of outer.querySelectorAll('.saml-login-link')) {
+    link.addEventListener('click', () => {
+      inner.classList.add('gt-invisible');
+      outer.classList.add('is-loading');
+      setTimeout(() => {
+        // recover previous content to let user try again
+        // usually redirection will be performed before this action
+        outer.classList.remove('is-loading');
+        inner.classList.remove('gt-invisible');
+      }, 5000);
+    });
+  }
+}
+
 export function initUserAuthLinkAccountView() {
   const $lnkUserPage = $('.page-content.user.link-account');
   if ($lnkUserPage.length === 0) {
diff --git a/web_src/js/index.js b/web_src/js/index.js
index 8bd219bbe1576..8876905b70466 100644
--- a/web_src/js/index.js
+++ b/web_src/js/index.js
@@ -23,7 +23,11 @@ import {initFindFileInRepo} from './features/repo-findfile.js';
 import {initCommentContent, initMarkupContent} from './markup/content.js';
 import {initPdfViewer} from './render/pdf.js';
 
-import {initUserAuthLinkAccountView, initUserAuthOauth2} from './features/user-auth.js';
+import {
+  initUserAuthLinkAccountView,
+  initUserAuthOauth2,
+  initUserAuthSAML
+} from './features/user-auth.js';
 import {
   initRepoIssueDue,
   initRepoIssueReferenceRepositorySearch,
@@ -175,6 +179,7 @@ onDomReady(() => {
 
   initUserAuthLinkAccountView();
   initUserAuthOauth2();
+  initUserAuthSAML();
   initUserAuthWebAuthn();
   initUserAuthWebAuthnRegister();
   initUserSettings();

From cfbd7191264af75044e2e0f0f668b1ab62888280 Mon Sep 17 00:00:00 2001
From: techknowlogick <hello@techknowlogick.com>
Date: Thu, 31 Aug 2023 03:34:03 +0000
Subject: [PATCH 14/84] handle callback

---
 routers/web/auth/saml.go                    | 121 +++++++++++++++++++-
 services/auth/source/saml/source_callout.go |  36 ++++++
 2 files changed, 154 insertions(+), 3 deletions(-)

diff --git a/routers/web/auth/saml.go b/routers/web/auth/saml.go
index 423d6807acfe8..235f5c95c78f5 100644
--- a/routers/web/auth/saml.go
+++ b/routers/web/auth/saml.go
@@ -4,12 +4,21 @@
 package auth
 
 import (
+	"errors"
+	"fmt"
 	"net/http"
 	"strings"
 
 	"code.gitea.io/gitea/models/auth"
+	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
+	"code.gitea.io/gitea/modules/web/middleware"
 	"code.gitea.io/gitea/services/auth/source/saml"
+	"code.gitea.io/gitea/services/externalaccount"
+	"github.com/markbates/goth"
 )
 
 // SignInSAML
@@ -40,10 +49,116 @@ func SignInSAMLCallback(ctx *context.Context) {
 		return
 	}
 
-	// TODO: use ret value to login or create user
-	if _, err = loginSource.Cfg.(*saml.Source).Callback(ctx.Req, ctx.Resp); err != nil {
-		ctx.ServerError("SignInSAMLCallback", err)
+	if loginSource == nil {
+		ctx.ServerError("SignIn", fmt.Errorf("no valid provider found, check configured callback url in provider"))
+		return
+	}
+
+	u, gothUser, err := samlUserLoginCallback(loginSource, ctx.Req, ctx.Resp)
+	if err != nil {
+		// TODO: improve error display
+		ctx.ServerError("SignIn", err)
+		return
+	}
+
+	if u == nil {
+		if ctx.Doer != nil {
+			// attach user to already logged in user
+			err = externalaccount.LinkAccountToUser(ctx.Doer, gothUser)
+			if err != nil {
+				ctx.ServerError("UserLinkAccount", err)
+				return
+			}
+
+			ctx.Redirect(setting.AppSubURL + "/user/settings/security")
+			return
+		} else if !setting.Service.AllowOnlyInternalRegistration && false {
+			// TODO: allow auto registration from saml users (OAuth2 uses the following setting.OAuth2Client.EnableAutoRegistration)
+		} else {
+			// no existing user is found, request attach or new account
+			showLinkingLogin(ctx, gothUser)
+			return
+		}
 	}
+
+	handleSamlSignIn(ctx, loginSource, u, gothUser)
+}
+
+func handleSamlSignIn(ctx *context.Context, source *auth.Source, u *user_model.User, gothUser goth.User) {
+	if err := updateSession(ctx, nil, map[string]any{
+		"uid":   u.ID,
+		"uname": u.Name,
+	}); err != nil {
+		ctx.ServerError("updateSession", err)
+		return
+	}
+
+	// Clear whatever CSRF cookie has right now, force to generate a new one
+	ctx.Csrf.DeleteCookie(ctx)
+
+	// Register last login
+	u.SetLastLogin()
+
+	// update external user information
+	if err := externalaccount.UpdateExternalUser(u, gothUser); err != nil {
+		if !errors.Is(err, util.ErrNotExist) {
+			log.Error("UpdateExternalUser failed: %v", err)
+		}
+	}
+
+	if err := resetLocale(ctx, u); err != nil {
+		ctx.ServerError("resetLocale", err)
+		return
+	}
+
+	if redirectTo := ctx.GetSiteCookie("redirect_to"); len(redirectTo) > 0 {
+		middleware.DeleteRedirectToCookie(ctx.Resp)
+		ctx.RedirectToFirst(redirectTo)
+		return
+	}
+
+	ctx.Redirect(setting.AppSubURL + "/")
+}
+
+func samlUserLoginCallback(authSource *auth.Source, request *http.Request, response http.ResponseWriter) (*user_model.User, goth.User, error) {
+	samlSource := authSource.Cfg.(*saml.Source)
+
+	gothUser, err := samlSource.Callback(request, response)
+	if err != nil {
+		return nil, gothUser, err
+	}
+
+	user := &user_model.User{
+		LoginName:   gothUser.UserID,
+		LoginType:   auth.OAuth2,
+		LoginSource: authSource.ID,
+	}
+
+	hasUser, err := user_model.GetUser(user)
+	if err != nil {
+		return nil, goth.User{}, err
+	}
+
+	if hasUser {
+		return user, gothUser, nil
+	}
+
+	// search in external linked users
+	externalLoginUser := &user_model.ExternalLoginUser{
+		ExternalID:    gothUser.UserID,
+		LoginSourceID: authSource.ID,
+	}
+	hasUser, err = user_model.GetExternalLogin(externalLoginUser)
+	if err != nil {
+		return nil, goth.User{}, err
+	}
+	if hasUser {
+		user, err = user_model.GetUserByID(request.Context(), externalLoginUser.UserID)
+		return user, gothUser, err
+	}
+
+	// no user found to login
+	return nil, gothUser, nil
 }
 
 // SAMLMetadata
diff --git a/services/auth/source/saml/source_callout.go b/services/auth/source/saml/source_callout.go
index d8c4d497cfd4c..63cc0c432fbe3 100644
--- a/services/auth/source/saml/source_callout.go
+++ b/services/auth/source/saml/source_callout.go
@@ -6,6 +6,7 @@ package saml
 import (
 	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/markbates/goth"
 )
@@ -41,5 +42,40 @@ func (source *Source) Callback(request *http.Request, response http.ResponseWrit
 		return user, fmt.Errorf("SAML response contains warnings: %v", warningInfo)
 	}
 
+	samlMap := make(map[string]string) // Global.
+	for key, value := range assertions.Values {
+		var (
+			keyParsed   string
+			valueParsed string
+		)
+
+		keyParsed = strings.ToLower(key[strings.LastIndex(key, "/")+1:]) // Uses the trailing slug as the key name.
+		valueParsed = value.Values[0].Value
+		samlMap[keyParsed] = valueParsed
+
+	}
+
+	user.UserID = assertions.NameID
+	if user.UserID == "" {
+		return user, fmt.Errorf("no nameID found in SAML response")
+	}
+
+	// TODO: rather than hardcoding assertion keys, we should allow setting them in the UI
+
+	// email
+	if _, ok := samlMap["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddres"]; !ok {
+		user.Email = samlMap["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddres"]
+	}
+	// name
+	if _, ok := samlMap["http://schemas.xmlsoap.org/claims/CommonName"]; !ok {
+		user.NickName = samlMap["http://schemas.xmlsoap.org/claims/CommonName"]
+	}
+	// username
+	if _, ok := samlMap["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]; !ok {
+		user.Name = samlMap["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
+	}
+
+	// TODO: utilize groups later on
+
 	return user, nil
 }

From d1af443929147c5fa7f44297e869bf1849486c12 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Thu, 14 Sep 2023 12:31:00 -0400
Subject: [PATCH 15/84] fix new saml provider form, add fields for specifying
 assertion keys

---
 options/locale/locale_en-US.ini             | 13 ++++++-----
 routers/web/admin/auths.go                  |  3 +++
 services/auth/source/saml/source.go         |  9 +++++++-
 services/auth/source/saml/source_callout.go | 16 +++++--------
 services/forms/auth_form.go                 |  3 +++
 templates/admin/auth/edit.tmpl              | 25 ++++++++++++++++-----
 templates/admin/auth/source/saml.tmpl       | 19 ++++++++++++++--
 web_src/js/features/admin/common.js         |  4 ++++
 8 files changed, 69 insertions(+), 23 deletions(-)

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index bb808571a5120..6721e21c51265 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -2967,12 +2967,15 @@ auths.sspi_separator_replacement_helper = The character to use to replace the se
 auths.sspi_default_language = Default user language
 auths.sspi_default_language_helper = Default language for users automatically created by SSPI auth method. Leave empty if you prefer language to be automatically detected.
 auths.saml_nameidformat = SAML NameID Format
-auths.saml_IdentityProviderMetadataURL = Identity Provider Metadata URL
-auths.saml_IdentityProviderMetadata = Identity Provider Metadata XML
+auths.saml_identity_provider_metadata_url = Identity Provider Metadata URL
+auths.saml_identity_provider_metadata = Identity Provider Metadata XML
 auths.saml_insecure_skip_assertion_signature_validation = [Insecure] Skip Assertion Signature Validation
-auths.saml_ServiceProviderCertificate = Service Provider Certificate
-auths.saml_ServiceProviderPrivateKey = Service Provider Private Key
-auths.saml_SignRequests = Sign SAML Requests
+auths.saml_service_provider_certificate = Service Provider Certificate
+auths.saml_service_provider_private_key = Service Provider Private Key
+auths.saml_sign_requests = Sign SAML Requests
+auths.saml_identity_provider_email_assertion_key = Email Assertion Key
+auths.saml_identity_provider_name_assertion_key = Name Assertion Key
+auths.saml_identity_provider_username_assertion_key = Username Assertion Key
 auths.tips = Tips
 auths.tips.oauth2.general = OAuth2 Authentication
 auths.tips.oauth2.general.tip = When registering a new OAuth2 authentication, the callback/redirect URL should be:
diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go
index de4775dc6836a..b2cf7f2ed24f4 100644
--- a/routers/web/admin/auths.go
+++ b/routers/web/admin/auths.go
@@ -287,6 +287,9 @@ func parseSAMLConfig(ctx *context.Context, form forms.AuthenticationForm) (*saml
 		ServiceProviderCertificate:               form.ServiceProviderCertificate,
 		ServiceProviderPrivateKey:                form.ServiceProviderPrivateKey,
 		SignRequests:                             form.SignRequests,
+		EmailAssertionKey:                        form.EmailAssertionKey,
+		NameAssertionKey:                         form.NameAssertionKey,
+		UsernameAssertionKey:                     form.UsernameAssertionKey,
 	}, nil
 }
 
diff --git a/services/auth/source/saml/source.go b/services/auth/source/saml/source.go
index 629ef47a45d59..1e38e924e1f35 100644
--- a/services/auth/source/saml/source.go
+++ b/services/auth/source/saml/source.go
@@ -14,7 +14,7 @@ import (
 // /   _____/  /  _  \    /     \ |    |
 // \_____  \  /  /_\  \  /  \ /  \|    |
 // /        \/    |    \/    Y    \    |___
-///_______  /\____|__  /\____|__  /_______ \
+// /_______  /\____|__  /\____|__  /_______ \
 //        \/         \/         \/        \/
 
 // Source holds configuration for the SAML login source.
@@ -38,6 +38,13 @@ type Source struct {
 
 	CallbackURL string
 
+	// EmailAssertionKey description: Assertion key for user.Email
+	EmailAssertionKey string
+	// NameAssertionKey description: Assertion key for user.NickName
+	NameAssertionKey string
+	// UsernameAssertionKey description: Assertion key for user.Name
+	UsernameAssertionKey string
+
 	// reference to the authSource
 	authSource *auth.Source
 
diff --git a/services/auth/source/saml/source_callout.go b/services/auth/source/saml/source_callout.go
index 63cc0c432fbe3..171c355d7341f 100644
--- a/services/auth/source/saml/source_callout.go
+++ b/services/auth/source/saml/source_callout.go
@@ -60,22 +60,18 @@ func (source *Source) Callback(request *http.Request, response http.ResponseWrit
 		return user, fmt.Errorf("no nameID found in SAML response")
 	}
 
-	// TODO: rather than hardcoding assertion keys, we should allow setting them in the UI
-
 	// email
-	if _, ok := samlMap["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddres"]; !ok {
-		user.Email = samlMap["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddres"]
+	if _, ok := samlMap[source.EmailAssertionKey]; !ok {
+		user.Email = samlMap[source.EmailAssertionKey]
 	}
 	// name
-	if _, ok := samlMap["http://schemas.xmlsoap.org/claims/CommonName"]; !ok {
-		user.NickName = samlMap["http://schemas.xmlsoap.org/claims/CommonName"]
+	if _, ok := samlMap[source.NameAssertionKey]; !ok {
+		user.NickName = samlMap[source.NameAssertionKey]
 	}
 	// username
-	if _, ok := samlMap["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]; !ok {
-		user.Name = samlMap["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
+	if _, ok := samlMap[source.UsernameAssertionKey]; !ok {
+		user.Name = samlMap[source.UsernameAssertionKey]
 	}
 
-	// TODO: utilize groups later on
-
 	return user, nil
 }
diff --git a/services/forms/auth_form.go b/services/forms/auth_form.go
index deb10e961816d..1d00e93a99764 100644
--- a/services/forms/auth_form.go
+++ b/services/forms/auth_form.go
@@ -92,6 +92,9 @@ type AuthenticationForm struct {
 	ServiceProviderCertificate               string
 	ServiceProviderPrivateKey                string
 	SignRequests                             bool
+	EmailAssertionKey                        string
+	NameAssertionKey                         string
+	UsernameAssertionKey                     string
 }
 
 // Validate validates fields
diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
index 05c2ffc0afa9a..be4c98d196242 100644
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -385,11 +385,11 @@
 					</div>
 
 					<div class="field">
-						<label for="identity_provider_metadata_url">{{.locale.Tr "admin.auths.saml_IdentityProviderMetadataURL"}}</label>
+						<label for="identity_provider_metadata_url">{{.locale.Tr "admin.auths.saml_identity_provider_metadata_url"}}</label>
 						<input id="identity_provider_metadata_url" name="identity_provider_metadata_url" value="{{$cfg.IdentityProviderMetadataURL}}">
 					</div>
 					<div class="field">
-						<label for="identity_provider_metadata">{{.locale.Tr "admin.auths.saml_IdentityProviderMetadata"}}</label>
+						<label for="identity_provider_metadata">{{.locale.Tr "admin.auths.saml_identity_provider_metadata"}}</label>
 						<textarea rows=2 id="identity_provider_metadata" name="identity_provider_metadata">{{$cfg.IdentityProviderMetadata}}</textarea>
 					</div>
 
@@ -401,20 +401,35 @@
 					</div>
 
 					<div class=" field">
-						<label for="service_provider_certificate">{{.locale.Tr "admin.auths.saml_ServiceProviderCertificate"}}</label>
+						<label for="service_provider_certificate">{{.locale.Tr "admin.auths.saml_service_provider_certificate"}}</label>
 						<textarea rows=2 id="service_provider_certificate" name="service_provider_certificate">{{$cfg.ServiceProviderCertificate}}</textarea>
 					</div>
 					<div class=" field">
-						<label for="service_provider_private_key">{{.locale.Tr "admin.auths.saml_ServiceProviderPrivateKey"}}</label>
+						<label for="service_provider_private_key">{{.locale.Tr "admin.auths.saml_service_provider_private_key"}}</label>
 						<textarea rows=2 id="service_provider_private_key" name="service_provider_private_key">{{$cfg.ServiceProviderPrivateKey}}</textarea>
 					</div>
 
 					<div class="inline field">
 						<div class="ui checkbox">
-							<label><strong>{{.locale.Tr "admin.auths.saml_SignRequests"}}</strong></label>
+							<label><strong>{{.locale.Tr "admin.auths.saml_sign_requests"}}</strong></label>
 							<input name="sign_requests" type="checkbox" {{if $cfg.SignRequests}}checked{{end}}>
 						</div>
 					</div>
+
+					<div class="field">
+						<label for="email_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_email_assertion_key"}}</label>
+						<input id="email_assertion_key" name="email_assertion_key" value="{{if not $cfg.EmailAssertionKey}}http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress{{else}}{{$cfg.EmailAssertionKey}}{{end}}">
+					</div>
+
+					<div class="field">
+						<label for="name_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_name_assertion_key"}}</label>
+						<input id="name_assertion_key" name="name_assertion_key" value="{{if not $cfg.NameAssertionKey}}http://schemas.xmlsoap.org/claims/CommonName{{else}}{{$cfg.NameAssertionKey}}{{end}}">
+					</div>
+
+					<div class="field">
+						<label for="username_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_username_assertion_key"}}</label>
+						<input id="username_assertion_key" name="username_assertion_key" value="{{if not $cfg.UsernameAssertionKey}}http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name{{else}}{{$cfg.UsernameAssertionKey}}{{end}}">
+					</div>
 				{{end}}
 
 				<!-- SSPI -->
diff --git a/templates/admin/auth/source/saml.tmpl b/templates/admin/auth/source/saml.tmpl
index 09f0c5b3fbce7..f99f41b6efda4 100644
--- a/templates/admin/auth/source/saml.tmpl
+++ b/templates/admin/auth/source/saml.tmpl
@@ -1,4 +1,4 @@
-<div class="saml field {{if not (eq .type 99)}}gt-hidden{{end}}">
+<div class="saml field {{if not (eq .type 8)}}gt-hidden{{end}}">
 
 	<div class="inline required field">
 		<label>{{.locale.Tr "admin.auths.saml_nameidformat"}}</label>
@@ -41,9 +41,24 @@
 
 	<div class="inline field">
 		<div class="ui checkbox">
-			<label><strong>{{.locale.Tr "admin.auths.sign_requests"}}</strong></label>
+			<label><strong>{{.locale.Tr "admin.auths.saml_sign_requests"}}</strong></label>
 			<input name="sign_requests" type="checkbox" {{if .SignRequests}}checked{{end}}>
 		</div>
 	</div>
 
+	<div class="field">
+		<label for="email_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_email_assertion_key"}}</label>
+		<input id="email_assertion_key" name="email_assertion_key" value="{{if not .EmailAssertionKey}}http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress{{else}}{{.EmailAssertionKey}}{{end}}">
+	</div>
+
+	<div class="field">
+		<label for="name_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_name_assertion_key"}}</label>
+		<input id="name_assertion_key" name="name_assertion_key" value="{{if not .NameAssertionKey}}http://schemas.xmlsoap.org/claims/CommonName{{else}}{{.NameAssertionKey}}{{end}}">
+	</div>
+
+	<div class="field">
+		<label for="username_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_username_assertion_key"}}</label>
+		<input id="username_assertion_key" name="username_assertion_key" value="{{if not .UsernameAssertionKey}}http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name{{else}}{{.UsernameAssertionKey}}{{end}}">
+	</div>
+
 </div>
diff --git a/web_src/js/features/admin/common.js b/web_src/js/features/admin/common.js
index c1ebc1480b7b3..a0638e09f8991 100644
--- a/web_src/js/features/admin/common.js
+++ b/web_src/js/features/admin/common.js
@@ -137,6 +137,10 @@ export function initAdminCommon() {
           showElem($('.sspi'));
           $('.sspi div.required input').attr('required', 'required');
           break;
+        case '8': // SAML
+          showElem($('.saml'));
+          $('.saml div.required input').attr('required', 'required');
+          break;
       }
       if (authType === '2' || authType === '5') {
         onSecurityProtocolChange();

From 36219f8c605f57d3fae21ee209e40c8352636559 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Thu, 14 Sep 2023 12:34:18 -0400
Subject: [PATCH 16/84] fix whitespace change

---
 services/auth/source/saml/source.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/auth/source/saml/source.go b/services/auth/source/saml/source.go
index 1e38e924e1f35..871fca8cbd97a 100644
--- a/services/auth/source/saml/source.go
+++ b/services/auth/source/saml/source.go
@@ -14,7 +14,7 @@ import (
 // /   _____/  /  _  \    /     \ |    |
 // \_____  \  /  /_\  \  /  \ /  \|    |
 // /        \/    |    \/    Y    \    |___
-// /_______  /\____|__  /\____|__  /_______ \
+///_______  /\____|__  /\____|__  /_______ \
 //        \/         \/         \/        \/
 
 // Source holds configuration for the SAML login source.

From 5c7d549d29a8c73a4c682e778d80f3f0798ead6a Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Thu, 14 Sep 2023 12:34:58 -0400
Subject: [PATCH 17/84] revert comment change

---
 services/auth/source/saml/source_callout.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/services/auth/source/saml/source_callout.go b/services/auth/source/saml/source_callout.go
index 171c355d7341f..301cadd16e12c 100644
--- a/services/auth/source/saml/source_callout.go
+++ b/services/auth/source/saml/source_callout.go
@@ -73,5 +73,7 @@ func (source *Source) Callback(request *http.Request, response http.ResponseWrit
 		user.Name = samlMap[source.UsernameAssertionKey]
 	}
 
+	// TODO: utilize groups later on
+
 	return user, nil
 }

From f5466c97ea9443bb0cf860dd90116b0814919658 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Thu, 14 Sep 2023 14:06:56 -0400
Subject: [PATCH 18/84] remove extra character

---
 templates/admin/auth/new.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/admin/auth/new.tmpl b/templates/admin/auth/new.tmpl
index 9e8fec8e911f3..3b2516f060593 100644
--- a/templates/admin/auth/new.tmpl
+++ b/templates/admin/auth/new.tmpl
@@ -54,7 +54,7 @@
 				{{template "admin/auth/source/sspi" .}}
 
 				<!-- SAML -->
-+				{{template "admin/auth/source/saml" .}}
+				{{template "admin/auth/source/saml" .}}
 
 				<div class="ldap field">
 					<div class="ui checkbox">

From 7a92296c0cf68a5242f640553ab61324e2231a82 Mon Sep 17 00:00:00 2001
From: techknowlogick <techknowlogick@gitea.io>
Date: Tue, 26 Sep 2023 13:45:31 -0400
Subject: [PATCH 19/84] make tidy

---
 routers/web/auth/saml.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/routers/web/auth/saml.go b/routers/web/auth/saml.go
index 235f5c95c78f5..954c5758fe3da 100644
--- a/routers/web/auth/saml.go
+++ b/routers/web/auth/saml.go
@@ -18,6 +18,7 @@ import (
 	"code.gitea.io/gitea/modules/web/middleware"
 	"code.gitea.io/gitea/services/auth/source/saml"
 	"code.gitea.io/gitea/services/externalaccount"
+
 	"github.com/markbates/goth"
 )
 

From 6a6dc12f30e8b1761e290170995c1b340c1f5152 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Wed, 27 Sep 2023 13:38:55 -0400
Subject: [PATCH 20/84] WIP: add auth type to external account linking

---
 models/auth/oauth2.go                        | 16 ++--
 models/auth/saml.go                          | 28 ------
 models/auth/source.go                        |  8 ++
 routers/web/auth/auth.go                     | 20 ++--
 routers/web/auth/linkaccount.go              | 34 +++----
 routers/web/auth/oauth.go                    | 19 ++--
 routers/web/auth/openid.go                   |  5 +-
 routers/web/auth/saml.go                     | 14 +--
 services/auth/source/oauth2/init.go          |  2 +-
 services/auth/source/oauth2/providers.go     |  2 +-
 services/auth/source/saml/init.go            |  2 +-
 services/auth/source/saml/providers.go       | 85 -----------------
 services/auth/source/saml/source.go          | 97 +++++++++++++++++++-
 services/auth/source/saml/source_callout.go  | 21 ++++-
 services/auth/source/saml/source_register.go | 11 +--
 services/externalaccount/link.go             | 11 ++-
 services/externalaccount/user.go             | 12 +--
 17 files changed, 195 insertions(+), 192 deletions(-)
 delete mode 100644 models/auth/saml.go

diff --git a/models/auth/oauth2.go b/models/auth/oauth2.go
index 9c419eff69af0..605f775edaefb 100644
--- a/models/auth/oauth2.go
+++ b/models/auth/oauth2.go
@@ -386,7 +386,7 @@ func ListOAuth2Applications(uid int64, listOptions db.ListOptions) ([]*OAuth2App
 	return apps, total, err
 }
 
-//////////////////////////////////////////////////////
+// ////////////////////////////////////////////////////
 
 // OAuth2AuthorizationCode is a code to obtain an access token in combination with the client secret once. It has a limited lifetime.
 type OAuth2AuthorizationCode struct {
@@ -461,7 +461,7 @@ func GetOAuth2AuthorizationByCode(ctx context.Context, code string) (auth *OAuth
 	return auth, nil
 }
 
-//////////////////////////////////////////////////////
+// ////////////////////////////////////////////////////
 
 // OAuth2Grant represents the permission of an user for a specific application to access resources
 type OAuth2Grant struct {
@@ -626,19 +626,19 @@ func (err ErrOAuthApplicationNotFound) Unwrap() error {
 	return util.ErrNotExist
 }
 
-// GetActiveOAuth2ProviderSources returns all actived LoginOAuth2 sources
-func GetActiveOAuth2ProviderSources() ([]*Source, error) {
+// GetActiveAuthProviderSources returns all actived LoginOAuth2 sources
+func GetActiveAuthProviderSources(authType Type) ([]*Source, error) {
 	sources := make([]*Source, 0, 1)
-	if err := db.GetEngine(db.DefaultContext).Where("is_active = ? and type = ?", true, OAuth2).Find(&sources); err != nil {
+	if err := db.GetEngine(db.DefaultContext).Where("is_active = ? and type = ?", true, authType).Find(&sources); err != nil {
 		return nil, err
 	}
 	return sources, nil
 }
 
-// GetActiveOAuth2SourceByName returns a OAuth2 AuthSource based on the given name
-func GetActiveOAuth2SourceByName(name string) (*Source, error) {
+// GetActiveAuthSourceByName returns a OAuth2 AuthSource based on the given name
+func GetActiveAuthSourceByName(name string, authType Type) (*Source, error) {
 	authSource := new(Source)
-	has, err := db.GetEngine(db.DefaultContext).Where("name = ? and type = ? and is_active = ?", name, OAuth2, true).Get(authSource)
+	has, err := db.GetEngine(db.DefaultContext).Where("name = ? and type = ? and is_active = ?", name, authType, true).Get(authSource)
 	if err != nil {
 		return nil, err
 	}
diff --git a/models/auth/saml.go b/models/auth/saml.go
deleted file mode 100644
index 5d20baa82a3c8..0000000000000
--- a/models/auth/saml.go
+++ /dev/null
@@ -1,28 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package auth
-
-import (
-	"code.gitea.io/gitea/models/db"
-)
-
-// GetActiveSAMLProviderLoginSources returns all actived LoginSAML sources
-func GetActiveSAMLProviderLoginSources() ([]*Source, error) {
-	sources := make([]*Source, 0, 1)
-	if err := db.GetEngine(db.DefaultContext).Where("is_active = ? and type = ?", true, SAML).Find(&sources); err != nil {
-		return nil, err
-	}
-	return sources, nil
-}
-
-// GetActiveSAMLLoginSourceByName returns a SAML LoginSource based on the given name
-func GetActiveSAMLLoginSourceByName(name string) (*Source, error) {
-	loginSource := new(Source)
-	has, err := db.GetEngine(db.DefaultContext).Where("name = ? and type = ? and is_active = ?", name, SAML, true).Get(loginSource)
-	if !has || err != nil {
-		return nil, err
-	}
-
-	return loginSource, nil
-}
diff --git a/models/auth/source.go b/models/auth/source.go
index f1142c714ac97..8963c442681e5 100644
--- a/models/auth/source.go
+++ b/models/auth/source.go
@@ -8,6 +8,8 @@ import (
 	"fmt"
 	"reflect"
 
+	"github.com/markbates/goth"
+
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/timeutil"
@@ -121,6 +123,12 @@ type Source struct {
 	UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
 }
 
+// LinkAccountUser is used to link an external user with a local user
+type LinkAccountUser struct {
+	Type     Type
+	GothUser goth.User
+}
+
 // TableName xorm will read the table name from this method
 func (Source) TableName() string {
 	return "login_source"
diff --git a/routers/web/auth/auth.go b/routers/web/auth/auth.go
index 61e083e22845b..36faabfa7a44b 100644
--- a/routers/web/auth/auth.go
+++ b/routers/web/auth/auth.go
@@ -154,7 +154,7 @@ func SignIn(ctx *context.Context) {
 	ctx.Data["OrderedOAuth2Names"] = orderedOAuth2Names
 	ctx.Data["OAuth2Providers"] = oauth2Providers
 
-	samlProviders, err := auth.GetActiveSAMLProviderLoginSources()
+	samlProviders, err := auth.GetActiveAuthProviderSources(auth.SAML)
 	if err != nil {
 		ctx.ServerError("UserSignIn", err)
 		return
@@ -496,7 +496,7 @@ func SignUpPost(ctx *context.Context) {
 		Passwd: form.Password,
 	}
 
-	if !createAndHandleCreatedUser(ctx, tplSignUp, form, u, nil, nil, false) {
+	if !createAndHandleCreatedUser(ctx, tplSignUp, form, u, nil, nil, false, auth.NoType) {
 		// error already handled
 		return
 	}
@@ -507,16 +507,16 @@ func SignUpPost(ctx *context.Context) {
 
 // createAndHandleCreatedUser calls createUserInContext and
 // then handleUserCreated.
-func createAndHandleCreatedUser(ctx *context.Context, tpl base.TplName, form any, u *user_model.User, overwrites *user_model.CreateUserOverwriteOptions, gothUser *goth.User, allowLink bool) bool {
-	if !createUserInContext(ctx, tpl, form, u, overwrites, gothUser, allowLink) {
+func createAndHandleCreatedUser(ctx *context.Context, tpl base.TplName, form any, u *user_model.User, overwrites *user_model.CreateUserOverwriteOptions, gothUser *goth.User, allowLink bool, authType auth.Type) bool {
+	if !createUserInContext(ctx, tpl, form, u, overwrites, gothUser, allowLink, authType) {
 		return false
 	}
-	return handleUserCreated(ctx, u, gothUser)
+	return handleUserCreated(ctx, u, gothUser, authType)
 }
 
 // createUserInContext creates a user and handles errors within a given context.
 // Optionally a template can be specified.
-func createUserInContext(ctx *context.Context, tpl base.TplName, form any, u *user_model.User, overwrites *user_model.CreateUserOverwriteOptions, gothUser *goth.User, allowLink bool) (ok bool) {
+func createUserInContext(ctx *context.Context, tpl base.TplName, form any, u *user_model.User, overwrites *user_model.CreateUserOverwriteOptions, gothUser *goth.User, allowLink bool, authType auth.Type) (ok bool) {
 	if err := user_model.CreateUser(ctx, u, overwrites); err != nil {
 		if allowLink && (user_model.IsErrUserAlreadyExist(err) || user_model.IsErrEmailAlreadyUsed(err)) {
 			if setting.OAuth2Client.AccountLinking == setting.OAuth2AccountLinkingAuto {
@@ -533,10 +533,10 @@ func createUserInContext(ctx *context.Context, tpl base.TplName, form any, u *us
 				}
 
 				// TODO: probably we should respect 'remember' user's choice...
-				linkAccount(ctx, user, *gothUser, true)
+				linkAccount(ctx, user, *gothUser, true, authType)
 				return false // user is already created here, all redirects are handled
 			} else if setting.OAuth2Client.AccountLinking == setting.OAuth2AccountLinkingLogin {
-				showLinkingLogin(ctx, *gothUser)
+				showLinkingLogin(ctx, *gothUser, authType)
 				return false // user will be created only after linking login
 			}
 		}
@@ -582,7 +582,7 @@ func createUserInContext(ctx *context.Context, tpl base.TplName, form any, u *us
 // handleUserCreated does additional steps after a new user is created.
 // It auto-sets admin for the only user, updates the optional external user and
 // sends a confirmation email if required.
-func handleUserCreated(ctx *context.Context, u *user_model.User, gothUser *goth.User) (ok bool) {
+func handleUserCreated(ctx *context.Context, u *user_model.User, gothUser *goth.User, authType auth.Type) (ok bool) {
 	// Auto-set admin for the only user.
 	if user_model.CountUsers(ctx, nil) == 1 {
 		u.IsAdmin = true
@@ -596,7 +596,7 @@ func handleUserCreated(ctx *context.Context, u *user_model.User, gothUser *goth.
 
 	// update external user information
 	if gothUser != nil {
-		if err := externalaccount.UpdateExternalUser(u, *gothUser); err != nil {
+		if err := externalaccount.UpdateExternalUser(u, *gothUser, authType); err != nil {
 			if !errors.Is(err, util.ErrNotExist) {
 				log.Error("UpdateExternalUser failed: %v", err)
 			}
diff --git a/routers/web/auth/linkaccount.go b/routers/web/auth/linkaccount.go
index 42d846180d610..3820b33ce55a8 100644
--- a/routers/web/auth/linkaccount.go
+++ b/routers/web/auth/linkaccount.go
@@ -48,13 +48,13 @@ func LinkAccount(ctx *context.Context) {
 	ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
 	ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
 
-	gothUser := ctx.Session.Get("linkAccountGothUser")
-	if gothUser == nil {
+	externalLinkUser := ctx.Session.Get("linkAccountUser")
+	if externalLinkUser == nil {
 		ctx.ServerError("UserSignIn", errors.New("not in LinkAccount session"))
 		return
 	}
 
-	gu, _ := gothUser.(goth.User)
+	gu := externalLinkUser.(auth.LinkAccountUser).GothUser
 	uname := getUserName(&gu)
 	email := gu.Email
 	ctx.Data["user_name"] = uname
@@ -131,12 +131,14 @@ func LinkAccountPostSignIn(ctx *context.Context) {
 	ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
 	ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
 
-	gothUser := ctx.Session.Get("linkAccountGothUser")
-	if gothUser == nil {
+	externalLinkUserInterface := ctx.Session.Get("linkAccountUser")
+	if externalLinkUserInterface == nil {
 		ctx.ServerError("UserSignIn", errors.New("not in LinkAccount session"))
 		return
 	}
 
+	externalLinkUser := externalLinkUserInterface.(auth.LinkAccountUser)
+
 	if ctx.HasError() {
 		ctx.HTML(http.StatusOK, tplLinkAccount)
 		return
@@ -148,10 +150,10 @@ func LinkAccountPostSignIn(ctx *context.Context) {
 		return
 	}
 
-	linkAccount(ctx, u, gothUser.(goth.User), signInForm.Remember)
+	linkAccount(ctx, u, externalLinkUser.GothUser, signInForm.Remember, externalLinkUser.Type)
 }
 
-func linkAccount(ctx *context.Context, u *user_model.User, gothUser goth.User, remember bool) {
+func linkAccount(ctx *context.Context, u *user_model.User, gothUser goth.User, remember bool, authType auth.Type) {
 	updateAvatarIfNeed(gothUser.AvatarURL, u)
 
 	// If this user is enrolled in 2FA, we can't sign the user in just yet.
@@ -164,7 +166,7 @@ func linkAccount(ctx *context.Context, u *user_model.User, gothUser goth.User, r
 			return
 		}
 
-		err = externalaccount.LinkAccountToUser(ctx, u, gothUser)
+		err = externalaccount.LinkAccountToUser(ctx, u, gothUser, authType)
 		if err != nil {
 			ctx.ServerError("UserLinkAccount", err)
 			return
@@ -218,14 +220,14 @@ func LinkAccountPostRegister(ctx *context.Context) {
 	ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
 	ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
 
-	gothUserInterface := ctx.Session.Get("linkAccountGothUser")
-	if gothUserInterface == nil {
+	externalLinkUser := ctx.Session.Get("linkAccountUser")
+	if externalLinkUser == nil {
 		ctx.ServerError("UserSignUp", errors.New("not in LinkAccount session"))
 		return
 	}
-	gothUser, ok := gothUserInterface.(goth.User)
+	linkUser, ok := externalLinkUser.(auth.LinkAccountUser)
 	if !ok {
-		ctx.ServerError("UserSignUp", fmt.Errorf("session linkAccountGothUser type is %t but not goth.User", gothUserInterface))
+		ctx.ServerError("UserSignUp", fmt.Errorf("session linkAccountUser type is %t but not goth.User", externalLinkUser))
 		return
 	}
 
@@ -271,7 +273,7 @@ func LinkAccountPostRegister(ctx *context.Context) {
 		}
 	}
 
-	authSource, err := auth.GetActiveOAuth2SourceByName(gothUser.Provider)
+	authSource, err := auth.GetActiveAuthSourceByName(linkUser.GothUser.Name, linkUser.Type)
 	if err != nil {
 		ctx.ServerError("CreateUser", err)
 		return
@@ -283,16 +285,16 @@ func LinkAccountPostRegister(ctx *context.Context) {
 		Passwd:      form.Password,
 		LoginType:   auth.OAuth2,
 		LoginSource: authSource.ID,
-		LoginName:   gothUser.UserID,
+		LoginName:   linkUser.GothUser.UserID,
 	}
 
-	if !createAndHandleCreatedUser(ctx, tplLinkAccount, form, u, nil, &gothUser, false) {
+	if !createAndHandleCreatedUser(ctx, tplLinkAccount, form, u, nil, &linkUser.GothUser, false, linkUser.Type) {
 		// error already handled
 		return
 	}
 
 	source := authSource.Cfg.(*oauth2.Source)
-	if err := syncGroupsToTeams(ctx, source, &gothUser, u); err != nil {
+	if err := syncGroupsToTeams(ctx, source, &linkUser.GothUser, u); err != nil {
 		ctx.ServerError("SyncGroupsToTeams", err)
 		return
 	}
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
index 79f4711c26f85..b20dc64413cb2 100644
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -847,7 +847,7 @@ func handleAuthorizeError(ctx *context.Context, authErr AuthorizeError, redirect
 func SignInOAuth(ctx *context.Context) {
 	provider := ctx.Params(":provider")
 
-	authSource, err := auth.GetActiveOAuth2SourceByName(provider)
+	authSource, err := auth.GetActiveAuthSourceByName(provider, auth.OAuth2)
 	if err != nil {
 		ctx.ServerError("SignIn", err)
 		return
@@ -898,7 +898,7 @@ func SignInOAuthCallback(ctx *context.Context) {
 	}
 
 	// first look if the provider is still active
-	authSource, err := auth.GetActiveOAuth2SourceByName(provider)
+	authSource, err := auth.GetActiveAuthSourceByName(provider, auth.OAuth2)
 	if err != nil {
 		ctx.ServerError("SignIn", err)
 		return
@@ -941,7 +941,7 @@ func SignInOAuthCallback(ctx *context.Context) {
 	if u == nil {
 		if ctx.Doer != nil {
 			// attach user to already logged in user
-			err = externalaccount.LinkAccountToUser(ctx, ctx.Doer, gothUser)
+			err = externalaccount.LinkAccountToUser(ctx, ctx.Doer, gothUser, auth.OAuth2)
 			if err != nil {
 				ctx.ServerError("UserLinkAccount", err)
 				return
@@ -987,7 +987,7 @@ func SignInOAuthCallback(ctx *context.Context) {
 
 			setUserAdminAndRestrictedFromGroupClaims(source, u, &gothUser)
 
-			if !createAndHandleCreatedUser(ctx, base.TplName(""), nil, u, overwriteDefault, &gothUser, setting.OAuth2Client.AccountLinking != setting.OAuth2AccountLinkingDisabled) {
+			if !createAndHandleCreatedUser(ctx, base.TplName(""), nil, u, overwriteDefault, &gothUser, setting.OAuth2Client.AccountLinking != setting.OAuth2AccountLinkingDisabled, auth.OAuth2) {
 				// error already handled
 				return
 			}
@@ -998,7 +998,7 @@ func SignInOAuthCallback(ctx *context.Context) {
 			}
 		} else {
 			// no existing user is found, request attach or new account
-			showLinkingLogin(ctx, gothUser)
+			showLinkingLogin(ctx, gothUser, auth.OAuth2)
 			return
 		}
 	}
@@ -1064,9 +1064,12 @@ func setUserAdminAndRestrictedFromGroupClaims(source *oauth2.Source, u *user_mod
 	return wasAdmin != u.IsAdmin || wasRestricted != u.IsRestricted
 }
 
-func showLinkingLogin(ctx *context.Context, gothUser goth.User) {
+func showLinkingLogin(ctx *context.Context, gothUser goth.User, authType auth.Type) {
 	if err := updateSession(ctx, nil, map[string]any{
-		"linkAccountGothUser": gothUser,
+		"linkAccountUser": auth.LinkAccountUser{
+			Type:     authType,
+			GothUser: gothUser,
+		},
 	}); err != nil {
 		ctx.ServerError("updateSession", err)
 		return
@@ -1151,7 +1154,7 @@ func handleOAuth2SignIn(ctx *context.Context, source *auth.Source, u *user_model
 		}
 
 		// update external user information
-		if err := externalaccount.UpdateExternalUser(u, gothUser); err != nil {
+		if err := externalaccount.UpdateExternalUser(u, gothUser, auth.OAuth2); err != nil {
 			if !errors.Is(err, util.ErrNotExist) {
 				log.Error("UpdateExternalUser failed: %v", err)
 			}
diff --git a/routers/web/auth/openid.go b/routers/web/auth/openid.go
index aa07129632590..4861d262baf5a 100644
--- a/routers/web/auth/openid.go
+++ b/routers/web/auth/openid.go
@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"net/url"
 
+	auth_model "code.gitea.io/gitea/models/auth"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/auth/openid"
 	"code.gitea.io/gitea/modules/base"
@@ -380,7 +381,7 @@ func RegisterOpenIDPost(ctx *context.Context) {
 		Email:  form.Email,
 		Passwd: password,
 	}
-	if !createUserInContext(ctx, tplSignUpOID, form, u, nil, nil, false) {
+	if !createUserInContext(ctx, tplSignUpOID, form, u, nil, nil, false, auth_model.NoType) {
 		// error already handled
 		return
 	}
@@ -396,7 +397,7 @@ func RegisterOpenIDPost(ctx *context.Context) {
 		return
 	}
 
-	if !handleUserCreated(ctx, u, nil) {
+	if !handleUserCreated(ctx, u, nil, auth_model.NoType) {
 		// error already handled
 		return
 	}
diff --git a/routers/web/auth/saml.go b/routers/web/auth/saml.go
index 954c5758fe3da..f5095c5770afa 100644
--- a/routers/web/auth/saml.go
+++ b/routers/web/auth/saml.go
@@ -26,7 +26,7 @@ import (
 func SignInSAML(ctx *context.Context) {
 	provider := ctx.Params(":provider")
 
-	loginSource, err := auth.GetActiveSAMLLoginSourceByName(provider)
+	loginSource, err := auth.GetActiveAuthSourceByName(provider, auth.SAML)
 	if err != nil || loginSource == nil {
 		ctx.NotFound("SAMLMetadata", err)
 		return
@@ -44,7 +44,7 @@ func SignInSAML(ctx *context.Context) {
 // SignInSAMLCallback
 func SignInSAMLCallback(ctx *context.Context) {
 	provider := ctx.Params(":provider")
-	loginSource, err := auth.GetActiveSAMLLoginSourceByName(provider)
+	loginSource, err := auth.GetActiveAuthSourceByName(provider, auth.SAML)
 	if err != nil || loginSource == nil {
 		ctx.NotFound("SignInSAMLCallback", err)
 		return
@@ -65,7 +65,7 @@ func SignInSAMLCallback(ctx *context.Context) {
 	if u == nil {
 		if ctx.Doer != nil {
 			// attach user to already logged in user
-			err = externalaccount.LinkAccountToUser(ctx.Doer, gothUser)
+			err = externalaccount.LinkAccountToUser(ctx, ctx.Doer, gothUser, auth.SAML)
 			if err != nil {
 				ctx.ServerError("UserLinkAccount", err)
 				return
@@ -77,7 +77,7 @@ func SignInSAMLCallback(ctx *context.Context) {
 			// TODO: allow auto registration from saml users (OAuth2 uses the following setting.OAuth2Client.EnableAutoRegistration)
 		} else {
 			// no existing user is found, request attach or new account
-			showLinkingLogin(ctx, gothUser)
+			showLinkingLogin(ctx, gothUser, auth.SAML)
 			return
 		}
 	}
@@ -101,7 +101,7 @@ func handleSamlSignIn(ctx *context.Context, source *auth.Source, u *user_model.U
 	u.SetLastLogin()
 
 	// update external user information
-	if err := externalaccount.UpdateExternalUser(u, gothUser); err != nil {
+	if err := externalaccount.UpdateExternalUser(u, gothUser, auth.SAML); err != nil {
 		if !errors.Is(err, util.ErrNotExist) {
 			log.Error("UpdateExternalUser failed: %v", err)
 		}
@@ -131,7 +131,7 @@ func samlUserLoginCallback(authSource *auth.Source, request *http.Request, respo
 
 	user := &user_model.User{
 		LoginName:   gothUser.UserID,
-		LoginType:   auth.OAuth2,
+		LoginType:   auth.SAML,
 		LoginSource: authSource.ID,
 	}
 
@@ -165,7 +165,7 @@ func samlUserLoginCallback(authSource *auth.Source, request *http.Request, respo
 // SAMLMetadata
 func SAMLMetadata(ctx *context.Context) {
 	provider := ctx.Params(":provider")
-	loginSource, err := auth.GetActiveSAMLLoginSourceByName(provider)
+	loginSource, err := auth.GetActiveAuthSourceByName(provider, auth.SAML)
 	if err != nil || loginSource == nil {
 		ctx.NotFound("SAMLMetadata", err)
 		return
diff --git a/services/auth/source/oauth2/init.go b/services/auth/source/oauth2/init.go
index 32fe545c90657..4b1fd94c00c12 100644
--- a/services/auth/source/oauth2/init.go
+++ b/services/auth/source/oauth2/init.go
@@ -62,7 +62,7 @@ func ResetOAuth2() error {
 
 // initOAuth2Sources is used to load and register all active OAuth2 providers
 func initOAuth2Sources() error {
-	authSources, _ := auth.GetActiveOAuth2ProviderSources()
+	authSources, _ := auth.GetActiveAuthProviderSources(auth.OAuth2)
 	for _, source := range authSources {
 		oauth2Source, ok := source.Cfg.(*Source)
 		if !ok {
diff --git a/services/auth/source/oauth2/providers.go b/services/auth/source/oauth2/providers.go
index e3a0cb0335dba..a7c68b3c90d75 100644
--- a/services/auth/source/oauth2/providers.go
+++ b/services/auth/source/oauth2/providers.go
@@ -100,7 +100,7 @@ func GetOAuth2Providers() []Provider {
 func GetActiveOAuth2Providers() ([]string, map[string]Provider, error) {
 	// Maybe also separate used and unused providers so we can force the registration of only 1 active provider for each type
 
-	authSources, err := auth.GetActiveOAuth2ProviderSources()
+	authSources, err := auth.GetActiveAuthProviderSources(auth.OAuth2)
 	if err != nil {
 		return nil, nil, err
 	}
diff --git a/services/auth/source/saml/init.go b/services/auth/source/saml/init.go
index 52d2b92d71679..14553e9fe7594 100644
--- a/services/auth/source/saml/init.go
+++ b/services/auth/source/saml/init.go
@@ -13,7 +13,7 @@ import (
 var samlRWMutex = sync.RWMutex{}
 
 func Init() error {
-	loginSources, _ := auth.GetActiveSAMLProviderLoginSources()
+	loginSources, _ := auth.GetActiveAuthProviderSources(auth.SAML)
 	for _, source := range loginSources {
 		samlSource, ok := source.Cfg.(*Source)
 		if !ok {
diff --git a/services/auth/source/saml/providers.go b/services/auth/source/saml/providers.go
index c41b6e09b2f3b..ff6f205f57977 100644
--- a/services/auth/source/saml/providers.go
+++ b/services/auth/source/saml/providers.go
@@ -5,23 +5,12 @@ package saml
 
 import (
 	"context"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/xml"
 	"fmt"
 	"io"
 	"net/http"
-	"net/url"
 	"time"
 
 	"code.gitea.io/gitea/modules/httplib"
-	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/setting"
-
-	saml2 "github.com/russellhaering/gosaml2"
-	"github.com/russellhaering/gosaml2/types"
-	dsig "github.com/russellhaering/goxmldsig"
 )
 
 // Providers is list of known/available providers.
@@ -29,80 +18,6 @@ type Providers map[string]Source
 
 var providers = Providers{}
 
-// used to create different types of goth providers
-func createProvider(ctx context.Context, source *Source) (*Source, error) {
-	source.CallbackURL = setting.AppURL + "user/saml/" + url.PathEscape(source.authSource.Name) + "/acs"
-
-	idpMetadata, err := readIdentityProviderMetadata(ctx, source)
-	if err != nil {
-		return source, err
-	}
-	{
-		if source.IdentityProviderMetadataURL != "" {
-			log.Trace(fmt.Sprintf("Identity Provider metadata: %s", source.IdentityProviderMetadataURL), string(idpMetadata))
-		}
-	}
-
-	metadata := &types.EntityDescriptor{}
-	err = xml.Unmarshal(idpMetadata, metadata)
-	if err != nil {
-		return source, err
-	}
-
-	certStore := dsig.MemoryX509CertificateStore{
-		Roots: []*x509.Certificate{},
-	}
-
-	for _, kd := range metadata.IDPSSODescriptor.KeyDescriptors {
-		for idx, xcert := range kd.KeyInfo.X509Data.X509Certificates {
-			if xcert.Data == "" {
-				return source, fmt.Errorf("metadata certificate(%d) must not be empty", idx)
-			}
-			certData, err := base64.StdEncoding.DecodeString(xcert.Data)
-			if err != nil {
-				return source, err
-			}
-
-			idpCert, err := x509.ParseCertificate(certData)
-			if err != nil {
-				return source, err
-			}
-
-			certStore.Roots = append(certStore.Roots, idpCert)
-		}
-	}
-
-	var keyStore dsig.X509KeyStore
-
-	if source.ServiceProviderCertificate != "" && source.ServiceProviderPrivateKey != "" {
-		keyPair, err := tls.X509KeyPair([]byte(source.ServiceProviderCertificate), []byte(source.ServiceProviderPrivateKey))
-		if err != nil {
-			return nil, err
-		}
-		keyPair.Leaf, err = x509.ParseCertificate(keyPair.Certificate[0])
-		if err != nil {
-			return nil, err
-		}
-		keyStore = dsig.TLSCertKeyStore(keyPair)
-	} else {
-		keyStore = dsig.RandomKeyStoreForTest()
-	}
-
-	source.samlSP = &saml2.SAMLServiceProvider{
-		IdentityProviderSSOURL:      metadata.IDPSSODescriptor.SingleSignOnServices[0].Location,
-		IdentityProviderIssuer:      metadata.EntityID,
-		AudienceURI:                 setting.AppURL + "user/saml/" + url.PathEscape(source.authSource.Name) + "/metadata",
-		AssertionConsumerServiceURL: source.CallbackURL,
-		SkipSignatureValidation:     source.InsecureSkipAssertionSignatureValidation,
-		NameIdFormat:                source.NameIDFormat.String(),
-		IDPCertificateStore:         &certStore,
-		SPKeyStore:                  keyStore,
-		ServiceProviderIssuer:       setting.AppURL + "user/saml/" + url.PathEscape(source.authSource.Name) + "/metadata",
-	}
-
-	return source, err
-}
-
 func readIdentityProviderMetadata(ctx context.Context, source *Source) ([]byte, error) {
 	if source.IdentityProviderMetadata != "" {
 		return []byte(source.IdentityProviderMetadata), nil
diff --git a/services/auth/source/saml/source.go b/services/auth/source/saml/source.go
index 871fca8cbd97a..260b7367b9d8b 100644
--- a/services/auth/source/saml/source.go
+++ b/services/auth/source/saml/source.go
@@ -4,17 +4,29 @@
 package saml
 
 import (
-	"code.gitea.io/gitea/models/auth"
-	"code.gitea.io/gitea/modules/json"
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/xml"
+	"fmt"
+	"net/url"
 
 	saml2 "github.com/russellhaering/gosaml2"
+	"github.com/russellhaering/gosaml2/types"
+	dsig "github.com/russellhaering/goxmldsig"
+
+	"code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/modules/json"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
 )
 
 //  _________   _____      _____  .____
 // /   _____/  /  _  \    /     \ |    |
 // \_____  \  /  /_\  \  /  \ /  \|    |
 // /        \/    |    \/    Y    \    |___
-///_______  /\____|__  /\____|__  /_______ \
+// /_______  /\____|__  /\____|__  /_______ \
 //        \/         \/         \/        \/
 
 // Source holds configuration for the SAML login source.
@@ -51,9 +63,86 @@ type Source struct {
 	samlSP *saml2.SAMLServiceProvider
 }
 
+func (source *Source) initSAMLSp() error {
+	source.CallbackURL = setting.AppURL + "user/saml/" + url.PathEscape(source.authSource.Name) + "/acs"
+
+	idpMetadata, err := readIdentityProviderMetadata(context.Background(), source)
+	if err != nil {
+		return err
+	}
+	{
+		if source.IdentityProviderMetadataURL != "" {
+			log.Trace(fmt.Sprintf("Identity Provider metadata: %s", source.IdentityProviderMetadataURL), string(idpMetadata))
+		}
+	}
+
+	metadata := &types.EntityDescriptor{}
+	err = xml.Unmarshal(idpMetadata, metadata)
+	if err != nil {
+		return err
+	}
+
+	certStore := dsig.MemoryX509CertificateStore{
+		Roots: []*x509.Certificate{},
+	}
+
+	for _, kd := range metadata.IDPSSODescriptor.KeyDescriptors {
+		for idx, xcert := range kd.KeyInfo.X509Data.X509Certificates {
+			if xcert.Data == "" {
+				return fmt.Errorf("metadata certificate(%d) must not be empty", idx)
+			}
+			certData, err := base64.StdEncoding.DecodeString(xcert.Data)
+			if err != nil {
+				return err
+			}
+
+			idpCert, err := x509.ParseCertificate(certData)
+			if err != nil {
+				return err
+			}
+
+			certStore.Roots = append(certStore.Roots, idpCert)
+		}
+	}
+
+	var keyStore dsig.X509KeyStore
+
+	if source.ServiceProviderCertificate != "" && source.ServiceProviderPrivateKey != "" {
+		keyPair, err := tls.X509KeyPair([]byte(source.ServiceProviderCertificate), []byte(source.ServiceProviderPrivateKey))
+		if err != nil {
+			return err
+		}
+		keyPair.Leaf, err = x509.ParseCertificate(keyPair.Certificate[0])
+		if err != nil {
+			return err
+		}
+		keyStore = dsig.TLSCertKeyStore(keyPair)
+	} else {
+		keyStore = dsig.RandomKeyStoreForTest()
+	}
+
+	source.samlSP = &saml2.SAMLServiceProvider{
+		IdentityProviderSSOURL:      metadata.IDPSSODescriptor.SingleSignOnServices[0].Location,
+		IdentityProviderIssuer:      metadata.EntityID,
+		AudienceURI:                 setting.AppURL + "user/saml/" + url.PathEscape(source.authSource.Name) + "/metadata",
+		AssertionConsumerServiceURL: source.CallbackURL,
+		SkipSignatureValidation:     source.InsecureSkipAssertionSignatureValidation,
+		NameIdFormat:                source.NameIDFormat.String(),
+		IDPCertificateStore:         &certStore,
+		SPKeyStore:                  keyStore,
+		ServiceProviderIssuer:       setting.AppURL + "user/saml/" + url.PathEscape(source.authSource.Name) + "/metadata",
+	}
+
+	return nil
+}
+
 // FromDB fills up a SAML from serialized format.
 func (source *Source) FromDB(bs []byte) error {
-	return json.UnmarshalHandleDoubleEncode(bs, &source)
+	if err := json.UnmarshalHandleDoubleEncode(bs, &source); err != nil {
+		return err
+	}
+
+	return source.initSAMLSp()
 }
 
 // ToDB exports a SAML to a serialized format.
diff --git a/services/auth/source/saml/source_callout.go b/services/auth/source/saml/source_callout.go
index 301cadd16e12c..eb5d106be9c89 100644
--- a/services/auth/source/saml/source_callout.go
+++ b/services/auth/source/saml/source_callout.go
@@ -32,14 +32,29 @@ func (source *Source) Callback(request *http.Request, response http.ResponseWrit
 	samlRWMutex.RLock()
 	defer samlRWMutex.RUnlock()
 
-	user := goth.User{}
+	user := goth.User{
+		Provider: source.authSource.Name,
+	}
 	samlResponse := request.FormValue("SAMLResponse")
 	assertions, err := source.samlSP.RetrieveAssertionInfo(samlResponse)
 	if err != nil {
 		return user, err
 	}
-	if warningInfo := assertions.WarningInfo; warningInfo != nil {
-		return user, fmt.Errorf("SAML response contains warnings: %v", warningInfo)
+
+	if assertions.WarningInfo.OneTimeUse {
+		return user, fmt.Errorf("SAML response contains one time use warning")
+	}
+
+	if assertions.WarningInfo.ProxyRestriction != nil {
+		return user, fmt.Errorf("SAML response contains proxy restriction warning: %v", assertions.WarningInfo.ProxyRestriction)
+	}
+
+	if assertions.WarningInfo.NotInAudience {
+		return user, fmt.Errorf("SAML response contains audience warning")
+	}
+
+	if assertions.WarningInfo.InvalidTime {
+		return user, fmt.Errorf("SAML response contains invalid time warning")
 	}
 
 	samlMap := make(map[string]string) // Global.
diff --git a/services/auth/source/saml/source_register.go b/services/auth/source/saml/source_register.go
index deb300a5ba4cc..93eaaa88b66ac 100644
--- a/services/auth/source/saml/source_register.go
+++ b/services/auth/source/saml/source_register.go
@@ -3,18 +3,15 @@
 
 package saml
 
-import "context"
-
 // RegisterSource causes an OAuth2 configuration to be registered
 func (source *Source) RegisterSource() error {
 	samlRWMutex.Lock()
 	defer samlRWMutex.Unlock()
-	var err error
-	source, err = createProvider(context.Background(), source)
-	if err == nil {
-		providers[source.authSource.Name] = *source
+	if err := source.initSAMLSp(); err != nil {
+		return err
 	}
-	return err
+	providers[source.authSource.Name] = *source
+	return nil
 }
 
 // UnregisterSource causes an SAML configuration to be unregistered
diff --git a/services/externalaccount/link.go b/services/externalaccount/link.go
index d6e2ea7e9427c..1f4c6728b86ab 100644
--- a/services/externalaccount/link.go
+++ b/services/externalaccount/link.go
@@ -7,9 +7,8 @@ import (
 	"context"
 	"fmt"
 
+	"code.gitea.io/gitea/models/auth"
 	user_model "code.gitea.io/gitea/models/user"
-
-	"github.com/markbates/goth"
 )
 
 // Store represents a thing that stores things
@@ -21,10 +20,12 @@ type Store interface {
 
 // LinkAccountFromStore links the provided user with a stored external user
 func LinkAccountFromStore(ctx context.Context, store Store, user *user_model.User) error {
-	gothUser := store.Get("linkAccountGothUser")
-	if gothUser == nil {
+	externalLinkUserInterface := store.Get("linkAccountUser")
+	if externalLinkUserInterface == nil {
 		return fmt.Errorf("not in LinkAccount session")
 	}
 
-	return LinkAccountToUser(ctx, user, gothUser.(goth.User))
+	externalLinkUser := externalLinkUserInterface.(auth.LinkAccountUser)
+
+	return LinkAccountToUser(ctx, user, externalLinkUser.GothUser, externalLinkUser.Type)
 }
diff --git a/services/externalaccount/user.go b/services/externalaccount/user.go
index 51a0f9a4ef216..e4634935d1d92 100644
--- a/services/externalaccount/user.go
+++ b/services/externalaccount/user.go
@@ -16,8 +16,8 @@ import (
 	"github.com/markbates/goth"
 )
 
-func toExternalLoginUser(user *user_model.User, gothUser goth.User) (*user_model.ExternalLoginUser, error) {
-	authSource, err := auth.GetActiveOAuth2SourceByName(gothUser.Provider)
+func toExternalLoginUser(user *user_model.User, gothUser goth.User, authType auth.Type) (*user_model.ExternalLoginUser, error) {
+	authSource, err := auth.GetActiveAuthSourceByName(gothUser.Provider, authType)
 	if err != nil {
 		return nil, err
 	}
@@ -43,8 +43,8 @@ func toExternalLoginUser(user *user_model.User, gothUser goth.User) (*user_model
 }
 
 // LinkAccountToUser link the gothUser to the user
-func LinkAccountToUser(ctx context.Context, user *user_model.User, gothUser goth.User) error {
-	externalLoginUser, err := toExternalLoginUser(user, gothUser)
+func LinkAccountToUser(ctx context.Context, user *user_model.User, gothUser goth.User, authType auth.Type) error {
+	externalLoginUser, err := toExternalLoginUser(user, gothUser, authType)
 	if err != nil {
 		return err
 	}
@@ -71,8 +71,8 @@ func LinkAccountToUser(ctx context.Context, user *user_model.User, gothUser goth
 }
 
 // UpdateExternalUser updates external user's information
-func UpdateExternalUser(user *user_model.User, gothUser goth.User) error {
-	externalLoginUser, err := toExternalLoginUser(user, gothUser)
+func UpdateExternalUser(user *user_model.User, gothUser goth.User, authType auth.Type) error {
+	externalLoginUser, err := toExternalLoginUser(user, gothUser, authType)
 	if err != nil {
 		return err
 	}

From 3042a0848f2cd5a1d21b372deefc330bfcfe5ccc Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Fri, 29 Sep 2023 15:01:59 -0400
Subject: [PATCH 21/84] fixes for account link

---
 models/auth/oauth2.go           |  5 ++++-
 routers/web/auth/linkaccount.go | 13 ++++++++-----
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/models/auth/oauth2.go b/models/auth/oauth2.go
index 605f775edaefb..33baaa79ad044 100644
--- a/models/auth/oauth2.go
+++ b/models/auth/oauth2.go
@@ -7,6 +7,7 @@ import (
 	"context"
 	"encoding/base32"
 	"encoding/base64"
+	"encoding/gob"
 	"fmt"
 	"net"
 	"net/url"
@@ -76,6 +77,8 @@ func Init(ctx context.Context) error {
 		builtinAllClientIDs = append(builtinAllClientIDs, clientID)
 	}
 
+	gob.Register(LinkAccountUser{})
+
 	var registeredApps []*OAuth2Application
 	if err := db.GetEngine(ctx).In("client_id", builtinAllClientIDs).Find(&registeredApps); err != nil {
 		return err
@@ -644,7 +647,7 @@ func GetActiveAuthSourceByName(name string, authType Type) (*Source, error) {
 	}
 
 	if !has {
-		return nil, fmt.Errorf("oauth2 source not found, name: %q", name)
+		return nil, fmt.Errorf("auth source not found, name: %q", name)
 	}
 
 	return authSource, nil
diff --git a/routers/web/auth/linkaccount.go b/routers/web/auth/linkaccount.go
index 3820b33ce55a8..99229c35ccf63 100644
--- a/routers/web/auth/linkaccount.go
+++ b/routers/web/auth/linkaccount.go
@@ -273,7 +273,7 @@ func LinkAccountPostRegister(ctx *context.Context) {
 		}
 	}
 
-	authSource, err := auth.GetActiveAuthSourceByName(linkUser.GothUser.Name, linkUser.Type)
+	authSource, err := auth.GetActiveAuthSourceByName(linkUser.GothUser.Provider, linkUser.Type)
 	if err != nil {
 		ctx.ServerError("CreateUser", err)
 		return
@@ -293,11 +293,14 @@ func LinkAccountPostRegister(ctx *context.Context) {
 		return
 	}
 
-	source := authSource.Cfg.(*oauth2.Source)
-	if err := syncGroupsToTeams(ctx, source, &linkUser.GothUser, u); err != nil {
-		ctx.ServerError("SyncGroupsToTeams", err)
-		return
+	if linkUser.Type == auth.OAuth2 {
+		source := authSource.Cfg.(*oauth2.Source)
+		if err := syncGroupsToTeams(ctx, source, &linkUser.GothUser, u); err != nil {
+			ctx.ServerError("SyncGroupsToTeams", err)
+			return
+		}
 	}
+	// TODO groups for SAML?
 
 	handleSignIn(ctx, u, false)
 }

From 1dae9fd8748aae5cc9cdbe3fd8b137f4160f3716 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Mon, 2 Oct 2023 15:45:33 -0400
Subject: [PATCH 22/84] rebase cleanup

---
 models/auth/source.go                            | 3 +--
 routers/web/auth/saml.go                         | 6 +++---
 services/auth/source/saml/source.go              | 8 ++++----
 services/auth/source/saml/source_authenticate.go | 6 ++++--
 4 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/models/auth/source.go b/models/auth/source.go
index 8963c442681e5..e4fde0d8f07d2 100644
--- a/models/auth/source.go
+++ b/models/auth/source.go
@@ -8,13 +8,12 @@ import (
 	"fmt"
 	"reflect"
 
-	"github.com/markbates/goth"
-
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
 
+	"github.com/markbates/goth"
 	"xorm.io/xorm"
 	"xorm.io/xorm/convert"
 )
diff --git a/routers/web/auth/saml.go b/routers/web/auth/saml.go
index f5095c5770afa..e2e66e79c2375 100644
--- a/routers/web/auth/saml.go
+++ b/routers/web/auth/saml.go
@@ -55,7 +55,7 @@ func SignInSAMLCallback(ctx *context.Context) {
 		return
 	}
 
-	u, gothUser, err := samlUserLoginCallback(loginSource, ctx.Req, ctx.Resp)
+	u, gothUser, err := samlUserLoginCallback(*ctx, loginSource, ctx.Req, ctx.Resp)
 	if err != nil {
 		// TODO: improve error display
 		ctx.ServerError("SignIn", err)
@@ -121,7 +121,7 @@ func handleSamlSignIn(ctx *context.Context, source *auth.Source, u *user_model.U
 	ctx.Redirect(setting.AppSubURL + "/")
 }
 
-func samlUserLoginCallback(authSource *auth.Source, request *http.Request, response http.ResponseWriter) (*user_model.User, goth.User, error) {
+func samlUserLoginCallback(ctx context.Context, authSource *auth.Source, request *http.Request, response http.ResponseWriter) (*user_model.User, goth.User, error) {
 	samlSource := authSource.Cfg.(*saml.Source)
 
 	gothUser, err := samlSource.Callback(request, response)
@@ -135,7 +135,7 @@ func samlUserLoginCallback(authSource *auth.Source, request *http.Request, respo
 		LoginSource: authSource.ID,
 	}
 
-	hasUser, err := user_model.GetUser(user)
+	hasUser, err := user_model.GetUser(ctx, user)
 	if err != nil {
 		return nil, goth.User{}, err
 	}
diff --git a/services/auth/source/saml/source.go b/services/auth/source/saml/source.go
index 260b7367b9d8b..e2321bcdaf4d5 100644
--- a/services/auth/source/saml/source.go
+++ b/services/auth/source/saml/source.go
@@ -12,14 +12,14 @@ import (
 	"fmt"
 	"net/url"
 
-	saml2 "github.com/russellhaering/gosaml2"
-	"github.com/russellhaering/gosaml2/types"
-	dsig "github.com/russellhaering/goxmldsig"
-
 	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
+
+	saml2 "github.com/russellhaering/gosaml2"
+	"github.com/russellhaering/gosaml2/types"
+	dsig "github.com/russellhaering/goxmldsig"
 )
 
 //  _________   _____      _____  .____
diff --git a/services/auth/source/saml/source_authenticate.go b/services/auth/source/saml/source_authenticate.go
index ad4a7d247ca34..d118917f8740d 100644
--- a/services/auth/source/saml/source_authenticate.go
+++ b/services/auth/source/saml/source_authenticate.go
@@ -4,11 +4,13 @@
 package saml
 
 import (
+	"context"
+
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/services/auth/source/db"
 )
 
 // Authenticate falls back to the db authenticator
-func (source *Source) Authenticate(user *user_model.User, login, password string) (*user_model.User, error) {
-	return db.Authenticate(user, login, password)
+func (source *Source) Authenticate(ctx context.Context, user *user_model.User, login, password string) (*user_model.User, error) {
+	return db.Authenticate(ctx, user, login, password)
 }

From d555cf929f563d429843b04ad161faeb32d000bb Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Mon, 2 Oct 2023 15:48:21 -0400
Subject: [PATCH 23/84] whitespace fix

---
 models/auth/oauth2.go               | 4 ++--
 services/auth/source/saml/source.go | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/models/auth/oauth2.go b/models/auth/oauth2.go
index 33baaa79ad044..0ab042a16964f 100644
--- a/models/auth/oauth2.go
+++ b/models/auth/oauth2.go
@@ -389,7 +389,7 @@ func ListOAuth2Applications(uid int64, listOptions db.ListOptions) ([]*OAuth2App
 	return apps, total, err
 }
 
-// ////////////////////////////////////////////////////
+//////////////////////////////////////////////////////
 
 // OAuth2AuthorizationCode is a code to obtain an access token in combination with the client secret once. It has a limited lifetime.
 type OAuth2AuthorizationCode struct {
@@ -464,7 +464,7 @@ func GetOAuth2AuthorizationByCode(ctx context.Context, code string) (auth *OAuth
 	return auth, nil
 }
 
-// ////////////////////////////////////////////////////
+//////////////////////////////////////////////////////
 
 // OAuth2Grant represents the permission of an user for a specific application to access resources
 type OAuth2Grant struct {
diff --git a/services/auth/source/saml/source.go b/services/auth/source/saml/source.go
index e2321bcdaf4d5..6106810bced4b 100644
--- a/services/auth/source/saml/source.go
+++ b/services/auth/source/saml/source.go
@@ -26,7 +26,7 @@ import (
 // /   _____/  /  _  \    /     \ |    |
 // \_____  \  /  /_\  \  /  \ /  \|    |
 // /        \/    |    \/    Y    \    |___
-// /_______  /\____|__  /\____|__  /_______ \
+///_______  /\____|__  /\____|__  /_______ \
 //        \/         \/         \/        \/
 
 // Source holds configuration for the SAML login source.

From 10c6ca9d57acde479dd1dd0decb558cd46ee8f63 Mon Sep 17 00:00:00 2001
From: techknowlogick <hello@techknowlogick.com>
Date: Sun, 15 Oct 2023 18:30:44 +0000
Subject: [PATCH 24/84] fix merge

---
 models/auth/oauth2.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/models/auth/oauth2.go b/models/auth/oauth2.go
index e4c554e24cc8f..0d91f4a3346ee 100644
--- a/models/auth/oauth2.go
+++ b/models/auth/oauth2.go
@@ -644,7 +644,6 @@ func GetActiveAuthProviderSources(ctx context.Context, authType Type) ([]*Source
 	return sources, nil
 }
 
-func GetActiveAuthSourceByName(ctx context.Context, name string, authType Type) (*Source, error) {
 // GetActiveAuthSourceByName returns a OAuth2 AuthSource based on the given name
 func GetActiveAuthSourceByName(ctx context.Context, name string, authType Type) (*Source, error) {
 	authSource := new(Source)

From 9b90e3535e4371642c91e3ccac1497e0486d2612 Mon Sep 17 00:00:00 2001
From: techknowlogick <hello@techknowlogick.com>
Date: Sun, 15 Oct 2023 18:32:39 +0000
Subject: [PATCH 25/84] fix merge

---
 models/auth/oauth2.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/models/auth/oauth2.go b/models/auth/oauth2.go
index 0d91f4a3346ee..9668ad10ff7ed 100644
--- a/models/auth/oauth2.go
+++ b/models/auth/oauth2.go
@@ -637,7 +637,6 @@ func (err ErrOAuthApplicationNotFound) Unwrap() error {
 // GetActiveAuthProviderSources returns all actived LoginOAuth2 sources
 func GetActiveAuthProviderSources(ctx context.Context, authType Type) ([]*Source, error) {
 	sources := make([]*Source, 0, 1)
-	if err := db.GetEngine(ctx).Where("is_active = ? and type = ?", true, authType).Find(&sources); err != nil {
 	if err := db.GetEngine(ctx).Where("is_active = ? and type = ?", true, authType).Find(&sources); err != nil {
 		return nil, err
 	}

From 17f0fe5fb64127920ce2ab408a9481ae83011b3e Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Mon, 30 Oct 2023 15:38:30 -0400
Subject: [PATCH 26/84] return error for malformed xml to avoid panic, fix
 external link bug

---
 routers/web/auth/linkaccount.go     | 2 +-
 services/auth/source/saml/source.go | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/routers/web/auth/linkaccount.go b/routers/web/auth/linkaccount.go
index e922f42aafc9f..a53c555bcc3eb 100644
--- a/routers/web/auth/linkaccount.go
+++ b/routers/web/auth/linkaccount.go
@@ -283,7 +283,7 @@ func LinkAccountPostRegister(ctx *context.Context) {
 		Name:        form.UserName,
 		Email:       form.Email,
 		Passwd:      form.Password,
-		LoginType:   auth.OAuth2,
+		LoginType:   authSource.Type,
 		LoginSource: authSource.ID,
 		LoginName:   linkUser.GothUser.UserID,
 	}
diff --git a/services/auth/source/saml/source.go b/services/auth/source/saml/source.go
index 6106810bced4b..6a1c4088f61d8 100644
--- a/services/auth/source/saml/source.go
+++ b/services/auth/source/saml/source.go
@@ -9,6 +9,7 @@ import (
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/xml"
+	"errors"
 	"fmt"
 	"net/url"
 
@@ -86,6 +87,10 @@ func (source *Source) initSAMLSp() error {
 		Roots: []*x509.Certificate{},
 	}
 
+	if metadata.IDPSSODescriptor == nil {
+		return errors.New("saml idp metadata missing IDPSSODescriptor")
+	}
+
 	for _, kd := range metadata.IDPSSODescriptor.KeyDescriptors {
 		for idx, xcert := range kd.KeyInfo.X509Data.X509Certificates {
 			if xcert.Data == "" {

From ece1d3c3367b74b4155230b6a8b25e82dfc65818 Mon Sep 17 00:00:00 2001
From: techknowlogick <hello@techknowlogick.com>
Date: Tue, 31 Oct 2023 15:03:34 +0000
Subject: [PATCH 27/84] pass ctx

---
 services/auth/source/saml/init.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/services/auth/source/saml/init.go b/services/auth/source/saml/init.go
index 14553e9fe7594..f1d6d9fa4bcd7 100644
--- a/services/auth/source/saml/init.go
+++ b/services/auth/source/saml/init.go
@@ -4,6 +4,7 @@
 package saml
 
 import (
+	"context"
 	"sync"
 
 	"code.gitea.io/gitea/models/auth"
@@ -12,8 +13,8 @@ import (
 
 var samlRWMutex = sync.RWMutex{}
 
-func Init() error {
-	loginSources, _ := auth.GetActiveAuthProviderSources(auth.SAML)
+func Init(ctx context.Context) error {
+	loginSources, _ := auth.GetActiveAuthProviderSources(ctx, auth.SAML)
 	for _, source := range loginSources {
 		samlSource, ok := source.Cfg.(*Source)
 		if !ok {

From e844904b173ea4fb7de61bf37576bd870b6b290a Mon Sep 17 00:00:00 2001
From: techknowlogick <hello@techknowlogick.com>
Date: Tue, 31 Oct 2023 15:12:29 +0000
Subject: [PATCH 28/84] fix func call

---
 routers/web/auth/auth.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/routers/web/auth/auth.go b/routers/web/auth/auth.go
index 05ed76ad42966..e67877e1a549f 100644
--- a/routers/web/auth/auth.go
+++ b/routers/web/auth/auth.go
@@ -168,7 +168,7 @@ func SignIn(ctx *context.Context) {
 	ctx.Data["OrderedOAuth2Names"] = orderedOAuth2Names
 	ctx.Data["OAuth2Providers"] = oauth2Providers
 
-	samlProviders, err := auth.GetActiveAuthProviderSources(auth.SAML)
+	samlProviders, err := auth.GetActiveAuthProviderSources(ctx, auth.SAML)
 	if err != nil {
 		ctx.ServerError("UserSignIn", err)
 		return

From 94aac3689e0ceba3542eb16e866f6f999d9313a5 Mon Sep 17 00:00:00 2001
From: techknowlogick <hello@techknowlogick.com>
Date: Tue, 31 Oct 2023 15:16:25 +0000
Subject: [PATCH 29/84] pass ctx

---
 routers/web/auth/saml.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/routers/web/auth/saml.go b/routers/web/auth/saml.go
index e2e66e79c2375..7f61ad6ca8609 100644
--- a/routers/web/auth/saml.go
+++ b/routers/web/auth/saml.go
@@ -26,7 +26,7 @@ import (
 func SignInSAML(ctx *context.Context) {
 	provider := ctx.Params(":provider")
 
-	loginSource, err := auth.GetActiveAuthSourceByName(provider, auth.SAML)
+	loginSource, err := auth.GetActiveAuthSourceByName(ctx, provider, auth.SAML)
 	if err != nil || loginSource == nil {
 		ctx.NotFound("SAMLMetadata", err)
 		return

From f7d224642e1c380ddeded6826ebf29631b45b5ef Mon Sep 17 00:00:00 2001
From: techknowlogick <hello@techknowlogick.com>
Date: Tue, 31 Oct 2023 15:17:49 +0000
Subject: [PATCH 30/84] ctx

---
 routers/web/auth/saml.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/routers/web/auth/saml.go b/routers/web/auth/saml.go
index 7f61ad6ca8609..832aef8a5170d 100644
--- a/routers/web/auth/saml.go
+++ b/routers/web/auth/saml.go
@@ -149,7 +149,7 @@ func samlUserLoginCallback(ctx context.Context, authSource *auth.Source, request
 		ExternalID:    gothUser.UserID,
 		LoginSourceID: authSource.ID,
 	}
-	hasUser, err = user_model.GetExternalLogin(externalLoginUser)
+	hasUser, err = user_model.GetExternalLogin(ctx, externalLoginUser)
 	if err != nil {
 		return nil, goth.User{}, err
 	}

From 47eaae4609035726589de55928323dfd0a1bf74c Mon Sep 17 00:00:00 2001
From: techknowlogick <hello@techknowlogick.com>
Date: Tue, 31 Oct 2023 15:19:57 +0000
Subject: [PATCH 31/84] ctx

---
 routers/web/auth/saml.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/routers/web/auth/saml.go b/routers/web/auth/saml.go
index 832aef8a5170d..42ac640f82f6b 100644
--- a/routers/web/auth/saml.go
+++ b/routers/web/auth/saml.go
@@ -165,7 +165,7 @@ func samlUserLoginCallback(ctx context.Context, authSource *auth.Source, request
 // SAMLMetadata
 func SAMLMetadata(ctx *context.Context) {
 	provider := ctx.Params(":provider")
-	loginSource, err := auth.GetActiveAuthSourceByName(provider, auth.SAML)
+	loginSource, err := auth.GetActiveAuthSourceByName(ctx, provider, auth.SAML)
 	if err != nil || loginSource == nil {
 		ctx.NotFound("SAMLMetadata", err)
 		return

From 0c92ddf5ea9ea9e6d329f89bc6bacf305ac78e40 Mon Sep 17 00:00:00 2001
From: techknowlogick <hello@techknowlogick.com>
Date: Tue, 31 Oct 2023 15:29:54 +0000
Subject: [PATCH 32/84] ctx

---
 routers/web/auth/auth.go | 2 +-
 routers/web/auth/saml.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/routers/web/auth/auth.go b/routers/web/auth/auth.go
index e67877e1a549f..6cdc59ca5b4a4 100644
--- a/routers/web/auth/auth.go
+++ b/routers/web/auth/auth.go
@@ -612,7 +612,7 @@ func handleUserCreated(ctx *context.Context, u *user_model.User, gothUser *goth.
 
 	// update external user information
 	if gothUser != nil {
-		if err := externalaccount.UpdateExternalUser(ctx, u, *gothUser); err != nil {
+		if err := externalaccount.UpdateExternalUser(ctx, u, *gothUser, authType); err != nil {
 			if !errors.Is(err, util.ErrNotExist) {
 				log.Error("UpdateExternalUser failed: %v", err)
 			}
diff --git a/routers/web/auth/saml.go b/routers/web/auth/saml.go
index 42ac640f82f6b..551beef6cfa67 100644
--- a/routers/web/auth/saml.go
+++ b/routers/web/auth/saml.go
@@ -44,7 +44,7 @@ func SignInSAML(ctx *context.Context) {
 // SignInSAMLCallback
 func SignInSAMLCallback(ctx *context.Context) {
 	provider := ctx.Params(":provider")
-	loginSource, err := auth.GetActiveAuthSourceByName(provider, auth.SAML)
+	loginSource, err := auth.GetActiveAuthSourceByName(ctx, provider, auth.SAML)
 	if err != nil || loginSource == nil {
 		ctx.NotFound("SignInSAMLCallback", err)
 		return
@@ -101,7 +101,7 @@ func handleSamlSignIn(ctx *context.Context, source *auth.Source, u *user_model.U
 	u.SetLastLogin()
 
 	// update external user information
-	if err := externalaccount.UpdateExternalUser(u, gothUser, auth.SAML); err != nil {
+	if err := externalaccount.UpdateExternalUser(ctx, u, gothUser, auth.SAML); err != nil {
 		if !errors.Is(err, util.ErrNotExist) {
 			log.Error("UpdateExternalUser failed: %v", err)
 		}

From 99785b50cc65a1947708425ef017a642b697fdff Mon Sep 17 00:00:00 2001
From: techknowlogick <hello@techknowlogick.com>
Date: Tue, 31 Oct 2023 15:40:45 +0000
Subject: [PATCH 33/84] make tidy

---
 go.sum | 2 --
 1 file changed, 2 deletions(-)

diff --git a/go.sum b/go.sum
index 9f050a38aec82..340ddba9f7924 100644
--- a/go.sum
+++ b/go.sum
@@ -144,8 +144,6 @@ github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuP
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
 github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs=
 github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
-github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=
-github.com/benbjohnson/clock v1.3.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bits-and-blooms/bitset v1.1.10/go.mod h1:w0XsmFg8qg6cmpTtJ0z3pKgjTDBMMnI/+I2syrE6XBE=

From 1f50dbb05171f4f5a577827dbc4330cc2e98c46e Mon Sep 17 00:00:00 2001
From: techknowlogick <techknowlogick@gitea.com>
Date: Fri, 3 Nov 2023 23:19:57 -0400
Subject: [PATCH 34/84] Update auths.go

---
 routers/web/admin/auths.go | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go
index d2d0c0101d705..692533fc039f3 100644
--- a/routers/web/admin/auths.go
+++ b/routers/web/admin/auths.go
@@ -249,17 +249,14 @@ func parseSSPIConfig(ctx *context.Context, form forms.AuthenticationForm) (*sspi
 }
 
 func parseSAMLConfig(ctx *context.Context, form forms.AuthenticationForm) (*saml.Source, error) {
-	// TODO: verify form here
-	// if util.IsEmptyString(form.ServiceProviderCertificate) {
-	// 	ctx.Data["Err_SSPISeparatorReplacement"] = true
-	// 	// TODO: need sp cert
-	// 	return nil, errors.New(ctx.Tr("form.require_error"))
-	// }
-	// if util.IsEmptyString(form.ServiceProviderPrivateKey) {
-	// 	ctx.Data["Err_SSPISeparatorReplacement"] = true
-	// 	// TODO: need sp key
-	// 	return nil, errors.New(ctx.Tr("form.require_error"))
-	// }
+	if util.IsEmptyString(form.ServiceProviderCertificate) {
+		ctx.Data["Err_SSPISeparatorReplacement"] = true
+		return nil, errors.New(ctx.Tr("form.require_error"))
+	}
+	if util.IsEmptyString(form.ServiceProviderPrivateKey) {
+		ctx.Data["Err_SSPISeparatorReplacement"] = true
+		return nil, errors.New(ctx.Tr("form.require_error"))
+	}
 	if util.IsEmptyString(form.IdentityProviderMetadata) && util.IsEmptyString(form.IdentityProviderMetadataURL) {
 		return nil, fmt.Errorf("Identity Provider Metadata needed (either raw XML or URL)")
 	}

From 80c9af9440ab52743f48d99072a5396a961ba37e Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Fri, 1 Dec 2023 11:49:20 -0500
Subject: [PATCH 35/84] ui fixes, docs

---
 docs/content/usage/authentication.en-us.md | 21 +++++++++++++++++++++
 templates/admin/auth/source/saml.tmpl      | 20 ++++++++++----------
 2 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/docs/content/usage/authentication.en-us.md b/docs/content/usage/authentication.en-us.md
index 6e4ede0be6c89..0ed149d0d2f86 100644
--- a/docs/content/usage/authentication.en-us.md
+++ b/docs/content/usage/authentication.en-us.md
@@ -349,3 +349,24 @@ If set `ENABLE_REVERSE_PROXY_FULL_NAME=true`, a user full name expected in `X-WE
 You can also limit the reverse proxy's IP address range with `REVERSE_PROXY_TRUSTED_PROXIES` which default value is `127.0.0.0/8,::1/128`. By `REVERSE_PROXY_LIMIT`, you can limit trusted proxies level.
 
 Notice: Reverse Proxy Auth doesn't support the API. You still need an access token or basic auth to make API requests.
+
+
+## SAML
+
+### Configuring Gitea as a SAML 2.0 Service Provider
+
+- Navigate to `Site Administration > Identity & Access > Authentication Sources`
+- Click the `Add Authentication Source` button
+- Select `SAML` as the authentication type and specify an authentication source name in `Authentication Name`.
+- The `SAML NameID Format` dropdown specifies how Identity Provider (IdP) users are mapped to Gitea users. This option will be provider specific.
+- The `[Insecure] Skip Assertion Signature Validation` option is not recommended and disables integrity verification of IdP SAML assertions.
+- Either `Identity Provider Metadata URL` or `Identity Provider Metadata XML` must be specified.
+  - Specifically, `Identity Provider Metadata XML` should be the XML metadata returned by the IdP metadata endpoint. This may be omitted if the endpoint url is recorded in `Identity Provider Metadata URL`.
+- You should generate an X.509-formatted certificate and DSA/RSA private key for signing SAML requests. These are specified in `Service Provider Certificate` and `Service Provider Private Key` respectively.
+- The checkbox `Sign SAML Requests` should be enabled if a certificate and private key are provided.
+- `Email Assertion Key` (email), `Name Assertion Key` (nickname), and `Username Assertion Key` (username) specify how IdP user attributes are mapped to Gitea user attributes. These will be provider specific (or configurable).
+
+### Configuring a SAML 2.0 Identity Provider to use Gitea
+
+- The service provider assertion consumer service url will look like: `http(s)://[mydomain]/user/saml/[Authentication Name]/acs`.
+- The service provider metadata url will look like: `http(s)://[mydomain]/user/saml/[Authentication Name]/metadata`.
diff --git a/templates/admin/auth/source/saml.tmpl b/templates/admin/auth/source/saml.tmpl
index f99f41b6efda4..d3401c7447daa 100644
--- a/templates/admin/auth/source/saml.tmpl
+++ b/templates/admin/auth/source/saml.tmpl
@@ -1,7 +1,7 @@
 <div class="saml field {{if not (eq .type 8)}}gt-hidden{{end}}">
 
 	<div class="inline required field">
-		<label>{{.locale.Tr "admin.auths.saml_nameidformat"}}</label>
+		<label>{{ctx.Locale.Tr "admin.auths.saml_nameidformat"}}</label>
 		<div class="ui selection type dropdown">
 			<input type="hidden" id="name_id_format" name="name_id_format" value="{{.name_id_format}}">
 			<div class="text">{{.CurrentNameIDFormat}}</div>
@@ -15,49 +15,49 @@
 	</div>
 
 	<div class="field">
-		<label for="identity_provider_metadata_url">{{.locale.Tr "admin.auths.saml_identity_provider_metadata_url"}}</label>
+		<label for="identity_provider_metadata_url">{{ctx.Locale.Tr  "admin.auths.saml_identity_provider_metadata_url"}}</label>
 		<input id="identity_provider_metadata_url" name="identity_provider_metadata_url" value="{{.IdentityProviderMetadataURL}}">
 	</div>
 	<div class="field">
-		<label for="identity_provider_metadata">{{.locale.Tr "admin.auths.saml_identity_provider_metadata"}}</label>
+		<label for="identity_provider_metadata">{{ctx.Locale.Tr  "admin.auths.saml_identity_provider_metadata"}}</label>
 		<textarea rows=2 id="identity_provider_metadata" name="identity_provider_metadata" value="{{.IdentityProviderMetadata}}"></textarea>
 	</div>
 
 	<div class="inline field">
 		<div class="ui checkbox">
-			<label><strong>{{.locale.Tr "admin.auths.saml_insecure_skip_assertion_signature_validation"}}</strong></label>
+			<label><strong>{{ctx.Locale.Tr  "admin.auths.saml_insecure_skip_assertion_signature_validation"}}</strong></label>
 			<input name="insecure_skip_assertion_signature_validation" type="checkbox" {{if .InsecureSkipAssertionSignatureValidation}}checked{{end}}>
 		</div>
 	</div>
 
 	<div class=" field">
-		<label for="service_provider_certificate">{{.locale.Tr "admin.auths.saml_service_provider_certificate"}}</label>
+		<label for="service_provider_certificate">{{ctx.Locale.Tr  "admin.auths.saml_service_provider_certificate"}}</label>
 		<textarea rows=2 id="service_provider_certificate" name="service_provider_certificate" value="{{.ServiceProviderCertificate}}"></textarea>
 	</div>
 	<div class=" field">
-		<label for="service_provider_private_key">{{.locale.Tr "admin.auths.saml_service_provider_private_key"}}</label>
+		<label for="service_provider_private_key">{{ctx.Locale.Tr  "admin.auths.saml_service_provider_private_key"}}</label>
 		<textarea rows=2 id="service_provider_private_key" name="service_provider_private_key" value="{{.ServiceProviderPrivateKey}}"></textarea>
 	</div>
 
 	<div class="inline field">
 		<div class="ui checkbox">
-			<label><strong>{{.locale.Tr "admin.auths.saml_sign_requests"}}</strong></label>
+			<label><strong>{{ctx.Locale.Tr  "admin.auths.saml_sign_requests"}}</strong></label>
 			<input name="sign_requests" type="checkbox" {{if .SignRequests}}checked{{end}}>
 		</div>
 	</div>
 
 	<div class="field">
-		<label for="email_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_email_assertion_key"}}</label>
+		<label for="email_assertion_key">{{ctx.Locale.Tr  "admin.auths.saml_identity_provider_email_assertion_key"}}</label>
 		<input id="email_assertion_key" name="email_assertion_key" value="{{if not .EmailAssertionKey}}http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress{{else}}{{.EmailAssertionKey}}{{end}}">
 	</div>
 
 	<div class="field">
-		<label for="name_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_name_assertion_key"}}</label>
+		<label for="name_assertion_key">{{ctx.Locale.Tr  "admin.auths.saml_identity_provider_name_assertion_key"}}</label>
 		<input id="name_assertion_key" name="name_assertion_key" value="{{if not .NameAssertionKey}}http://schemas.xmlsoap.org/claims/CommonName{{else}}{{.NameAssertionKey}}{{end}}">
 	</div>
 
 	<div class="field">
-		<label for="username_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_username_assertion_key"}}</label>
+		<label for="username_assertion_key">{{ctx.Locale.Tr  "admin.auths.saml_identity_provider_username_assertion_key"}}</label>
 		<input id="username_assertion_key" name="username_assertion_key" value="{{if not .UsernameAssertionKey}}http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name{{else}}{{.UsernameAssertionKey}}{{end}}">
 	</div>
 

From e9c1b0b6ebd27e28efbf19fdbd396db9c59f493d Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Wed, 8 Nov 2023 11:58:57 -0500
Subject: [PATCH 36/84] add saml integration test

---
 models/fixtures/login_source.yml |  10 ++-
 modules/setting/saml.go          |   1 +
 tests/e2e/saml.test.e2e.js       |   0
 tests/integration/saml_test.go   | 107 +++++++++++++++++++++++++++++++
 4 files changed, 117 insertions(+), 1 deletion(-)
 create mode 100644 modules/setting/saml.go
 create mode 100644 tests/e2e/saml.test.e2e.js
 create mode 100644 tests/integration/saml_test.go

diff --git a/models/fixtures/login_source.yml b/models/fixtures/login_source.yml
index ca780a73aa0c1..63b0561fce7cf 100644
--- a/models/fixtures/login_source.yml
+++ b/models/fixtures/login_source.yml
@@ -1 +1,9 @@
-[] # empty
+-
+  id: 1
+  type: 8
+  name: test-sp
+  is_active: 1
+  is_sync_enabled: 0
+  cfg: {"IdentityProviderMetadata":"","IdentityProviderMetadataURL":"http://localhost:8080/simplesaml/saml2/idp/metadata.php","InsecureSkipAssertionSignatureValidation":false,"NameIDFormat":4,"ServiceProviderCertificate":"","ServiceProviderIssuer":"","ServiceProviderPrivateKey":"","SignRequests":false,"CallbackURL":"","EmailAssertionKey":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress","NameAssertionKey":"http://schemas.xmlsoap.org/claims/CommonName","UsernameAssertionKey":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"}
+  created_unix: 1697568527
+  updated_unix: 1699288881
diff --git a/modules/setting/saml.go b/modules/setting/saml.go
new file mode 100644
index 0000000000000..85d4a38805fe0
--- /dev/null
+++ b/modules/setting/saml.go
@@ -0,0 +1 @@
+package setting
diff --git a/tests/e2e/saml.test.e2e.js b/tests/e2e/saml.test.e2e.js
new file mode 100644
index 0000000000000..e69de29bb2d1d
diff --git a/tests/integration/saml_test.go b/tests/integration/saml_test.go
new file mode 100644
index 0000000000000..9df886e79e288
--- /dev/null
+++ b/tests/integration/saml_test.go
@@ -0,0 +1,107 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"html"
+	"io"
+	"net/http"
+	"net/http/cookiejar"
+	"net/url"
+	"regexp"
+	"strings"
+	"testing"
+	"time"
+
+	"code.gitea.io/gitea/models/db"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/test"
+	"code.gitea.io/gitea/tests"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSAMLRegistration(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	// check the saml metadata url
+	req := NewRequest(t, "GET", "/user/saml/test-sp/metadata")
+	MakeRequest(t, req, http.StatusOK)
+
+	req = NewRequest(t, "GET", "/user/saml/test-sp")
+	resp := MakeRequest(t, req, http.StatusTemporaryRedirect)
+
+	jar, err := cookiejar.New(nil)
+	assert.NoError(t, err)
+
+	client := http.Client{
+		Timeout: 30 * time.Second,
+		Jar:     jar,
+	}
+
+	req, err = http.NewRequest("GET", test.RedirectURL(resp), nil)
+	assert.NoError(t, err)
+
+	res, err := client.Do(req)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, res.StatusCode)
+
+	// find the auth state hidden input
+	authStateMatcher := regexp.MustCompile(`<input.*?name="AuthState".*?value="([^"]+)".*?>`)
+	body, err := io.ReadAll(res.Body)
+	assert.NoError(t, err)
+
+	matches := authStateMatcher.FindStringSubmatch(string(body))
+	assert.Len(t, matches, 2)
+	assert.NoError(t, res.Body.Close())
+
+	form := url.Values{
+		"username":  {"user1"},
+		"password":  {"user1pass"},
+		"AuthState": {html.UnescapeString(matches[1])},
+	}
+
+	req, err = http.NewRequest("POST", "http://localhost:8080/simplesaml/module.php/core/loginuserpass.php", strings.NewReader(form.Encode()))
+	assert.NoError(t, err)
+	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+
+	res, err = client.Do(req)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, res.StatusCode)
+
+	samlResMatcher := regexp.MustCompile(`<input.*?value="([^"]+)".*?>`)
+
+	body, err = io.ReadAll(res.Body)
+	assert.NoError(t, err)
+
+	matches = samlResMatcher.FindStringSubmatch(string(body))
+	assert.Len(t, matches, 2)
+	assert.NoError(t, res.Body.Close())
+
+	session := emptyTestSession(t)
+
+	req = NewRequestWithValues(t, "POST", "/user/saml/test-sp/acs", map[string]string{
+		"SAMLResponse": matches[1],
+	})
+	resp = session.MakeRequest(t, req, http.StatusSeeOther)
+	assert.Equal(t, test.RedirectURL(resp), "/user/link_account")
+
+	csrf := GetCSRF(t, session, test.RedirectURL(resp))
+
+	// link the account
+	req = NewRequestWithValues(t, "POST", "/user/link_account_signup", map[string]string{
+		"_csrf":     csrf,
+		"user_name": "samluser",
+		"email":     "saml@example.com",
+	})
+
+	resp = session.MakeRequest(t, req, http.StatusSeeOther)
+	assert.Equal(t, test.RedirectURL(resp), "/")
+
+	// verify that the user was created
+	u, err := user_model.GetUserByEmail(db.DefaultContext, "saml@example.com")
+	assert.NoError(t, err)
+	assert.NotNil(t, u)
+	assert.Equal(t, "samluser", u.Name)
+}

From 449f5ff74ed7d8154af903b1c969d58485ed9606 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Wed, 8 Nov 2023 12:17:43 -0500
Subject: [PATCH 37/84] add saml container to db test action

---
 .github/workflows/pull-db-tests.yml | 33 +++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/.github/workflows/pull-db-tests.yml b/.github/workflows/pull-db-tests.yml
index 97446e6cd3b2f..1ea33295d40dd 100644
--- a/.github/workflows/pull-db-tests.yml
+++ b/.github/workflows/pull-db-tests.yml
@@ -37,6 +37,14 @@ jobs:
           MINIO_ROOT_PASSWORD: 12345678
         ports:
           - "9000:9000"
+      simplesaml:
+        image: kristophjunge/test-saml-idp
+        ports:
+          - "8080:8080"
+        env:
+          - SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
+          - SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          - SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -62,6 +70,15 @@ jobs:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    services:
+      simplesaml:
+        image: kristophjunge/test-saml-idp
+        ports:
+          - "8080:8080"
+        env:
+          - SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
+          - SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          - SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -163,6 +180,14 @@ jobs:
           - "143:143"
           - "587:587"
           - "993:993"
+      simplesaml:
+        image: kristophjunge/test-saml-idp
+        ports:
+          - "8080:8080"
+        env:
+          - SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
+          - SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          - SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -196,6 +221,14 @@ jobs:
           SA_PASSWORD: MwantsaSecurePassword1
         ports:
           - "1433:1433"
+      simplesaml:
+        image: kristophjunge/test-saml-idp
+        ports:
+          - "8080:8080"
+        env:
+          - SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
+          - SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          - SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4

From 6f94f26ba4b235880742bf714720121dc0bbc204 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Wed, 8 Nov 2023 12:23:55 -0500
Subject: [PATCH 38/84] cleanup

---
 modules/setting/saml.go    | 1 -
 tests/e2e/saml.test.e2e.js | 0
 2 files changed, 1 deletion(-)
 delete mode 100644 modules/setting/saml.go
 delete mode 100644 tests/e2e/saml.test.e2e.js

diff --git a/modules/setting/saml.go b/modules/setting/saml.go
deleted file mode 100644
index 85d4a38805fe0..0000000000000
--- a/modules/setting/saml.go
+++ /dev/null
@@ -1 +0,0 @@
-package setting
diff --git a/tests/e2e/saml.test.e2e.js b/tests/e2e/saml.test.e2e.js
deleted file mode 100644
index e69de29bb2d1d..0000000000000

From 721d4535f59ed8efb0b54d70a3ed88120f2de66b Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Wed, 8 Nov 2023 12:27:17 -0500
Subject: [PATCH 39/84] fix env formatting

---
 .github/workflows/pull-db-tests.yml | 24 +++++++++---------
 custom/conf/app.example.ini         | 13 ++++++++++
 modules/setting/saml.go             | 16 ++++++++++++
 modules/setting/setting.go          |  1 +
 routers/web/auth/saml.go            | 38 +++++++++++++++++++++++++++--
 5 files changed, 78 insertions(+), 14 deletions(-)
 create mode 100644 modules/setting/saml.go

diff --git a/.github/workflows/pull-db-tests.yml b/.github/workflows/pull-db-tests.yml
index 1ea33295d40dd..ee0cb1c670fc2 100644
--- a/.github/workflows/pull-db-tests.yml
+++ b/.github/workflows/pull-db-tests.yml
@@ -42,9 +42,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          - SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
-          - SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
-          - SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -76,9 +76,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          - SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
-          - SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
-          - SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -185,9 +185,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          - SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
-          - SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
-          - SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -226,9 +226,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          - SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
-          - SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
-          - SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 329dd34d7bead..9fbdad75f3cfc 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -1535,6 +1535,19 @@ LEVEL = Info
 ;; auto = link directly with the account
 ;ACCOUNT_LINKING = login
 
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;[saml_service_provider]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;; Automatically create user accounts for new saml users
+;ENABLE_AUTO_REGISTRATION = false
+;;
+;; Whether a new auto registered saml user needs to confirm their email.
+;; Do not include to use the REGISTER_EMAIL_CONFIRM setting from the `[service]` section.
+;REGISTER_EMAIL_CONFIRM =
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;[webhook]
diff --git a/modules/setting/saml.go b/modules/setting/saml.go
new file mode 100644
index 0000000000000..3d27495a22a71
--- /dev/null
+++ b/modules/setting/saml.go
@@ -0,0 +1,16 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package setting
+
+// SAMLServiceProvider settings
+var SAMLServiceProvider struct {
+	RegisterEmailConfirm   bool
+	EnableAutoRegistration bool
+}
+
+func loadSAMLServiceProviderFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("saml_service_provider")
+	SAMLServiceProvider.RegisterEmailConfirm = sec.Key("REGISTER_EMAIL_CONFIRM").MustBool(Service.RegisterEmailConfirm)
+	SAMLServiceProvider.EnableAutoRegistration = sec.Key("ENABLE_AUTO_REGISTRATION").MustBool()
+}
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index d444d9a0175c6..af510b5b53d2e 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -205,6 +205,7 @@ func LoadSettings() {
 	loadDBSetting(CfgProvider)
 	loadServiceFrom(CfgProvider)
 	loadOAuth2ClientFrom(CfgProvider)
+	loadSAMLServiceProviderFrom(CfgProvider)
 	loadCacheFrom(CfgProvider)
 	loadSessionFrom(CfgProvider)
 	loadCorsFrom(CfgProvider)
diff --git a/routers/web/auth/saml.go b/routers/web/auth/saml.go
index 551beef6cfa67..c650690568d5f 100644
--- a/routers/web/auth/saml.go
+++ b/routers/web/auth/saml.go
@@ -11,6 +11,7 @@ import (
 
 	"code.gitea.io/gitea/models/auth"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
@@ -73,8 +74,41 @@ func SignInSAMLCallback(ctx *context.Context) {
 
 			ctx.Redirect(setting.AppSubURL + "/user/settings/security")
 			return
-		} else if !setting.Service.AllowOnlyInternalRegistration && false {
-			// TODO: allow auto registration from saml users (OAuth2 uses the following setting.OAuth2Client.EnableAutoRegistration)
+		} else if !setting.Service.AllowOnlyInternalRegistration && setting.SAMLServiceProvider.EnableAutoRegistration {
+			var missingFields []string
+			if gothUser.UserID == "" {
+				missingFields = append(missingFields, "nameID")
+			}
+			if gothUser.Email == "" {
+				missingFields = append(missingFields, "email")
+			}
+			if gothUser.NickName == "" {
+				missingFields = append(missingFields, "nickname")
+			}
+			if len(missingFields) > 0 {
+				log.Error("SAML Provider %s returned empty or missing fields: %s", loginSource.Name, missingFields)
+				ctx.ServerError("CreateUser", fmt.Errorf("SAML Provider %s returned empty or missing fields: %s", loginSource.Name, missingFields))
+				return
+			}
+			u = &user_model.User{
+				Name:        getUserName(&gothUser),
+				FullName:    gothUser.Name,
+				Email:       gothUser.Email,
+				LoginType:   auth.OAuth2,
+				LoginSource: loginSource.ID,
+				LoginName:   gothUser.UserID,
+			}
+
+			overwriteDefault := &user_model.CreateUserOverwriteOptions{
+				IsActive: util.OptionalBoolOf(!setting.SAMLServiceProvider.RegisterEmailConfirm && !setting.Service.RegisterManualConfirm),
+			}
+
+			// TODO add account linking setting to match oauth?
+			if !createAndHandleCreatedUser(ctx, base.TplName(""), nil, u, overwriteDefault, &gothUser, true, auth.OAuth2) {
+				// error already handled
+				return
+			}
+			// TODO group mapping
 		} else {
 			// no existing user is found, request attach or new account
 			showLinkingLogin(ctx, gothUser, auth.SAML)

From 54c66b308f657bdbd846d7b9a72cf3bed7ea2e5d Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Wed, 8 Nov 2023 12:29:51 -0500
Subject: [PATCH 40/84] fix env vars

---
 .github/workflows/pull-db-tests.yml | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/pull-db-tests.yml b/.github/workflows/pull-db-tests.yml
index ee0cb1c670fc2..a72f5271a921d 100644
--- a/.github/workflows/pull-db-tests.yml
+++ b/.github/workflows/pull-db-tests.yml
@@ -42,9 +42,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3000/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3000/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -76,9 +76,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3000/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3000/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -185,9 +185,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3000/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3000/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -226,9 +226,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3000/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3000/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4

From b1eaf6e7fd9cbf0e5e0f8e302dd8616f84f41f21 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Wed, 8 Nov 2023 12:35:18 -0500
Subject: [PATCH 41/84] fix yaml lint

---
 models/fixtures/login_source.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/models/fixtures/login_source.yml b/models/fixtures/login_source.yml
index 63b0561fce7cf..c8dae55db0889 100644
--- a/models/fixtures/login_source.yml
+++ b/models/fixtures/login_source.yml
@@ -4,6 +4,6 @@
   name: test-sp
   is_active: 1
   is_sync_enabled: 0
-  cfg: {"IdentityProviderMetadata":"","IdentityProviderMetadataURL":"http://localhost:8080/simplesaml/saml2/idp/metadata.php","InsecureSkipAssertionSignatureValidation":false,"NameIDFormat":4,"ServiceProviderCertificate":"","ServiceProviderIssuer":"","ServiceProviderPrivateKey":"","SignRequests":false,"CallbackURL":"","EmailAssertionKey":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress","NameAssertionKey":"http://schemas.xmlsoap.org/claims/CommonName","UsernameAssertionKey":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"}
+  cfg: {"IdentityProviderMetadata":"", "IdentityProviderMetadataURL":"http://localhost:8080/simplesaml/saml2/idp/metadata.php", "InsecureSkipAssertionSignatureValidation":false, "NameIDFormat":4, "ServiceProviderCertificate":"", "ServiceProviderIssuer":"", "ServiceProviderPrivateKey":"", "SignRequests":false, "CallbackURL":"", "EmailAssertionKey":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "NameAssertionKey":"http://schemas.xmlsoap.org/claims/CommonName", "UsernameAssertionKey":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"}
   created_unix: 1697568527
   updated_unix: 1699288881

From 048de029e0a5f81001e981153f7c5ac263373ca3 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Wed, 8 Nov 2023 12:44:59 -0500
Subject: [PATCH 42/84] cleanup

---
 custom/conf/app.example.ini | 13 -------------
 modules/setting/saml.go     | 16 ----------------
 modules/setting/setting.go  |  1 -
 routers/web/auth/saml.go    | 38 ++-----------------------------------
 4 files changed, 2 insertions(+), 66 deletions(-)
 delete mode 100644 modules/setting/saml.go

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 9fbdad75f3cfc..329dd34d7bead 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -1535,19 +1535,6 @@ LEVEL = Info
 ;; auto = link directly with the account
 ;ACCOUNT_LINKING = login
 
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[saml_service_provider]
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;
-;; Automatically create user accounts for new saml users
-;ENABLE_AUTO_REGISTRATION = false
-;;
-;; Whether a new auto registered saml user needs to confirm their email.
-;; Do not include to use the REGISTER_EMAIL_CONFIRM setting from the `[service]` section.
-;REGISTER_EMAIL_CONFIRM =
-
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;[webhook]
diff --git a/modules/setting/saml.go b/modules/setting/saml.go
deleted file mode 100644
index 3d27495a22a71..0000000000000
--- a/modules/setting/saml.go
+++ /dev/null
@@ -1,16 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package setting
-
-// SAMLServiceProvider settings
-var SAMLServiceProvider struct {
-	RegisterEmailConfirm   bool
-	EnableAutoRegistration bool
-}
-
-func loadSAMLServiceProviderFrom(rootCfg ConfigProvider) {
-	sec := rootCfg.Section("saml_service_provider")
-	SAMLServiceProvider.RegisterEmailConfirm = sec.Key("REGISTER_EMAIL_CONFIRM").MustBool(Service.RegisterEmailConfirm)
-	SAMLServiceProvider.EnableAutoRegistration = sec.Key("ENABLE_AUTO_REGISTRATION").MustBool()
-}
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index af510b5b53d2e..d444d9a0175c6 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -205,7 +205,6 @@ func LoadSettings() {
 	loadDBSetting(CfgProvider)
 	loadServiceFrom(CfgProvider)
 	loadOAuth2ClientFrom(CfgProvider)
-	loadSAMLServiceProviderFrom(CfgProvider)
 	loadCacheFrom(CfgProvider)
 	loadSessionFrom(CfgProvider)
 	loadCorsFrom(CfgProvider)
diff --git a/routers/web/auth/saml.go b/routers/web/auth/saml.go
index c650690568d5f..551beef6cfa67 100644
--- a/routers/web/auth/saml.go
+++ b/routers/web/auth/saml.go
@@ -11,7 +11,6 @@ import (
 
 	"code.gitea.io/gitea/models/auth"
 	user_model "code.gitea.io/gitea/models/user"
-	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
@@ -74,41 +73,8 @@ func SignInSAMLCallback(ctx *context.Context) {
 
 			ctx.Redirect(setting.AppSubURL + "/user/settings/security")
 			return
-		} else if !setting.Service.AllowOnlyInternalRegistration && setting.SAMLServiceProvider.EnableAutoRegistration {
-			var missingFields []string
-			if gothUser.UserID == "" {
-				missingFields = append(missingFields, "nameID")
-			}
-			if gothUser.Email == "" {
-				missingFields = append(missingFields, "email")
-			}
-			if gothUser.NickName == "" {
-				missingFields = append(missingFields, "nickname")
-			}
-			if len(missingFields) > 0 {
-				log.Error("SAML Provider %s returned empty or missing fields: %s", loginSource.Name, missingFields)
-				ctx.ServerError("CreateUser", fmt.Errorf("SAML Provider %s returned empty or missing fields: %s", loginSource.Name, missingFields))
-				return
-			}
-			u = &user_model.User{
-				Name:        getUserName(&gothUser),
-				FullName:    gothUser.Name,
-				Email:       gothUser.Email,
-				LoginType:   auth.OAuth2,
-				LoginSource: loginSource.ID,
-				LoginName:   gothUser.UserID,
-			}
-
-			overwriteDefault := &user_model.CreateUserOverwriteOptions{
-				IsActive: util.OptionalBoolOf(!setting.SAMLServiceProvider.RegisterEmailConfirm && !setting.Service.RegisterManualConfirm),
-			}
-
-			// TODO add account linking setting to match oauth?
-			if !createAndHandleCreatedUser(ctx, base.TplName(""), nil, u, overwriteDefault, &gothUser, true, auth.OAuth2) {
-				// error already handled
-				return
-			}
-			// TODO group mapping
+		} else if !setting.Service.AllowOnlyInternalRegistration && false {
+			// TODO: allow auto registration from saml users (OAuth2 uses the following setting.OAuth2Client.EnableAutoRegistration)
 		} else {
 			// no existing user is found, request attach or new account
 			showLinkingLogin(ctx, gothUser, auth.SAML)

From 0d84083c6e6482067100eab89bdc23444002bd46 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Thu, 9 Nov 2023 10:59:30 -0500
Subject: [PATCH 43/84] update port

---
 .github/workflows/pull-db-tests.yml | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/pull-db-tests.yml b/.github/workflows/pull-db-tests.yml
index a72f5271a921d..114c42154db71 100644
--- a/.github/workflows/pull-db-tests.yml
+++ b/.github/workflows/pull-db-tests.yml
@@ -42,9 +42,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3000/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3000/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3003/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3003/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -76,9 +76,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3000/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3000/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3003/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3003/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -185,9 +185,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3000/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3000/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3003/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3003/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -226,9 +226,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3000/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3000/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3003/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3003/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4

From 9d064dec276f7aaa95193bdfdd0852ce996af43e Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Thu, 9 Nov 2023 11:50:58 -0500
Subject: [PATCH 44/84] disable saml test when not in ci

---
 .github/workflows/pull-db-tests.yml | 24 +++++++++----------
 models/fixtures/login_source.yml    | 10 +-------
 tests/integration/saml_test.go      | 36 ++++++++++++++++++++++++++++-
 3 files changed, 48 insertions(+), 22 deletions(-)

diff --git a/.github/workflows/pull-db-tests.yml b/.github/workflows/pull-db-tests.yml
index 114c42154db71..04db65d5b5d10 100644
--- a/.github/workflows/pull-db-tests.yml
+++ b/.github/workflows/pull-db-tests.yml
@@ -42,9 +42,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3003/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3003/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID: http://172.17.0.1:3003/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://172.17.0.1:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://172.17.0.1:3003/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -76,9 +76,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3003/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3003/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID: http://172.17.0.1:3003/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://172.17.0.1:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://172.17.0.1:3003/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -185,9 +185,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3003/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3003/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID: http://172.17.0.1:3003/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://172.17.0.1:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://172.17.0.1:3003/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -226,9 +226,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3003/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3003/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID: http://172.17.0.1:3003/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://172.17.0.1:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://172.17.0.1:3003/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
diff --git a/models/fixtures/login_source.yml b/models/fixtures/login_source.yml
index c8dae55db0889..fe51488c7066f 100644
--- a/models/fixtures/login_source.yml
+++ b/models/fixtures/login_source.yml
@@ -1,9 +1 @@
--
-  id: 1
-  type: 8
-  name: test-sp
-  is_active: 1
-  is_sync_enabled: 0
-  cfg: {"IdentityProviderMetadata":"", "IdentityProviderMetadataURL":"http://localhost:8080/simplesaml/saml2/idp/metadata.php", "InsecureSkipAssertionSignatureValidation":false, "NameIDFormat":4, "ServiceProviderCertificate":"", "ServiceProviderIssuer":"", "ServiceProviderPrivateKey":"", "SignRequests":false, "CallbackURL":"", "EmailAssertionKey":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "NameAssertionKey":"http://schemas.xmlsoap.org/claims/CommonName", "UsernameAssertionKey":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"}
-  created_unix: 1697568527
-  updated_unix: 1699288881
+[]
diff --git a/tests/integration/saml_test.go b/tests/integration/saml_test.go
index 9df886e79e288..f52c127c8a600 100644
--- a/tests/integration/saml_test.go
+++ b/tests/integration/saml_test.go
@@ -4,19 +4,23 @@
 package integration
 
 import (
+	"fmt"
 	"html"
 	"io"
 	"net/http"
 	"net/http/cookiejar"
 	"net/url"
+	"os"
 	"regexp"
 	"strings"
 	"testing"
 	"time"
 
+	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/test"
+	"code.gitea.io/gitea/services/auth/source/saml"
 	"code.gitea.io/gitea/tests"
 
 	"github.com/stretchr/testify/assert"
@@ -25,6 +29,36 @@ import (
 func TestSAMLRegistration(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
+	samlURL := "simplesaml:8080"
+
+	if os.Getenv("CI") == "" {
+		// Make it possible to run tests against a local elasticsearch instance
+		samlURL = os.Getenv("TEST_SIMPLESAML_URL")
+		if samlURL == "" {
+			t.Skip("TEST_SIMPLESAML_URL not set and not running in CI")
+			return
+		}
+	}
+
+	assert.NoError(t, auth.CreateSource(db.DefaultContext, &auth.Source{
+		Type:          auth.SAML,
+		Name:          "test-sp",
+		IsActive:      true,
+		IsSyncEnabled: false,
+		Cfg: &saml.Source{
+			IdentityProviderMetadata:                 "",
+			IdentityProviderMetadataURL:              fmt.Sprintf("http://%s/simplesaml/saml2/idp/metadata.php", samlURL),
+			InsecureSkipAssertionSignatureValidation: false,
+			NameIDFormat:                             4,
+			ServiceProviderCertificate:               "",
+			ServiceProviderPrivateKey:                "",
+			SignRequests:                             false,
+			EmailAssertionKey:                        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
+			NameAssertionKey:                         "http://schemas.xmlsoap.org/claims/CommonName",
+			UsernameAssertionKey:                     "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
+		},
+	}))
+
 	// check the saml metadata url
 	req := NewRequest(t, "GET", "/user/saml/test-sp/metadata")
 	MakeRequest(t, req, http.StatusOK)
@@ -62,7 +96,7 @@ func TestSAMLRegistration(t *testing.T) {
 		"AuthState": {html.UnescapeString(matches[1])},
 	}
 
-	req, err = http.NewRequest("POST", "http://localhost:8080/simplesaml/module.php/core/loginuserpass.php", strings.NewReader(form.Encode()))
+	req, err = http.NewRequest("POST", fmt.Sprintf("http://%s/simplesaml/module.php/core/loginuserpass.php", samlURL), strings.NewReader(form.Encode()))
 	assert.NoError(t, err)
 	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
 

From 44bdd3144c57328afc2d65712f67cf50bc73e604 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Thu, 9 Nov 2023 12:10:22 -0500
Subject: [PATCH 45/84] add host mapping

---
 .github/workflows/pull-db-tests.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/pull-db-tests.yml b/.github/workflows/pull-db-tests.yml
index 04db65d5b5d10..bd1f2052399e0 100644
--- a/.github/workflows/pull-db-tests.yml
+++ b/.github/workflows/pull-db-tests.yml
@@ -52,7 +52,7 @@ jobs:
           go-version-file: go.mod
           check-latest: true
       - name: Add hosts to /etc/hosts
-        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 pgsql ldap minio" | sudo tee -a /etc/hosts'
+        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 pgsql ldap minio simplesaml" | sudo tee -a /etc/hosts'
       - run: make deps-backend
       - run: make backend
         env:
@@ -85,6 +85,8 @@ jobs:
         with:
           go-version-file: go.mod
           check-latest: true
+      - name: Add hosts to /etc/hosts
+        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 simplesaml" | sudo tee -a /etc/hosts'
       - run: make deps-backend
       - run: make backend
         env:
@@ -195,7 +197,7 @@ jobs:
           go-version-file: go.mod
           check-latest: true
       - name: Add hosts to /etc/hosts
-        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 mysql elasticsearch smtpimap" | sudo tee -a /etc/hosts'
+        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 mysql elasticsearch smtpimap simplesaml" | sudo tee -a /etc/hosts'
       - run: make deps-backend
       - run: make backend
         env:
@@ -236,7 +238,7 @@ jobs:
           go-version-file: go.mod
           check-latest: true
       - name: Add hosts to /etc/hosts
-        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 mssql" | sudo tee -a /etc/hosts'
+        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 mssql simplesaml" | sudo tee -a /etc/hosts'
       - run: make deps-backend
       - run: make backend
         env:

From 2a93fcbd40a3f697ee82c991535c819f25b76220 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Thu, 9 Nov 2023 12:31:39 -0500
Subject: [PATCH 46/84] update urls

---
 .github/workflows/pull-db-tests.yml | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/pull-db-tests.yml b/.github/workflows/pull-db-tests.yml
index bd1f2052399e0..a480003ca1a20 100644
--- a/.github/workflows/pull-db-tests.yml
+++ b/.github/workflows/pull-db-tests.yml
@@ -42,9 +42,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          SIMPLESAMLPHP_SP_ENTITY_ID: http://172.17.0.1:3003/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://172.17.0.1:3003/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://172.17.0.1:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID: http://127.0.0.1:3003/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://127.0.0.1:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://127.0.0.1:3003/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -76,9 +76,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          SIMPLESAMLPHP_SP_ENTITY_ID: http://172.17.0.1:3003/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://172.17.0.1:3003/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://172.17.0.1:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID: http://127.0.0.1:3003/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://127.0.0.1:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://127.0.0.1:3003/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -187,9 +187,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          SIMPLESAMLPHP_SP_ENTITY_ID: http://172.17.0.1:3003/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://172.17.0.1:3003/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://172.17.0.1:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID: http://127.0.0.1:3003/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://127.0.0.1:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://127.0.0.1:3003/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -228,9 +228,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          SIMPLESAMLPHP_SP_ENTITY_ID: http://172.17.0.1:3003/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://172.17.0.1:3003/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://172.17.0.1:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID: http://127.0.0.1:3003/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://127.0.0.1:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://127.0.0.1:3003/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4

From 13f240d746c70a1cd84fe021cddb375458494dad Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Thu, 9 Nov 2023 12:59:43 -0500
Subject: [PATCH 47/84] use localhost

---
 .github/workflows/pull-db-tests.yml | 8 +++-----
 tests/integration/saml_test.go      | 4 ++--
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/pull-db-tests.yml b/.github/workflows/pull-db-tests.yml
index a480003ca1a20..d6214b669b035 100644
--- a/.github/workflows/pull-db-tests.yml
+++ b/.github/workflows/pull-db-tests.yml
@@ -52,7 +52,7 @@ jobs:
           go-version-file: go.mod
           check-latest: true
       - name: Add hosts to /etc/hosts
-        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 pgsql ldap minio simplesaml" | sudo tee -a /etc/hosts'
+        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 pgsql ldap minio" | sudo tee -a /etc/hosts'
       - run: make deps-backend
       - run: make backend
         env:
@@ -85,8 +85,6 @@ jobs:
         with:
           go-version-file: go.mod
           check-latest: true
-      - name: Add hosts to /etc/hosts
-        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 simplesaml" | sudo tee -a /etc/hosts'
       - run: make deps-backend
       - run: make backend
         env:
@@ -197,7 +195,7 @@ jobs:
           go-version-file: go.mod
           check-latest: true
       - name: Add hosts to /etc/hosts
-        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 mysql elasticsearch smtpimap simplesaml" | sudo tee -a /etc/hosts'
+        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 mysql elasticsearch smtpimap" | sudo tee -a /etc/hosts'
       - run: make deps-backend
       - run: make backend
         env:
@@ -238,7 +236,7 @@ jobs:
           go-version-file: go.mod
           check-latest: true
       - name: Add hosts to /etc/hosts
-        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 mssql simplesaml" | sudo tee -a /etc/hosts'
+        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 mssql" | sudo tee -a /etc/hosts'
       - run: make deps-backend
       - run: make backend
         env:
diff --git a/tests/integration/saml_test.go b/tests/integration/saml_test.go
index f52c127c8a600..32ee09a45787d 100644
--- a/tests/integration/saml_test.go
+++ b/tests/integration/saml_test.go
@@ -29,10 +29,10 @@ import (
 func TestSAMLRegistration(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
-	samlURL := "simplesaml:8080"
+	samlURL := "127.0.0.1:8080"
 
 	if os.Getenv("CI") == "" {
-		// Make it possible to run tests against a local elasticsearch instance
+		// Make it possible to run tests against a local simplesaml instance
 		samlURL = os.Getenv("TEST_SIMPLESAML_URL")
 		if samlURL == "" {
 			t.Skip("TEST_SIMPLESAML_URL not set and not running in CI")

From 48cb4fa44f64f4dfa3d4dcb0e49d05812e9ddd59 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Thu, 9 Nov 2023 14:01:40 -0500
Subject: [PATCH 48/84] update ports

---
 .github/workflows/pull-db-tests.yml | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/pull-db-tests.yml b/.github/workflows/pull-db-tests.yml
index d6214b669b035..9c3362246afe9 100644
--- a/.github/workflows/pull-db-tests.yml
+++ b/.github/workflows/pull-db-tests.yml
@@ -42,9 +42,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          SIMPLESAMLPHP_SP_ENTITY_ID: http://127.0.0.1:3003/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://127.0.0.1:3003/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://127.0.0.1:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3002/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3002/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3002/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -76,9 +76,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          SIMPLESAMLPHP_SP_ENTITY_ID: http://127.0.0.1:3003/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://127.0.0.1:3003/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://127.0.0.1:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3003/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3003/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -185,9 +185,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          SIMPLESAMLPHP_SP_ENTITY_ID: http://127.0.0.1:3003/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://127.0.0.1:3003/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://127.0.0.1:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3001/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3001/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3001/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -226,9 +226,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          SIMPLESAMLPHP_SP_ENTITY_ID: http://127.0.0.1:3003/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://127.0.0.1:3003/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://127.0.0.1:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3003/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3003/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3003/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4

From 567ea6c4dcc72462c2ae02956175c725994f8c63 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Thu, 9 Nov 2023 14:30:39 -0500
Subject: [PATCH 49/84] cleanup

---
 models/fixtures/login_source.yml | 2 +-
 tests/integration/saml_test.go   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/models/fixtures/login_source.yml b/models/fixtures/login_source.yml
index fe51488c7066f..ca780a73aa0c1 100644
--- a/models/fixtures/login_source.yml
+++ b/models/fixtures/login_source.yml
@@ -1 +1 @@
-[]
+[] # empty
diff --git a/tests/integration/saml_test.go b/tests/integration/saml_test.go
index 32ee09a45787d..9115270fde182 100644
--- a/tests/integration/saml_test.go
+++ b/tests/integration/saml_test.go
@@ -29,7 +29,7 @@ import (
 func TestSAMLRegistration(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
-	samlURL := "127.0.0.1:8080"
+	samlURL := "localhost:8080"
 
 	if os.Getenv("CI") == "" {
 		// Make it possible to run tests against a local simplesaml instance

From e26ba327cdcaa54bf27e86d095a564457e3b1b9f Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Thu, 9 Nov 2023 15:33:28 -0500
Subject: [PATCH 50/84] update docs

---
 tests/integration/README.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/tests/integration/README.md b/tests/integration/README.md
index f6f74ca21ff9a..946fbd47c2e6e 100644
--- a/tests/integration/README.md
+++ b/tests/integration/README.md
@@ -110,3 +110,20 @@ SLOW_FLUSH = 5S ; 5s is the default value
 ```bash
 GITEA_SLOW_TEST_TIME="10s" GITEA_SLOW_FLUSH_TIME="5s" make test-sqlite
 ```
+
+## Running SimpleSAML for testing SAML locally
+
+```shell
+docker run \
+-p 8080:8080 \
+-p 8443:8443 \
+-e SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3003/user/saml/test-sp/metadata \
+-e SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3003/user/saml/test-sp/acs \
+-e SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3003/user/saml/test-sp/acs \
+--add-host=localhost:192.168.65.2 \
+-d kristophjunge/test-saml-idp
+```
+
+```shell
+TEST_SIMPLESAML_URL=localhost:8080 make test-sqlite#TestSAMLRegistration
+```

From 063642569ac33518d68e3c03ffb6603c468cc6ee Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Wed, 15 Nov 2023 15:27:04 -0500
Subject: [PATCH 51/84] update test to work with simplesamlphp 2.1.0

---
 tests/integration/saml_test.go | 33 +++++++++++++++------------------
 1 file changed, 15 insertions(+), 18 deletions(-)

diff --git a/tests/integration/saml_test.go b/tests/integration/saml_test.go
index 9115270fde182..4dfb5ba9296e3 100644
--- a/tests/integration/saml_test.go
+++ b/tests/integration/saml_test.go
@@ -5,7 +5,6 @@ package integration
 
 import (
 	"fmt"
-	"html"
 	"io"
 	"net/http"
 	"net/http/cookiejar"
@@ -77,26 +76,25 @@ func TestSAMLRegistration(t *testing.T) {
 	req, err = http.NewRequest("GET", test.RedirectURL(resp), nil)
 	assert.NoError(t, err)
 
+	var formRedirectURL *url.URL
+	client.CheckRedirect = func(req *http.Request, via []*http.Request) error {
+		// capture the redirected destination to use in POST request
+		formRedirectURL = req.URL
+		return nil
+	}
+
 	res, err := client.Do(req)
+	client.CheckRedirect = nil
 	assert.NoError(t, err)
 	assert.Equal(t, http.StatusOK, res.StatusCode)
-
-	// find the auth state hidden input
-	authStateMatcher := regexp.MustCompile(`<input.*?name="AuthState".*?value="([^"]+)".*?>`)
-	body, err := io.ReadAll(res.Body)
-	assert.NoError(t, err)
-
-	matches := authStateMatcher.FindStringSubmatch(string(body))
-	assert.Len(t, matches, 2)
-	assert.NoError(t, res.Body.Close())
+	assert.NotNil(t, formRedirectURL)
 
 	form := url.Values{
-		"username":  {"user1"},
-		"password":  {"user1pass"},
-		"AuthState": {html.UnescapeString(matches[1])},
+		"username": {"user1"},
+		"password": {"user1pass"},
 	}
 
-	req, err = http.NewRequest("POST", fmt.Sprintf("http://%s/simplesaml/module.php/core/loginuserpass.php", samlURL), strings.NewReader(form.Encode()))
+	req, err = http.NewRequest("POST", formRedirectURL.String(), strings.NewReader(form.Encode()))
 	assert.NoError(t, err)
 	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
 
@@ -104,12 +102,11 @@ func TestSAMLRegistration(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, http.StatusOK, res.StatusCode)
 
-	samlResMatcher := regexp.MustCompile(`<input.*?value="([^"]+)".*?>`)
-
-	body, err = io.ReadAll(res.Body)
+	body, err := io.ReadAll(res.Body)
 	assert.NoError(t, err)
 
-	matches = samlResMatcher.FindStringSubmatch(string(body))
+	samlResMatcher := regexp.MustCompile(`<input.*?name="SAMLResponse".*?value="([^"]+)".*?>`)
+	matches := samlResMatcher.FindStringSubmatch(string(body))
 	assert.Len(t, matches, 2)
 	assert.NoError(t, res.Body.Close())
 

From eb6a58be45784677b98a11cf4a68fe5415700c55 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Wed, 15 Nov 2023 17:37:42 -0500
Subject: [PATCH 52/84] switch to use updated image

---
 .github/workflows/pull-db-tests.yml | 8 ++++----
 tests/integration/README.md         | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/pull-db-tests.yml b/.github/workflows/pull-db-tests.yml
index 9c3362246afe9..a408b39897199 100644
--- a/.github/workflows/pull-db-tests.yml
+++ b/.github/workflows/pull-db-tests.yml
@@ -38,7 +38,7 @@ jobs:
         ports:
           - "9000:9000"
       simplesaml:
-        image: kristophjunge/test-saml-idp
+        image: allspice/simple-saml
         ports:
           - "8080:8080"
         env:
@@ -72,7 +72,7 @@ jobs:
     runs-on: ubuntu-latest
     services:
       simplesaml:
-        image: kristophjunge/test-saml-idp
+        image: allspice/simple-saml
         ports:
           - "8080:8080"
         env:
@@ -181,7 +181,7 @@ jobs:
           - "587:587"
           - "993:993"
       simplesaml:
-        image: kristophjunge/test-saml-idp
+        image: allspice/simple-saml
         ports:
           - "8080:8080"
         env:
@@ -222,7 +222,7 @@ jobs:
         ports:
           - "1433:1433"
       simplesaml:
-        image: kristophjunge/test-saml-idp
+        image: allspice/simple-saml
         ports:
           - "8080:8080"
         env:
diff --git a/tests/integration/README.md b/tests/integration/README.md
index 946fbd47c2e6e..c691483511932 100644
--- a/tests/integration/README.md
+++ b/tests/integration/README.md
@@ -121,7 +121,7 @@ docker run \
 -e SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3003/user/saml/test-sp/acs \
 -e SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3003/user/saml/test-sp/acs \
 --add-host=localhost:192.168.65.2 \
--d kristophjunge/test-saml-idp
+-d allspice/simple-saml
 ```
 
 ```shell

From 06c7818199025179da29f6355ba43d7c8278c4c1 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Mon, 27 Nov 2023 09:52:29 -0500
Subject: [PATCH 53/84] disable saml tests for other db types

---
 .github/workflows/pull-db-tests.yml | 25 -------------------------
 tests/integration/saml_test.go      |  3 ++-
 2 files changed, 2 insertions(+), 26 deletions(-)

diff --git a/.github/workflows/pull-db-tests.yml b/.github/workflows/pull-db-tests.yml
index a408b39897199..fa71284545b64 100644
--- a/.github/workflows/pull-db-tests.yml
+++ b/.github/workflows/pull-db-tests.yml
@@ -70,15 +70,6 @@ jobs:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
-    services:
-      simplesaml:
-        image: allspice/simple-saml
-        ports:
-          - "8080:8080"
-        env:
-          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3003/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3003/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3003/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -180,14 +171,6 @@ jobs:
           - "143:143"
           - "587:587"
           - "993:993"
-      simplesaml:
-        image: allspice/simple-saml
-        ports:
-          - "8080:8080"
-        env:
-          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3001/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3001/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3001/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -221,14 +204,6 @@ jobs:
           SA_PASSWORD: MwantsaSecurePassword1
         ports:
           - "1433:1433"
-      simplesaml:
-        image: allspice/simple-saml
-        ports:
-          - "8080:8080"
-        env:
-          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3003/user/saml/test-sp/metadata
-          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3003/user/saml/test-sp/acs
-          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3003/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
diff --git a/tests/integration/saml_test.go b/tests/integration/saml_test.go
index 4dfb5ba9296e3..28916bb21ff0f 100644
--- a/tests/integration/saml_test.go
+++ b/tests/integration/saml_test.go
@@ -18,6 +18,7 @@ import (
 	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/test"
 	"code.gitea.io/gitea/services/auth/source/saml"
 	"code.gitea.io/gitea/tests"
@@ -30,7 +31,7 @@ func TestSAMLRegistration(t *testing.T) {
 
 	samlURL := "localhost:8080"
 
-	if os.Getenv("CI") == "" {
+	if os.Getenv("CI") == "" || !setting.Database.Type.IsPostgreSQL() {
 		// Make it possible to run tests against a local simplesaml instance
 		samlURL = os.Getenv("TEST_SIMPLESAML_URL")
 		if samlURL == "" {

From 04d5b13f0e4da199db2aa36a1024ae739c3dcddc Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Fri, 1 Dec 2023 11:51:17 -0500
Subject: [PATCH 54/84] whitespace fix

---
 templates/admin/auth/source/saml.tmpl | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/templates/admin/auth/source/saml.tmpl b/templates/admin/auth/source/saml.tmpl
index d3401c7447daa..cf34f2461c7a6 100644
--- a/templates/admin/auth/source/saml.tmpl
+++ b/templates/admin/auth/source/saml.tmpl
@@ -15,49 +15,49 @@
 	</div>
 
 	<div class="field">
-		<label for="identity_provider_metadata_url">{{ctx.Locale.Tr  "admin.auths.saml_identity_provider_metadata_url"}}</label>
+		<label for="identity_provider_metadata_url">{{ctx.Locale.Tr "admin.auths.saml_identity_provider_metadata_url"}}</label>
 		<input id="identity_provider_metadata_url" name="identity_provider_metadata_url" value="{{.IdentityProviderMetadataURL}}">
 	</div>
 	<div class="field">
-		<label for="identity_provider_metadata">{{ctx.Locale.Tr  "admin.auths.saml_identity_provider_metadata"}}</label>
+		<label for="identity_provider_metadata">{{ctx.Locale.Tr "admin.auths.saml_identity_provider_metadata"}}</label>
 		<textarea rows=2 id="identity_provider_metadata" name="identity_provider_metadata" value="{{.IdentityProviderMetadata}}"></textarea>
 	</div>
 
 	<div class="inline field">
 		<div class="ui checkbox">
-			<label><strong>{{ctx.Locale.Tr  "admin.auths.saml_insecure_skip_assertion_signature_validation"}}</strong></label>
+			<label><strong>{{ctx.Locale.Tr "admin.auths.saml_insecure_skip_assertion_signature_validation"}}</strong></label>
 			<input name="insecure_skip_assertion_signature_validation" type="checkbox" {{if .InsecureSkipAssertionSignatureValidation}}checked{{end}}>
 		</div>
 	</div>
 
 	<div class=" field">
-		<label for="service_provider_certificate">{{ctx.Locale.Tr  "admin.auths.saml_service_provider_certificate"}}</label>
+		<label for="service_provider_certificate">{{ctx.Locale.Tr "admin.auths.saml_service_provider_certificate"}}</label>
 		<textarea rows=2 id="service_provider_certificate" name="service_provider_certificate" value="{{.ServiceProviderCertificate}}"></textarea>
 	</div>
 	<div class=" field">
-		<label for="service_provider_private_key">{{ctx.Locale.Tr  "admin.auths.saml_service_provider_private_key"}}</label>
+		<label for="service_provider_private_key">{{ctx.Locale.Tr "admin.auths.saml_service_provider_private_key"}}</label>
 		<textarea rows=2 id="service_provider_private_key" name="service_provider_private_key" value="{{.ServiceProviderPrivateKey}}"></textarea>
 	</div>
 
 	<div class="inline field">
 		<div class="ui checkbox">
-			<label><strong>{{ctx.Locale.Tr  "admin.auths.saml_sign_requests"}}</strong></label>
+			<label><strong>{{ctx.Locale.Tr "admin.auths.saml_sign_requests"}}</strong></label>
 			<input name="sign_requests" type="checkbox" {{if .SignRequests}}checked{{end}}>
 		</div>
 	</div>
 
 	<div class="field">
-		<label for="email_assertion_key">{{ctx.Locale.Tr  "admin.auths.saml_identity_provider_email_assertion_key"}}</label>
+		<label for="email_assertion_key">{{ctx.Locale.Tr "admin.auths.saml_identity_provider_email_assertion_key"}}</label>
 		<input id="email_assertion_key" name="email_assertion_key" value="{{if not .EmailAssertionKey}}http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress{{else}}{{.EmailAssertionKey}}{{end}}">
 	</div>
 
 	<div class="field">
-		<label for="name_assertion_key">{{ctx.Locale.Tr  "admin.auths.saml_identity_provider_name_assertion_key"}}</label>
+		<label for="name_assertion_key">{{ctx.Locale.Tr "admin.auths.saml_identity_provider_name_assertion_key"}}</label>
 		<input id="name_assertion_key" name="name_assertion_key" value="{{if not .NameAssertionKey}}http://schemas.xmlsoap.org/claims/CommonName{{else}}{{.NameAssertionKey}}{{end}}">
 	</div>
 
 	<div class="field">
-		<label for="username_assertion_key">{{ctx.Locale.Tr  "admin.auths.saml_identity_provider_username_assertion_key"}}</label>
+		<label for="username_assertion_key">{{ctx.Locale.Tr "admin.auths.saml_identity_provider_username_assertion_key"}}</label>
 		<input id="username_assertion_key" name="username_assertion_key" value="{{if not .UsernameAssertionKey}}http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name{{else}}{{.UsernameAssertionKey}}{{end}}">
 	</div>
 

From 2ff56a8a8516a0d89bd1f2e039b4fcc261af3874 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Fri, 1 Dec 2023 12:05:03 -0500
Subject: [PATCH 55/84] fix md formatting

---
 docs/content/usage/authentication.en-us.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/docs/content/usage/authentication.en-us.md b/docs/content/usage/authentication.en-us.md
index 0ed149d0d2f86..25e8496fe0890 100644
--- a/docs/content/usage/authentication.en-us.md
+++ b/docs/content/usage/authentication.en-us.md
@@ -350,7 +350,6 @@ You can also limit the reverse proxy's IP address range with `REVERSE_PROXY_TRUS
 
 Notice: Reverse Proxy Auth doesn't support the API. You still need an access token or basic auth to make API requests.
 
-
 ## SAML
 
 ### Configuring Gitea as a SAML 2.0 Service Provider

From 156bc28457cd84889fe5d379ff911cae6f5c489b Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Wed, 6 Dec 2023 10:20:55 -0500
Subject: [PATCH 56/84] reorganize docs

---
 docs/content/usage/authentication.en-us.md | 60 ++++++++++++++++++----
 1 file changed, 50 insertions(+), 10 deletions(-)

diff --git a/docs/content/usage/authentication.en-us.md b/docs/content/usage/authentication.en-us.md
index 25e8496fe0890..bd1da43fe8f93 100644
--- a/docs/content/usage/authentication.en-us.md
+++ b/docs/content/usage/authentication.en-us.md
@@ -354,16 +354,56 @@ Notice: Reverse Proxy Auth doesn't support the API. You still need an access tok
 
 ### Configuring Gitea as a SAML 2.0 Service Provider
 
-- Navigate to `Site Administration > Identity & Access > Authentication Sources`
-- Click the `Add Authentication Source` button
-- Select `SAML` as the authentication type and specify an authentication source name in `Authentication Name`.
-- The `SAML NameID Format` dropdown specifies how Identity Provider (IdP) users are mapped to Gitea users. This option will be provider specific.
-- The `[Insecure] Skip Assertion Signature Validation` option is not recommended and disables integrity verification of IdP SAML assertions.
-- Either `Identity Provider Metadata URL` or `Identity Provider Metadata XML` must be specified.
-  - Specifically, `Identity Provider Metadata XML` should be the XML metadata returned by the IdP metadata endpoint. This may be omitted if the endpoint url is recorded in `Identity Provider Metadata URL`.
-- You should generate an X.509-formatted certificate and DSA/RSA private key for signing SAML requests. These are specified in `Service Provider Certificate` and `Service Provider Private Key` respectively.
-- The checkbox `Sign SAML Requests` should be enabled if a certificate and private key are provided.
-- `Email Assertion Key` (email), `Name Assertion Key` (nickname), and `Username Assertion Key` (username) specify how IdP user attributes are mapped to Gitea user attributes. These will be provider specific (or configurable).
+- Navigate to `Site Administration > Identity & Access > Authentication Sources`.
+- Click the `Add Authentication Source` button.
+- Select `SAML` as the authentication type.
+
+#### Settings
+
+- `Authentication Name` **(required)**
+
+  - The name of this authentication source (appears in the Gitea ACS and metadata URLs)
+
+- `SAML NameID Format` **(required)**
+
+  - This specifies how Identity Provider (IdP) users are mapped to Gitea users. This option will be provider specific.
+
+- `[Insecure] Skip Assertion Signature Validation` (optional)
+
+  - This option is not recommended and disables integrity verification of IdP SAML assertions.
+
+- `Identity Provider Metadata URL` (optional if XML set)
+
+  - The URL of the IdP metadata endpoint.
+
+- `Identity Provider Metadata XML` (optional if URL set)
+
+  - The XML returned by the IdP metadata endpoint.
+
+- `Service Provider Certificate` (optional)
+
+  - X.509-formatted certificate (with `Service Provider Private Key`) used for signing SAML requests.
+
+- `Service Provider Private Key` (optional)
+
+  - DSA/RSA private key (with `Service Provider Certificate`) used for signing SAML requests.
+
+- `Sign SAML Requests` (optional)
+
+  - Sign requests made to the SAML IdP
+
+- `Email Assertion Key` (optional)
+
+  - The SAML assertion key used for the IdP user's email (depends on provider configuration).
+
+- `Name Assertion Key` (optional)
+
+  - The SAML assertion key used for the IdP user's nickname (depends on provider configuration).
+
+- `Username Assertion Key` (optional)
+
+  - The SAML assertion key used for the IdP user's username (depends on provider configuration).
+
 
 ### Configuring a SAML 2.0 Identity Provider to use Gitea
 

From 37322f91261c30aab5319468f21f42c43cd2df78 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Thu, 7 Dec 2023 13:42:34 -0500
Subject: [PATCH 57/84] fix templates for edit page

---
 templates/admin/auth/edit.tmpl | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
index 2a8bf3148ec37..98fb3876d7337 100644
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -371,7 +371,7 @@
 				{{if .Source.IsSAML}}
 					{{$cfg:=.Source.Cfg}}
 					<div class="inline required field">
-						<label>{{.locale.Tr "admin.auths.saml_nameidformat"}}</label>
+						<label>{{ctx.Locale.Tr "admin.auths.saml_nameidformat"}}</label>
 						<div class="ui selection type dropdown">
 							<input type="hidden" id="name_id_format" name="name_id_format" value="{{$cfg.NameIDFormat}}">
 							<div class="text">{{.CurrentNameIDFormat}}</div>
@@ -385,49 +385,49 @@
 					</div>
 
 					<div class="field">
-						<label for="identity_provider_metadata_url">{{.locale.Tr "admin.auths.saml_identity_provider_metadata_url"}}</label>
+						<label for="identity_provider_metadata_url">{{ctx.Locale.Tr "admin.auths.saml_identity_provider_metadata_url"}}</label>
 						<input id="identity_provider_metadata_url" name="identity_provider_metadata_url" value="{{$cfg.IdentityProviderMetadataURL}}">
 					</div>
 					<div class="field">
-						<label for="identity_provider_metadata">{{.locale.Tr "admin.auths.saml_identity_provider_metadata"}}</label>
+						<label for="identity_provider_metadata">{{ctx.Locale.Tr "admin.auths.saml_identity_provider_metadata"}}</label>
 						<textarea rows=2 id="identity_provider_metadata" name="identity_provider_metadata">{{$cfg.IdentityProviderMetadata}}</textarea>
 					</div>
 
 					<div class="inline field">
 						<div class="ui checkbox">
-							<label><strong>{{.locale.Tr "admin.auths.saml_insecure_skip_assertion_signature_validation"}}</strong></label>
+							<label><strong>{{ctx.Locale.Tr "admin.auths.saml_insecure_skip_assertion_signature_validation"}}</strong></label>
 							<input name="insecure_skip_assertion_signature_validation" type="checkbox" {{if $cfg.InsecureSkipAssertionSignatureValidation}}checked{{end}}>
 						</div>
 					</div>
 
 					<div class=" field">
-						<label for="service_provider_certificate">{{.locale.Tr "admin.auths.saml_service_provider_certificate"}}</label>
+						<label for="service_provider_certificate">{{ctx.Locale.Tr "admin.auths.saml_service_provider_certificate"}}</label>
 						<textarea rows=2 id="service_provider_certificate" name="service_provider_certificate">{{$cfg.ServiceProviderCertificate}}</textarea>
 					</div>
 					<div class=" field">
-						<label for="service_provider_private_key">{{.locale.Tr "admin.auths.saml_service_provider_private_key"}}</label>
+						<label for="service_provider_private_key">{{ctx.Locale.Tr "admin.auths.saml_service_provider_private_key"}}</label>
 						<textarea rows=2 id="service_provider_private_key" name="service_provider_private_key">{{$cfg.ServiceProviderPrivateKey}}</textarea>
 					</div>
 
 					<div class="inline field">
 						<div class="ui checkbox">
-							<label><strong>{{.locale.Tr "admin.auths.saml_sign_requests"}}</strong></label>
+							<label><strong>{{ctx.Locale.Tr "admin.auths.saml_sign_requests"}}</strong></label>
 							<input name="sign_requests" type="checkbox" {{if $cfg.SignRequests}}checked{{end}}>
 						</div>
 					</div>
 
 					<div class="field">
-						<label for="email_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_email_assertion_key"}}</label>
+						<label for="email_assertion_key">{{ctx.Locale.Tr "admin.auths.saml_identity_provider_email_assertion_key"}}</label>
 						<input id="email_assertion_key" name="email_assertion_key" value="{{if not $cfg.EmailAssertionKey}}http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress{{else}}{{$cfg.EmailAssertionKey}}{{end}}">
 					</div>
 
 					<div class="field">
-						<label for="name_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_name_assertion_key"}}</label>
+						<label for="name_assertion_key">{{ctx.Locale.Tr "admin.auths.saml_identity_provider_name_assertion_key"}}</label>
 						<input id="name_assertion_key" name="name_assertion_key" value="{{if not $cfg.NameAssertionKey}}http://schemas.xmlsoap.org/claims/CommonName{{else}}{{$cfg.NameAssertionKey}}{{end}}">
 					</div>
 
 					<div class="field">
-						<label for="username_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_username_assertion_key"}}</label>
+						<label for="username_assertion_key">{{ctx.Locale.Tr "admin.auths.saml_identity_provider_username_assertion_key"}}</label>
 						<input id="username_assertion_key" name="username_assertion_key" value="{{if not $cfg.UsernameAssertionKey}}http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name{{else}}{{$cfg.UsernameAssertionKey}}{{end}}">
 					</div>
 				{{end}}

From acd00f8d9dfb33d70b5081259d460ceffe43fd77 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Thu, 7 Dec 2023 15:33:33 -0500
Subject: [PATCH 58/84] documentation, improvements, clean up form and
 validation

---
 docs/content/usage/authentication.en-us.md |  8 ++++----
 options/locale/locale_en-US.ini            |  5 ++++-
 routers/web/admin/auths.go                 | 17 ++++++-----------
 services/auth/source/saml/source.go        |  5 ++---
 services/forms/auth_form.go                |  1 -
 templates/admin/auth/edit.tmpl             | 10 +++-------
 templates/admin/auth/new.tmpl              |  3 +++
 templates/admin/auth/source/saml.tmpl      | 11 ++---------
 tests/integration/saml_test.go             |  1 -
 9 files changed, 24 insertions(+), 37 deletions(-)

diff --git a/docs/content/usage/authentication.en-us.md b/docs/content/usage/authentication.en-us.md
index bd1da43fe8f93..68db24548c256 100644
--- a/docs/content/usage/authentication.en-us.md
+++ b/docs/content/usage/authentication.en-us.md
@@ -375,22 +375,22 @@ Notice: Reverse Proxy Auth doesn't support the API. You still need an access tok
 - `Identity Provider Metadata URL` (optional if XML set)
 
   - The URL of the IdP metadata endpoint.
+  - This field must be set if `Identity Provider Metadata XML` is left blank.
 
 - `Identity Provider Metadata XML` (optional if URL set)
 
   - The XML returned by the IdP metadata endpoint.
+  - This field must be set if `Identity Provider Metadata URL` is left blank.
 
 - `Service Provider Certificate` (optional)
 
   - X.509-formatted certificate (with `Service Provider Private Key`) used for signing SAML requests.
+  - A certificate will be generated if this field is left blank.
 
 - `Service Provider Private Key` (optional)
 
   - DSA/RSA private key (with `Service Provider Certificate`) used for signing SAML requests.
-
-- `Sign SAML Requests` (optional)
-
-  - Sign requests made to the SAML IdP
+  - A private key will be generated if this field is left blank.
 
 - `Email Assertion Key` (optional)
 
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 8981505132203..8e43d3b871ca9 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -520,6 +520,9 @@ Content = Content
 SSPISeparatorReplacement = Separator
 SSPIDefaultLanguage = Default Language
 
+SAMLMetadata = Either SAML Identity Provider metadata URL or XML
+SAMLMetadataURL = SAML Identity Provider metadata URL is invalid
+
 require_error = ` cannot be empty.`
 alpha_dash_error = ` should contain only alphanumeric, dash ('-') and underscore ('_') characters.`
 alpha_dash_dot_error = ` should contain only alphanumeric, dash ('-'), underscore ('_') and dot ('.') characters.`
@@ -2995,11 +2998,11 @@ auths.saml_identity_provider_metadata = Identity Provider Metadata XML
 auths.saml_insecure_skip_assertion_signature_validation = [Insecure] Skip Assertion Signature Validation
 auths.saml_service_provider_certificate = Service Provider Certificate
 auths.saml_service_provider_private_key = Service Provider Private Key
-auths.saml_sign_requests = Sign SAML Requests
 auths.saml_identity_provider_email_assertion_key = Email Assertion Key
 auths.saml_identity_provider_name_assertion_key = Name Assertion Key
 auths.saml_identity_provider_username_assertion_key = Username Assertion Key
 auths.tips = Tips
+auths.tips.saml = Documentation can be found at https://docs.gitea.com/usage/authentication#saml
 auths.tips.oauth2.general = OAuth2 Authentication
 auths.tips.oauth2.general.tip = When registering a new OAuth2 authentication, the callback/redirect URL should be:
 auths.tip.oauth2_provider = OAuth2 Provider
diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go
index 692533fc039f3..dfbb63d00f094 100644
--- a/routers/web/admin/auths.go
+++ b/routers/web/admin/auths.go
@@ -249,23 +249,18 @@ func parseSSPIConfig(ctx *context.Context, form forms.AuthenticationForm) (*sspi
 }
 
 func parseSAMLConfig(ctx *context.Context, form forms.AuthenticationForm) (*saml.Source, error) {
-	if util.IsEmptyString(form.ServiceProviderCertificate) {
-		ctx.Data["Err_SSPISeparatorReplacement"] = true
-		return nil, errors.New(ctx.Tr("form.require_error"))
-	}
-	if util.IsEmptyString(form.ServiceProviderPrivateKey) {
-		ctx.Data["Err_SSPISeparatorReplacement"] = true
-		return nil, errors.New(ctx.Tr("form.require_error"))
-	}
 	if util.IsEmptyString(form.IdentityProviderMetadata) && util.IsEmptyString(form.IdentityProviderMetadataURL) {
-		return nil, fmt.Errorf("Identity Provider Metadata needed (either raw XML or URL)")
+		return nil, errors.New(ctx.Tr("form.SAMLMetadata") + ctx.Tr("form.require_error"))
 	}
+
 	if !util.IsEmptyString(form.IdentityProviderMetadataURL) {
 		_, err := url.Parse(form.IdentityProviderMetadataURL)
 		if err != nil {
-			return nil, fmt.Errorf("Identity Provider Metadata URL is an invalid URL")
+			return nil, errors.New(ctx.Tr("form.SAMLMetadataURL"))
 		}
 	}
+
+	// check the integrity of the certificate and private key (autogenerated if these form fields are blank)
 	if !util.IsEmptyString(form.ServiceProviderCertificate) && !util.IsEmptyString(form.ServiceProviderPrivateKey) {
 		keyPair, err := tls.X509KeyPair([]byte(form.ServiceProviderCertificate), []byte(form.ServiceProviderPrivateKey))
 		if err != nil {
@@ -276,6 +271,7 @@ func parseSAMLConfig(ctx *context.Context, form forms.AuthenticationForm) (*saml
 			return nil, err
 		}
 	}
+
 	return &saml.Source{
 		IdentityProviderMetadata:                 form.IdentityProviderMetadata,
 		IdentityProviderMetadataURL:              form.IdentityProviderMetadataURL,
@@ -283,7 +279,6 @@ func parseSAMLConfig(ctx *context.Context, form forms.AuthenticationForm) (*saml
 		NameIDFormat:                             saml.NameIDFormat(form.NameIDFormat),
 		ServiceProviderCertificate:               form.ServiceProviderCertificate,
 		ServiceProviderPrivateKey:                form.ServiceProviderPrivateKey,
-		SignRequests:                             form.SignRequests,
 		EmailAssertionKey:                        form.EmailAssertionKey,
 		NameAssertionKey:                         form.NameAssertionKey,
 		UsernameAssertionKey:                     form.UsernameAssertionKey,
diff --git a/services/auth/source/saml/source.go b/services/auth/source/saml/source.go
index 6a1c4088f61d8..3388abd80efa1 100644
--- a/services/auth/source/saml/source.go
+++ b/services/auth/source/saml/source.go
@@ -27,7 +27,7 @@ import (
 // /   _____/  /  _  \    /     \ |    |
 // \_____  \  /  /_\  \  /  \ /  \|    |
 // /        \/    |    \/    Y    \    |___
-///_______  /\____|__  /\____|__  /_______ \
+// /_______  /\____|__  /\____|__  /_______ \
 //        \/         \/         \/        \/
 
 // Source holds configuration for the SAML login source.
@@ -46,8 +46,6 @@ type Source struct {
 	ServiceProviderIssuer string
 	// ServiceProviderPrivateKey description: The SAML Service Provider private key in PKCS#8 encoding (begins with "-----BEGIN PRIVATE KEY-----"). This private key is used to sign AuthnRequests and LogoutRequests. It corresponds to the Service Provider's certificate (`serviceProviderCertificate`). To escape the value into a JSON string, you may want to use a tool like https://json-escape-text.now.sh.
 	ServiceProviderPrivateKey string
-	// SignRequests description: Sign AuthnRequests and LogoutRequests sent to the Identity Provider using the Service Provider's private key (`serviceProviderPrivateKey`). It defaults to true if the `serviceProviderPrivateKey` and `serviceProviderCertificate` are set, and false otherwise.
-	SignRequests bool
 
 	CallbackURL string
 
@@ -134,6 +132,7 @@ func (source *Source) initSAMLSp() error {
 		SkipSignatureValidation:     source.InsecureSkipAssertionSignatureValidation,
 		NameIdFormat:                source.NameIDFormat.String(),
 		IDPCertificateStore:         &certStore,
+		SignAuthnRequests:           true,
 		SPKeyStore:                  keyStore,
 		ServiceProviderIssuer:       setting.AppURL + "user/saml/" + url.PathEscape(source.authSource.Name) + "/metadata",
 	}
diff --git a/services/forms/auth_form.go b/services/forms/auth_form.go
index 1d00e93a99764..f56789b81dbf0 100644
--- a/services/forms/auth_form.go
+++ b/services/forms/auth_form.go
@@ -91,7 +91,6 @@ type AuthenticationForm struct {
 	InsecureSkipAssertionSignatureValidation bool
 	ServiceProviderCertificate               string
 	ServiceProviderPrivateKey                string
-	SignRequests                             bool
 	EmailAssertionKey                        string
 	NameAssertionKey                         string
 	UsernameAssertionKey                     string
diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
index 98fb3876d7337..b39765d893fdc 100644
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -409,13 +409,6 @@
 						<textarea rows=2 id="service_provider_private_key" name="service_provider_private_key">{{$cfg.ServiceProviderPrivateKey}}</textarea>
 					</div>
 
-					<div class="inline field">
-						<div class="ui checkbox">
-							<label><strong>{{ctx.Locale.Tr "admin.auths.saml_sign_requests"}}</strong></label>
-							<input name="sign_requests" type="checkbox" {{if $cfg.SignRequests}}checked{{end}}>
-						</div>
-					</div>
-
 					<div class="field">
 						<label for="email_assertion_key">{{ctx.Locale.Tr "admin.auths.saml_identity_provider_email_assertion_key"}}</label>
 						<input id="email_assertion_key" name="email_assertion_key" value="{{if not $cfg.EmailAssertionKey}}http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress{{else}}{{$cfg.EmailAssertionKey}}{{end}}">
@@ -506,6 +499,9 @@
 			<h5>GMail Settings:</h5>
 			<p>Host: smtp.gmail.com, Port: 587, Enable TLS Encryption: true</p>
 
+			<h5>SAML Settings:</h5>
+			<p>{{ctx.Locale.Tr "admin.auths.tips.saml"}}</p>
+
 			<h5 class="oauth2">{{ctx.Locale.Tr "admin.auths.tips.oauth2.general"}}:</h5>
 			<p class="oauth2">{{ctx.Locale.Tr "admin.auths.tips.oauth2.general.tip"}} <b id="oauth2-callback-url"></b></p>
 		</div>
diff --git a/templates/admin/auth/new.tmpl b/templates/admin/auth/new.tmpl
index 53ba30df7d8b8..665b0e30863e3 100644
--- a/templates/admin/auth/new.tmpl
+++ b/templates/admin/auth/new.tmpl
@@ -88,6 +88,9 @@
 			<h5>GMail Settings:</h5>
 			<p>Host: smtp.gmail.com, Port: 587, Enable TLS Encryption: true</p>
 
+			<h5>SAML Settings:</h5>
+			<p>{{ctx.Locale.Tr "admin.auths.tips.saml"}}</p>
+
 			<h5 class="oauth2">{{ctx.Locale.Tr "admin.auths.tips.oauth2.general"}}:</h5>
 			<p class="oauth2">{{ctx.Locale.Tr "admin.auths.tips.oauth2.general.tip"}} <b id="oauth2-callback-url"></b></p>
 
diff --git a/templates/admin/auth/source/saml.tmpl b/templates/admin/auth/source/saml.tmpl
index cf34f2461c7a6..3e1e6b5189c36 100644
--- a/templates/admin/auth/source/saml.tmpl
+++ b/templates/admin/auth/source/saml.tmpl
@@ -30,22 +30,15 @@
 		</div>
 	</div>
 
-	<div class=" field">
+	<div class="field">
 		<label for="service_provider_certificate">{{ctx.Locale.Tr "admin.auths.saml_service_provider_certificate"}}</label>
 		<textarea rows=2 id="service_provider_certificate" name="service_provider_certificate" value="{{.ServiceProviderCertificate}}"></textarea>
 	</div>
-	<div class=" field">
+	<div class="field">
 		<label for="service_provider_private_key">{{ctx.Locale.Tr "admin.auths.saml_service_provider_private_key"}}</label>
 		<textarea rows=2 id="service_provider_private_key" name="service_provider_private_key" value="{{.ServiceProviderPrivateKey}}"></textarea>
 	</div>
 
-	<div class="inline field">
-		<div class="ui checkbox">
-			<label><strong>{{ctx.Locale.Tr "admin.auths.saml_sign_requests"}}</strong></label>
-			<input name="sign_requests" type="checkbox" {{if .SignRequests}}checked{{end}}>
-		</div>
-	</div>
-
 	<div class="field">
 		<label for="email_assertion_key">{{ctx.Locale.Tr "admin.auths.saml_identity_provider_email_assertion_key"}}</label>
 		<input id="email_assertion_key" name="email_assertion_key" value="{{if not .EmailAssertionKey}}http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress{{else}}{{.EmailAssertionKey}}{{end}}">
diff --git a/tests/integration/saml_test.go b/tests/integration/saml_test.go
index 28916bb21ff0f..4871a6c6cfb25 100644
--- a/tests/integration/saml_test.go
+++ b/tests/integration/saml_test.go
@@ -52,7 +52,6 @@ func TestSAMLRegistration(t *testing.T) {
 			NameIDFormat:                             4,
 			ServiceProviderCertificate:               "",
 			ServiceProviderPrivateKey:                "",
-			SignRequests:                             false,
 			EmailAssertionKey:                        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
 			NameAssertionKey:                         "http://schemas.xmlsoap.org/claims/CommonName",
 			UsernameAssertionKey:                     "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",

From c89b2170bf98467c57465075b78abea91dee4618 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Thu, 7 Dec 2023 15:36:32 -0500
Subject: [PATCH 59/84] fix formatting

---
 services/auth/source/saml/source.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/auth/source/saml/source.go b/services/auth/source/saml/source.go
index 3388abd80efa1..7b23c2155d64c 100644
--- a/services/auth/source/saml/source.go
+++ b/services/auth/source/saml/source.go
@@ -27,7 +27,7 @@ import (
 // /   _____/  /  _  \    /     \ |    |
 // \_____  \  /  /_\  \  /  \ /  \|    |
 // /        \/    |    \/    Y    \    |___
-// /_______  /\____|__  /\____|__  /_______ \
+///_______  /\____|__  /\____|__  /_______ \
 //        \/         \/         \/        \/
 
 // Source holds configuration for the SAML login source.

From 271e042e0d01bb98d6a9ebe34cd824665bfc73ad Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Thu, 7 Dec 2023 15:38:54 -0500
Subject: [PATCH 60/84] markdown linting fix

---
 docs/content/usage/authentication.en-us.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/docs/content/usage/authentication.en-us.md b/docs/content/usage/authentication.en-us.md
index 68db24548c256..0b6ed5fb96f5d 100644
--- a/docs/content/usage/authentication.en-us.md
+++ b/docs/content/usage/authentication.en-us.md
@@ -404,7 +404,6 @@ Notice: Reverse Proxy Auth doesn't support the API. You still need an access tok
 
   - The SAML assertion key used for the IdP user's username (depends on provider configuration).
 
-
 ### Configuring a SAML 2.0 Identity Provider to use Gitea
 
 - The service provider assertion consumer service url will look like: `http(s)://[mydomain]/user/saml/[Authentication Name]/acs`.

From 9909373e0ea919b92c85f6618b7b71b14eb65195 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Fri, 8 Dec 2023 11:20:42 -0500
Subject: [PATCH 61/84] omit cert, private key in test

---
 routers/web/admin/auths.go          |  8 +++++
 services/auth/source/saml/source.go | 50 +++++++++++++++++++++++++++--
 tests/integration/saml_test.go      | 13 +++++++-
 3 files changed, 67 insertions(+), 4 deletions(-)

diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go
index dfbb63d00f094..558a7b2d0f534 100644
--- a/routers/web/admin/auths.go
+++ b/routers/web/admin/auths.go
@@ -270,6 +270,14 @@ func parseSAMLConfig(ctx *context.Context, form forms.AuthenticationForm) (*saml
 		if err != nil {
 			return nil, err
 		}
+	} else {
+		privateKey, cert, err := saml.GenerateSAMLSPKeypair()
+		if err != nil {
+			return nil, err
+		}
+
+		form.ServiceProviderPrivateKey = privateKey
+		form.ServiceProviderCertificate = cert
 	}
 
 	return &saml.Source{
diff --git a/services/auth/source/saml/source.go b/services/auth/source/saml/source.go
index 7b23c2155d64c..077ed018cce73 100644
--- a/services/auth/source/saml/source.go
+++ b/services/auth/source/saml/source.go
@@ -5,13 +5,18 @@ package saml
 
 import (
 	"context"
+	"crypto/rand"
+	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
+	"encoding/pem"
 	"encoding/xml"
 	"errors"
 	"fmt"
+	"math/big"
 	"net/url"
+	"time"
 
 	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/modules/json"
@@ -62,6 +67,47 @@ type Source struct {
 	samlSP *saml2.SAMLServiceProvider
 }
 
+func GenerateSAMLSPKeypair() (string, string, error) {
+	key, err := rsa.GenerateKey(rand.Reader, 1024)
+	if err != nil {
+		return "", "", err
+	}
+
+	keyBytes := x509.MarshalPKCS1PrivateKey(key)
+	keyPem := pem.EncodeToMemory(
+		&pem.Block{
+			Type:  "RSA PRIVATE KEY",
+			Bytes: keyBytes,
+		},
+	)
+
+	now := time.Now()
+
+	template := &x509.Certificate{
+		SerialNumber: big.NewInt(0),
+		NotBefore:    now.Add(-5 * time.Minute),
+		NotAfter:     now.Add(365 * 24 * time.Hour),
+
+		KeyUsage:              x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{},
+		BasicConstraintsValid: true,
+	}
+
+	certificate, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
+	if err != nil {
+		return "", "", err
+	}
+
+	certPem := pem.EncodeToMemory(
+		&pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: certificate,
+		},
+	)
+
+	return string(keyPem), string(certPem), nil
+}
+
 func (source *Source) initSAMLSp() error {
 	source.CallbackURL = setting.AppURL + "user/saml/" + url.PathEscape(source.authSource.Name) + "/acs"
 
@@ -120,8 +166,6 @@ func (source *Source) initSAMLSp() error {
 			return err
 		}
 		keyStore = dsig.TLSCertKeyStore(keyPair)
-	} else {
-		keyStore = dsig.RandomKeyStoreForTest()
 	}
 
 	source.samlSP = &saml2.SAMLServiceProvider{
@@ -132,7 +176,7 @@ func (source *Source) initSAMLSp() error {
 		SkipSignatureValidation:     source.InsecureSkipAssertionSignatureValidation,
 		NameIdFormat:                source.NameIDFormat.String(),
 		IDPCertificateStore:         &certStore,
-		SignAuthnRequests:           true,
+		SignAuthnRequests:           source.ServiceProviderCertificate != "" && source.ServiceProviderPrivateKey != "",
 		SPKeyStore:                  keyStore,
 		ServiceProviderIssuer:       setting.AppURL + "user/saml/" + url.PathEscape(source.authSource.Name) + "/metadata",
 	}
diff --git a/tests/integration/saml_test.go b/tests/integration/saml_test.go
index 4871a6c6cfb25..4bcbb5ec9cdeb 100644
--- a/tests/integration/saml_test.go
+++ b/tests/integration/saml_test.go
@@ -4,6 +4,8 @@
 package integration
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"io"
 	"net/http"
@@ -40,6 +42,15 @@ func TestSAMLRegistration(t *testing.T) {
 		}
 	}
 
+	privateKey, cert, err := saml.GenerateSAMLSPKeypair()
+	assert.NoError(t, err)
+
+	// verify that the keypair can be parsed
+	keyPair, err := tls.X509KeyPair([]byte(cert), []byte(privateKey))
+	assert.NoError(t, err)
+	keyPair.Leaf, err = x509.ParseCertificate(keyPair.Certificate[0])
+	assert.NoError(t, err)
+
 	assert.NoError(t, auth.CreateSource(db.DefaultContext, &auth.Source{
 		Type:          auth.SAML,
 		Name:          "test-sp",
@@ -50,7 +61,7 @@ func TestSAMLRegistration(t *testing.T) {
 			IdentityProviderMetadataURL:              fmt.Sprintf("http://%s/simplesaml/saml2/idp/metadata.php", samlURL),
 			InsecureSkipAssertionSignatureValidation: false,
 			NameIDFormat:                             4,
-			ServiceProviderCertificate:               "",
+			ServiceProviderCertificate:               "", // SimpleSAMLPhp requires that the SP certificate be specified in the server configuration rather than SP metadata
 			ServiceProviderPrivateKey:                "",
 			EmailAssertionKey:                        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
 			NameAssertionKey:                         "http://schemas.xmlsoap.org/claims/CommonName",

From 5b2acda670a590343e4d9c5642fe1e4a31047a51 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Tue, 12 Dec 2023 15:17:01 -0500
Subject: [PATCH 62/84] add optional saml icon

---
 docs/content/usage/authentication.en-us.md |  4 ++
 options/locale/locale_en-US.ini            |  1 +
 routers/web/admin/auths.go                 |  1 +
 routers/web/auth/auth.go                   | 11 +++-
 services/auth/source/saml/providers.go     | 66 ++++++++++++++++++++++
 services/auth/source/saml/source.go        |  3 +-
 services/forms/auth_form.go                |  1 +
 templates/admin/auth/edit.tmpl             |  5 ++
 templates/admin/auth/source/saml.tmpl      |  5 ++
 templates/user/auth/signin_inner.tmpl      |  7 ++-
 tests/integration/saml_test.go             |  1 +
 11 files changed, 100 insertions(+), 5 deletions(-)

diff --git a/docs/content/usage/authentication.en-us.md b/docs/content/usage/authentication.en-us.md
index 0b6ed5fb96f5d..3715e1367a017 100644
--- a/docs/content/usage/authentication.en-us.md
+++ b/docs/content/usage/authentication.en-us.md
@@ -368,6 +368,10 @@ Notice: Reverse Proxy Auth doesn't support the API. You still need an access tok
 
   - This specifies how Identity Provider (IdP) users are mapped to Gitea users. This option will be provider specific.
 
+- `Icon URL` (optional)
+
+  - URL of an icon to display on the Sign-In page for this authentication source.
+
 - `[Insecure] Skip Assertion Signature Validation` (optional)
 
   - This option is not recommended and disables integrity verification of IdP SAML assertions.
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 8e43d3b871ca9..6e58dec7adcaa 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -3001,6 +3001,7 @@ auths.saml_service_provider_private_key = Service Provider Private Key
 auths.saml_identity_provider_email_assertion_key = Email Assertion Key
 auths.saml_identity_provider_name_assertion_key = Name Assertion Key
 auths.saml_identity_provider_username_assertion_key = Username Assertion Key
+auths.saml_icon_url = Icon URL
 auths.tips = Tips
 auths.tips.saml = Documentation can be found at https://docs.gitea.com/usage/authentication#saml
 auths.tips.oauth2.general = OAuth2 Authentication
diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go
index 558a7b2d0f534..bf4a2cde578a0 100644
--- a/routers/web/admin/auths.go
+++ b/routers/web/admin/auths.go
@@ -290,6 +290,7 @@ func parseSAMLConfig(ctx *context.Context, form forms.AuthenticationForm) (*saml
 		EmailAssertionKey:                        form.EmailAssertionKey,
 		NameAssertionKey:                         form.NameAssertionKey,
 		UsernameAssertionKey:                     form.UsernameAssertionKey,
+		IconURL:                                  form.SAMLIconURL,
 	}, nil
 }
 
diff --git a/routers/web/auth/auth.go b/routers/web/auth/auth.go
index 8296b69468163..91e87c7142e07 100644
--- a/routers/web/auth/auth.go
+++ b/routers/web/auth/auth.go
@@ -27,6 +27,7 @@ import (
 	"code.gitea.io/gitea/routers/utils"
 	auth_service "code.gitea.io/gitea/services/auth"
 	"code.gitea.io/gitea/services/auth/source/oauth2"
+	"code.gitea.io/gitea/services/auth/source/saml"
 	"code.gitea.io/gitea/services/externalaccount"
 	"code.gitea.io/gitea/services/forms"
 	"code.gitea.io/gitea/services/mailer"
@@ -167,7 +168,7 @@ func SignIn(ctx *context.Context) {
 	}
 	ctx.Data["OAuth2Providers"] = oauth2Providers
 
-	samlProviders, err := auth.GetActiveAuthProviderSources(ctx, auth.SAML)
+	samlProviders, err := saml.GetSAMLProviders(ctx, util.OptionalBoolTrue)
 	if err != nil {
 		ctx.ServerError("UserSignIn", err)
 		return
@@ -197,6 +198,14 @@ func SignInPost(ctx *context.Context) {
 		return
 	}
 	ctx.Data["OAuth2Providers"] = oauth2Providers
+
+	samlProviders, err := saml.GetSAMLProviders(ctx, util.OptionalBoolTrue)
+	if err != nil {
+		ctx.ServerError("UserSignIn", err)
+		return
+	}
+	ctx.Data["SAMLProviders"] = samlProviders
+
 	ctx.Data["Title"] = ctx.Tr("sign_in")
 	ctx.Data["SignInLink"] = setting.AppSubURL + "/user/login"
 	ctx.Data["PageIsSignIn"] = true
diff --git a/services/auth/source/saml/providers.go b/services/auth/source/saml/providers.go
index ff6f205f57977..1f5a7d67d7a77 100644
--- a/services/auth/source/saml/providers.go
+++ b/services/auth/source/saml/providers.go
@@ -6,11 +6,17 @@ package saml
 import (
 	"context"
 	"fmt"
+	"html"
+	"html/template"
 	"io"
 	"net/http"
+	"sort"
 	"time"
 
+	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/modules/httplib"
+	"code.gitea.io/gitea/modules/svg"
+	"code.gitea.io/gitea/modules/util"
 )
 
 // Providers is list of known/available providers.
@@ -18,6 +24,32 @@ type Providers map[string]Source
 
 var providers = Providers{}
 
+// Provider is an interface for describing a single SAML provider
+type Provider interface {
+	Name() string
+	IconHTML(size int) template.HTML
+}
+
+// AuthSourceProvider is a SAML provider
+type AuthSourceProvider struct {
+	sourceName, iconURL string
+}
+
+func (p *AuthSourceProvider) Name() string {
+	return p.sourceName
+}
+
+func (p *AuthSourceProvider) IconHTML(size int) template.HTML {
+	if p.iconURL != "" {
+		return template.HTML(fmt.Sprintf(`<img class="gt-object-contain gt-mr-3" width="%d" height="%d" src="%s" alt="%s">`,
+			size,
+			size,
+			html.EscapeString(p.iconURL), html.EscapeString(p.Name()),
+		))
+	}
+	return svg.RenderHTML("gitea-lock-cog", size, "gt-mr-3")
+}
+
 func readIdentityProviderMetadata(ctx context.Context, source *Source) ([]byte, error) {
 	if source.IdentityProviderMetadata != "" {
 		return []byte(source.IdentityProviderMetadata), nil
@@ -40,3 +72,37 @@ func readIdentityProviderMetadata(ctx context.Context, source *Source) ([]byte,
 	}
 	return data, nil
 }
+
+func createProviderFromSource(source *auth.Source) (Provider, error) {
+	samlCfg, ok := source.Cfg.(*Source)
+	if !ok {
+		return nil, fmt.Errorf("invalid SAML source config: %v", samlCfg)
+	}
+	return &AuthSourceProvider{sourceName: source.Name, iconURL: samlCfg.IconURL}, nil
+}
+
+// GetSAMLProviders returns the list of configured SAML providers
+func GetSAMLProviders(ctx context.Context, isActive util.OptionalBool) ([]Provider, error) {
+	authSources, err := auth.FindSources(ctx, auth.FindSourcesOptions{
+		IsActive:  isActive,
+		LoginType: auth.SAML,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	samlProviders := make([]Provider, 0, len(authSources))
+	for _, source := range authSources {
+		p, err := createProviderFromSource(source)
+		if err != nil {
+			return nil, err
+		}
+		samlProviders = append(samlProviders, p)
+	}
+
+	sort.Slice(samlProviders, func(i, j int) bool {
+		return samlProviders[i].Name() < samlProviders[j].Name()
+	})
+
+	return samlProviders, nil
+}
diff --git a/services/auth/source/saml/source.go b/services/auth/source/saml/source.go
index 077ed018cce73..1043b4f02a29e 100644
--- a/services/auth/source/saml/source.go
+++ b/services/auth/source/saml/source.go
@@ -32,7 +32,7 @@ import (
 // /   _____/  /  _  \    /     \ |    |
 // \_____  \  /  /_\  \  /  \ /  \|    |
 // /        \/    |    \/    Y    \    |___
-///_______  /\____|__  /\____|__  /_______ \
+// /_______  /\____|__  /\____|__  /_______ \
 //        \/         \/         \/        \/
 
 // Source holds configuration for the SAML login source.
@@ -53,6 +53,7 @@ type Source struct {
 	ServiceProviderPrivateKey string
 
 	CallbackURL string
+	IconURL     string
 
 	// EmailAssertionKey description: Assertion key for user.Email
 	EmailAssertionKey string
diff --git a/services/forms/auth_form.go b/services/forms/auth_form.go
index f56789b81dbf0..85be38b40312d 100644
--- a/services/forms/auth_form.go
+++ b/services/forms/auth_form.go
@@ -94,6 +94,7 @@ type AuthenticationForm struct {
 	EmailAssertionKey                        string
 	NameAssertionKey                         string
 	UsernameAssertionKey                     string
+	SAMLIconURL                              string
 }
 
 // Validate validates fields
diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
index b39765d893fdc..2182d011e9a36 100644
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -384,6 +384,11 @@
 						</div>
 					</div>
 
+					<div class="optional field">
+						<label for="saml_icon_url">{{ctx.Locale.Tr "admin.auths.saml_icon_url"}}</label>
+						<input id="saml_icon_url" name="saml_icon_url" value="{{$cfg.IconURL}}">
+					</div>
+
 					<div class="field">
 						<label for="identity_provider_metadata_url">{{ctx.Locale.Tr "admin.auths.saml_identity_provider_metadata_url"}}</label>
 						<input id="identity_provider_metadata_url" name="identity_provider_metadata_url" value="{{$cfg.IdentityProviderMetadataURL}}">
diff --git a/templates/admin/auth/source/saml.tmpl b/templates/admin/auth/source/saml.tmpl
index 3e1e6b5189c36..050e22ddcc3f0 100644
--- a/templates/admin/auth/source/saml.tmpl
+++ b/templates/admin/auth/source/saml.tmpl
@@ -14,6 +14,11 @@
 		</div>
 	</div>
 
+	<div class="optional field">
+		<label for="saml_icon_url">{{ctx.Locale.Tr "admin.auths.saml_icon_url"}}</label>
+		<input id="saml_icon_url" name="saml_icon_url" value="{{.SAMLIconURL}}">
+	</div>
+
 	<div class="field">
 		<label for="identity_provider_metadata_url">{{ctx.Locale.Tr "admin.auths.saml_identity_provider_metadata_url"}}</label>
 		<input id="identity_provider_metadata_url" name="identity_provider_metadata_url" value="{{.IdentityProviderMetadataURL}}">
diff --git a/templates/user/auth/signin_inner.tmpl b/templates/user/auth/signin_inner.tmpl
index e564c0b77858d..709310e64b032 100644
--- a/templates/user/auth/signin_inner.tmpl
+++ b/templates/user/auth/signin_inner.tmpl
@@ -76,9 +76,10 @@
 	<div id="saml-login-navigator" class="gt-py-2">
 		<div class="gt-df gt-fc gt-jc">
 			<div id="saml-login-navigator-inner" class="gt-df gt-fc gt-fw gt-ac gt-gap-3">
-				{{range .SAMLProviders}}
-					<a class="{{.Name}} ui button gt-df gt-ac gt-jc gt-py-3 saml-login-link" href="{{AppSubUrl}}/user/saml/{{.Name}}">
-						{{$.locale.Tr "sign_in_with_provider" .Name}}
+				{{range $provider := .SAMLProviders}}
+					<a class="{{$provider.Name}} ui button gt-df gt-ac gt-jc gt-py-3 saml-login-link" href="{{AppSubUrl}}/user/saml/{{$provider.Name}}">
+						{{.IconHTML 28}}
+						{{ctx.Locale.Tr "sign_in_with_provider" $provider.Name}}
 					</a>
 				{{end}}
 			</div>
diff --git a/tests/integration/saml_test.go b/tests/integration/saml_test.go
index 4bcbb5ec9cdeb..41b135ac664a1 100644
--- a/tests/integration/saml_test.go
+++ b/tests/integration/saml_test.go
@@ -66,6 +66,7 @@ func TestSAMLRegistration(t *testing.T) {
 			EmailAssertionKey:                        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
 			NameAssertionKey:                         "http://schemas.xmlsoap.org/claims/CommonName",
 			UsernameAssertionKey:                     "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
+			IconURL:                                  "",
 		},
 	}))
 

From e3555501ccfc8492a7c63407bb7322af954e2918 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Tue, 12 Dec 2023 15:25:20 -0500
Subject: [PATCH 63/84] formatting fix

---
 services/auth/source/saml/source.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/auth/source/saml/source.go b/services/auth/source/saml/source.go
index 1043b4f02a29e..1e9c2b0012d24 100644
--- a/services/auth/source/saml/source.go
+++ b/services/auth/source/saml/source.go
@@ -32,7 +32,7 @@ import (
 // /   _____/  /  _  \    /     \ |    |
 // \_____  \  /  /_\  \  /  \ /  \|    |
 // /        \/    |    \/    Y    \    |___
-// /_______  /\____|__  /\____|__  /_______ \
+///_______  /\____|__  /\____|__  /_______ \
 //        \/         \/         \/        \/
 
 // Source holds configuration for the SAML login source.

From f18b8d40e792d3e68905c3e3c7352f0d28ff04d7 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Fri, 22 Dec 2023 11:25:22 -0500
Subject: [PATCH 64/84] update FindSources to generic db.Find

---
 services/auth/source/saml/providers.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/services/auth/source/saml/providers.go b/services/auth/source/saml/providers.go
index 1f5a7d67d7a77..d0b36ff44d9e5 100644
--- a/services/auth/source/saml/providers.go
+++ b/services/auth/source/saml/providers.go
@@ -14,6 +14,7 @@ import (
 	"time"
 
 	"code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/httplib"
 	"code.gitea.io/gitea/modules/svg"
 	"code.gitea.io/gitea/modules/util"
@@ -83,7 +84,7 @@ func createProviderFromSource(source *auth.Source) (Provider, error) {
 
 // GetSAMLProviders returns the list of configured SAML providers
 func GetSAMLProviders(ctx context.Context, isActive util.OptionalBool) ([]Provider, error) {
-	authSources, err := auth.FindSources(ctx, auth.FindSourcesOptions{
+	authSources, err := db.Find[auth.Source](ctx, auth.FindSourcesOptions{
 		IsActive:  isActive,
 		LoginType: auth.SAML,
 	})

From 8b0cb4a25ffbd71b0f13e1310033e1f52d9b0d2f Mon Sep 17 00:00:00 2001
From: KN4CK3R <admin@oldschoolhack.me>
Date: Thu, 21 Dec 2023 22:48:18 +0100
Subject: [PATCH 65/84] Use information from previous blame parts (#28572)

Fixes #28545

`git blame` output can contain blocks without commit information if it
was outputted before (the `0dafa97ea3f6d9662299579e5be1875cd28baaae 48
26 1` line):
```
fec25436488499df7231f63b857f66457c193d5c 24 25 1
author Bastien Montagne
author-mail <bastien@blender.org>
author-time 1660731031
author-tz +0200
committer Bastien Montagne
committer-mail <bastien@blender.org>
committer-time 1660731031
committer-tz +0200
summary LibOverride: Add Make/Reset/Clear entries to IDTemplate contextual menu.
previous 839ece6477203382b7a7483062961540180ff1cd source/blender/editors/interface/interface_ops.c
filename source/blender/editors/interface/interface_ops.c
        #include "BLT_translation.h"
0dafa97ea3f6d9662299579e5be1875cd28baaae 48 26 1

3d57bc4397fca53bc9702a27bbf50102827829b0 27 27 1
author Hans Goudey
author-mail <hans@blender.org>
author-time 1700131315
author-tz +0100
committer Hans Goudey
committer-mail <hooglyboogly@noreply.localhost>
committer-time 1700131315
committer-tz +0100
summary Cleanup: Move several blenkernel headers to C++
previous 451c054d9b7d3148a646caa5a72fb127a5b5c408 source/blender/editors/interface/interface_ops.cc
filename source/blender/editors/interface/interface_ops.cc
        #include "BKE_context.hh"
```
This PR reuses data from the previous blame part to fill these gaps.
---
 routers/web/repo/blame.go | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/routers/web/repo/blame.go b/routers/web/repo/blame.go
index b2374e32c2849..d414779a14ec7 100644
--- a/routers/web/repo/blame.go
+++ b/routers/web/repo/blame.go
@@ -125,7 +125,7 @@ func RefBlame(ctx *context.Context) {
 }
 
 type blameResult struct {
-	Parts                []git.BlamePart
+	Parts                []*git.BlamePart
 	UsesIgnoreRevs       bool
 	FaultyIgnoreRevsFile bool
 }
@@ -175,7 +175,9 @@ func performBlame(ctx *context.Context, repoPath string, commit *git.Commit, fil
 func fillBlameResult(br *git.BlameReader, r *blameResult) error {
 	r.UsesIgnoreRevs = br.UsesIgnoreRevs()
 
-	r.Parts = make([]git.BlamePart, 0, 5)
+	previousHelper := make(map[string]*git.BlamePart)
+
+	r.Parts = make([]*git.BlamePart, 0, 5)
 	for {
 		blamePart, err := br.NextPart()
 		if err != nil {
@@ -184,13 +186,23 @@ func fillBlameResult(br *git.BlameReader, r *blameResult) error {
 		if blamePart == nil {
 			break
 		}
-		r.Parts = append(r.Parts, *blamePart)
+
+		if prev, ok := previousHelper[blamePart.Sha]; ok {
+			if blamePart.PreviousSha == "" {
+				blamePart.PreviousSha = prev.PreviousSha
+				blamePart.PreviousPath = prev.PreviousPath
+			}
+		} else {
+			previousHelper[blamePart.Sha] = blamePart
+		}
+
+		r.Parts = append(r.Parts, blamePart)
 	}
 
 	return nil
 }
 
-func processBlameParts(ctx *context.Context, blameParts []git.BlamePart) map[string]*user_model.UserCommit {
+func processBlameParts(ctx *context.Context, blameParts []*git.BlamePart) map[string]*user_model.UserCommit {
 	// store commit data by SHA to look up avatar info etc
 	commitNames := make(map[string]*user_model.UserCommit)
 	// and as blameParts can reference the same commits multiple
@@ -232,7 +244,7 @@ func processBlameParts(ctx *context.Context, blameParts []git.BlamePart) map[str
 	return commitNames
 }
 
-func renderBlame(ctx *context.Context, blameParts []git.BlamePart, commitNames map[string]*user_model.UserCommit) {
+func renderBlame(ctx *context.Context, blameParts []*git.BlamePart, commitNames map[string]*user_model.UserCommit) {
 	repoLink := ctx.Repo.RepoLink
 
 	language := ""

From 041436dd9a8ced3a66cef48cfe9aa5d562df5af3 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Fri, 22 Dec 2023 06:25:57 +0800
Subject: [PATCH 66/84] improve possible performance bottleneck (#28547)

Replace #28500

---------

Co-authored-by: Giteabot <teabot@gitea.io>
---
 models/issues/comment.go | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/models/issues/comment.go b/models/issues/comment.go
index ba5aed9c652e9..ce5cf5902d776 100644
--- a/models/issues/comment.go
+++ b/models/issues/comment.go
@@ -1161,14 +1161,9 @@ func DeleteComment(ctx context.Context, comment *Comment) error {
 // UpdateCommentsMigrationsByType updates comments' migrations information via given git service type and original id and poster id
 func UpdateCommentsMigrationsByType(ctx context.Context, tp structs.GitServiceType, originalAuthorID string, posterID int64) error {
 	_, err := db.GetEngine(ctx).Table("comment").
-		Where(builder.In("issue_id",
-			builder.Select("issue.id").
-				From("issue").
-				InnerJoin("repository", "issue.repo_id = repository.id").
-				Where(builder.Eq{
-					"repository.original_service_type": tp,
-				}),
-		)).
+		Join("INNER", "issue", "issue.id = comment.issue_id").
+		Join("INNER", "repository", "issue.repo_id = repository.id").
+		Where("repository.original_service_type = ?", tp).
 		And("comment.original_author_id = ?", originalAuthorID).
 		Update(map[string]any{
 			"poster_id":          posterID,

From b4888874588b94bfd93ac93677b4735ae54f3dc8 Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Fri, 22 Dec 2023 07:09:14 +0800
Subject: [PATCH 67/84] Fix 500 error of searching commits (#28576)

Regression of #28454 . Now the string is escaped HTML, so it doesn't
need `| Safe`.

Fix #28575
---
 templates/code/searchresults.tmpl | 2 +-
 templates/repo/search.tmpl        | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/code/searchresults.tmpl b/templates/code/searchresults.tmpl
index 28c33a26de92a..bb21a5e0dcadf 100644
--- a/templates/code/searchresults.tmpl
+++ b/templates/code/searchresults.tmpl
@@ -31,7 +31,7 @@
 										<a href="{{$repo.Link}}/src/commit/{{$result.CommitID | PathEscape}}/{{$result.Filename | PathEscapeSegments}}#L{{.}}"><span>{{.}}</span></a>
 									{{end}}
 								</td>
-								<td class="lines-code chroma"><code class="code-inner">{{.FormattedLines | Safe}}</code></td>
+								<td class="lines-code chroma"><code class="code-inner">{{.FormattedLines}}</code></td>
 							</tr>
 						</tbody>
 					</table>
diff --git a/templates/repo/search.tmpl b/templates/repo/search.tmpl
index b6c90de32f63c..b616b4de32312 100644
--- a/templates/repo/search.tmpl
+++ b/templates/repo/search.tmpl
@@ -53,7 +53,7 @@
 														<a href="{{$.SourcePath}}/src/commit/{{PathEscape $result.CommitID}}/{{PathEscapeSegments $result.Filename}}#L{{.}}"><span>{{.}}</span></a>
 													{{end}}
 												</td>
-												<td class="lines-code chroma"><code class="code-inner">{{.FormattedLines | Safe}}</code></td>
+												<td class="lines-code chroma"><code class="code-inner">{{.FormattedLines}}</code></td>
 											</tr>
 										</tbody>
 									</table>

From de0585a2705c194ecb6d24fc142a2dbf6bc6c0b2 Mon Sep 17 00:00:00 2001
From: KN4CK3R <admin@oldschoolhack.me>
Date: Fri, 22 Dec 2023 00:59:59 +0100
Subject: [PATCH 68/84] Convert to url auth to header auth in tests (#28484)

Related #28390
---
 .../integration/api_actions_artifact_test.go  |  89 ++++----
 .../api_activitypub_person_test.go            |   4 +-
 tests/integration/api_admin_org_test.go       |   9 +-
 tests/integration/api_admin_test.go           |  89 ++++----
 tests/integration/api_branch_test.go          |  23 +-
 .../api_comment_attachment_test.go            |  31 +--
 tests/integration/api_comment_test.go         |  36 +--
 tests/integration/api_gpg_keys_test.go        |  36 +--
 .../api_helper_for_declarative_test.go        | 108 ++++-----
 tests/integration/api_httpsig_test.go         |  14 +-
 .../integration/api_issue_attachment_test.go  |  26 +--
 tests/integration/api_issue_label_test.go     |  58 ++---
 tests/integration/api_issue_milestone_test.go |  23 +-
 tests/integration/api_issue_pin_test.go       |  62 ++----
 tests/integration/api_issue_reaction_test.go  |  34 +--
 tests/integration/api_issue_stopwatch_test.go |  12 +-
 .../api_issue_subscription_test.go            |  20 +-
 tests/integration/api_issue_test.go           |  12 +-
 .../api_issue_tracked_time_test.go            |  19 +-
 tests/integration/api_keys_test.go            |  54 ++---
 tests/integration/api_nodeinfo_test.go        |   2 +-
 tests/integration/api_notification_test.go    |  45 ++--
 tests/integration/api_oauth2_apps_test.go     |  24 +-
 tests/integration/api_org_avatar_test.go      |  12 +-
 tests/integration/api_org_test.go             |  34 +--
 tests/integration/api_packages_alpine_test.go |  12 +-
 tests/integration/api_packages_cargo_test.go  |  36 +--
 tests/integration/api_packages_chef_test.go   |  83 +++----
 .../integration/api_packages_composer_test.go |  32 +--
 tests/integration/api_packages_conan_test.go  | 112 +++++-----
 tests/integration/api_packages_conda_test.go  |  16 +-
 .../api_packages_container_test.go            | 210 +++++++++---------
 tests/integration/api_packages_cran_test.go   |  45 ++--
 tests/integration/api_packages_debian_test.go |  28 +--
 .../integration/api_packages_generic_test.go  |  48 ++--
 .../integration/api_packages_goproxy_test.go  |  16 +-
 tests/integration/api_packages_helm_test.go   |  16 +-
 tests/integration/api_packages_maven_test.go  |  36 +--
 tests/integration/api_packages_npm_test.go    |  56 ++---
 tests/integration/api_packages_nuget_test.go  | 137 ++++++------
 tests/integration/api_packages_pub_test.go    |  14 +-
 tests/integration/api_packages_pypi_test.go   |  14 +-
 tests/integration/api_packages_rpm_test.go    |  16 +-
 .../integration/api_packages_rubygems_test.go |  22 +-
 tests/integration/api_packages_swift_test.go  |  70 +++---
 tests/integration/api_packages_test.go        |  65 +++---
 .../integration/api_packages_vagrant_test.go  |  12 +-
 tests/integration/api_pull_review_test.go     |  95 ++++----
 tests/integration/api_pull_test.go            |  34 +--
 tests/integration/api_releases_test.go        |  47 ++--
 tests/integration/api_repo_avatar_test.go     |  12 +-
 .../integration/api_repo_collaborator_test.go |  24 +-
 tests/integration/api_repo_edit_test.go       |  79 ++++---
 .../integration/api_repo_file_create_test.go  |  42 ++--
 .../integration/api_repo_file_delete_test.go  |  38 ++--
 .../integration/api_repo_file_update_test.go  |  42 ++--
 .../integration/api_repo_files_change_test.go |  40 ++--
 .../api_repo_get_contents_list_test.go        |   9 +-
 .../integration/api_repo_get_contents_test.go |   9 +-
 tests/integration/api_repo_git_blobs_test.go  |   9 +-
 .../integration/api_repo_git_commits_test.go  |  39 ++--
 tests/integration/api_repo_git_hook_test.go   |  47 ++--
 tests/integration/api_repo_git_notes_test.go  |   9 +-
 tests/integration/api_repo_git_ref_test.go    |   9 +-
 tests/integration/api_repo_git_tags_test.go   |  17 +-
 tests/integration/api_repo_git_trees_test.go  |   6 +-
 tests/integration/api_repo_hook_test.go       |   7 +-
 .../integration/api_repo_lfs_migrate_test.go  |   4 +-
 tests/integration/api_repo_lfs_test.go        |  23 +-
 tests/integration/api_repo_raw_test.go        |   6 +-
 tests/integration/api_repo_secrets_test.go    |  23 +-
 tests/integration/api_repo_tags_test.go       |  13 +-
 tests/integration/api_repo_teams_test.go      |  24 +-
 tests/integration/api_repo_test.go            |  82 ++++---
 tests/integration/api_repo_topic_test.go      |  51 +++--
 tests/integration/api_team_test.go            |  54 +++--
 tests/integration/api_team_user_test.go       |   6 +-
 tests/integration/api_token_test.go           |  46 ++--
 tests/integration/api_twofa_test.go           |  12 +-
 tests/integration/api_user_avatar_test.go     |  12 +-
 tests/integration/api_user_email_test.go      |  21 +-
 tests/integration/api_user_follow_test.go     |  30 ++-
 tests/integration/api_user_heatmap_test.go    |   4 +-
 tests/integration/api_user_info_test.go       |   9 +-
 tests/integration/api_user_org_perm_test.go   |   9 +-
 tests/integration/api_user_orgs_test.go       |   7 +-
 tests/integration/api_user_search_test.go     |   7 +-
 tests/integration/api_user_secrets_test.go    |  23 +-
 tests/integration/api_user_star_test.go       |  18 +-
 tests/integration/api_user_watch_test.go      |  18 +-
 tests/integration/api_wiki_test.go            |   8 +-
 tests/integration/cors_test.go                |   2 +-
 tests/integration/empty_repo_test.go          |   9 +-
 tests/integration/eventsource_test.go         |   9 +-
 tests/integration/integration_test.go         |  81 ++++---
 tests/integration/org_test.go                 |   8 +-
 tests/integration/privateactivity_test.go     |   7 +-
 tests/integration/pull_merge_test.go          |   8 +-
 tests/integration/pull_status_test.go         |   6 +-
 tests/integration/pull_update_test.go         |   6 +-
 tests/integration/repo_search_test.go         |   2 +-
 tests/integration/user_test.go                |   2 +-
 102 files changed, 1714 insertions(+), 1522 deletions(-)

diff --git a/tests/integration/api_actions_artifact_test.go b/tests/integration/api_actions_artifact_test.go
index 101bedde02788..2597d103746e6 100644
--- a/tests/integration/api_actions_artifact_test.go
+++ b/tests/integration/api_actions_artifact_test.go
@@ -30,8 +30,7 @@ func TestActionsArtifactUploadSingleFile(t *testing.T) {
 	req := NewRequestWithJSON(t, "POST", "/api/actions_pipeline/_apis/pipelines/workflows/791/artifacts", getUploadArtifactRequest{
 		Type: "actions_storage",
 		Name: "artifact",
-	})
-	req = addTokenAuthHeader(req, "Bearer 8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
+	}).AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
 	resp := MakeRequest(t, req, http.StatusOK)
 	var uploadResp uploadArtifactResponse
 	DecodeJSON(t, resp, &uploadResp)
@@ -43,18 +42,18 @@ func TestActionsArtifactUploadSingleFile(t *testing.T) {
 
 	// upload artifact chunk
 	body := strings.Repeat("A", 1024)
-	req = NewRequestWithBody(t, "PUT", url, strings.NewReader(body))
-	req = addTokenAuthHeader(req, "Bearer 8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
-	req.Header.Add("Content-Range", "bytes 0-1023/1024")
-	req.Header.Add("x-tfs-filelength", "1024")
-	req.Header.Add("x-actions-results-md5", "1HsSe8LeLWh93ILaw1TEFQ==") // base64(md5(body))
+	req = NewRequestWithBody(t, "PUT", url, strings.NewReader(body)).
+		AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a").
+		SetHeader("Content-Range", "bytes 0-1023/1024").
+		SetHeader("x-tfs-filelength", "1024").
+		SetHeader("x-actions-results-md5", "1HsSe8LeLWh93ILaw1TEFQ==") // base64(md5(body))
 	MakeRequest(t, req, http.StatusOK)
 
 	t.Logf("Create artifact confirm")
 
 	// confirm artifact upload
-	req = NewRequest(t, "PATCH", "/api/actions_pipeline/_apis/pipelines/workflows/791/artifacts?artifactName=artifact")
-	req = addTokenAuthHeader(req, "Bearer 8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
+	req = NewRequest(t, "PATCH", "/api/actions_pipeline/_apis/pipelines/workflows/791/artifacts?artifactName=artifact").
+		AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
 	MakeRequest(t, req, http.StatusOK)
 }
 
@@ -64,11 +63,11 @@ func TestActionsArtifactUploadInvalidHash(t *testing.T) {
 	// artifact id 54321 not exist
 	url := "/api/actions_pipeline/_apis/pipelines/workflows/791/artifacts/8e5b948a454515dbabfc7eb718ddddddd/upload?itemPath=artifact/abc.txt"
 	body := strings.Repeat("A", 1024)
-	req := NewRequestWithBody(t, "PUT", url, strings.NewReader(body))
-	req = addTokenAuthHeader(req, "Bearer 8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
-	req.Header.Add("Content-Range", "bytes 0-1023/1024")
-	req.Header.Add("x-tfs-filelength", "1024")
-	req.Header.Add("x-actions-results-md5", "1HsSe8LeLWh93ILaw1TEFQ==") // base64(md5(body))
+	req := NewRequestWithBody(t, "PUT", url, strings.NewReader(body)).
+		AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a").
+		SetHeader("Content-Range", "bytes 0-1023/1024").
+		SetHeader("x-tfs-filelength", "1024").
+		SetHeader("x-actions-results-md5", "1HsSe8LeLWh93ILaw1TEFQ==") // base64(md5(body))
 	resp := MakeRequest(t, req, http.StatusBadRequest)
 	assert.Contains(t, resp.Body.String(), "Invalid artifact hash")
 }
@@ -76,8 +75,8 @@ func TestActionsArtifactUploadInvalidHash(t *testing.T) {
 func TestActionsArtifactConfirmUploadWithoutName(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
-	req := NewRequest(t, "PATCH", "/api/actions_pipeline/_apis/pipelines/workflows/791/artifacts")
-	req = addTokenAuthHeader(req, "Bearer 8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
+	req := NewRequest(t, "PATCH", "/api/actions_pipeline/_apis/pipelines/workflows/791/artifacts").
+		AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
 	resp := MakeRequest(t, req, http.StatusBadRequest)
 	assert.Contains(t, resp.Body.String(), "artifact name is empty")
 }
@@ -111,8 +110,8 @@ type (
 func TestActionsArtifactDownload(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
-	req := NewRequest(t, "GET", "/api/actions_pipeline/_apis/pipelines/workflows/791/artifacts")
-	req = addTokenAuthHeader(req, "Bearer 8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
+	req := NewRequest(t, "GET", "/api/actions_pipeline/_apis/pipelines/workflows/791/artifacts").
+		AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
 	resp := MakeRequest(t, req, http.StatusOK)
 	var listResp listArtifactsResponse
 	DecodeJSON(t, resp, &listResp)
@@ -122,8 +121,8 @@ func TestActionsArtifactDownload(t *testing.T) {
 
 	idx := strings.Index(listResp.Value[0].FileContainerResourceURL, "/api/actions_pipeline/_apis/pipelines/")
 	url := listResp.Value[0].FileContainerResourceURL[idx+1:] + "?itemPath=artifact"
-	req = NewRequest(t, "GET", url)
-	req = addTokenAuthHeader(req, "Bearer 8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
+	req = NewRequest(t, "GET", url).
+		AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
 	resp = MakeRequest(t, req, http.StatusOK)
 	var downloadResp downloadArtifactResponse
 	DecodeJSON(t, resp, &downloadResp)
@@ -134,8 +133,8 @@ func TestActionsArtifactDownload(t *testing.T) {
 
 	idx = strings.Index(downloadResp.Value[0].ContentLocation, "/api/actions_pipeline/_apis/pipelines/")
 	url = downloadResp.Value[0].ContentLocation[idx:]
-	req = NewRequest(t, "GET", url)
-	req = addTokenAuthHeader(req, "Bearer 8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
+	req = NewRequest(t, "GET", url).
+		AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
 	resp = MakeRequest(t, req, http.StatusOK)
 	body := strings.Repeat("A", 1024)
 	assert.Equal(t, resp.Body.String(), body)
@@ -150,8 +149,7 @@ func TestActionsArtifactUploadMultipleFile(t *testing.T) {
 	req := NewRequestWithJSON(t, "POST", "/api/actions_pipeline/_apis/pipelines/workflows/791/artifacts", getUploadArtifactRequest{
 		Type: "actions_storage",
 		Name: testArtifactName,
-	})
-	req = addTokenAuthHeader(req, "Bearer 8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
+	}).AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
 	resp := MakeRequest(t, req, http.StatusOK)
 	var uploadResp uploadArtifactResponse
 	DecodeJSON(t, resp, &uploadResp)
@@ -182,19 +180,19 @@ func TestActionsArtifactUploadMultipleFile(t *testing.T) {
 		url := uploadResp.FileContainerResourceURL[idx:] + "?itemPath=" + testArtifactName + "/" + f.Path
 
 		// upload artifact chunk
-		req = NewRequestWithBody(t, "PUT", url, strings.NewReader(f.Content))
-		req = addTokenAuthHeader(req, "Bearer 8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
-		req.Header.Add("Content-Range", "bytes 0-1023/1024")
-		req.Header.Add("x-tfs-filelength", "1024")
-		req.Header.Add("x-actions-results-md5", f.MD5) // base64(md5(body))
+		req = NewRequestWithBody(t, "PUT", url, strings.NewReader(f.Content)).
+			AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a").
+			SetHeader("Content-Range", "bytes 0-1023/1024").
+			SetHeader("x-tfs-filelength", "1024").
+			SetHeader("x-actions-results-md5", f.MD5) // base64(md5(body))
 		MakeRequest(t, req, http.StatusOK)
 	}
 
 	t.Logf("Create artifact confirm")
 
 	// confirm artifact upload
-	req = NewRequest(t, "PATCH", "/api/actions_pipeline/_apis/pipelines/workflows/791/artifacts?artifactName="+testArtifactName)
-	req = addTokenAuthHeader(req, "Bearer 8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
+	req = NewRequest(t, "PATCH", "/api/actions_pipeline/_apis/pipelines/workflows/791/artifacts?artifactName="+testArtifactName).
+		AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
 	MakeRequest(t, req, http.StatusOK)
 }
 
@@ -203,8 +201,8 @@ func TestActionsArtifactDownloadMultiFiles(t *testing.T) {
 
 	const testArtifactName = "multi-files"
 
-	req := NewRequest(t, "GET", "/api/actions_pipeline/_apis/pipelines/workflows/791/artifacts")
-	req = addTokenAuthHeader(req, "Bearer 8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
+	req := NewRequest(t, "GET", "/api/actions_pipeline/_apis/pipelines/workflows/791/artifacts").
+		AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
 	resp := MakeRequest(t, req, http.StatusOK)
 	var listResp listArtifactsResponse
 	DecodeJSON(t, resp, &listResp)
@@ -221,8 +219,8 @@ func TestActionsArtifactDownloadMultiFiles(t *testing.T) {
 
 	idx := strings.Index(fileContainerResourceURL, "/api/actions_pipeline/_apis/pipelines/")
 	url := fileContainerResourceURL[idx+1:] + "?itemPath=" + testArtifactName
-	req = NewRequest(t, "GET", url)
-	req = addTokenAuthHeader(req, "Bearer 8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
+	req = NewRequest(t, "GET", url).
+		AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
 	resp = MakeRequest(t, req, http.StatusOK)
 	var downloadResp downloadArtifactResponse
 	DecodeJSON(t, resp, &downloadResp)
@@ -246,8 +244,8 @@ func TestActionsArtifactDownloadMultiFiles(t *testing.T) {
 
 		idx = strings.Index(value.ContentLocation, "/api/actions_pipeline/_apis/pipelines/")
 		url = value.ContentLocation[idx:]
-		req = NewRequest(t, "GET", url)
-		req = addTokenAuthHeader(req, "Bearer 8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
+		req = NewRequest(t, "GET", url).
+			AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
 		resp = MakeRequest(t, req, http.StatusOK)
 		body := strings.Repeat(bodyChar, 1024)
 		assert.Equal(t, resp.Body.String(), body)
@@ -262,8 +260,7 @@ func TestActionsArtifactUploadWithRetentionDays(t *testing.T) {
 		Type:          "actions_storage",
 		Name:          "artifact-retention-days",
 		RetentionDays: 9,
-	})
-	req = addTokenAuthHeader(req, "Bearer 8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
+	}).AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
 	resp := MakeRequest(t, req, http.StatusOK)
 	var uploadResp uploadArtifactResponse
 	DecodeJSON(t, resp, &uploadResp)
@@ -276,17 +273,17 @@ func TestActionsArtifactUploadWithRetentionDays(t *testing.T) {
 
 	// upload artifact chunk
 	body := strings.Repeat("A", 1024)
-	req = NewRequestWithBody(t, "PUT", url, strings.NewReader(body))
-	req = addTokenAuthHeader(req, "Bearer 8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
-	req.Header.Add("Content-Range", "bytes 0-1023/1024")
-	req.Header.Add("x-tfs-filelength", "1024")
-	req.Header.Add("x-actions-results-md5", "1HsSe8LeLWh93ILaw1TEFQ==") // base64(md5(body))
+	req = NewRequestWithBody(t, "PUT", url, strings.NewReader(body)).
+		AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a").
+		SetHeader("Content-Range", "bytes 0-1023/1024").
+		SetHeader("x-tfs-filelength", "1024").
+		SetHeader("x-actions-results-md5", "1HsSe8LeLWh93ILaw1TEFQ==") // base64(md5(body))
 	MakeRequest(t, req, http.StatusOK)
 
 	t.Logf("Create artifact confirm")
 
 	// confirm artifact upload
-	req = NewRequest(t, "PATCH", "/api/actions_pipeline/_apis/pipelines/workflows/791/artifacts?artifactName=artifact-retention-days")
-	req = addTokenAuthHeader(req, "Bearer 8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
+	req = NewRequest(t, "PATCH", "/api/actions_pipeline/_apis/pipelines/workflows/791/artifacts?artifactName=artifact-retention-days").
+		AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
 	MakeRequest(t, req, http.StatusOK)
 }
diff --git a/tests/integration/api_activitypub_person_test.go b/tests/integration/api_activitypub_person_test.go
index 3222dfc807134..42a2a09072761 100644
--- a/tests/integration/api_activitypub_person_test.go
+++ b/tests/integration/api_activitypub_person_test.go
@@ -32,7 +32,7 @@ func TestActivityPubPerson(t *testing.T) {
 	onGiteaRun(t, func(*testing.T, *url.URL) {
 		userID := 2
 		username := "user2"
-		req := NewRequestf(t, "GET", fmt.Sprintf("/api/v1/activitypub/user-id/%v", userID))
+		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/activitypub/user-id/%v", userID))
 		resp := MakeRequest(t, req, http.StatusOK)
 		body := resp.Body.Bytes()
 		assert.Contains(t, string(body), "@context")
@@ -68,7 +68,7 @@ func TestActivityPubMissingPerson(t *testing.T) {
 	}()
 
 	onGiteaRun(t, func(*testing.T, *url.URL) {
-		req := NewRequestf(t, "GET", "/api/v1/activitypub/user-id/999999999")
+		req := NewRequest(t, "GET", "/api/v1/activitypub/user-id/999999999")
 		resp := MakeRequest(t, req, http.StatusNotFound)
 		assert.Contains(t, resp.Body.String(), "user does not exist")
 	})
diff --git a/tests/integration/api_admin_org_test.go b/tests/integration/api_admin_org_test.go
index 0bf4b1f7cba03..a29d0ba1d7467 100644
--- a/tests/integration/api_admin_org_test.go
+++ b/tests/integration/api_admin_org_test.go
@@ -31,7 +31,8 @@ func TestAPIAdminOrgCreate(t *testing.T) {
 			Location:    "Shanghai",
 			Visibility:  "private",
 		}
-		req := NewRequestWithJSON(t, "POST", "/api/v1/admin/users/user2/orgs?token="+token, &org)
+		req := NewRequestWithJSON(t, "POST", "/api/v1/admin/users/user2/orgs", &org).
+			AddTokenAuth(token)
 		resp := MakeRequest(t, req, http.StatusCreated)
 
 		var apiOrg api.Organization
@@ -65,7 +66,8 @@ func TestAPIAdminOrgCreateBadVisibility(t *testing.T) {
 			Location:    "Shanghai",
 			Visibility:  "notvalid",
 		}
-		req := NewRequestWithJSON(t, "POST", "/api/v1/admin/users/user2/orgs?token="+token, &org)
+		req := NewRequestWithJSON(t, "POST", "/api/v1/admin/users/user2/orgs", &org).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusUnprocessableEntity)
 	})
 }
@@ -83,6 +85,7 @@ func TestAPIAdminOrgCreateNotAdmin(t *testing.T) {
 		Location:    "Shanghai",
 		Visibility:  "public",
 	}
-	req := NewRequestWithJSON(t, "POST", "/api/v1/admin/users/user2/orgs?token="+token, &org)
+	req := NewRequestWithJSON(t, "POST", "/api/v1/admin/users/user2/orgs", &org).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusForbidden)
 }
diff --git a/tests/integration/api_admin_test.go b/tests/integration/api_admin_test.go
index aae9ec4a24a2d..ff7c2ddca39b7 100644
--- a/tests/integration/api_admin_test.go
+++ b/tests/integration/api_admin_test.go
@@ -27,11 +27,11 @@ func TestAPIAdminCreateAndDeleteSSHKey(t *testing.T) {
 	keyOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user2"})
 
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteAdmin)
-	urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", keyOwner.Name, token)
+	urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys", keyOwner.Name)
 	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
 		"key":   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4cn+iXnA4KvcQYSV88vGn0Yi91vG47t1P7okprVmhNTkipNRIHWr6WdCO4VDr/cvsRkuVJAsLO2enwjGWWueOO6BodiBgyAOZ/5t5nJNMCNuLGT5UIo/RI1b0WRQwxEZTRjt6mFNw6lH14wRd8ulsr9toSWBPMOGWoYs1PDeDL0JuTjL+tr1SZi/EyxCngpYszKdXllJEHyI79KQgeD0Vt3pTrkbNVTOEcCNqZePSVmUH8X8Vhugz3bnE0/iE9Pb5fkWO9c4AnM1FgI/8Bvp27Fw2ShryIXuR6kKvUqhVMTuOSDHwu6A8jLE5Owt3GAYugDpDYuwTVNGrHLXKpPzrGGPE/jPmaLCMZcsdkec95dYeU3zKODEm8UQZFhmJmDeWVJ36nGrGZHL4J5aTTaeFUJmmXDaJYiJ+K2/ioKgXqnXvltu0A9R8/LGy4nrTJRr4JMLuJFoUXvGm1gXQ70w2LSpk6yl71RNC0hCtsBe8BP8IhYCM0EP5jh7eCMQZNvM= nocomment\n",
 		"title": "test-key",
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusCreated)
 
 	var newPublicKey api.PublicKey
@@ -43,8 +43,8 @@ func TestAPIAdminCreateAndDeleteSSHKey(t *testing.T) {
 		OwnerID:     keyOwner.ID,
 	})
 
-	req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s",
-		keyOwner.Name, newPublicKey.ID, token)
+	req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d", keyOwner.Name, newPublicKey.ID).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 	unittest.AssertNotExistsBean(t, &asymkey_model.PublicKey{ID: newPublicKey.ID})
 }
@@ -54,7 +54,8 @@ func TestAPIAdminDeleteMissingSSHKey(t *testing.T) {
 
 	// user1 is an admin user
 	token := getUserToken(t, "user1", auth_model.AccessTokenScopeWriteAdmin)
-	req := NewRequestf(t, "DELETE", "/api/v1/admin/users/user1/keys/%d?token=%s", unittest.NonexistentID, token)
+	req := NewRequestf(t, "DELETE", "/api/v1/admin/users/user1/keys/%d", unittest.NonexistentID).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNotFound)
 }
 
@@ -64,18 +65,18 @@ func TestAPIAdminDeleteUnauthorizedKey(t *testing.T) {
 	normalUsername := "user2"
 	token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeWriteAdmin)
 
-	urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", adminUsername, token)
+	urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys", adminUsername)
 	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
 		"key":   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4cn+iXnA4KvcQYSV88vGn0Yi91vG47t1P7okprVmhNTkipNRIHWr6WdCO4VDr/cvsRkuVJAsLO2enwjGWWueOO6BodiBgyAOZ/5t5nJNMCNuLGT5UIo/RI1b0WRQwxEZTRjt6mFNw6lH14wRd8ulsr9toSWBPMOGWoYs1PDeDL0JuTjL+tr1SZi/EyxCngpYszKdXllJEHyI79KQgeD0Vt3pTrkbNVTOEcCNqZePSVmUH8X8Vhugz3bnE0/iE9Pb5fkWO9c4AnM1FgI/8Bvp27Fw2ShryIXuR6kKvUqhVMTuOSDHwu6A8jLE5Owt3GAYugDpDYuwTVNGrHLXKpPzrGGPE/jPmaLCMZcsdkec95dYeU3zKODEm8UQZFhmJmDeWVJ36nGrGZHL4J5aTTaeFUJmmXDaJYiJ+K2/ioKgXqnXvltu0A9R8/LGy4nrTJRr4JMLuJFoUXvGm1gXQ70w2LSpk6yl71RNC0hCtsBe8BP8IhYCM0EP5jh7eCMQZNvM= nocomment\n",
 		"title": "test-key",
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusCreated)
 	var newPublicKey api.PublicKey
 	DecodeJSON(t, resp, &newPublicKey)
 
 	token = getUserToken(t, normalUsername)
-	req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s",
-		adminUsername, newPublicKey.ID, token)
+	req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d", adminUsername, newPublicKey.ID).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusForbidden)
 }
 
@@ -85,8 +86,8 @@ func TestAPISudoUser(t *testing.T) {
 	normalUsername := "user2"
 	token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeReadUser)
 
-	urlStr := fmt.Sprintf("/api/v1/user?sudo=%s&token=%s", normalUsername, token)
-	req := NewRequest(t, "GET", urlStr)
+	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/user?sudo=%s", normalUsername)).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	var user api.User
 	DecodeJSON(t, resp, &user)
@@ -100,8 +101,8 @@ func TestAPISudoUserForbidden(t *testing.T) {
 	normalUsername := "user2"
 
 	token := getUserToken(t, normalUsername, auth_model.AccessTokenScopeReadAdmin)
-	urlStr := fmt.Sprintf("/api/v1/user?sudo=%s&token=%s", adminUsername, token)
-	req := NewRequest(t, "GET", urlStr)
+	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/user?sudo=%s", adminUsername)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusForbidden)
 }
 
@@ -110,8 +111,8 @@ func TestAPIListUsers(t *testing.T) {
 	adminUsername := "user1"
 	token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeReadAdmin)
 
-	urlStr := fmt.Sprintf("/api/v1/admin/users?token=%s", token)
-	req := NewRequest(t, "GET", urlStr)
+	req := NewRequest(t, "GET", "/api/v1/admin/users").
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	var users []api.User
 	DecodeJSON(t, resp, &users)
@@ -137,7 +138,8 @@ func TestAPIListUsersNonAdmin(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	nonAdminUsername := "user2"
 	token := getUserToken(t, nonAdminUsername)
-	req := NewRequestf(t, "GET", "/api/v1/admin/users?token=%s", token)
+	req := NewRequest(t, "GET", "/api/v1/admin/users").
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusForbidden)
 }
 
@@ -145,8 +147,7 @@ func TestAPICreateUserInvalidEmail(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	adminUsername := "user1"
 	token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeWriteAdmin)
-	urlStr := fmt.Sprintf("/api/v1/admin/users?token=%s", token)
-	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
+	req := NewRequestWithValues(t, "POST", "/api/v1/admin/users", map[string]string{
 		"email":                "invalid_email@domain.com\r\n",
 		"full_name":            "invalid user",
 		"login_name":           "invalidUser",
@@ -155,7 +156,7 @@ func TestAPICreateUserInvalidEmail(t *testing.T) {
 		"send_notify":          "true",
 		"source_id":            "0",
 		"username":             "invalidUser",
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusUnprocessableEntity)
 }
 
@@ -167,7 +168,7 @@ func TestAPICreateAndDeleteUser(t *testing.T) {
 	req := NewRequestWithValues(
 		t,
 		"POST",
-		fmt.Sprintf("/api/v1/admin/users?token=%s", token),
+		"/api/v1/admin/users",
 		map[string]string{
 			"email":                "deleteme@domain.com",
 			"full_name":            "delete me",
@@ -178,10 +179,11 @@ func TestAPICreateAndDeleteUser(t *testing.T) {
 			"source_id":            "0",
 			"username":             "deleteme",
 		},
-	)
+	).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusCreated)
 
-	req = NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/admin/users/deleteme?token=%s", token))
+	req = NewRequest(t, "DELETE", "/api/v1/admin/users/deleteme").
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 }
 
@@ -189,7 +191,7 @@ func TestAPIEditUser(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	adminUsername := "user1"
 	token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeWriteAdmin)
-	urlStr := fmt.Sprintf("/api/v1/admin/users/%s?token=%s", "user2", token)
+	urlStr := fmt.Sprintf("/api/v1/admin/users/%s", "user2")
 
 	req := NewRequestWithValues(t, "PATCH", urlStr, map[string]string{
 		// required
@@ -197,7 +199,7 @@ func TestAPIEditUser(t *testing.T) {
 		"source_id":  "0",
 		// to change
 		"full_name": "Full Name User 2",
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusOK)
 
 	empty := ""
@@ -205,7 +207,7 @@ func TestAPIEditUser(t *testing.T) {
 		LoginName: "user2",
 		SourceID:  0,
 		Email:     &empty,
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusUnprocessableEntity)
 
 	errMap := make(map[string]any)
@@ -221,7 +223,7 @@ func TestAPIEditUser(t *testing.T) {
 		SourceID:  0,
 		// to change
 		Restricted: &bTrue,
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusOK)
 	user2 = unittest.AssertExistsAndLoadBean(t, &user_model.User{LoginName: "user2"})
 	assert.True(t, user2.IsRestricted)
@@ -235,11 +237,11 @@ func TestAPICreateRepoForUser(t *testing.T) {
 	req := NewRequestWithJSON(
 		t,
 		"POST",
-		fmt.Sprintf("/api/v1/admin/users/%s/repos?token=%s", adminUsername, token),
+		fmt.Sprintf("/api/v1/admin/users/%s/repos", adminUsername),
 		&api.CreateRepoOption{
 			Name: "admincreatedrepo",
 		},
-	)
+	).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusCreated)
 }
 
@@ -247,40 +249,38 @@ func TestAPIRenameUser(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	adminUsername := "user1"
 	token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeWriteAdmin)
-	urlStr := fmt.Sprintf("/api/v1/admin/users/%s/rename?token=%s", "user2", token)
+	urlStr := fmt.Sprintf("/api/v1/admin/users/%s/rename", "user2")
 	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
 		// required
 		"new_name": "User2",
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusOK)
 
-	urlStr = fmt.Sprintf("/api/v1/admin/users/%s/rename?token=%s", "User2", token)
+	urlStr = fmt.Sprintf("/api/v1/admin/users/%s/rename", "User2")
 	req = NewRequestWithValues(t, "POST", urlStr, map[string]string{
 		// required
 		"new_name": "User2-2-2",
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusOK)
 
-	urlStr = fmt.Sprintf("/api/v1/admin/users/%s/rename?token=%s", "User2", token)
 	req = NewRequestWithValues(t, "POST", urlStr, map[string]string{
 		// required
 		"new_name": "user1",
-	})
+	}).AddTokenAuth(token)
 	// the old user name still be used by with a redirect
 	MakeRequest(t, req, http.StatusTemporaryRedirect)
 
-	urlStr = fmt.Sprintf("/api/v1/admin/users/%s/rename?token=%s", "User2-2-2", token)
+	urlStr = fmt.Sprintf("/api/v1/admin/users/%s/rename", "User2-2-2")
 	req = NewRequestWithValues(t, "POST", urlStr, map[string]string{
 		// required
 		"new_name": "user1",
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusUnprocessableEntity)
 
-	urlStr = fmt.Sprintf("/api/v1/admin/users/%s/rename?token=%s", "User2-2-2", token)
 	req = NewRequestWithValues(t, "POST", urlStr, map[string]string{
 		// required
 		"new_name": "user2",
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusOK)
 }
 
@@ -294,8 +294,9 @@ func TestAPICron(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
 		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadAdmin)
-		urlStr := fmt.Sprintf("/api/v1/admin/cron?token=%s", token)
-		req := NewRequest(t, "GET", urlStr)
+
+		req := NewRequest(t, "GET", "/api/v1/admin/cron").
+			AddTokenAuth(token)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		assert.Equal(t, "28", resp.Header().Get("X-Total-Count"))
@@ -313,13 +314,13 @@ func TestAPICron(t *testing.T) {
 		// Archive cleanup is harmless, because in the test environment there are none
 		// and is thus an NOOP operation and therefore doesn't interfere with any other
 		// tests.
-		urlStr := fmt.Sprintf("/api/v1/admin/cron/archive_cleanup?token=%s", token)
-		req := NewRequest(t, "POST", urlStr)
+		req := NewRequest(t, "POST", "/api/v1/admin/cron/archive_cleanup").
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusNoContent)
 
 		// Check for the latest run time for this cron, to ensure it has been run.
-		urlStr = fmt.Sprintf("/api/v1/admin/cron?token=%s", token)
-		req = NewRequest(t, "GET", urlStr)
+		req = NewRequest(t, "GET", "/api/v1/admin/cron").
+			AddTokenAuth(token)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		var crons []api.Cron
diff --git a/tests/integration/api_branch_test.go b/tests/integration/api_branch_test.go
index bc026c117f66e..28e690b356890 100644
--- a/tests/integration/api_branch_test.go
+++ b/tests/integration/api_branch_test.go
@@ -17,7 +17,8 @@ import (
 
 func testAPIGetBranch(t *testing.T, branchName string, exists bool) {
 	token := getUserToken(t, "user2", auth_model.AccessTokenScopeReadRepository)
-	req := NewRequestf(t, "GET", "/api/v1/repos/user2/repo1/branches/%s?token=%s", branchName, token)
+	req := NewRequestf(t, "GET", "/api/v1/repos/user2/repo1/branches/%s", branchName).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, NoExpectedStatus)
 	if !exists {
 		assert.EqualValues(t, http.StatusNotFound, resp.Code)
@@ -33,7 +34,8 @@ func testAPIGetBranch(t *testing.T, branchName string, exists bool) {
 
 func testAPIGetBranchProtection(t *testing.T, branchName string, expectedHTTPStatus int) *api.BranchProtection {
 	token := getUserToken(t, "user2", auth_model.AccessTokenScopeReadRepository)
-	req := NewRequestf(t, "GET", "/api/v1/repos/user2/repo1/branch_protections/%s?token=%s", branchName, token)
+	req := NewRequestf(t, "GET", "/api/v1/repos/user2/repo1/branch_protections/%s", branchName).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, expectedHTTPStatus)
 
 	if resp.Code == http.StatusOK {
@@ -47,9 +49,9 @@ func testAPIGetBranchProtection(t *testing.T, branchName string, expectedHTTPSta
 
 func testAPICreateBranchProtection(t *testing.T, branchName string, expectedHTTPStatus int) {
 	token := getUserToken(t, "user2", auth_model.AccessTokenScopeWriteRepository)
-	req := NewRequestWithJSON(t, "POST", "/api/v1/repos/user2/repo1/branch_protections?token="+token, &api.BranchProtection{
+	req := NewRequestWithJSON(t, "POST", "/api/v1/repos/user2/repo1/branch_protections", &api.BranchProtection{
 		RuleName: branchName,
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, expectedHTTPStatus)
 
 	if resp.Code == http.StatusCreated {
@@ -61,7 +63,8 @@ func testAPICreateBranchProtection(t *testing.T, branchName string, expectedHTTP
 
 func testAPIEditBranchProtection(t *testing.T, branchName string, body *api.BranchProtection, expectedHTTPStatus int) {
 	token := getUserToken(t, "user2", auth_model.AccessTokenScopeWriteRepository)
-	req := NewRequestWithJSON(t, "PATCH", "/api/v1/repos/user2/repo1/branch_protections/"+branchName+"?token="+token, body)
+	req := NewRequestWithJSON(t, "PATCH", "/api/v1/repos/user2/repo1/branch_protections/"+branchName, body).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, expectedHTTPStatus)
 
 	if resp.Code == http.StatusOK {
@@ -73,13 +76,15 @@ func testAPIEditBranchProtection(t *testing.T, branchName string, body *api.Bran
 
 func testAPIDeleteBranchProtection(t *testing.T, branchName string, expectedHTTPStatus int) {
 	token := getUserToken(t, "user2", auth_model.AccessTokenScopeWriteRepository)
-	req := NewRequestf(t, "DELETE", "/api/v1/repos/user2/repo1/branch_protections/%s?token=%s", branchName, token)
+	req := NewRequestf(t, "DELETE", "/api/v1/repos/user2/repo1/branch_protections/%s", branchName).
+		AddTokenAuth(token)
 	MakeRequest(t, req, expectedHTTPStatus)
 }
 
 func testAPIDeleteBranch(t *testing.T, branchName string, expectedHTTPStatus int) {
 	token := getUserToken(t, "user2", auth_model.AccessTokenScopeWriteRepository)
-	req := NewRequestf(t, "DELETE", "/api/v1/repos/user2/repo1/branches/%s?token=%s", branchName, token)
+	req := NewRequestf(t, "DELETE", "/api/v1/repos/user2/repo1/branches/%s", branchName).
+		AddTokenAuth(token)
 	MakeRequest(t, req, expectedHTTPStatus)
 }
 
@@ -152,10 +157,10 @@ func testAPICreateBranches(t *testing.T, giteaURL *url.URL) {
 
 func testAPICreateBranch(t testing.TB, session *TestSession, user, repo, oldBranch, newBranch string, status int) bool {
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
-	req := NewRequestWithJSON(t, "POST", "/api/v1/repos/"+user+"/"+repo+"/branches?token="+token, &api.CreateBranchRepoOption{
+	req := NewRequestWithJSON(t, "POST", "/api/v1/repos/"+user+"/"+repo+"/branches", &api.CreateBranchRepoOption{
 		BranchName:    newBranch,
 		OldBranchName: oldBranch,
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, status)
 
 	var branch api.Branch
diff --git a/tests/integration/api_comment_attachment_test.go b/tests/integration/api_comment_attachment_test.go
index 95a7a81eb4040..e5e62a86b7be7 100644
--- a/tests/integration/api_comment_attachment_test.go
+++ b/tests/integration/api_comment_attachment_test.go
@@ -39,15 +39,18 @@ func TestAPIGetCommentAttachment(t *testing.T) {
 		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
 		repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
 		token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeWriteIssue)
-		req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d/assets/%d?token=%s", repoOwner.Name, repo.Name, comment.ID, attachment.ID, token)
+		req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d/assets/%d", repoOwner.Name, repo.Name, comment.ID, attachment.ID).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusNotFound)
 	})
 
 	session := loginUser(t, repoOwner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadIssue)
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d/assets/%d?token=%s", repoOwner.Name, repo.Name, comment.ID, attachment.ID, token)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d/assets/%d", repoOwner.Name, repo.Name, comment.ID, attachment.ID).
+		AddTokenAuth(token)
 	session.MakeRequest(t, req, http.StatusOK)
-	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d/assets/%d?token=%s", repoOwner.Name, repo.Name, comment.ID, attachment.ID, token)
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d/assets/%d", repoOwner.Name, repo.Name, comment.ID, attachment.ID).
+		AddTokenAuth(token)
 	resp := session.MakeRequest(t, req, http.StatusOK)
 
 	var apiAttachment api.Attachment
@@ -71,8 +74,8 @@ func TestAPIListCommentAttachments(t *testing.T) {
 
 	session := loginUser(t, repoOwner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadIssue)
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d/assets?token=%s",
-		repoOwner.Name, repo.Name, comment.ID, token)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d/assets", repoOwner.Name, repo.Name, comment.ID).
+		AddTokenAuth(token)
 	resp := session.MakeRequest(t, req, http.StatusOK)
 
 	var apiAttachments []*api.Attachment
@@ -93,8 +96,6 @@ func TestAPICreateCommentAttachment(t *testing.T) {
 
 	session := loginUser(t, repoOwner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d/assets?token=%s",
-		repoOwner.Name, repo.Name, comment.ID, token)
 
 	filename := "image.png"
 	buff := generateImg()
@@ -109,8 +110,9 @@ func TestAPICreateCommentAttachment(t *testing.T) {
 	err = writer.Close()
 	assert.NoError(t, err)
 
-	req := NewRequestWithBody(t, "POST", urlStr, body)
-	req.Header.Add("Content-Type", writer.FormDataContentType())
+	req := NewRequestWithBody(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d/assets", repoOwner.Name, repo.Name, comment.ID), body).
+		AddTokenAuth(token).
+		SetHeader("Content-Type", writer.FormDataContentType())
 	resp := session.MakeRequest(t, req, http.StatusCreated)
 
 	apiAttachment := new(api.Attachment)
@@ -132,11 +134,11 @@ func TestAPIEditCommentAttachment(t *testing.T) {
 
 	session := loginUser(t, repoOwner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d/assets/%d?token=%s",
-		repoOwner.Name, repo.Name, comment.ID, attachment.ID, token)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d/assets/%d",
+		repoOwner.Name, repo.Name, comment.ID, attachment.ID)
 	req := NewRequestWithValues(t, "PATCH", urlStr, map[string]string{
 		"name": newAttachmentName,
-	})
+	}).AddTokenAuth(token)
 	resp := session.MakeRequest(t, req, http.StatusCreated)
 	apiAttachment := new(api.Attachment)
 	DecodeJSON(t, resp, &apiAttachment)
@@ -155,10 +157,9 @@ func TestAPIDeleteCommentAttachment(t *testing.T) {
 
 	session := loginUser(t, repoOwner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d/assets/%d?token=%s",
-		repoOwner.Name, repo.Name, comment.ID, attachment.ID, token)
 
-	req := NewRequestf(t, "DELETE", urlStr)
+	req := NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d/assets/%d", repoOwner.Name, repo.Name, comment.ID, attachment.ID)).
+		AddTokenAuth(token)
 	session.MakeRequest(t, req, http.StatusNoContent)
 
 	unittest.AssertNotExistsBean(t, &repo_model.Attachment{ID: attachment.ID, CommentID: comment.ID})
diff --git a/tests/integration/api_comment_test.go b/tests/integration/api_comment_test.go
index fe272cf926932..a9c5228a16c17 100644
--- a/tests/integration/api_comment_test.go
+++ b/tests/integration/api_comment_test.go
@@ -77,8 +77,8 @@ func TestAPIListIssueComments(t *testing.T) {
 	repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
 
 	token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeReadIssue)
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/%d/comments?token=%s",
-		repoOwner.Name, repo.Name, issue.Index, token)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/%d/comments", repoOwner.Name, repo.Name, issue.Index).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var comments []*api.Comment
@@ -97,11 +97,11 @@ func TestAPICreateComment(t *testing.T) {
 	repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
 
 	token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeWriteIssue)
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/comments?token=%s",
-		repoOwner.Name, repo.Name, issue.Index, token)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/comments",
+		repoOwner.Name, repo.Name, issue.Index)
 	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
 		"body": commentBody,
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusCreated)
 
 	var updatedComment api.Comment
@@ -121,7 +121,8 @@ func TestAPIGetComment(t *testing.T) {
 	token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeReadIssue)
 	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d", repoOwner.Name, repo.Name, comment.ID)
 	MakeRequest(t, req, http.StatusOK)
-	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d?token=%s", repoOwner.Name, repo.Name, comment.ID, token)
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d", repoOwner.Name, repo.Name, comment.ID).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var apiComment api.Comment
@@ -188,20 +189,20 @@ func TestAPIEditComment(t *testing.T) {
 		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
 		repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
 		token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeWriteIssue)
-		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d?token=%s",
-			repoOwner.Name, repo.Name, comment.ID, token)
+		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d",
+			repoOwner.Name, repo.Name, comment.ID)
 		req := NewRequestWithValues(t, "PATCH", urlStr, map[string]string{
 			"body": newCommentBody,
-		})
+		}).AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusNotFound)
 	})
 
 	token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeWriteIssue)
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d?token=%s",
-		repoOwner.Name, repo.Name, comment.ID, token)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d",
+		repoOwner.Name, repo.Name, comment.ID)
 	req := NewRequestWithValues(t, "PATCH", urlStr, map[string]string{
 		"body": newCommentBody,
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var updatedComment api.Comment
@@ -225,14 +226,14 @@ func TestAPIDeleteComment(t *testing.T) {
 		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
 		repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
 		token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeWriteIssue)
-		req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/comments/%d?token=%s",
-			repoOwner.Name, repo.Name, comment.ID, token)
+		req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/comments/%d", repoOwner.Name, repo.Name, comment.ID).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusNotFound)
 	})
 
 	token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeWriteIssue)
-	req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/comments/%d?token=%s",
-		repoOwner.Name, repo.Name, comment.ID, token)
+	req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/comments/%d", repoOwner.Name, repo.Name, comment.ID).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	unittest.AssertNotExistsBean(t, &issues_model.Comment{ID: comment.ID})
@@ -247,8 +248,7 @@ func TestAPIListIssueTimeline(t *testing.T) {
 	repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
 
 	// make request
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/%d/timeline",
-		repoOwner.Name, repo.Name, issue.Index)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/%d/timeline", repoOwner.Name, repo.Name, issue.Index)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	// check if lens of list returned by API and
diff --git a/tests/integration/api_gpg_keys_test.go b/tests/integration/api_gpg_keys_test.go
index a4545bd0bbd55..ec0dafc2d6dd2 100644
--- a/tests/integration/api_gpg_keys_test.go
+++ b/tests/integration/api_gpg_keys_test.go
@@ -16,7 +16,7 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-type makeRequestFunc func(testing.TB, *http.Request, int) *httptest.ResponseRecorder
+type makeRequestFunc func(testing.TB, *RequestWrapper, int) *httptest.ResponseRecorder
 
 func TestGPGKeys(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
@@ -79,7 +79,8 @@ func TestGPGKeys(t *testing.T) {
 	t.Run("CheckState", func(t *testing.T) {
 		var keys []*api.GPGKey
 
-		req := NewRequest(t, "GET", "/api/v1/user/gpg_keys?token="+tokenWithGPGKeyScope) // GET all keys
+		req := NewRequest(t, "GET", "/api/v1/user/gpg_keys"). // GET all keys
+									AddTokenAuth(tokenWithGPGKeyScope)
 		resp := MakeRequest(t, req, http.StatusOK)
 		DecodeJSON(t, resp, &keys)
 		assert.Len(t, keys, 1)
@@ -95,7 +96,8 @@ func TestGPGKeys(t *testing.T) {
 		assert.Empty(t, subKey.Emails)
 
 		var key api.GPGKey
-		req = NewRequest(t, "GET", "/api/v1/user/gpg_keys/"+strconv.FormatInt(primaryKey1.ID, 10)+"?token="+tokenWithGPGKeyScope) // Primary key 1
+		req = NewRequest(t, "GET", "/api/v1/user/gpg_keys/"+strconv.FormatInt(primaryKey1.ID, 10)). // Primary key 1
+														AddTokenAuth(tokenWithGPGKeyScope)
 		resp = MakeRequest(t, req, http.StatusOK)
 		DecodeJSON(t, resp, &key)
 		assert.EqualValues(t, "38EA3BCED732982C", key.KeyID)
@@ -103,7 +105,8 @@ func TestGPGKeys(t *testing.T) {
 		assert.EqualValues(t, "user2@example.com", key.Emails[0].Email)
 		assert.True(t, key.Emails[0].Verified)
 
-		req = NewRequest(t, "GET", "/api/v1/user/gpg_keys/"+strconv.FormatInt(subKey.ID, 10)+"?token="+tokenWithGPGKeyScope) // Subkey of 38EA3BCED732982C
+		req = NewRequest(t, "GET", "/api/v1/user/gpg_keys/"+strconv.FormatInt(subKey.ID, 10)). // Subkey of 38EA3BCED732982C
+													AddTokenAuth(tokenWithGPGKeyScope)
 		resp = MakeRequest(t, req, http.StatusOK)
 		DecodeJSON(t, resp, &key)
 		assert.EqualValues(t, "70D7C694D17D03AD", key.KeyID)
@@ -114,7 +117,8 @@ func TestGPGKeys(t *testing.T) {
 	t.Run("CheckCommits", func(t *testing.T) {
 		t.Run("NotSigned", func(t *testing.T) {
 			var branch api.Branch
-			req := NewRequest(t, "GET", "/api/v1/repos/user2/repo16/branches/not-signed?token="+token)
+			req := NewRequest(t, "GET", "/api/v1/repos/user2/repo16/branches/not-signed").
+				AddTokenAuth(token)
 			resp := MakeRequest(t, req, http.StatusOK)
 			DecodeJSON(t, resp, &branch)
 			assert.False(t, branch.Commit.Verification.Verified)
@@ -122,7 +126,8 @@ func TestGPGKeys(t *testing.T) {
 
 		t.Run("SignedWithNotValidatedEmail", func(t *testing.T) {
 			var branch api.Branch
-			req := NewRequest(t, "GET", "/api/v1/repos/user2/repo16/branches/good-sign-not-yet-validated?token="+token)
+			req := NewRequest(t, "GET", "/api/v1/repos/user2/repo16/branches/good-sign-not-yet-validated").
+				AddTokenAuth(token)
 			resp := MakeRequest(t, req, http.StatusOK)
 			DecodeJSON(t, resp, &branch)
 			assert.False(t, branch.Commit.Verification.Verified)
@@ -130,7 +135,8 @@ func TestGPGKeys(t *testing.T) {
 
 		t.Run("SignedWithValidEmail", func(t *testing.T) {
 			var branch api.Branch
-			req := NewRequest(t, "GET", "/api/v1/repos/user2/repo16/branches/good-sign?token="+token)
+			req := NewRequest(t, "GET", "/api/v1/repos/user2/repo16/branches/good-sign").
+				AddTokenAuth(token)
 			resp := MakeRequest(t, req, http.StatusOK)
 			DecodeJSON(t, resp, &branch)
 			assert.True(t, branch.Commit.Verification.Verified)
@@ -139,29 +145,33 @@ func TestGPGKeys(t *testing.T) {
 }
 
 func testViewOwnGPGKeys(t *testing.T, makeRequest makeRequestFunc, token string, expected int) {
-	req := NewRequest(t, "GET", "/api/v1/user/gpg_keys?token="+token)
+	req := NewRequest(t, "GET", "/api/v1/user/gpg_keys").
+		AddTokenAuth(token)
 	makeRequest(t, req, expected)
 }
 
 func testViewGPGKeys(t *testing.T, makeRequest makeRequestFunc, token string, expected int) {
-	req := NewRequest(t, "GET", "/api/v1/users/user2/gpg_keys?token="+token)
+	req := NewRequest(t, "GET", "/api/v1/users/user2/gpg_keys").
+		AddTokenAuth(token)
 	makeRequest(t, req, expected)
 }
 
 func testGetGPGKey(t *testing.T, makeRequest makeRequestFunc, token string, expected int) {
-	req := NewRequest(t, "GET", "/api/v1/user/gpg_keys/1?token="+token)
+	req := NewRequest(t, "GET", "/api/v1/user/gpg_keys/1").
+		AddTokenAuth(token)
 	makeRequest(t, req, expected)
 }
 
 func testDeleteGPGKey(t *testing.T, makeRequest makeRequestFunc, token string, expected int) {
-	req := NewRequest(t, "DELETE", "/api/v1/user/gpg_keys/1?token="+token)
+	req := NewRequest(t, "DELETE", "/api/v1/user/gpg_keys/1").
+		AddTokenAuth(token)
 	makeRequest(t, req, expected)
 }
 
 func testCreateGPGKey(t *testing.T, makeRequest makeRequestFunc, token string, expected int, publicKey string) {
-	req := NewRequestWithJSON(t, "POST", "/api/v1/user/gpg_keys?token="+token, api.CreateGPGKeyOption{
+	req := NewRequestWithJSON(t, "POST", "/api/v1/user/gpg_keys", api.CreateGPGKeyOption{
 		ArmoredKey: publicKey,
-	})
+	}).AddTokenAuth(token)
 	makeRequest(t, req, expected)
 }
 
diff --git a/tests/integration/api_helper_for_declarative_test.go b/tests/integration/api_helper_for_declarative_test.go
index 3524ce9834add..7755b9861ae30 100644
--- a/tests/integration/api_helper_for_declarative_test.go
+++ b/tests/integration/api_helper_for_declarative_test.go
@@ -59,7 +59,8 @@ func doAPICreateRepository(ctx APITestContext, empty bool, callback ...func(*tes
 			License:     "WTFPL",
 			Readme:      "Default",
 		}
-		req := NewRequestWithJSON(t, "POST", "/api/v1/user/repos?token="+ctx.Token, createRepoOption)
+		req := NewRequestWithJSON(t, "POST", "/api/v1/user/repos", createRepoOption).
+			AddTokenAuth(ctx.Token)
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
@@ -76,7 +77,8 @@ func doAPICreateRepository(ctx APITestContext, empty bool, callback ...func(*tes
 
 func doAPIEditRepository(ctx APITestContext, editRepoOption *api.EditRepoOption, callback ...func(*testing.T, api.Repository)) func(*testing.T) {
 	return func(t *testing.T) {
-		req := NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", url.PathEscape(ctx.Username), url.PathEscape(ctx.Reponame), ctx.Token), editRepoOption)
+		req := NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s", url.PathEscape(ctx.Username), url.PathEscape(ctx.Reponame)), editRepoOption).
+			AddTokenAuth(ctx.Token)
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
@@ -103,7 +105,8 @@ func doAPIAddCollaborator(ctx APITestContext, username string, mode perm.AccessM
 		addCollaboratorOption := &api.AddCollaboratorOption{
 			Permission: &permission,
 		}
-		req := NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/collaborators/%s?token=%s", ctx.Username, ctx.Reponame, username, ctx.Token), addCollaboratorOption)
+		req := NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/collaborators/%s", ctx.Username, ctx.Reponame, username), addCollaboratorOption).
+			AddTokenAuth(ctx.Token)
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
@@ -115,7 +118,8 @@ func doAPIAddCollaborator(ctx APITestContext, username string, mode perm.AccessM
 func doAPIForkRepository(ctx APITestContext, username string, callback ...func(*testing.T, api.Repository)) func(*testing.T) {
 	return func(t *testing.T) {
 		createForkOption := &api.CreateForkOption{}
-		req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/forks?token=%s", username, ctx.Reponame, ctx.Token), createForkOption)
+		req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/forks", username, ctx.Reponame), createForkOption).
+			AddTokenAuth(ctx.Token)
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
@@ -131,9 +135,8 @@ func doAPIForkRepository(ctx APITestContext, username string, callback ...func(*
 
 func doAPIGetRepository(ctx APITestContext, callback ...func(*testing.T, api.Repository)) func(*testing.T) {
 	return func(t *testing.T) {
-		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", ctx.Username, ctx.Reponame, ctx.Token)
-
-		req := NewRequest(t, "GET", urlStr)
+		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s", ctx.Username, ctx.Reponame)).
+			AddTokenAuth(ctx.Token)
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
@@ -150,9 +153,8 @@ func doAPIGetRepository(ctx APITestContext, callback ...func(*testing.T, api.Rep
 
 func doAPIDeleteRepository(ctx APITestContext) func(*testing.T) {
 	return func(t *testing.T) {
-		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", ctx.Username, ctx.Reponame, ctx.Token)
-
-		req := NewRequest(t, "DELETE", urlStr)
+		req := NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s", ctx.Username, ctx.Reponame)).
+			AddTokenAuth(ctx.Token)
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
@@ -163,14 +165,12 @@ func doAPIDeleteRepository(ctx APITestContext) func(*testing.T) {
 
 func doAPICreateUserKey(ctx APITestContext, keyname, keyFile string, callback ...func(*testing.T, api.PublicKey)) func(*testing.T) {
 	return func(t *testing.T) {
-		urlStr := fmt.Sprintf("/api/v1/user/keys?token=%s", ctx.Token)
-
 		dataPubKey, err := os.ReadFile(keyFile + ".pub")
 		assert.NoError(t, err)
-		req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateKeyOption{
+		req := NewRequestWithJSON(t, "POST", "/api/v1/user/keys", &api.CreateKeyOption{
 			Title: keyname,
 			Key:   string(dataPubKey),
-		})
+		}).AddTokenAuth(ctx.Token)
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
@@ -186,9 +186,8 @@ func doAPICreateUserKey(ctx APITestContext, keyname, keyFile string, callback ..
 
 func doAPIDeleteUserKey(ctx APITestContext, keyID int64) func(*testing.T) {
 	return func(t *testing.T) {
-		urlStr := fmt.Sprintf("/api/v1/user/keys/%d?token=%s", keyID, ctx.Token)
-
-		req := NewRequest(t, "DELETE", urlStr)
+		req := NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/user/keys/%d", keyID)).
+			AddTokenAuth(ctx.Token)
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
@@ -199,15 +198,13 @@ func doAPIDeleteUserKey(ctx APITestContext, keyID int64) func(*testing.T) {
 
 func doAPICreateDeployKey(ctx APITestContext, keyname, keyFile string, readOnly bool) func(*testing.T) {
 	return func(t *testing.T) {
-		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/keys?token=%s", ctx.Username, ctx.Reponame, ctx.Token)
-
 		dataPubKey, err := os.ReadFile(keyFile + ".pub")
 		assert.NoError(t, err)
-		req := NewRequestWithJSON(t, "POST", urlStr, api.CreateKeyOption{
+		req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/keys", ctx.Username, ctx.Reponame), api.CreateKeyOption{
 			Title:    keyname,
 			Key:      string(dataPubKey),
 			ReadOnly: readOnly,
-		})
+		}).AddTokenAuth(ctx.Token)
 
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
@@ -219,13 +216,11 @@ func doAPICreateDeployKey(ctx APITestContext, keyname, keyFile string, readOnly
 
 func doAPICreatePullRequest(ctx APITestContext, owner, repo, baseBranch, headBranch string) func(*testing.T) (api.PullRequest, error) {
 	return func(t *testing.T) (api.PullRequest, error) {
-		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls?token=%s",
-			owner, repo, ctx.Token)
-		req := NewRequestWithJSON(t, http.MethodPost, urlStr, &api.CreatePullRequestOption{
+		req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls", owner, repo), &api.CreatePullRequestOption{
 			Head:  headBranch,
 			Base:  baseBranch,
 			Title: fmt.Sprintf("create a pr from %s to %s", headBranch, baseBranch),
-		})
+		}).AddTokenAuth(ctx.Token)
 
 		expected := http.StatusCreated
 		if ctx.ExpectedCode != 0 {
@@ -242,9 +237,8 @@ func doAPICreatePullRequest(ctx APITestContext, owner, repo, baseBranch, headBra
 
 func doAPIGetPullRequest(ctx APITestContext, owner, repo string, index int64) func(*testing.T) (api.PullRequest, error) {
 	return func(t *testing.T) (api.PullRequest, error) {
-		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d?token=%s",
-			owner, repo, index, ctx.Token)
-		req := NewRequest(t, http.MethodGet, urlStr)
+		req := NewRequest(t, http.MethodGet, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d", owner, repo, index)).
+			AddTokenAuth(ctx.Token)
 
 		expected := http.StatusOK
 		if ctx.ExpectedCode != 0 {
@@ -261,17 +255,16 @@ func doAPIGetPullRequest(ctx APITestContext, owner, repo string, index int64) fu
 
 func doAPIMergePullRequest(ctx APITestContext, owner, repo string, index int64) func(*testing.T) {
 	return func(t *testing.T) {
-		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge?token=%s",
-			owner, repo, index, ctx.Token)
+		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge", owner, repo, index)
 
-		var req *http.Request
+		var req *RequestWrapper
 		var resp *httptest.ResponseRecorder
 
 		for i := 0; i < 6; i++ {
 			req = NewRequestWithJSON(t, http.MethodPost, urlStr, &forms.MergePullRequestForm{
 				MergeMessageField: "doAPIMergePullRequest Merge",
 				Do:                string(repo_model.MergeStyleMerge),
-			})
+			}).AddTokenAuth(ctx.Token)
 
 			resp = ctx.Session.MakeRequest(t, req, NoExpectedStatus)
 
@@ -299,12 +292,11 @@ func doAPIMergePullRequest(ctx APITestContext, owner, repo string, index int64)
 
 func doAPIManuallyMergePullRequest(ctx APITestContext, owner, repo, commitID string, index int64) func(*testing.T) {
 	return func(t *testing.T) {
-		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge?token=%s",
-			owner, repo, index, ctx.Token)
+		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge", owner, repo, index)
 		req := NewRequestWithJSON(t, http.MethodPost, urlStr, &forms.MergePullRequestForm{
 			Do:            string(repo_model.MergeStyleManuallyMerged),
 			MergeCommitID: commitID,
-		})
+		}).AddTokenAuth(ctx.Token)
 
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
@@ -316,38 +308,37 @@ func doAPIManuallyMergePullRequest(ctx APITestContext, owner, repo, commitID str
 
 func doAPIAutoMergePullRequest(ctx APITestContext, owner, repo string, index int64) func(*testing.T) {
 	return func(t *testing.T) {
-		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge?token=%s",
-			owner, repo, index, ctx.Token)
+		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge", owner, repo, index)
 		req := NewRequestWithJSON(t, http.MethodPost, urlStr, &forms.MergePullRequestForm{
 			MergeMessageField:      "doAPIMergePullRequest Merge",
 			Do:                     string(repo_model.MergeStyleMerge),
 			MergeWhenChecksSucceed: true,
-		})
+		}).AddTokenAuth(ctx.Token)
 
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		ctx.Session.MakeRequest(t, req, 200)
+		ctx.Session.MakeRequest(t, req, http.StatusOK)
 	}
 }
 
 func doAPICancelAutoMergePullRequest(ctx APITestContext, owner, repo string, index int64) func(*testing.T) {
 	return func(t *testing.T) {
-		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge?token=%s",
-			owner, repo, index, ctx.Token)
-		req := NewRequest(t, http.MethodDelete, urlStr)
+		req := NewRequest(t, http.MethodDelete, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge", owner, repo, index)).
+			AddTokenAuth(ctx.Token)
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		ctx.Session.MakeRequest(t, req, 204)
+		ctx.Session.MakeRequest(t, req, http.StatusNoContent)
 	}
 }
 
 func doAPIGetBranch(ctx APITestContext, branch string, callback ...func(*testing.T, api.Branch)) func(*testing.T) {
 	return func(t *testing.T) {
-		req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/branches/%s?token=%s", ctx.Username, ctx.Reponame, branch, ctx.Token)
+		req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/branches/%s", ctx.Username, ctx.Reponame, branch).
+			AddTokenAuth(ctx.Token)
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
@@ -364,8 +355,8 @@ func doAPIGetBranch(ctx APITestContext, branch string, callback ...func(*testing
 
 func doAPICreateFile(ctx APITestContext, treepath string, options *api.CreateFileOptions, callback ...func(*testing.T, api.FileResponse)) func(*testing.T) {
 	return func(t *testing.T) {
-		url := fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", ctx.Username, ctx.Reponame, treepath, ctx.Token)
-		req := NewRequestWithJSON(t, "POST", url, &options)
+		req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", ctx.Username, ctx.Reponame, treepath), &options).
+			AddTokenAuth(ctx.Token)
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
@@ -382,9 +373,8 @@ func doAPICreateFile(ctx APITestContext, treepath string, options *api.CreateFil
 
 func doAPICreateOrganization(ctx APITestContext, options *api.CreateOrgOption, callback ...func(*testing.T, api.Organization)) func(t *testing.T) {
 	return func(t *testing.T) {
-		url := fmt.Sprintf("/api/v1/orgs?token=%s", ctx.Token)
-
-		req := NewRequestWithJSON(t, "POST", url, &options)
+		req := NewRequestWithJSON(t, "POST", "/api/v1/orgs", &options).
+			AddTokenAuth(ctx.Token)
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
@@ -401,9 +391,8 @@ func doAPICreateOrganization(ctx APITestContext, options *api.CreateOrgOption, c
 
 func doAPICreateOrganizationRepository(ctx APITestContext, orgName string, options *api.CreateRepoOption, callback ...func(*testing.T, api.Repository)) func(t *testing.T) {
 	return func(t *testing.T) {
-		url := fmt.Sprintf("/api/v1/orgs/%s/repos?token=%s", orgName, ctx.Token)
-
-		req := NewRequestWithJSON(t, "POST", url, &options)
+		req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/orgs/%s/repos", orgName), &options).
+			AddTokenAuth(ctx.Token)
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
@@ -420,9 +409,8 @@ func doAPICreateOrganizationRepository(ctx APITestContext, orgName string, optio
 
 func doAPICreateOrganizationTeam(ctx APITestContext, orgName string, options *api.CreateTeamOption, callback ...func(*testing.T, api.Team)) func(t *testing.T) {
 	return func(t *testing.T) {
-		url := fmt.Sprintf("/api/v1/orgs/%s/teams?token=%s", orgName, ctx.Token)
-
-		req := NewRequestWithJSON(t, "POST", url, &options)
+		req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/orgs/%s/teams", orgName), &options).
+			AddTokenAuth(ctx.Token)
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
@@ -439,9 +427,8 @@ func doAPICreateOrganizationTeam(ctx APITestContext, orgName string, options *ap
 
 func doAPIAddUserToOrganizationTeam(ctx APITestContext, teamID int64, username string) func(t *testing.T) {
 	return func(t *testing.T) {
-		url := fmt.Sprintf("/api/v1/teams/%d/members/%s?token=%s", teamID, username, ctx.Token)
-
-		req := NewRequest(t, "PUT", url)
+		req := NewRequest(t, "PUT", fmt.Sprintf("/api/v1/teams/%d/members/%s", teamID, username)).
+			AddTokenAuth(ctx.Token)
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
@@ -452,9 +439,8 @@ func doAPIAddUserToOrganizationTeam(ctx APITestContext, teamID int64, username s
 
 func doAPIAddRepoToOrganizationTeam(ctx APITestContext, teamID int64, orgName, repoName string) func(t *testing.T) {
 	return func(t *testing.T) {
-		url := fmt.Sprintf("/api/v1/teams/%d/repos/%s/%s?token=%s", teamID, orgName, repoName, ctx.Token)
-
-		req := NewRequest(t, "PUT", url)
+		req := NewRequest(t, "PUT", fmt.Sprintf("/api/v1/teams/%d/repos/%s/%s", teamID, orgName, repoName)).
+			AddTokenAuth(ctx.Token)
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
diff --git a/tests/integration/api_httpsig_test.go b/tests/integration/api_httpsig_test.go
index 675ec54ff58f7..30aed3cacceb6 100644
--- a/tests/integration/api_httpsig_test.go
+++ b/tests/integration/api_httpsig_test.go
@@ -5,7 +5,6 @@ package integration
 
 import (
 	"encoding/base64"
-	"fmt"
 	"net/http"
 	"net/url"
 	"testing"
@@ -57,14 +56,14 @@ func TestHTTPSigPubKey(t *testing.T) {
 	defer test.MockVariableValue(&setting.SSH.MinimumKeySizeCheck, false)()
 	session := loginUser(t, "user1")
 	token := url.QueryEscape(getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser))
-	keysURL := fmt.Sprintf("/api/v1/user/keys?token=%s", token)
 	keyType := "ssh-rsa"
 	keyContent := "AAAAB3NzaC1yc2EAAAADAQABAAABAQCqOZB5vkRvXFXups1/0StDRdG8plbNSwsWEnNnP4Bvurxa0+z3W9B8GLKnDiLw5MbpbMNyBlpXw13GfuIeciy10DWTz0xUbiy3J3KabCaT36asIw2y7k6Z0jL0UBnrVENwq5/lUbZYqSZ4rRU744wkhh8TULpzM14npQCZwg6aEbG+MwjzddQ72fR+3BPBrKn5dTmmu8rH99O+U+Nuto81Tg7PA+NUupcHOmhdiEGq49plgVFXK98Vks5tiybL4GuzFyWgyX73Dg/QBMn2eMHt1EMv5Gs3i6GFhKKGo4rjDi9qI6PX5oDR4LTNe6cR8td8YhVD8WFZwLLl/vaYyIqd"
 	rawKeyBody := api.CreateKeyOption{
 		Title: "test-key",
 		Key:   keyType + " " + keyContent,
 	}
-	req := NewRequestWithJSON(t, "POST", keysURL, rawKeyBody)
+	req := NewRequestWithJSON(t, "POST", "/api/v1/user/keys", rawKeyBody).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusCreated)
 
 	// parse our private key and create the httpsig request
@@ -73,7 +72,8 @@ func TestHTTPSigPubKey(t *testing.T) {
 
 	// create the request
 	token = getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadAdmin)
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/admin/users?token=%s", token))
+	req = NewRequest(t, "GET", "/api/v1/admin/users").
+		AddTokenAuth(token)
 
 	signer, _, err := httpsig.NewSSHSigner(sshSigner, httpsig.DigestSha512, []string{httpsig.RequestTarget, "(created)", "(expires)"}, httpsig.Signature, 10)
 	if err != nil {
@@ -81,7 +81,7 @@ func TestHTTPSigPubKey(t *testing.T) {
 	}
 
 	// sign the request
-	err = signer.SignRequest(keyID, req, nil)
+	err = signer.SignRequest(keyID, req.Request, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -124,7 +124,7 @@ func TestHTTPSigCert(t *testing.T) {
 
 	// add our cert to the request
 	certString := base64.RawStdEncoding.EncodeToString(pkcert.(*ssh.Certificate).Marshal())
-	req.Header.Add("x-ssh-certificate", certString)
+	req.SetHeader("x-ssh-certificate", certString)
 
 	signer, _, err := httpsig.NewSSHSigner(certSigner, httpsig.DigestSha512, []string{httpsig.RequestTarget, "(created)", "(expires)", "x-ssh-certificate"}, httpsig.Signature, 10)
 	if err != nil {
@@ -132,7 +132,7 @@ func TestHTTPSigCert(t *testing.T) {
 	}
 
 	// sign the request
-	err = signer.SignRequest(keyID, req, nil)
+	err = signer.SignRequest(keyID, req.Request, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
diff --git a/tests/integration/api_issue_attachment_test.go b/tests/integration/api_issue_attachment_test.go
index 3b43ba2c412c4..4b57d387d875d 100644
--- a/tests/integration/api_issue_attachment_test.go
+++ b/tests/integration/api_issue_attachment_test.go
@@ -33,10 +33,9 @@ func TestAPIGetIssueAttachment(t *testing.T) {
 
 	session := loginUser(t, repoOwner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadIssue)
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/assets/%d?token=%s",
-		repoOwner.Name, repo.Name, issue.Index, attachment.ID, token)
 
-	req := NewRequest(t, "GET", urlStr)
+	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/assets/%d", repoOwner.Name, repo.Name, issue.Index, attachment.ID)).
+		AddTokenAuth(token)
 	resp := session.MakeRequest(t, req, http.StatusOK)
 	apiAttachment := new(api.Attachment)
 	DecodeJSON(t, resp, &apiAttachment)
@@ -54,10 +53,9 @@ func TestAPIListIssueAttachments(t *testing.T) {
 
 	session := loginUser(t, repoOwner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadIssue)
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/assets?token=%s",
-		repoOwner.Name, repo.Name, issue.Index, token)
 
-	req := NewRequest(t, "GET", urlStr)
+	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/assets", repoOwner.Name, repo.Name, issue.Index)).
+		AddTokenAuth(token)
 	resp := session.MakeRequest(t, req, http.StatusOK)
 	apiAttachment := new([]api.Attachment)
 	DecodeJSON(t, resp, &apiAttachment)
@@ -74,8 +72,6 @@ func TestAPICreateIssueAttachment(t *testing.T) {
 
 	session := loginUser(t, repoOwner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/assets?token=%s",
-		repoOwner.Name, repo.Name, issue.Index, token)
 
 	filename := "image.png"
 	buff := generateImg()
@@ -90,7 +86,8 @@ func TestAPICreateIssueAttachment(t *testing.T) {
 	err = writer.Close()
 	assert.NoError(t, err)
 
-	req := NewRequestWithBody(t, "POST", urlStr, body)
+	req := NewRequestWithBody(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/assets", repoOwner.Name, repo.Name, issue.Index), body).
+		AddTokenAuth(token)
 	req.Header.Add("Content-Type", writer.FormDataContentType())
 	resp := session.MakeRequest(t, req, http.StatusCreated)
 
@@ -112,11 +109,11 @@ func TestAPIEditIssueAttachment(t *testing.T) {
 
 	session := loginUser(t, repoOwner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/assets/%d?token=%s",
-		repoOwner.Name, repo.Name, issue.Index, attachment.ID, token)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/assets/%d",
+		repoOwner.Name, repo.Name, issue.Index, attachment.ID)
 	req := NewRequestWithValues(t, "PATCH", urlStr, map[string]string{
 		"name": newAttachmentName,
-	})
+	}).AddTokenAuth(token)
 	resp := session.MakeRequest(t, req, http.StatusCreated)
 	apiAttachment := new(api.Attachment)
 	DecodeJSON(t, resp, &apiAttachment)
@@ -134,10 +131,9 @@ func TestAPIDeleteIssueAttachment(t *testing.T) {
 
 	session := loginUser(t, repoOwner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/assets/%d?token=%s",
-		repoOwner.Name, repo.Name, issue.Index, attachment.ID, token)
 
-	req := NewRequest(t, "DELETE", urlStr)
+	req := NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/assets/%d", repoOwner.Name, repo.Name, issue.Index, attachment.ID)).
+		AddTokenAuth(token)
 	session.MakeRequest(t, req, http.StatusNoContent)
 
 	unittest.AssertNotExistsBean(t, &repo_model.Attachment{ID: attachment.ID, IssueID: issue.ID})
diff --git a/tests/integration/api_issue_label_test.go b/tests/integration/api_issue_label_test.go
index d2d8af102b3bb..35c07182634e2 100644
--- a/tests/integration/api_issue_label_test.go
+++ b/tests/integration/api_issue_label_test.go
@@ -26,14 +26,14 @@ func TestAPIModifyLabels(t *testing.T) {
 	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
 	session := loginUser(t, owner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/labels?token=%s", owner.Name, repo.Name, token)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/labels", owner.Name, repo.Name)
 
 	// CreateLabel
 	req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateLabelOption{
 		Name:        "TestL 1",
 		Color:       "abcdef",
 		Description: "test label",
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusCreated)
 	apiLabel := new(api.Label)
 	DecodeJSON(t, resp, &apiLabel)
@@ -45,24 +45,26 @@ func TestAPIModifyLabels(t *testing.T) {
 		Name:        "TestL 2",
 		Color:       "#123456",
 		Description: "jet another test label",
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusCreated)
 	req = NewRequestWithJSON(t, "POST", urlStr, &api.CreateLabelOption{
 		Name:  "WrongTestL",
 		Color: "#12345g",
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusUnprocessableEntity)
 
 	// ListLabels
-	req = NewRequest(t, "GET", urlStr)
+	req = NewRequest(t, "GET", urlStr).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	var apiLabels []*api.Label
 	DecodeJSON(t, resp, &apiLabels)
 	assert.Len(t, apiLabels, 2)
 
 	// GetLabel
-	singleURLStr := fmt.Sprintf("/api/v1/repos/%s/%s/labels/%d?token=%s", owner.Name, repo.Name, dbLabel.ID, token)
-	req = NewRequest(t, "GET", singleURLStr)
+	singleURLStr := fmt.Sprintf("/api/v1/repos/%s/%s/labels/%d", owner.Name, repo.Name, dbLabel.ID)
+	req = NewRequest(t, "GET", singleURLStr).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiLabel)
 	assert.EqualValues(t, strings.TrimLeft(dbLabel.Color, "#"), apiLabel.Color)
@@ -74,17 +76,18 @@ func TestAPIModifyLabels(t *testing.T) {
 	req = NewRequestWithJSON(t, "PATCH", singleURLStr, &api.EditLabelOption{
 		Name:  &newName,
 		Color: &newColor,
-	})
+	}).AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiLabel)
 	assert.EqualValues(t, newColor, apiLabel.Color)
 	req = NewRequestWithJSON(t, "PATCH", singleURLStr, &api.EditLabelOption{
 		Color: &newColorWrong,
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusUnprocessableEntity)
 
 	// DeleteLabel
-	req = NewRequest(t, "DELETE", singleURLStr)
+	req = NewRequest(t, "DELETE", singleURLStr).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 }
 
@@ -98,11 +101,11 @@ func TestAPIAddIssueLabels(t *testing.T) {
 
 	session := loginUser(t, owner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/labels?token=%s",
-		repo.OwnerName, repo.Name, issue.Index, token)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/labels",
+		repo.OwnerName, repo.Name, issue.Index)
 	req := NewRequestWithJSON(t, "POST", urlStr, &api.IssueLabelsOption{
 		Labels: []int64{1, 2},
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	var apiLabels []*api.Label
 	DecodeJSON(t, resp, &apiLabels)
@@ -121,11 +124,11 @@ func TestAPIReplaceIssueLabels(t *testing.T) {
 
 	session := loginUser(t, owner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/labels?token=%s",
-		owner.Name, repo.Name, issue.Index, token)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/labels",
+		owner.Name, repo.Name, issue.Index)
 	req := NewRequestWithJSON(t, "PUT", urlStr, &api.IssueLabelsOption{
 		Labels: []int64{label.ID},
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	var apiLabels []*api.Label
 	DecodeJSON(t, resp, &apiLabels)
@@ -145,14 +148,14 @@ func TestAPIModifyOrgLabels(t *testing.T) {
 	user := "user1"
 	session := loginUser(t, user)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteOrganization)
-	urlStr := fmt.Sprintf("/api/v1/orgs/%s/labels?token=%s", owner.Name, token)
+	urlStr := fmt.Sprintf("/api/v1/orgs/%s/labels", owner.Name)
 
 	// CreateLabel
 	req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateLabelOption{
 		Name:        "TestL 1",
 		Color:       "abcdef",
 		Description: "test label",
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusCreated)
 	apiLabel := new(api.Label)
 	DecodeJSON(t, resp, &apiLabel)
@@ -164,24 +167,26 @@ func TestAPIModifyOrgLabels(t *testing.T) {
 		Name:        "TestL 2",
 		Color:       "#123456",
 		Description: "jet another test label",
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusCreated)
 	req = NewRequestWithJSON(t, "POST", urlStr, &api.CreateLabelOption{
 		Name:  "WrongTestL",
 		Color: "#12345g",
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusUnprocessableEntity)
 
 	// ListLabels
-	req = NewRequest(t, "GET", urlStr)
+	req = NewRequest(t, "GET", urlStr).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	var apiLabels []*api.Label
 	DecodeJSON(t, resp, &apiLabels)
 	assert.Len(t, apiLabels, 4)
 
 	// GetLabel
-	singleURLStr := fmt.Sprintf("/api/v1/orgs/%s/labels/%d?token=%s", owner.Name, dbLabel.ID, token)
-	req = NewRequest(t, "GET", singleURLStr)
+	singleURLStr := fmt.Sprintf("/api/v1/orgs/%s/labels/%d", owner.Name, dbLabel.ID)
+	req = NewRequest(t, "GET", singleURLStr).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiLabel)
 	assert.EqualValues(t, strings.TrimLeft(dbLabel.Color, "#"), apiLabel.Color)
@@ -193,16 +198,17 @@ func TestAPIModifyOrgLabels(t *testing.T) {
 	req = NewRequestWithJSON(t, "PATCH", singleURLStr, &api.EditLabelOption{
 		Name:  &newName,
 		Color: &newColor,
-	})
+	}).AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiLabel)
 	assert.EqualValues(t, newColor, apiLabel.Color)
 	req = NewRequestWithJSON(t, "PATCH", singleURLStr, &api.EditLabelOption{
 		Color: &newColorWrong,
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusUnprocessableEntity)
 
 	// DeleteLabel
-	req = NewRequest(t, "DELETE", singleURLStr)
+	req = NewRequest(t, "DELETE", singleURLStr).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 }
diff --git a/tests/integration/api_issue_milestone_test.go b/tests/integration/api_issue_milestone_test.go
index 3bd763f4b52cf..32ac56298fab4 100644
--- a/tests/integration/api_issue_milestone_test.go
+++ b/tests/integration/api_issue_milestone_test.go
@@ -34,48 +34,53 @@ func TestAPIIssuesMilestone(t *testing.T) {
 	// update values of issue
 	milestoneState := "closed"
 
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/milestones/%d?token=%s", owner.Name, repo.Name, milestone.ID, token)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/milestones/%d", owner.Name, repo.Name, milestone.ID)
 	req := NewRequestWithJSON(t, "PATCH", urlStr, structs.EditMilestoneOption{
 		State: &milestoneState,
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	var apiMilestone structs.Milestone
 	DecodeJSON(t, resp, &apiMilestone)
 	assert.EqualValues(t, "closed", apiMilestone.State)
 
-	req = NewRequest(t, "GET", urlStr)
+	req = NewRequest(t, "GET", urlStr).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	var apiMilestone2 structs.Milestone
 	DecodeJSON(t, resp, &apiMilestone2)
 	assert.EqualValues(t, "closed", apiMilestone2.State)
 
-	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/milestones?token=%s", owner.Name, repo.Name, token), structs.CreateMilestoneOption{
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/milestones", owner.Name, repo.Name), structs.CreateMilestoneOption{
 		Title:       "wow",
 		Description: "closed one",
 		State:       "closed",
-	})
+	}).AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusCreated)
 	DecodeJSON(t, resp, &apiMilestone)
 	assert.Equal(t, "wow", apiMilestone.Title)
 	assert.Equal(t, structs.StateClosed, apiMilestone.State)
 
 	var apiMilestones []structs.Milestone
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/milestones?state=%s&token=%s", owner.Name, repo.Name, "all", token))
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/milestones?state=%s", owner.Name, repo.Name, "all")).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiMilestones)
 	assert.Len(t, apiMilestones, 4)
 
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/milestones/%s?token=%s", owner.Name, repo.Name, apiMilestones[2].Title, token))
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/milestones/%s", owner.Name, repo.Name, apiMilestones[2].Title)).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiMilestone)
 	assert.EqualValues(t, apiMilestones[2], apiMilestone)
 
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/milestones?state=%s&name=%s&token=%s", owner.Name, repo.Name, "all", "milestone2", token))
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/milestones?state=%s&name=%s", owner.Name, repo.Name, "all", "milestone2")).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiMilestones)
 	assert.Len(t, apiMilestones, 1)
 	assert.Equal(t, int64(2), apiMilestones[0].ID)
 
-	req = NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s/milestones/%d?token=%s", owner.Name, repo.Name, apiMilestone.ID, token))
+	req = NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s/milestones/%d", owner.Name, repo.Name, apiMilestone.ID)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 }
diff --git a/tests/integration/api_issue_pin_test.go b/tests/integration/api_issue_pin_test.go
index 5a9efc058bfba..1cff937254b85 100644
--- a/tests/integration/api_issue_pin_test.go
+++ b/tests/integration/api_issue_pin_test.go
@@ -32,14 +32,12 @@ func TestAPIPinIssue(t *testing.T) {
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
 
 	// Pin the Issue
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/pin?token=%s",
-		repo.OwnerName, repo.Name, issue.Index, token)
-	req := NewRequest(t, "POST", urlStr)
+	req := NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/pin", repo.OwnerName, repo.Name, issue.Index)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	// Check if the Issue is pinned
-	urlStr = fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d", repo.OwnerName, repo.Name, issue.Index)
-	req = NewRequest(t, "GET", urlStr)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d", repo.OwnerName, repo.Name, issue.Index))
 	resp := MakeRequest(t, req, http.StatusOK)
 	var issueAPI api.Issue
 	DecodeJSON(t, resp, &issueAPI)
@@ -59,28 +57,24 @@ func TestAPIUnpinIssue(t *testing.T) {
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
 
 	// Pin the Issue
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/pin?token=%s",
-		repo.OwnerName, repo.Name, issue.Index, token)
-	req := NewRequest(t, "POST", urlStr)
+	req := NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/pin", repo.OwnerName, repo.Name, issue.Index)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	// Check if the Issue is pinned
-	urlStr = fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d", repo.OwnerName, repo.Name, issue.Index)
-	req = NewRequest(t, "GET", urlStr)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d", repo.OwnerName, repo.Name, issue.Index))
 	resp := MakeRequest(t, req, http.StatusOK)
 	var issueAPI api.Issue
 	DecodeJSON(t, resp, &issueAPI)
 	assert.Equal(t, 1, issueAPI.PinOrder)
 
 	// Unpin the Issue
-	urlStr = fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/pin?token=%s",
-		repo.OwnerName, repo.Name, issue.Index, token)
-	req = NewRequest(t, "DELETE", urlStr)
+	req = NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/pin", repo.OwnerName, repo.Name, issue.Index)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	// Check if the Issue is no longer pinned
-	urlStr = fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d", repo.OwnerName, repo.Name, issue.Index)
-	req = NewRequest(t, "GET", urlStr)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d", repo.OwnerName, repo.Name, issue.Index))
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &issueAPI)
 	assert.Equal(t, 0, issueAPI.PinOrder)
@@ -100,42 +94,36 @@ func TestAPIMoveIssuePin(t *testing.T) {
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
 
 	// Pin the first Issue
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/pin?token=%s",
-		repo.OwnerName, repo.Name, issue.Index, token)
-	req := NewRequest(t, "POST", urlStr)
+	req := NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/pin", repo.OwnerName, repo.Name, issue.Index)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	// Check if the first Issue is pinned at position 1
-	urlStr = fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d", repo.OwnerName, repo.Name, issue.Index)
-	req = NewRequest(t, "GET", urlStr)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d", repo.OwnerName, repo.Name, issue.Index))
 	resp := MakeRequest(t, req, http.StatusOK)
 	var issueAPI api.Issue
 	DecodeJSON(t, resp, &issueAPI)
 	assert.Equal(t, 1, issueAPI.PinOrder)
 
 	// Pin the second Issue
-	urlStr = fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/pin?token=%s",
-		repo.OwnerName, repo.Name, issue2.Index, token)
-	req = NewRequest(t, "POST", urlStr)
+	req = NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/pin", repo.OwnerName, repo.Name, issue2.Index)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	// Move the first Issue to position 2
-	urlStr = fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/pin/2?token=%s",
-		repo.OwnerName, repo.Name, issue.Index, token)
-	req = NewRequest(t, "PATCH", urlStr)
+	req = NewRequest(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/pin/2", repo.OwnerName, repo.Name, issue.Index)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	// Check if the first Issue is pinned at position 2
-	urlStr = fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d", repo.OwnerName, repo.Name, issue.Index)
-	req = NewRequest(t, "GET", urlStr)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d", repo.OwnerName, repo.Name, issue.Index))
 	resp = MakeRequest(t, req, http.StatusOK)
 	var issueAPI3 api.Issue
 	DecodeJSON(t, resp, &issueAPI3)
 	assert.Equal(t, 2, issueAPI3.PinOrder)
 
 	// Check if the second Issue is pinned at position 1
-	urlStr = fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d", repo.OwnerName, repo.Name, issue2.Index)
-	req = NewRequest(t, "GET", urlStr)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d", repo.OwnerName, repo.Name, issue2.Index))
 	resp = MakeRequest(t, req, http.StatusOK)
 	var issueAPI4 api.Issue
 	DecodeJSON(t, resp, &issueAPI4)
@@ -155,14 +143,12 @@ func TestAPIListPinnedIssues(t *testing.T) {
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
 
 	// Pin the Issue
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/pin?token=%s",
-		repo.OwnerName, repo.Name, issue.Index, token)
-	req := NewRequest(t, "POST", urlStr)
+	req := NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/pin", repo.OwnerName, repo.Name, issue.Index)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	// Check if the Issue is in the List
-	urlStr = fmt.Sprintf("/api/v1/repos/%s/%s/issues/pinned", repo.OwnerName, repo.Name)
-	req = NewRequest(t, "GET", urlStr)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/issues/pinned", repo.OwnerName, repo.Name))
 	resp := MakeRequest(t, req, http.StatusOK)
 	var issueList []api.Issue
 	DecodeJSON(t, resp, &issueList)
@@ -178,8 +164,7 @@ func TestAPIListPinnedPullrequests(t *testing.T) {
 
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
 
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/pinned", repo.OwnerName, repo.Name)
-	req := NewRequest(t, "GET", urlStr)
+	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/pulls/pinned", repo.OwnerName, repo.Name))
 	resp := MakeRequest(t, req, http.StatusOK)
 	var prList []api.PullRequest
 	DecodeJSON(t, resp, &prList)
@@ -193,8 +178,7 @@ func TestAPINewPinAllowed(t *testing.T) {
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
 	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
 
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/new_pin_allowed", owner.Name, repo.Name)
-	req := NewRequest(t, "GET", urlStr)
+	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/new_pin_allowed", owner.Name, repo.Name))
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var newPinsAllowed api.NewIssuePinsAllowed
diff --git a/tests/integration/api_issue_reaction_test.go b/tests/integration/api_issue_reaction_test.go
index 124d729353ca7..4ca909f2812b9 100644
--- a/tests/integration/api_issue_reaction_test.go
+++ b/tests/integration/api_issue_reaction_test.go
@@ -33,25 +33,24 @@ func TestAPIIssuesReactions(t *testing.T) {
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
 
 	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/reactions?token=%s",
-		owner.Name, issue.Repo.Name, issue.Index, token)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/reactions", owner.Name, issue.Repo.Name, issue.Index)
 
 	// Try to add not allowed reaction
 	req := NewRequestWithJSON(t, "POST", urlStr, &api.EditReactionOption{
 		Reaction: "wrong",
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusForbidden)
 
 	// Delete not allowed reaction
 	req = NewRequestWithJSON(t, "DELETE", urlStr, &api.EditReactionOption{
 		Reaction: "zzz",
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusOK)
 
 	// Add allowed reaction
 	req = NewRequestWithJSON(t, "POST", urlStr, &api.EditReactionOption{
 		Reaction: "rocket",
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusCreated)
 	var apiNewReaction api.Reaction
 	DecodeJSON(t, resp, &apiNewReaction)
@@ -60,7 +59,8 @@ func TestAPIIssuesReactions(t *testing.T) {
 	MakeRequest(t, req, http.StatusForbidden)
 
 	// Get end result of reaction list of issue #1
-	req = NewRequestf(t, "GET", urlStr)
+	req = NewRequest(t, "GET", urlStr).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	var apiReactions []*api.Reaction
 	DecodeJSON(t, resp, &apiReactions)
@@ -93,19 +93,18 @@ func TestAPICommentReactions(t *testing.T) {
 
 	user1 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
 	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d/reactions?token=%s",
-		owner.Name, issue.Repo.Name, comment.ID, token)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d/reactions", owner.Name, issue.Repo.Name, comment.ID)
 
 	// Try to add not allowed reaction
 	req := NewRequestWithJSON(t, "POST", urlStr, &api.EditReactionOption{
 		Reaction: "wrong",
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusForbidden)
 
 	// Delete none existing reaction
 	req = NewRequestWithJSON(t, "DELETE", urlStr, &api.EditReactionOption{
 		Reaction: "eyes",
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusOK)
 
 	t.Run("UnrelatedCommentID", func(t *testing.T) {
@@ -113,25 +112,25 @@ func TestAPICommentReactions(t *testing.T) {
 		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
 		repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
 		token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeWriteIssue)
-		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d/reactions?token=%s",
-			repoOwner.Name, repo.Name, comment.ID, token)
+		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d/reactions", repoOwner.Name, repo.Name, comment.ID)
 		req = NewRequestWithJSON(t, "POST", urlStr, &api.EditReactionOption{
 			Reaction: "+1",
-		})
+		}).AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusNotFound)
 		req = NewRequestWithJSON(t, "DELETE", urlStr, &api.EditReactionOption{
 			Reaction: "+1",
-		})
+		}).AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusNotFound)
 
-		req = NewRequestf(t, "GET", urlStr)
+		req = NewRequest(t, "GET", urlStr).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusNotFound)
 	})
 
 	// Add allowed reaction
 	req = NewRequestWithJSON(t, "POST", urlStr, &api.EditReactionOption{
 		Reaction: "+1",
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusCreated)
 	var apiNewReaction api.Reaction
 	DecodeJSON(t, resp, &apiNewReaction)
@@ -140,7 +139,8 @@ func TestAPICommentReactions(t *testing.T) {
 	MakeRequest(t, req, http.StatusForbidden)
 
 	// Get end result of reaction list of issue #1
-	req = NewRequestf(t, "GET", urlStr)
+	req = NewRequest(t, "GET", urlStr).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	var apiReactions []*api.Reaction
 	DecodeJSON(t, resp, &apiReactions)
diff --git a/tests/integration/api_issue_stopwatch_test.go b/tests/integration/api_issue_stopwatch_test.go
index 09d404ce4e231..23066782173ac 100644
--- a/tests/integration/api_issue_stopwatch_test.go
+++ b/tests/integration/api_issue_stopwatch_test.go
@@ -27,7 +27,8 @@ func TestAPIListStopWatches(t *testing.T) {
 
 	session := loginUser(t, owner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository, auth_model.AccessTokenScopeReadUser)
-	req := NewRequestf(t, "GET", "/api/v1/user/stopwatches?token=%s", token)
+	req := NewRequest(t, "GET", "/api/v1/user/stopwatches").
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	var apiWatches []*api.StopWatch
 	DecodeJSON(t, resp, &apiWatches)
@@ -54,7 +55,8 @@ func TestAPIStopStopWatches(t *testing.T) {
 	session := loginUser(t, user.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
 
-	req := NewRequestf(t, "POST", "/api/v1/repos/%s/%s/issues/%d/stopwatch/stop?token=%s", owner.Name, issue.Repo.Name, issue.Index, token)
+	req := NewRequestf(t, "POST", "/api/v1/repos/%s/%s/issues/%d/stopwatch/stop", owner.Name, issue.Repo.Name, issue.Index).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusCreated)
 	MakeRequest(t, req, http.StatusConflict)
 }
@@ -70,7 +72,8 @@ func TestAPICancelStopWatches(t *testing.T) {
 	session := loginUser(t, user.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
 
-	req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/%d/stopwatch/delete?token=%s", owner.Name, issue.Repo.Name, issue.Index, token)
+	req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/%d/stopwatch/delete", owner.Name, issue.Repo.Name, issue.Index).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 	MakeRequest(t, req, http.StatusConflict)
 }
@@ -86,7 +89,8 @@ func TestAPIStartStopWatches(t *testing.T) {
 	session := loginUser(t, user.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
 
-	req := NewRequestf(t, "POST", "/api/v1/repos/%s/%s/issues/%d/stopwatch/start?token=%s", owner.Name, issue.Repo.Name, issue.Index, token)
+	req := NewRequestf(t, "POST", "/api/v1/repos/%s/%s/issues/%d/stopwatch/start", owner.Name, issue.Repo.Name, issue.Index).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusCreated)
 	MakeRequest(t, req, http.StatusConflict)
 }
diff --git a/tests/integration/api_issue_subscription_test.go b/tests/integration/api_issue_subscription_test.go
index 28650a337523f..7a716301c4667 100644
--- a/tests/integration/api_issue_subscription_test.go
+++ b/tests/integration/api_issue_subscription_test.go
@@ -37,8 +37,8 @@ func TestAPIIssueSubscriptions(t *testing.T) {
 	testSubscription := func(issue *issues_model.Issue, isWatching bool) {
 		issueRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
 
-		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/subscriptions/check?token=%s", issueRepo.OwnerName, issueRepo.Name, issue.Index, token)
-		req := NewRequest(t, "GET", urlStr)
+		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/subscriptions/check", issueRepo.OwnerName, issueRepo.Name, issue.Index)).
+			AddTokenAuth(token)
 		resp := MakeRequest(t, req, http.StatusOK)
 		wi := new(api.WatchInfo)
 		DecodeJSON(t, resp, wi)
@@ -57,22 +57,26 @@ func TestAPIIssueSubscriptions(t *testing.T) {
 	testSubscription(issue5, false)
 
 	issue1Repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue1.RepoID})
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/subscriptions/%s?token=%s", issue1Repo.OwnerName, issue1Repo.Name, issue1.Index, owner.Name, token)
-	req := NewRequest(t, "DELETE", urlStr)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/subscriptions/%s", issue1Repo.OwnerName, issue1Repo.Name, issue1.Index, owner.Name)
+	req := NewRequest(t, "DELETE", urlStr).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusCreated)
 	testSubscription(issue1, false)
 
-	req = NewRequest(t, "DELETE", urlStr)
+	req = NewRequest(t, "DELETE", urlStr).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusOK)
 	testSubscription(issue1, false)
 
 	issue5Repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue5.RepoID})
-	urlStr = fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/subscriptions/%s?token=%s", issue5Repo.OwnerName, issue5Repo.Name, issue5.Index, owner.Name, token)
-	req = NewRequest(t, "PUT", urlStr)
+	urlStr = fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/subscriptions/%s", issue5Repo.OwnerName, issue5Repo.Name, issue5.Index, owner.Name)
+	req = NewRequest(t, "PUT", urlStr).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusCreated)
 	testSubscription(issue5, true)
 
-	req = NewRequest(t, "PUT", urlStr)
+	req = NewRequest(t, "PUT", urlStr).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusOK)
 	testSubscription(issue5, true)
 }
diff --git a/tests/integration/api_issue_test.go b/tests/integration/api_issue_test.go
index 29f09fa09e747..dcccafb0f29b3 100644
--- a/tests/integration/api_issue_test.go
+++ b/tests/integration/api_issue_test.go
@@ -84,12 +84,12 @@ func TestAPICreateIssue(t *testing.T) {
 
 	session := loginUser(t, owner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues?state=all&token=%s", owner.Name, repoBefore.Name, token)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues?state=all", owner.Name, repoBefore.Name)
 	req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateIssueOption{
 		Body:     body,
 		Title:    title,
 		Assignee: owner.Name,
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusCreated)
 	var apiIssue api.Issue
 	DecodeJSON(t, resp, &apiIssue)
@@ -117,7 +117,7 @@ func TestAPICreateIssueParallel(t *testing.T) {
 
 	session := loginUser(t, owner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues?state=all&token=%s", owner.Name, repoBefore.Name, token)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues?state=all", owner.Name, repoBefore.Name)
 
 	var wg sync.WaitGroup
 	for i := 0; i < 10; i++ {
@@ -130,7 +130,7 @@ func TestAPICreateIssueParallel(t *testing.T) {
 					Body:     newBody,
 					Title:    newTitle,
 					Assignee: owner.Name,
-				})
+				}).AddTokenAuth(token)
 				resp := MakeRequest(t, req, http.StatusCreated)
 				var apiIssue api.Issue
 				DecodeJSON(t, resp, &apiIssue)
@@ -171,7 +171,7 @@ func TestAPIEditIssue(t *testing.T) {
 	body := "new content!"
 	title := "new title from api set"
 
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d?token=%s", owner.Name, repoBefore.Name, issueBefore.Index, token)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d", owner.Name, repoBefore.Name, issueBefore.Index)
 	req := NewRequestWithJSON(t, "PATCH", urlStr, api.EditIssueOption{
 		State:          &issueState,
 		RemoveDeadline: &removeDeadline,
@@ -180,7 +180,7 @@ func TestAPIEditIssue(t *testing.T) {
 		Title:          title,
 
 		// ToDo change more
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusCreated)
 	var apiIssue api.Issue
 	DecodeJSON(t, resp, &apiIssue)
diff --git a/tests/integration/api_issue_tracked_time_test.go b/tests/integration/api_issue_tracked_time_test.go
index d3e45456a6c61..fd2c452b20682 100644
--- a/tests/integration/api_issue_tracked_time_test.go
+++ b/tests/integration/api_issue_tracked_time_test.go
@@ -30,7 +30,8 @@ func TestAPIGetTrackedTimes(t *testing.T) {
 	session := loginUser(t, user2.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadIssue)
 
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/%d/times?token=%s", user2.Name, issue2.Repo.Name, issue2.Index, token)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/%d/times", user2.Name, issue2.Repo.Name, issue2.Index).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	var apiTimes api.TrackedTimeList
 	DecodeJSON(t, resp, &apiTimes)
@@ -53,7 +54,8 @@ func TestAPIGetTrackedTimes(t *testing.T) {
 	since := "2000-01-01T00%3A00%3A02%2B00%3A00"  // 946684802
 	before := "2000-01-01T00%3A00%3A12%2B00%3A00" // 946684812
 
-	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/%d/times?since=%s&before=%s&token=%s", user2.Name, issue2.Repo.Name, issue2.Index, since, before, token)
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/%d/times?since=%s&before=%s", user2.Name, issue2.Repo.Name, issue2.Index, since, before).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	var filterAPITimes api.TrackedTimeList
 	DecodeJSON(t, resp, &filterAPITimes)
@@ -74,11 +76,13 @@ func TestAPIDeleteTrackedTime(t *testing.T) {
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
 
 	// Deletion not allowed
-	req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/%d/times/%d?token=%s", user2.Name, issue2.Repo.Name, issue2.Index, time6.ID, token)
+	req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/%d/times/%d", user2.Name, issue2.Repo.Name, issue2.Index, time6.ID).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusForbidden)
 
 	time3 := unittest.AssertExistsAndLoadBean(t, &issues_model.TrackedTime{ID: 3})
-	req = NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/%d/times/%d?token=%s", user2.Name, issue2.Repo.Name, issue2.Index, time3.ID, token)
+	req = NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/%d/times/%d", user2.Name, issue2.Repo.Name, issue2.Index, time3.ID).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 	// Delete non existing time
 	MakeRequest(t, req, http.StatusNotFound)
@@ -88,7 +92,8 @@ func TestAPIDeleteTrackedTime(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, int64(3661), trackedSeconds)
 
-	req = NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/%d/times?token=%s", user2.Name, issue2.Repo.Name, issue2.Index, token)
+	req = NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/%d/times", user2.Name, issue2.Repo.Name, issue2.Index).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 	MakeRequest(t, req, http.StatusNotFound)
 
@@ -108,13 +113,13 @@ func TestAPIAddTrackedTimes(t *testing.T) {
 	session := loginUser(t, admin.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
 
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/times?token=%s", user2.Name, issue2.Repo.Name, issue2.Index, token)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/times", user2.Name, issue2.Repo.Name, issue2.Index)
 
 	req := NewRequestWithJSON(t, "POST", urlStr, &api.AddTimeOption{
 		Time:    33,
 		User:    user2.Name,
 		Created: time.Unix(947688818, 0),
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	var apiNewTime api.TrackedTime
 	DecodeJSON(t, resp, &apiNewTime)
diff --git a/tests/integration/api_keys_test.go b/tests/integration/api_keys_test.go
index 03d28c9126656..89ad1ec0df510 100644
--- a/tests/integration/api_keys_test.go
+++ b/tests/integration/api_keys_test.go
@@ -55,13 +55,14 @@ func TestCreateReadOnlyDeployKey(t *testing.T) {
 
 	session := loginUser(t, repoOwner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
-	keysURL := fmt.Sprintf("/api/v1/repos/%s/%s/keys?token=%s", repoOwner.Name, repo.Name, token)
+	keysURL := fmt.Sprintf("/api/v1/repos/%s/%s/keys", repoOwner.Name, repo.Name)
 	rawKeyBody := api.CreateKeyOption{
 		Title:    "read-only",
 		Key:      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4cn+iXnA4KvcQYSV88vGn0Yi91vG47t1P7okprVmhNTkipNRIHWr6WdCO4VDr/cvsRkuVJAsLO2enwjGWWueOO6BodiBgyAOZ/5t5nJNMCNuLGT5UIo/RI1b0WRQwxEZTRjt6mFNw6lH14wRd8ulsr9toSWBPMOGWoYs1PDeDL0JuTjL+tr1SZi/EyxCngpYszKdXllJEHyI79KQgeD0Vt3pTrkbNVTOEcCNqZePSVmUH8X8Vhugz3bnE0/iE9Pb5fkWO9c4AnM1FgI/8Bvp27Fw2ShryIXuR6kKvUqhVMTuOSDHwu6A8jLE5Owt3GAYugDpDYuwTVNGrHLXKpPzrGGPE/jPmaLCMZcsdkec95dYeU3zKODEm8UQZFhmJmDeWVJ36nGrGZHL4J5aTTaeFUJmmXDaJYiJ+K2/ioKgXqnXvltu0A9R8/LGy4nrTJRr4JMLuJFoUXvGm1gXQ70w2LSpk6yl71RNC0hCtsBe8BP8IhYCM0EP5jh7eCMQZNvM= nocomment\n",
 		ReadOnly: true,
 	}
-	req := NewRequestWithJSON(t, "POST", keysURL, rawKeyBody)
+	req := NewRequestWithJSON(t, "POST", keysURL, rawKeyBody).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusCreated)
 
 	var newDeployKey api.DeployKey
@@ -75,12 +76,14 @@ func TestCreateReadOnlyDeployKey(t *testing.T) {
 
 	// Using the ID of a key that does not belong to the repository must fail
 	{
-		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/keys/%d?token=%s", repoOwner.Name, repo.Name, newDeployKey.ID, token))
+		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/keys/%d", repoOwner.Name, repo.Name, newDeployKey.ID)).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusOK)
 
 		session5 := loginUser(t, "user5")
 		token5 := getTokenForLoggedInUser(t, session5, auth_model.AccessTokenScopeWriteRepository)
-		req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/user5/repo4/keys/%d?token=%s", newDeployKey.ID, token5))
+		req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/user5/repo4/keys/%d", newDeployKey.ID)).
+			AddTokenAuth(token5)
 		MakeRequest(t, req, http.StatusNotFound)
 	}
 }
@@ -92,12 +95,13 @@ func TestCreateReadWriteDeployKey(t *testing.T) {
 
 	session := loginUser(t, repoOwner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
-	keysURL := fmt.Sprintf("/api/v1/repos/%s/%s/keys?token=%s", repoOwner.Name, repo.Name, token)
+	keysURL := fmt.Sprintf("/api/v1/repos/%s/%s/keys", repoOwner.Name, repo.Name)
 	rawKeyBody := api.CreateKeyOption{
 		Title: "read-write",
 		Key:   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4cn+iXnA4KvcQYSV88vGn0Yi91vG47t1P7okprVmhNTkipNRIHWr6WdCO4VDr/cvsRkuVJAsLO2enwjGWWueOO6BodiBgyAOZ/5t5nJNMCNuLGT5UIo/RI1b0WRQwxEZTRjt6mFNw6lH14wRd8ulsr9toSWBPMOGWoYs1PDeDL0JuTjL+tr1SZi/EyxCngpYszKdXllJEHyI79KQgeD0Vt3pTrkbNVTOEcCNqZePSVmUH8X8Vhugz3bnE0/iE9Pb5fkWO9c4AnM1FgI/8Bvp27Fw2ShryIXuR6kKvUqhVMTuOSDHwu6A8jLE5Owt3GAYugDpDYuwTVNGrHLXKpPzrGGPE/jPmaLCMZcsdkec95dYeU3zKODEm8UQZFhmJmDeWVJ36nGrGZHL4J5aTTaeFUJmmXDaJYiJ+K2/ioKgXqnXvltu0A9R8/LGy4nrTJRr4JMLuJFoUXvGm1gXQ70w2LSpk6yl71RNC0hCtsBe8BP8IhYCM0EP5jh7eCMQZNvM= nocomment\n",
 	}
-	req := NewRequestWithJSON(t, "POST", keysURL, rawKeyBody)
+	req := NewRequestWithJSON(t, "POST", keysURL, rawKeyBody).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusCreated)
 
 	var newDeployKey api.DeployKey
@@ -116,14 +120,14 @@ func TestCreateUserKey(t *testing.T) {
 
 	session := loginUser(t, "user1")
 	token := url.QueryEscape(getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser))
-	keysURL := fmt.Sprintf("/api/v1/user/keys?token=%s", token)
 	keyType := "ssh-rsa"
 	keyContent := "AAAAB3NzaC1yc2EAAAADAQABAAABgQC4cn+iXnA4KvcQYSV88vGn0Yi91vG47t1P7okprVmhNTkipNRIHWr6WdCO4VDr/cvsRkuVJAsLO2enwjGWWueOO6BodiBgyAOZ/5t5nJNMCNuLGT5UIo/RI1b0WRQwxEZTRjt6mFNw6lH14wRd8ulsr9toSWBPMOGWoYs1PDeDL0JuTjL+tr1SZi/EyxCngpYszKdXllJEHyI79KQgeD0Vt3pTrkbNVTOEcCNqZePSVmUH8X8Vhugz3bnE0/iE9Pb5fkWO9c4AnM1FgI/8Bvp27Fw2ShryIXuR6kKvUqhVMTuOSDHwu6A8jLE5Owt3GAYugDpDYuwTVNGrHLXKpPzrGGPE/jPmaLCMZcsdkec95dYeU3zKODEm8UQZFhmJmDeWVJ36nGrGZHL4J5aTTaeFUJmmXDaJYiJ+K2/ioKgXqnXvltu0A9R8/LGy4nrTJRr4JMLuJFoUXvGm1gXQ70w2LSpk6yl71RNC0hCtsBe8BP8IhYCM0EP5jh7eCMQZNvM="
 	rawKeyBody := api.CreateKeyOption{
 		Title: "test-key",
 		Key:   keyType + " " + keyContent,
 	}
-	req := NewRequestWithJSON(t, "POST", keysURL, rawKeyBody)
+	req := NewRequestWithJSON(t, "POST", "/api/v1/user/keys", rawKeyBody).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusCreated)
 
 	var newPublicKey api.PublicKey
@@ -139,9 +143,8 @@ func TestCreateUserKey(t *testing.T) {
 	})
 
 	// Search by fingerprint
-	fingerprintURL := fmt.Sprintf("/api/v1/user/keys?token=%s&fingerprint=%s", token, newPublicKey.Fingerprint)
-
-	req = NewRequest(t, "GET", fingerprintURL)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/keys?fingerprint=%s", newPublicKey.Fingerprint)).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 
 	var fingerprintPublicKeys []api.PublicKey
@@ -150,9 +153,8 @@ func TestCreateUserKey(t *testing.T) {
 	assert.Equal(t, newPublicKey.ID, fingerprintPublicKeys[0].ID)
 	assert.Equal(t, user.ID, fingerprintPublicKeys[0].Owner.ID)
 
-	fingerprintURL = fmt.Sprintf("/api/v1/users/%s/keys?token=%s&fingerprint=%s", user.Name, token, newPublicKey.Fingerprint)
-
-	req = NewRequest(t, "GET", fingerprintURL)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/keys?fingerprint=%s", user.Name, newPublicKey.Fingerprint)).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 
 	DecodeJSON(t, resp, &fingerprintPublicKeys)
@@ -161,17 +163,16 @@ func TestCreateUserKey(t *testing.T) {
 	assert.Equal(t, user.ID, fingerprintPublicKeys[0].Owner.ID)
 
 	// Fail search by fingerprint
-	fingerprintURL = fmt.Sprintf("/api/v1/user/keys?token=%s&fingerprint=%sA", token, newPublicKey.Fingerprint)
-
-	req = NewRequest(t, "GET", fingerprintURL)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/keys?fingerprint=%sA", newPublicKey.Fingerprint)).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 
 	DecodeJSON(t, resp, &fingerprintPublicKeys)
 	assert.Len(t, fingerprintPublicKeys, 0)
 
 	// Fail searching for wrong users key
-	fingerprintURL = fmt.Sprintf("/api/v1/users/%s/keys?token=%s&fingerprint=%s", "user2", token, newPublicKey.Fingerprint)
-	req = NewRequest(t, "GET", fingerprintURL)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/keys?fingerprint=%s", "user2", newPublicKey.Fingerprint)).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 
 	DecodeJSON(t, resp, &fingerprintPublicKeys)
@@ -179,11 +180,11 @@ func TestCreateUserKey(t *testing.T) {
 
 	// Now login as user 2
 	session2 := loginUser(t, "user2")
-	token2 := url.QueryEscape(getTokenForLoggedInUser(t, session2, auth_model.AccessTokenScopeWriteUser))
+	token2 := getTokenForLoggedInUser(t, session2, auth_model.AccessTokenScopeWriteUser)
 
 	// Should find key even though not ours, but we shouldn't know whose it is
-	fingerprintURL = fmt.Sprintf("/api/v1/user/keys?token=%s&fingerprint=%s", token2, newPublicKey.Fingerprint)
-	req = NewRequest(t, "GET", fingerprintURL)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/keys?fingerprint=%s", newPublicKey.Fingerprint)).
+		AddTokenAuth(token2)
 	resp = MakeRequest(t, req, http.StatusOK)
 
 	DecodeJSON(t, resp, &fingerprintPublicKeys)
@@ -192,9 +193,8 @@ func TestCreateUserKey(t *testing.T) {
 	assert.Nil(t, fingerprintPublicKeys[0].Owner)
 
 	// Should find key even though not ours, but we shouldn't know whose it is
-	fingerprintURL = fmt.Sprintf("/api/v1/users/%s/keys?token=%s&fingerprint=%s", user.Name, token2, newPublicKey.Fingerprint)
-
-	req = NewRequest(t, "GET", fingerprintURL)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/keys?fingerprint=%s", user.Name, newPublicKey.Fingerprint)).
+		AddTokenAuth(token2)
 	resp = MakeRequest(t, req, http.StatusOK)
 
 	DecodeJSON(t, resp, &fingerprintPublicKeys)
@@ -203,8 +203,8 @@ func TestCreateUserKey(t *testing.T) {
 	assert.Nil(t, fingerprintPublicKeys[0].Owner)
 
 	// Fail when searching for key if it is not ours
-	fingerprintURL = fmt.Sprintf("/api/v1/users/%s/keys?token=%s&fingerprint=%s", "user2", token2, newPublicKey.Fingerprint)
-	req = NewRequest(t, "GET", fingerprintURL)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/keys?fingerprint=%s", "user2", newPublicKey.Fingerprint)).
+		AddTokenAuth(token2)
 	resp = MakeRequest(t, req, http.StatusOK)
 
 	DecodeJSON(t, resp, &fingerprintPublicKeys)
diff --git a/tests/integration/api_nodeinfo_test.go b/tests/integration/api_nodeinfo_test.go
index fb35d72ac2ffc..a727aea3ce8df 100644
--- a/tests/integration/api_nodeinfo_test.go
+++ b/tests/integration/api_nodeinfo_test.go
@@ -24,7 +24,7 @@ func TestNodeinfo(t *testing.T) {
 	}()
 
 	onGiteaRun(t, func(*testing.T, *url.URL) {
-		req := NewRequestf(t, "GET", "/api/v1/nodeinfo")
+		req := NewRequest(t, "GET", "/api/v1/nodeinfo")
 		resp := MakeRequest(t, req, http.StatusOK)
 		VerifyJSONSchema(t, resp, "nodeinfo_2.1.json")
 
diff --git a/tests/integration/api_notification_test.go b/tests/integration/api_notification_test.go
index c6ee576e5921c..528890ca22bd0 100644
--- a/tests/integration/api_notification_test.go
+++ b/tests/integration/api_notification_test.go
@@ -35,7 +35,8 @@ func TestAPINotification(t *testing.T) {
 	// -- GET /notifications --
 	// test filter
 	since := "2000-01-01T00%3A50%3A01%2B00%3A00" // 946687801
-	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?since=%s&token=%s", since, token))
+	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?since=%s", since)).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	var apiNL []api.NotificationThread
 	DecodeJSON(t, resp, &apiNL)
@@ -46,7 +47,8 @@ func TestAPINotification(t *testing.T) {
 	// test filter
 	before := "2000-01-01T01%3A06%3A59%2B00%3A00" // 946688819
 
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?all=%s&before=%s&token=%s", "true", before, token))
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?all=%s&before=%s", "true", before)).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiNL)
 
@@ -62,7 +64,8 @@ func TestAPINotification(t *testing.T) {
 	assert.False(t, apiNL[2].Pinned)
 
 	// -- GET /repos/{owner}/{repo}/notifications --
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/notifications?status-types=unread&token=%s", user2.Name, repo1.Name, token))
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/notifications?status-types=unread", user2.Name, repo1.Name)).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiNL)
 
@@ -70,7 +73,8 @@ func TestAPINotification(t *testing.T) {
 	assert.EqualValues(t, 4, apiNL[0].ID)
 
 	// -- GET /repos/{owner}/{repo}/notifications -- multiple status-types
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/notifications?status-types=unread&status-types=pinned&token=%s", user2.Name, repo1.Name, token))
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/notifications?status-types=unread&status-types=pinned", user2.Name, repo1.Name)).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiNL)
 
@@ -86,11 +90,13 @@ func TestAPINotification(t *testing.T) {
 
 	// -- GET /notifications/threads/{id} --
 	// get forbidden
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/threads/%d?token=%s", 1, token))
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/threads/%d", 1)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusForbidden)
 
 	// get own
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/threads/%d?token=%s", thread5.ID, token))
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/threads/%d", thread5.ID)).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	var apiN api.NotificationThread
 	DecodeJSON(t, resp, &apiN)
@@ -110,28 +116,33 @@ func TestAPINotification(t *testing.T) {
 	}{}
 
 	// -- check notifications --
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/new?token=%s", token))
+	req = NewRequest(t, "GET", "/api/v1/notifications/new").
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &new)
 	assert.True(t, new.New > 0)
 
 	// -- mark notifications as read --
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?status-types=unread&token=%s", token))
+	req = NewRequest(t, "GET", "/api/v1/notifications?status-types=unread").
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiNL)
 	assert.Len(t, apiNL, 2)
 
 	lastReadAt := "2000-01-01T00%3A50%3A01%2B00%3A00" // 946687801 <- only Notification 4 is in this filter ...
-	req = NewRequest(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/notifications?last_read_at=%s&token=%s", user2.Name, repo1.Name, lastReadAt, token))
+	req = NewRequest(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/notifications?last_read_at=%s", user2.Name, repo1.Name, lastReadAt)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusResetContent)
 
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?status-types=unread&token=%s", token))
+	req = NewRequest(t, "GET", "/api/v1/notifications?status-types=unread").
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiNL)
 	assert.Len(t, apiNL, 1)
 
 	// -- PATCH /notifications/threads/{id} --
-	req = NewRequest(t, "PATCH", fmt.Sprintf("/api/v1/notifications/threads/%d?token=%s", thread5.ID, token))
+	req = NewRequest(t, "PATCH", fmt.Sprintf("/api/v1/notifications/threads/%d", thread5.ID)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusResetContent)
 
 	assert.Equal(t, activities_model.NotificationStatusUnread, thread5.Status)
@@ -139,7 +150,8 @@ func TestAPINotification(t *testing.T) {
 	assert.Equal(t, activities_model.NotificationStatusRead, thread5.Status)
 
 	// -- check notifications --
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/new?token=%s", token))
+	req = NewRequest(t, "GET", "/api/v1/notifications/new").
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &new)
 	assert.True(t, new.New == 0)
@@ -155,7 +167,8 @@ func TestAPINotificationPUT(t *testing.T) {
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteNotification)
 
 	// Check notifications are as expected
-	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?all=true&token=%s", token))
+	req := NewRequest(t, "GET", "/api/v1/notifications?all=true").
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	var apiNL []api.NotificationThread
 	DecodeJSON(t, resp, &apiNL)
@@ -178,7 +191,8 @@ func TestAPINotificationPUT(t *testing.T) {
 	// Notification ID 2 is the only one with status-type read & pinned
 	// change it to unread.
 	//
-	req = NewRequest(t, "PUT", fmt.Sprintf("/api/v1/notifications?status-types=read&status-type=pinned&to-status=unread&token=%s", token))
+	req = NewRequest(t, "PUT", "/api/v1/notifications?status-types=read&status-type=pinned&to-status=unread").
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusResetContent)
 	DecodeJSON(t, resp, &apiNL)
 	assert.Len(t, apiNL, 1)
@@ -189,7 +203,8 @@ func TestAPINotificationPUT(t *testing.T) {
 	//
 	// Now nofication ID 2 is the first in the list and is unread.
 	//
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?all=true&token=%s", token))
+	req = NewRequest(t, "GET", "/api/v1/notifications?all=true").
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiNL)
 
diff --git a/tests/integration/api_oauth2_apps_test.go b/tests/integration/api_oauth2_apps_test.go
index 72cdba2ea2f6e..0ea3dc72ff98a 100644
--- a/tests/integration/api_oauth2_apps_test.go
+++ b/tests/integration/api_oauth2_apps_test.go
@@ -36,8 +36,8 @@ func testAPICreateOAuth2Application(t *testing.T) {
 		ConfidentialClient: true,
 	}
 
-	req := NewRequestWithJSON(t, "POST", "/api/v1/user/applications/oauth2", &appBody)
-	req = AddBasicAuthHeader(req, user.Name)
+	req := NewRequestWithJSON(t, "POST", "/api/v1/user/applications/oauth2", &appBody).
+		AddBasicAuth(user.Name)
 	resp := MakeRequest(t, req, http.StatusCreated)
 
 	var createdApp *api.OAuth2Application
@@ -66,8 +66,8 @@ func testAPIListOAuth2Applications(t *testing.T) {
 		ConfidentialClient: true,
 	})
 
-	urlStr := fmt.Sprintf("/api/v1/user/applications/oauth2?token=%s", token)
-	req := NewRequest(t, "GET", urlStr)
+	req := NewRequest(t, "GET", "/api/v1/user/applications/oauth2").
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var appList api.OAuth2ApplicationList
@@ -93,14 +93,16 @@ func testAPIDeleteOAuth2Application(t *testing.T) {
 		Name: "test-app-1",
 	})
 
-	urlStr := fmt.Sprintf("/api/v1/user/applications/oauth2/%d?token=%s", oldApp.ID, token)
-	req := NewRequest(t, "DELETE", urlStr)
+	urlStr := fmt.Sprintf("/api/v1/user/applications/oauth2/%d", oldApp.ID)
+	req := NewRequest(t, "DELETE", urlStr).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	unittest.AssertNotExistsBean(t, &auth_model.OAuth2Application{UID: oldApp.UID, Name: oldApp.Name})
 
 	// Delete again will return not found
-	req = NewRequest(t, "DELETE", urlStr)
+	req = NewRequest(t, "DELETE", urlStr).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNotFound)
 }
 
@@ -118,8 +120,8 @@ func testAPIGetOAuth2Application(t *testing.T) {
 		ConfidentialClient: true,
 	})
 
-	urlStr := fmt.Sprintf("/api/v1/user/applications/oauth2/%d?token=%s", existApp.ID, token)
-	req := NewRequest(t, "GET", urlStr)
+	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/applications/oauth2/%d", existApp.ID)).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var app api.OAuth2Application
@@ -157,8 +159,8 @@ func testAPIUpdateOAuth2Application(t *testing.T) {
 	}
 
 	urlStr := fmt.Sprintf("/api/v1/user/applications/oauth2/%d", existApp.ID)
-	req := NewRequestWithJSON(t, "PATCH", urlStr, &appBody)
-	req = AddBasicAuthHeader(req, user.Name)
+	req := NewRequestWithJSON(t, "PATCH", urlStr, &appBody).
+		AddBasicAuth(user.Name)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var app api.OAuth2Application
diff --git a/tests/integration/api_org_avatar_test.go b/tests/integration/api_org_avatar_test.go
index 91100c8eb7833..cc1452c1535da 100644
--- a/tests/integration/api_org_avatar_test.go
+++ b/tests/integration/api_org_avatar_test.go
@@ -34,7 +34,8 @@ func TestAPIUpdateOrgAvatar(t *testing.T) {
 		Image: base64.StdEncoding.EncodeToString(avatar),
 	}
 
-	req := NewRequestWithJSON(t, "POST", "/api/v1/orgs/org3/avatar?token="+token, &opts)
+	req := NewRequestWithJSON(t, "POST", "/api/v1/orgs/org3/avatar", &opts).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	// Test what happens if you don't have a valid Base64 string
@@ -42,7 +43,8 @@ func TestAPIUpdateOrgAvatar(t *testing.T) {
 		Image: "Invalid",
 	}
 
-	req = NewRequestWithJSON(t, "POST", "/api/v1/orgs/org3/avatar?token="+token, &opts)
+	req = NewRequestWithJSON(t, "POST", "/api/v1/orgs/org3/avatar", &opts).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusBadRequest)
 
 	// Test what happens if you use a file that is not an image
@@ -56,7 +58,8 @@ func TestAPIUpdateOrgAvatar(t *testing.T) {
 		Image: base64.StdEncoding.EncodeToString(text),
 	}
 
-	req = NewRequestWithJSON(t, "POST", "/api/v1/orgs/org3/avatar?token="+token, &opts)
+	req = NewRequestWithJSON(t, "POST", "/api/v1/orgs/org3/avatar", &opts).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusInternalServerError)
 }
 
@@ -67,6 +70,7 @@ func TestAPIDeleteOrgAvatar(t *testing.T) {
 
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteOrganization)
 
-	req := NewRequest(t, "DELETE", "/api/v1/orgs/org3/avatar?token="+token)
+	req := NewRequest(t, "DELETE", "/api/v1/orgs/org3/avatar").
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 }
diff --git a/tests/integration/api_org_test.go b/tests/integration/api_org_test.go
index f19b46c2f449e..1cd82fe4e09ca 100644
--- a/tests/integration/api_org_test.go
+++ b/tests/integration/api_org_test.go
@@ -36,7 +36,8 @@ func TestAPIOrgCreate(t *testing.T) {
 			Location:    "Shanghai",
 			Visibility:  "limited",
 		}
-		req := NewRequestWithJSON(t, "POST", "/api/v1/orgs?token="+token, &org)
+		req := NewRequestWithJSON(t, "POST", "/api/v1/orgs", &org).
+			AddTokenAuth(token)
 		resp := MakeRequest(t, req, http.StatusCreated)
 
 		var apiOrg api.Organization
@@ -71,12 +72,14 @@ func TestAPIOrgCreate(t *testing.T) {
 			})
 		}
 
-		req = NewRequestf(t, "GET", "/api/v1/orgs/%s?token=%s", org.UserName, token)
+		req = NewRequestf(t, "GET", "/api/v1/orgs/%s", org.UserName).
+			AddTokenAuth(token)
 		resp = MakeRequest(t, req, http.StatusOK)
 		DecodeJSON(t, resp, &apiOrg)
 		assert.EqualValues(t, org.UserName, apiOrg.Name)
 
-		req = NewRequestf(t, "GET", "/api/v1/orgs/%s/repos?token=%s", org.UserName, token)
+		req = NewRequestf(t, "GET", "/api/v1/orgs/%s/repos", org.UserName).
+			AddTokenAuth(token)
 		resp = MakeRequest(t, req, http.StatusOK)
 
 		var repos []*api.Repository
@@ -85,7 +88,8 @@ func TestAPIOrgCreate(t *testing.T) {
 			assert.False(t, repo.Private)
 		}
 
-		req = NewRequestf(t, "GET", "/api/v1/orgs/%s/members?token=%s", org.UserName, token)
+		req = NewRequestf(t, "GET", "/api/v1/orgs/%s/members", org.UserName).
+			AddTokenAuth(token)
 		resp = MakeRequest(t, req, http.StatusOK)
 
 		// user1 on this org is public
@@ -108,7 +112,8 @@ func TestAPIOrgEdit(t *testing.T) {
 			Location:    "Beijing",
 			Visibility:  "private",
 		}
-		req := NewRequestWithJSON(t, "PATCH", "/api/v1/orgs/org3?token="+token, &org)
+		req := NewRequestWithJSON(t, "PATCH", "/api/v1/orgs/org3", &org).
+			AddTokenAuth(token)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		var apiOrg api.Organization
@@ -135,7 +140,8 @@ func TestAPIOrgEditBadVisibility(t *testing.T) {
 			Location:    "Beijing",
 			Visibility:  "badvisibility",
 		}
-		req := NewRequestWithJSON(t, "PATCH", "/api/v1/orgs/org3?token="+token, &org)
+		req := NewRequestWithJSON(t, "PATCH", "/api/v1/orgs/org3", &org).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusUnprocessableEntity)
 	})
 }
@@ -165,7 +171,8 @@ func TestAPIGetAll(t *testing.T) {
 	token := getUserToken(t, "user1", auth_model.AccessTokenScopeReadOrganization)
 
 	// accessing with a token will return all orgs
-	req := NewRequestf(t, "GET", "/api/v1/orgs?token=%s", token)
+	req := NewRequest(t, "GET", "/api/v1/orgs").
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	var apiOrgList []*api.Organization
 
@@ -175,7 +182,7 @@ func TestAPIGetAll(t *testing.T) {
 	assert.Equal(t, "limited", apiOrgList[1].Visibility)
 
 	// accessing without a token will return only public orgs
-	req = NewRequestf(t, "GET", "/api/v1/orgs")
+	req = NewRequest(t, "GET", "/api/v1/orgs")
 	resp = MakeRequest(t, req, http.StatusOK)
 
 	DecodeJSON(t, resp, &apiOrgList)
@@ -190,22 +197,23 @@ func TestAPIOrgSearchEmptyTeam(t *testing.T) {
 		orgName := "org_with_empty_team"
 
 		// create org
-		req := NewRequestWithJSON(t, "POST", "/api/v1/orgs?token="+token, &api.CreateOrgOption{
+		req := NewRequestWithJSON(t, "POST", "/api/v1/orgs", &api.CreateOrgOption{
 			UserName: orgName,
-		})
+		}).AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusCreated)
 
 		// create team with no member
-		req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/orgs/%s/teams?token=%s", orgName, token), &api.CreateTeamOption{
+		req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/orgs/%s/teams", orgName), &api.CreateTeamOption{
 			Name:                    "Empty",
 			IncludesAllRepositories: true,
 			Permission:              "read",
 			Units:                   []string{"repo.code", "repo.issues", "repo.ext_issues", "repo.wiki", "repo.pulls"},
-		})
+		}).AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusCreated)
 
 		// case-insensitive search for teams that have no members
-		req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/orgs/%s/teams/search?q=%s&token=%s", orgName, "empty", token))
+		req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/orgs/%s/teams/search?q=%s", orgName, "empty")).
+			AddTokenAuth(token)
 		resp := MakeRequest(t, req, http.StatusOK)
 		data := struct {
 			Ok   bool
diff --git a/tests/integration/api_packages_alpine_test.go b/tests/integration/api_packages_alpine_test.go
index 9a2acf854c4d8..3cc7178e028b4 100644
--- a/tests/integration/api_packages_alpine_test.go
+++ b/tests/integration/api_packages_alpine_test.go
@@ -85,12 +85,12 @@ Djfa/2q5bH4699v++uMAAAAAAAAAAAAAAAAAAAAAAHbgA/eXQh8AKAAA`
 					req := NewRequestWithBody(t, "PUT", uploadURL, bytes.NewReader([]byte{}))
 					MakeRequest(t, req, http.StatusUnauthorized)
 
-					req = NewRequestWithBody(t, "PUT", uploadURL, bytes.NewReader([]byte{}))
-					AddBasicAuthHeader(req, user.Name)
+					req = NewRequestWithBody(t, "PUT", uploadURL, bytes.NewReader([]byte{})).
+						AddBasicAuth(user.Name)
 					MakeRequest(t, req, http.StatusBadRequest)
 
-					req = NewRequestWithBody(t, "PUT", uploadURL, bytes.NewReader(content))
-					AddBasicAuthHeader(req, user.Name)
+					req = NewRequestWithBody(t, "PUT", uploadURL, bytes.NewReader(content)).
+						AddBasicAuth(user.Name)
 					MakeRequest(t, req, http.StatusCreated)
 
 					pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeAlpine)
@@ -216,8 +216,8 @@ Djfa/2q5bH4699v++uMAAAAAAAAAAAAAAAAAAAAAAHbgA/eXQh8AKAAA`
 				req := NewRequest(t, "DELETE", fmt.Sprintf("%s/%s/%s/x86_64/%s-%s.apk", rootURL, branch, repository, packageName, packageVersion))
 				MakeRequest(t, req, http.StatusUnauthorized)
 
-				req = NewRequest(t, "DELETE", fmt.Sprintf("%s/%s/%s/x86_64/%s-%s.apk", rootURL, branch, repository, packageName, packageVersion))
-				AddBasicAuthHeader(req, user.Name)
+				req = NewRequest(t, "DELETE", fmt.Sprintf("%s/%s/%s/x86_64/%s-%s.apk", rootURL, branch, repository, packageName, packageVersion)).
+					AddBasicAuth(user.Name)
 				MakeRequest(t, req, http.StatusNoContent)
 
 				// Deleting the last file of an architecture should remove that index
diff --git a/tests/integration/api_packages_cargo_test.go b/tests/integration/api_packages_cargo_test.go
index 03d8e0c5207e7..6b8154af457a6 100644
--- a/tests/integration/api_packages_cargo_test.go
+++ b/tests/integration/api_packages_cargo_test.go
@@ -132,8 +132,8 @@ func testPackageCargo(t *testing.T, _ *neturl.URL) {
 
 			content := createPackage("0test", "1.0.0")
 
-			req := NewRequestWithBody(t, "PUT", url+"/new", content)
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequestWithBody(t, "PUT", url+"/new", content).
+				AddBasicAuth(user.Name)
 			resp := MakeRequest(t, req, http.StatusBadRequest)
 
 			var status cargo_router.StatusResponse
@@ -142,8 +142,8 @@ func testPackageCargo(t *testing.T, _ *neturl.URL) {
 
 			content = createPackage("test", "-1.0.0")
 
-			req = NewRequestWithBody(t, "PUT", url+"/new", content)
-			req = AddBasicAuthHeader(req, user.Name)
+			req = NewRequestWithBody(t, "PUT", url+"/new", content).
+				AddBasicAuth(user.Name)
 			resp = MakeRequest(t, req, http.StatusBadRequest)
 
 			DecodeJSON(t, resp, &status)
@@ -161,8 +161,8 @@ func testPackageCargo(t *testing.T, _ *neturl.URL) {
 			binary.Write(&buf, binary.LittleEndian, uint32(4))
 			buf.WriteString("te")
 
-			req := NewRequestWithBody(t, "PUT", url+"/new", &buf)
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequestWithBody(t, "PUT", url+"/new", &buf).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusBadRequest)
 		})
 
@@ -172,8 +172,8 @@ func testPackageCargo(t *testing.T, _ *neturl.URL) {
 			req := NewRequestWithBody(t, "PUT", url+"/new", createPackage(packageName, packageVersion))
 			MakeRequest(t, req, http.StatusUnauthorized)
 
-			req = NewRequestWithBody(t, "PUT", url+"/new", createPackage(packageName, packageVersion))
-			req = AddBasicAuthHeader(req, user.Name)
+			req = NewRequestWithBody(t, "PUT", url+"/new", createPackage(packageName, packageVersion)).
+				AddBasicAuth(user.Name)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			var status cargo_router.StatusResponse
@@ -201,8 +201,8 @@ func testPackageCargo(t *testing.T, _ *neturl.URL) {
 			assert.NoError(t, err)
 			assert.EqualValues(t, 4, pb.Size)
 
-			req = NewRequestWithBody(t, "PUT", url+"/new", createPackage(packageName, packageVersion))
-			req = AddBasicAuthHeader(req, user.Name)
+			req = NewRequestWithBody(t, "PUT", url+"/new", createPackage(packageName, packageVersion)).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusConflict)
 
 			t.Run("Index", func(t *testing.T) {
@@ -288,8 +288,8 @@ func testPackageCargo(t *testing.T, _ *neturl.URL) {
 		assert.NoError(t, err)
 		assert.Len(t, pfs, 1)
 
-		req := NewRequest(t, "GET", fmt.Sprintf("%s/%s/%s/download", url, neturl.PathEscape(packageName), neturl.PathEscape(pv.Version)))
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequest(t, "GET", fmt.Sprintf("%s/%s/%s/download", url, neturl.PathEscape(packageName), neturl.PathEscape(pv.Version))).
+			AddBasicAuth(user.Name)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		assert.Equal(t, "test", resp.Body.String())
@@ -318,8 +318,8 @@ func testPackageCargo(t *testing.T, _ *neturl.URL) {
 		}
 
 		for i, c := range cases {
-			req := NewRequest(t, "GET", fmt.Sprintf("%s?q=%s&page=%d&per_page=%d", url, c.Query, c.Page, c.PerPage))
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequest(t, "GET", fmt.Sprintf("%s?q=%s&page=%d&per_page=%d", url, c.Query, c.Page, c.PerPage)).
+				AddBasicAuth(user.Name)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			var result cargo_router.SearchResult
@@ -333,8 +333,8 @@ func testPackageCargo(t *testing.T, _ *neturl.URL) {
 	t.Run("Yank", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "DELETE", fmt.Sprintf("%s/%s/%s/yank", url, neturl.PathEscape(packageName), neturl.PathEscape(packageVersion)))
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequest(t, "DELETE", fmt.Sprintf("%s/%s/%s/yank", url, neturl.PathEscape(packageName), neturl.PathEscape(packageVersion))).
+			AddBasicAuth(user.Name)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		var status cargo_router.StatusResponse
@@ -353,8 +353,8 @@ func testPackageCargo(t *testing.T, _ *neturl.URL) {
 	t.Run("Unyank", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "PUT", fmt.Sprintf("%s/%s/%s/unyank", url, neturl.PathEscape(packageName), neturl.PathEscape(packageVersion)))
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequest(t, "PUT", fmt.Sprintf("%s/%s/%s/unyank", url, neturl.PathEscape(packageName), neturl.PathEscape(packageVersion))).
+			AddBasicAuth(user.Name)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		var status cargo_router.StatusResponse
diff --git a/tests/integration/api_packages_chef_test.go b/tests/integration/api_packages_chef_test.go
index 7f55a84f09198..4123c7216c4dd 100644
--- a/tests/integration/api_packages_chef_test.go
+++ b/tests/integration/api_packages_chef_test.go
@@ -93,7 +93,7 @@ nwIDAQAB
 			defer tests.PrintCurrentTest(t)()
 
 			req := NewRequest(t, "POST", "/dummy")
-			u, err := auth.Verify(req, nil, nil, nil)
+			u, err := auth.Verify(req.Request, nil, nil, nil)
 			assert.Nil(t, u)
 			assert.NoError(t, err)
 		})
@@ -101,9 +101,9 @@ nwIDAQAB
 		t.Run("NotExistingUser", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequest(t, "POST", "/dummy")
-			req.Header.Set("X-Ops-Userid", "not-existing-user")
-			u, err := auth.Verify(req, nil, nil, nil)
+			req := NewRequest(t, "POST", "/dummy").
+				SetHeader("X-Ops-Userid", "not-existing-user")
+			u, err := auth.Verify(req.Request, nil, nil, nil)
 			assert.Nil(t, u)
 			assert.Error(t, err)
 		})
@@ -111,14 +111,14 @@ nwIDAQAB
 		t.Run("Timestamp", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequest(t, "POST", "/dummy")
-			req.Header.Set("X-Ops-Userid", user.Name)
-			u, err := auth.Verify(req, nil, nil, nil)
+			req := NewRequest(t, "POST", "/dummy").
+				SetHeader("X-Ops-Userid", user.Name)
+			u, err := auth.Verify(req.Request, nil, nil, nil)
 			assert.Nil(t, u)
 			assert.Error(t, err)
 
-			req.Header.Set("X-Ops-Timestamp", "2023-01-01T00:00:00Z")
-			u, err = auth.Verify(req, nil, nil, nil)
+			req.SetHeader("X-Ops-Timestamp", "2023-01-01T00:00:00Z")
+			u, err = auth.Verify(req.Request, nil, nil, nil)
 			assert.Nil(t, u)
 			assert.Error(t, err)
 		})
@@ -126,30 +126,30 @@ nwIDAQAB
 		t.Run("SigningVersion", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequest(t, "POST", "/dummy")
-			req.Header.Set("X-Ops-Userid", user.Name)
-			req.Header.Set("X-Ops-Timestamp", time.Now().UTC().Format(time.RFC3339))
-			u, err := auth.Verify(req, nil, nil, nil)
+			req := NewRequest(t, "POST", "/dummy").
+				SetHeader("X-Ops-Userid", user.Name).
+				SetHeader("X-Ops-Timestamp", time.Now().UTC().Format(time.RFC3339))
+			u, err := auth.Verify(req.Request, nil, nil, nil)
 			assert.Nil(t, u)
 			assert.Error(t, err)
 
-			req.Header.Set("X-Ops-Sign", "version=none")
-			u, err = auth.Verify(req, nil, nil, nil)
+			req.SetHeader("X-Ops-Sign", "version=none")
+			u, err = auth.Verify(req.Request, nil, nil, nil)
 			assert.Nil(t, u)
 			assert.Error(t, err)
 
-			req.Header.Set("X-Ops-Sign", "version=1.4")
-			u, err = auth.Verify(req, nil, nil, nil)
+			req.SetHeader("X-Ops-Sign", "version=1.4")
+			u, err = auth.Verify(req.Request, nil, nil, nil)
 			assert.Nil(t, u)
 			assert.Error(t, err)
 
-			req.Header.Set("X-Ops-Sign", "version=1.0;algorithm=sha2")
-			u, err = auth.Verify(req, nil, nil, nil)
+			req.SetHeader("X-Ops-Sign", "version=1.0;algorithm=sha2")
+			u, err = auth.Verify(req.Request, nil, nil, nil)
 			assert.Nil(t, u)
 			assert.Error(t, err)
 
-			req.Header.Set("X-Ops-Sign", "version=1.0;algorithm=sha256")
-			u, err = auth.Verify(req, nil, nil, nil)
+			req.SetHeader("X-Ops-Sign", "version=1.0;algorithm=sha256")
+			u, err = auth.Verify(req.Request, nil, nil, nil)
 			assert.Nil(t, u)
 			assert.Error(t, err)
 		})
@@ -159,17 +159,18 @@ nwIDAQAB
 
 			ts := time.Now().UTC().Format(time.RFC3339)
 
-			req := NewRequest(t, "POST", "/dummy")
-			req.Header.Set("X-Ops-Userid", user.Name)
-			req.Header.Set("X-Ops-Timestamp", ts)
-			req.Header.Set("X-Ops-Sign", "version=1.0;algorithm=sha1")
-			req.Header.Set("X-Ops-Content-Hash", "unused")
-			req.Header.Set("X-Ops-Authorization-4", "dummy")
-			u, err := auth.Verify(req, nil, nil, nil)
+			req := NewRequest(t, "POST", "/dummy").
+				SetHeader("X-Ops-Userid", user.Name).
+				SetHeader("X-Ops-Timestamp", ts).
+				SetHeader("X-Ops-Sign", "version=1.0;algorithm=sha1").
+				SetHeader("X-Ops-Content-Hash", "unused").
+				SetHeader("X-Ops-Authorization-4", "dummy")
+			u, err := auth.Verify(req.Request, nil, nil, nil)
 			assert.Nil(t, u)
 			assert.Error(t, err)
 
-			signRequest := func(t *testing.T, req *http.Request, version string) {
+			signRequest := func(t *testing.T, rw *RequestWrapper, version string) {
+				req := rw.Request
 				username := req.Header.Get("X-Ops-Userid")
 				if version != "1.0" && version != "1.3" {
 					sum := sha1.Sum([]byte(username))
@@ -255,7 +256,7 @@ nwIDAQAB
 					defer tests.PrintCurrentTest(t)()
 
 					signRequest(t, req, v)
-					u, err = auth.Verify(req, nil, nil, nil)
+					u, err = auth.Verify(req.Request, nil, nil, nil)
 					assert.NotNil(t, u)
 					assert.NoError(t, err)
 				})
@@ -291,9 +292,9 @@ nwIDAQAB
 		zw.Close()
 		mpw.Close()
 
-		req := NewRequestWithBody(t, "POST", root+"/cookbooks", &body)
-		req.Header.Add("Content-Type", mpw.FormDataContentType())
-		AddBasicAuthHeader(req, user.Name)
+		req := NewRequestWithBody(t, "POST", root+"/cookbooks", &body).
+			SetHeader("Content-Type", mpw.FormDataContentType()).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, expectedStatus)
 	}
 
@@ -394,8 +395,8 @@ nwIDAQAB
 		}
 
 		for i, c := range cases {
-			req := NewRequest(t, "GET", fmt.Sprintf("%s/search?q=%s&start=%d&items=%d", root, c.Query, c.Start, c.Items))
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequest(t, "GET", fmt.Sprintf("%s/search?q=%s&start=%d&items=%d", root, c.Query, c.Start, c.Items)).
+				AddBasicAuth(user.Name)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			var result Result
@@ -445,8 +446,8 @@ nwIDAQAB
 		}
 
 		for i, c := range cases {
-			req := NewRequest(t, "GET", fmt.Sprintf("%s/cookbooks?start=%d&items=%d&sort=%s", root, c.Start, c.Items, c.Sort))
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequest(t, "GET", fmt.Sprintf("%s/cookbooks?start=%d&items=%d&sort=%s", root, c.Start, c.Items, c.Sort)).
+				AddBasicAuth(user.Name)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			var result Result
@@ -533,8 +534,8 @@ nwIDAQAB
 			req := NewRequest(t, "DELETE", fmt.Sprintf("%s/cookbooks/%s/versions/%s", root, packageName, "1.0.2"))
 			MakeRequest(t, req, http.StatusUnauthorized)
 
-			req = NewRequest(t, "DELETE", fmt.Sprintf("%s/cookbooks/%s/versions/%s", root, packageName, "1.0.2"))
-			AddBasicAuthHeader(req, user.Name)
+			req = NewRequest(t, "DELETE", fmt.Sprintf("%s/cookbooks/%s/versions/%s", root, packageName, "1.0.2")).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusOK)
 
 			pv, err := packages.GetVersionByNameAndVersion(db.DefaultContext, user.ID, packages.TypeChef, packageName, "1.0.2")
@@ -548,8 +549,8 @@ nwIDAQAB
 			req := NewRequest(t, "DELETE", fmt.Sprintf("%s/cookbooks/%s", root, packageName))
 			MakeRequest(t, req, http.StatusUnauthorized)
 
-			req = NewRequest(t, "DELETE", fmt.Sprintf("%s/cookbooks/%s", root, packageName))
-			AddBasicAuthHeader(req, user.Name)
+			req = NewRequest(t, "DELETE", fmt.Sprintf("%s/cookbooks/%s", root, packageName)).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusOK)
 
 			pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeChef)
diff --git a/tests/integration/api_packages_composer_test.go b/tests/integration/api_packages_composer_test.go
index 896462d9a9fd0..6e0d2eee1b347 100644
--- a/tests/integration/api_packages_composer_test.go
+++ b/tests/integration/api_packages_composer_test.go
@@ -59,8 +59,8 @@ func TestPackageComposer(t *testing.T) {
 	t.Run("ServiceIndex", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("%s/packages.json", url))
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequest(t, "GET", fmt.Sprintf("%s/packages.json", url)).
+			AddBasicAuth(user.Name)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		var result composer.ServiceIndexResponse
@@ -75,8 +75,8 @@ func TestPackageComposer(t *testing.T) {
 		t.Run("MissingVersion", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequestWithBody(t, "PUT", url, bytes.NewReader(content))
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequestWithBody(t, "PUT", url, bytes.NewReader(content)).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusBadRequest)
 		})
 
@@ -85,8 +85,8 @@ func TestPackageComposer(t *testing.T) {
 
 			uploadURL := url + "?version=" + packageVersion
 
-			req := NewRequestWithBody(t, "PUT", uploadURL, bytes.NewReader(content))
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequestWithBody(t, "PUT", uploadURL, bytes.NewReader(content)).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusCreated)
 
 			pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeComposer)
@@ -110,8 +110,8 @@ func TestPackageComposer(t *testing.T) {
 			assert.NoError(t, err)
 			assert.Equal(t, int64(len(content)), pb.Size)
 
-			req = NewRequestWithBody(t, "PUT", uploadURL, bytes.NewReader(content))
-			req = AddBasicAuthHeader(req, user.Name)
+			req = NewRequestWithBody(t, "PUT", uploadURL, bytes.NewReader(content)).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusConflict)
 		})
 	})
@@ -128,8 +128,8 @@ func TestPackageComposer(t *testing.T) {
 		assert.NoError(t, err)
 		assert.Len(t, pfs, 1)
 
-		req := NewRequest(t, "GET", fmt.Sprintf("%s/files/%s/%s/%s", url, neturl.PathEscape(packageName), neturl.PathEscape(pvs[0].LowerVersion), neturl.PathEscape(pfs[0].LowerName)))
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequest(t, "GET", fmt.Sprintf("%s/files/%s/%s/%s", url, neturl.PathEscape(packageName), neturl.PathEscape(pvs[0].LowerVersion), neturl.PathEscape(pfs[0].LowerName))).
+			AddBasicAuth(user.Name)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		assert.Equal(t, content, resp.Body.Bytes())
@@ -162,8 +162,8 @@ func TestPackageComposer(t *testing.T) {
 		}
 
 		for i, c := range cases {
-			req := NewRequest(t, "GET", fmt.Sprintf("%s/search.json?q=%s&type=%s&page=%d&per_page=%d", url, c.Query, c.Type, c.Page, c.PerPage))
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequest(t, "GET", fmt.Sprintf("%s/search.json?q=%s&type=%s&page=%d&per_page=%d", url, c.Query, c.Type, c.Page, c.PerPage)).
+				AddBasicAuth(user.Name)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			var result composer.SearchResultResponse
@@ -177,8 +177,8 @@ func TestPackageComposer(t *testing.T) {
 	t.Run("EnumeratePackages", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", url+"/list.json")
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequest(t, "GET", url+"/list.json").
+			AddBasicAuth(user.Name)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		var result map[string][]string
@@ -193,8 +193,8 @@ func TestPackageComposer(t *testing.T) {
 	t.Run("PackageMetadata", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("%s/p2/%s/%s.json", url, vendorName, projectName))
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequest(t, "GET", fmt.Sprintf("%s/p2/%s/%s.json", url, vendorName, projectName)).
+			AddBasicAuth(user.Name)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		var result composer.PackageMetadataResponse
diff --git a/tests/integration/api_packages_conan_test.go b/tests/integration/api_packages_conan_test.go
index ab128bf4a5eb6..a25713f039ffd 100644
--- a/tests/integration/api_packages_conan_test.go
+++ b/tests/integration/api_packages_conan_test.go
@@ -62,11 +62,6 @@ const (
 CC=gcc-10`
 )
 
-func addTokenAuthHeader(request *http.Request, token string) *http.Request {
-	request.Header.Set("Authorization", token)
-	return request
-}
-
 func buildConanfileContent(name, version string) string {
 	return `from conans import ConanFile, CMake, tools
 
@@ -90,16 +85,16 @@ func uploadConanPackageV1(t *testing.T, baseURL, token, name, version, user, cha
 
 	recipeURL := fmt.Sprintf("%s/v1/conans/%s/%s/%s/%s", baseURL, name, version, user, channel)
 
-	req := NewRequest(t, "GET", recipeURL)
-	req = addTokenAuthHeader(req, token)
+	req := NewRequest(t, "GET", recipeURL).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNotFound)
 
-	req = NewRequest(t, "GET", fmt.Sprintf("%s/digest", recipeURL))
-	req = addTokenAuthHeader(req, token)
+	req = NewRequest(t, "GET", fmt.Sprintf("%s/digest", recipeURL)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNotFound)
 
-	req = NewRequest(t, "GET", fmt.Sprintf("%s/download_urls", recipeURL))
-	req = addTokenAuthHeader(req, token)
+	req = NewRequest(t, "GET", fmt.Sprintf("%s/download_urls", recipeURL)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNotFound)
 
 	req = NewRequest(t, "POST", fmt.Sprintf("%s/upload_urls", recipeURL))
@@ -108,8 +103,7 @@ func uploadConanPackageV1(t *testing.T, baseURL, token, name, version, user, cha
 	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("%s/upload_urls", recipeURL), map[string]int64{
 		conanfileName: int64(len(contentConanfile)),
 		"removed.txt": 0,
-	})
-	req = addTokenAuthHeader(req, token)
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	uploadURLs := make(map[string]string)
@@ -121,22 +115,22 @@ func uploadConanPackageV1(t *testing.T, baseURL, token, name, version, user, cha
 	uploadURL := uploadURLs[conanfileName]
 	assert.NotEmpty(t, uploadURL)
 
-	req = NewRequestWithBody(t, "PUT", uploadURL, strings.NewReader(contentConanfile))
-	req = addTokenAuthHeader(req, token)
+	req = NewRequestWithBody(t, "PUT", uploadURL, strings.NewReader(contentConanfile)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusCreated)
 
 	packageURL := fmt.Sprintf("%s/packages/%s", recipeURL, conanPackageReference)
 
-	req = NewRequest(t, "GET", packageURL)
-	req = addTokenAuthHeader(req, token)
+	req = NewRequest(t, "GET", packageURL).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNotFound)
 
-	req = NewRequest(t, "GET", fmt.Sprintf("%s/digest", packageURL))
-	req = addTokenAuthHeader(req, token)
+	req = NewRequest(t, "GET", fmt.Sprintf("%s/digest", packageURL)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNotFound)
 
-	req = NewRequest(t, "GET", fmt.Sprintf("%s/download_urls", packageURL))
-	req = addTokenAuthHeader(req, token)
+	req = NewRequest(t, "GET", fmt.Sprintf("%s/download_urls", packageURL)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNotFound)
 
 	req = NewRequest(t, "POST", fmt.Sprintf("%s/upload_urls", packageURL))
@@ -145,8 +139,7 @@ func uploadConanPackageV1(t *testing.T, baseURL, token, name, version, user, cha
 	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("%s/upload_urls", packageURL), map[string]int64{
 		conaninfoName: int64(len(contentConaninfo)),
 		"removed.txt": 0,
-	})
-	req = addTokenAuthHeader(req, token)
+	}).AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 
 	uploadURLs = make(map[string]string)
@@ -158,8 +151,8 @@ func uploadConanPackageV1(t *testing.T, baseURL, token, name, version, user, cha
 	uploadURL = uploadURLs[conaninfoName]
 	assert.NotEmpty(t, uploadURL)
 
-	req = NewRequestWithBody(t, "PUT", uploadURL, strings.NewReader(contentConaninfo))
-	req = addTokenAuthHeader(req, token)
+	req = NewRequestWithBody(t, "PUT", uploadURL, strings.NewReader(contentConaninfo)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusCreated)
 }
 
@@ -168,12 +161,12 @@ func uploadConanPackageV2(t *testing.T, baseURL, token, name, version, user, cha
 
 	recipeURL := fmt.Sprintf("%s/v2/conans/%s/%s/%s/%s/revisions/%s", baseURL, name, version, user, channel, recipeRevision)
 
-	req := NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/files/%s", recipeURL, conanfileName), strings.NewReader(contentConanfile))
-	req = addTokenAuthHeader(req, token)
+	req := NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/files/%s", recipeURL, conanfileName), strings.NewReader(contentConanfile)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusCreated)
 
-	req = NewRequest(t, "GET", fmt.Sprintf("%s/files", recipeURL))
-	req = addTokenAuthHeader(req, token)
+	req = NewRequest(t, "GET", fmt.Sprintf("%s/files", recipeURL)).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var list *struct {
@@ -185,16 +178,16 @@ func uploadConanPackageV2(t *testing.T, baseURL, token, name, version, user, cha
 
 	packageURL := fmt.Sprintf("%s/packages/%s/revisions/%s", recipeURL, conanPackageReference, packageRevision)
 
-	req = NewRequest(t, "GET", fmt.Sprintf("%s/files", packageURL))
-	req = addTokenAuthHeader(req, token)
+	req = NewRequest(t, "GET", fmt.Sprintf("%s/files", packageURL)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNotFound)
 
-	req = NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/files/%s", packageURL, conaninfoName), strings.NewReader(contentConaninfo))
-	req = addTokenAuthHeader(req, token)
+	req = NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/files/%s", packageURL, conaninfoName), strings.NewReader(contentConaninfo)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusCreated)
 
-	req = NewRequest(t, "GET", fmt.Sprintf("%s/files", packageURL))
-	req = addTokenAuthHeader(req, token)
+	req = NewRequest(t, "GET", fmt.Sprintf("%s/files", packageURL)).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 
 	list = nil
@@ -235,21 +228,19 @@ func TestPackageConan(t *testing.T) {
 		t.Run("Authenticate", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequest(t, "GET", fmt.Sprintf("%s/v1/users/authenticate", url))
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequest(t, "GET", fmt.Sprintf("%s/v1/users/authenticate", url)).
+				AddBasicAuth(user.Name)
 			resp := MakeRequest(t, req, http.StatusOK)
 
-			body := resp.Body.String()
-			assert.NotEmpty(t, body)
-
-			token = fmt.Sprintf("Bearer %s", body)
+			token = resp.Body.String()
+			assert.NotEmpty(t, token)
 		})
 
 		t.Run("CheckCredentials", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequest(t, "GET", fmt.Sprintf("%s/v1/users/check_credentials", url))
-			req = addTokenAuthHeader(req, token)
+			req := NewRequest(t, "GET", fmt.Sprintf("%s/v1/users/check_credentials", url)).
+				AddTokenAuth(token)
 			MakeRequest(t, req, http.StatusOK)
 		})
 
@@ -440,8 +431,7 @@ func TestPackageConan(t *testing.T) {
 
 					req := NewRequestWithJSON(t, "POST", fmt.Sprintf("%s/v1/conans/%s/%s/%s/%s/packages/delete", url, name, version1, user1, c.Channel), map[string][]string{
 						"package_ids": c.References,
-					})
-					req = addTokenAuthHeader(req, token)
+					}).AddTokenAuth(token)
 					MakeRequest(t, req, http.StatusOK)
 
 					references, err = conan_model.GetPackageReferences(db.DefaultContext, user.ID, rref)
@@ -466,8 +456,8 @@ func TestPackageConan(t *testing.T) {
 					assert.NoError(t, err)
 					assert.NotEmpty(t, revisions)
 
-					req := NewRequest(t, "DELETE", fmt.Sprintf("%s/v1/conans/%s/%s/%s/%s", url, name, version1, user1, c.Channel))
-					req = addTokenAuthHeader(req, token)
+					req := NewRequest(t, "DELETE", fmt.Sprintf("%s/v1/conans/%s/%s/%s/%s", url, name, version1, user1, c.Channel)).
+						AddTokenAuth(token)
 					MakeRequest(t, req, http.StatusOK)
 
 					revisions, err = conan_model.GetRecipeRevisions(db.DefaultContext, user.ID, rref)
@@ -493,8 +483,8 @@ func TestPackageConan(t *testing.T) {
 		t.Run("Authenticate", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequest(t, "GET", fmt.Sprintf("%s/v2/users/authenticate", url))
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequest(t, "GET", fmt.Sprintf("%s/v2/users/authenticate", url)).
+				AddBasicAuth(user.Name)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			body := resp.Body.String()
@@ -506,8 +496,8 @@ func TestPackageConan(t *testing.T) {
 		t.Run("CheckCredentials", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequest(t, "GET", fmt.Sprintf("%s/v2/users/check_credentials", url))
-			req = addTokenAuthHeader(req, token)
+			req := NewRequest(t, "GET", fmt.Sprintf("%s/v2/users/check_credentials", url)).
+				AddTokenAuth(token)
 			MakeRequest(t, req, http.StatusOK)
 		})
 
@@ -672,14 +662,14 @@ func TestPackageConan(t *testing.T) {
 
 				checkPackageRevisionCount(2)
 
-				req := NewRequest(t, "DELETE", fmt.Sprintf("%s/v2/conans/%s/%s/%s/%s/revisions/%s/packages/%s/revisions/%s", url, name, version1, user1, channel1, revision1, conanPackageReference, revision1))
-				req = addTokenAuthHeader(req, token)
+				req := NewRequest(t, "DELETE", fmt.Sprintf("%s/v2/conans/%s/%s/%s/%s/revisions/%s/packages/%s/revisions/%s", url, name, version1, user1, channel1, revision1, conanPackageReference, revision1)).
+					AddTokenAuth(token)
 				MakeRequest(t, req, http.StatusOK)
 
 				checkPackageRevisionCount(1)
 
-				req = NewRequest(t, "DELETE", fmt.Sprintf("%s/v2/conans/%s/%s/%s/%s/revisions/%s/packages/%s", url, name, version1, user1, channel1, revision1, conanPackageReference))
-				req = addTokenAuthHeader(req, token)
+				req = NewRequest(t, "DELETE", fmt.Sprintf("%s/v2/conans/%s/%s/%s/%s/revisions/%s/packages/%s", url, name, version1, user1, channel1, revision1, conanPackageReference)).
+					AddTokenAuth(token)
 				MakeRequest(t, req, http.StatusOK)
 
 				checkPackageRevisionCount(0)
@@ -688,8 +678,8 @@ func TestPackageConan(t *testing.T) {
 
 				checkPackageReferenceCount(1)
 
-				req = NewRequest(t, "DELETE", fmt.Sprintf("%s/v2/conans/%s/%s/%s/%s/revisions/%s/packages", url, name, version1, user1, channel1, revision2))
-				req = addTokenAuthHeader(req, token)
+				req = NewRequest(t, "DELETE", fmt.Sprintf("%s/v2/conans/%s/%s/%s/%s/revisions/%s/packages", url, name, version1, user1, channel1, revision2)).
+					AddTokenAuth(token)
 				MakeRequest(t, req, http.StatusOK)
 
 				checkPackageReferenceCount(0)
@@ -708,14 +698,14 @@ func TestPackageConan(t *testing.T) {
 
 				checkRecipeRevisionCount(2)
 
-				req := NewRequest(t, "DELETE", fmt.Sprintf("%s/v2/conans/%s/%s/%s/%s/revisions/%s", url, name, version1, user1, channel1, revision1))
-				req = addTokenAuthHeader(req, token)
+				req := NewRequest(t, "DELETE", fmt.Sprintf("%s/v2/conans/%s/%s/%s/%s/revisions/%s", url, name, version1, user1, channel1, revision1)).
+					AddTokenAuth(token)
 				MakeRequest(t, req, http.StatusOK)
 
 				checkRecipeRevisionCount(1)
 
-				req = NewRequest(t, "DELETE", fmt.Sprintf("%s/v2/conans/%s/%s/%s/%s", url, name, version1, user1, channel1))
-				req = addTokenAuthHeader(req, token)
+				req = NewRequest(t, "DELETE", fmt.Sprintf("%s/v2/conans/%s/%s/%s/%s", url, name, version1, user1, channel1)).
+					AddTokenAuth(token)
 				MakeRequest(t, req, http.StatusOK)
 
 				checkRecipeRevisionCount(0)
diff --git a/tests/integration/api_packages_conda_test.go b/tests/integration/api_packages_conda_test.go
index daa7dca55fa2e..bb269e82d603a 100644
--- a/tests/integration/api_packages_conda_test.go
+++ b/tests/integration/api_packages_conda_test.go
@@ -66,12 +66,12 @@ func TestPackageConda(t *testing.T) {
 			req := NewRequestWithBody(t, "PUT", root+"/"+filename, bytes.NewReader(buf.Bytes()))
 			MakeRequest(t, req, http.StatusUnauthorized)
 
-			req = NewRequestWithBody(t, "PUT", root+"/"+filename, bytes.NewReader(buf.Bytes()))
-			AddBasicAuthHeader(req, user.Name)
+			req = NewRequestWithBody(t, "PUT", root+"/"+filename, bytes.NewReader(buf.Bytes())).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusCreated)
 
-			req = NewRequestWithBody(t, "PUT", root+"/"+filename, bytes.NewReader(buf.Bytes()))
-			AddBasicAuthHeader(req, user.Name)
+			req = NewRequestWithBody(t, "PUT", root+"/"+filename, bytes.NewReader(buf.Bytes())).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusConflict)
 
 			pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeConda)
@@ -107,12 +107,12 @@ func TestPackageConda(t *testing.T) {
 			req := NewRequestWithBody(t, "PUT", root+"/"+channel+"/"+filename, bytes.NewReader(buf.Bytes()))
 			MakeRequest(t, req, http.StatusUnauthorized)
 
-			req = NewRequestWithBody(t, "PUT", root+"/"+channel+"/"+filename, bytes.NewReader(buf.Bytes()))
-			AddBasicAuthHeader(req, user.Name)
+			req = NewRequestWithBody(t, "PUT", root+"/"+channel+"/"+filename, bytes.NewReader(buf.Bytes())).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusCreated)
 
-			req = NewRequestWithBody(t, "PUT", root+"/"+channel+"/"+filename, bytes.NewReader(buf.Bytes()))
-			AddBasicAuthHeader(req, user.Name)
+			req = NewRequestWithBody(t, "PUT", root+"/"+channel+"/"+filename, bytes.NewReader(buf.Bytes())).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusConflict)
 
 			pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeConda)
diff --git a/tests/integration/api_packages_container_test.go b/tests/integration/api_packages_container_test.go
index 93b4ff46241a0..f32d33888b400 100644
--- a/tests/integration/api_packages_container_test.go
+++ b/tests/integration/api_packages_container_test.go
@@ -103,8 +103,8 @@ func TestPackageContainer(t *testing.T) {
 
 			anonymousToken = fmt.Sprintf("Bearer %s", tokenResponse.Token)
 
-			req = NewRequest(t, "GET", fmt.Sprintf("%sv2", setting.AppURL))
-			addTokenAuthHeader(req, anonymousToken)
+			req = NewRequest(t, "GET", fmt.Sprintf("%sv2", setting.AppURL)).
+				AddTokenAuth(anonymousToken)
 			MakeRequest(t, req, http.StatusOK)
 		})
 
@@ -116,8 +116,8 @@ func TestPackageContainer(t *testing.T) {
 
 			assert.ElementsMatch(t, authenticate, resp.Header().Values("WWW-Authenticate"))
 
-			req = NewRequest(t, "GET", fmt.Sprintf("%sv2/token", setting.AppURL))
-			req = AddBasicAuthHeader(req, user.Name)
+			req = NewRequest(t, "GET", fmt.Sprintf("%sv2/token", setting.AppURL)).
+				AddBasicAuth(user.Name)
 			resp = MakeRequest(t, req, http.StatusOK)
 
 			tokenResponse := &TokenResponse{}
@@ -127,8 +127,8 @@ func TestPackageContainer(t *testing.T) {
 
 			userToken = fmt.Sprintf("Bearer %s", tokenResponse.Token)
 
-			req = NewRequest(t, "GET", fmt.Sprintf("%sv2", setting.AppURL))
-			addTokenAuthHeader(req, userToken)
+			req = NewRequest(t, "GET", fmt.Sprintf("%sv2", setting.AppURL)).
+				AddTokenAuth(userToken)
 			MakeRequest(t, req, http.StatusOK)
 		})
 	})
@@ -136,8 +136,8 @@ func TestPackageContainer(t *testing.T) {
 	t.Run("DetermineSupport", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("%sv2", setting.AppURL))
-		addTokenAuthHeader(req, userToken)
+		req := NewRequest(t, "GET", fmt.Sprintf("%sv2", setting.AppURL)).
+			AddTokenAuth(userToken)
 		resp := MakeRequest(t, req, http.StatusOK)
 		assert.Equal(t, "registry/2.0", resp.Header().Get("Docker-Distribution-Api-Version"))
 	})
@@ -149,16 +149,16 @@ func TestPackageContainer(t *testing.T) {
 			t.Run("UploadBlob/Monolithic", func(t *testing.T) {
 				defer tests.PrintCurrentTest(t)()
 
-				req := NewRequest(t, "POST", fmt.Sprintf("%s/blobs/uploads", url))
-				addTokenAuthHeader(req, anonymousToken)
+				req := NewRequest(t, "POST", fmt.Sprintf("%s/blobs/uploads", url)).
+					AddTokenAuth(anonymousToken)
 				MakeRequest(t, req, http.StatusUnauthorized)
 
-				req = NewRequestWithBody(t, "POST", fmt.Sprintf("%s/blobs/uploads?digest=%s", url, unknownDigest), bytes.NewReader(blobContent))
-				addTokenAuthHeader(req, userToken)
+				req = NewRequestWithBody(t, "POST", fmt.Sprintf("%s/blobs/uploads?digest=%s", url, unknownDigest), bytes.NewReader(blobContent)).
+					AddTokenAuth(userToken)
 				MakeRequest(t, req, http.StatusBadRequest)
 
-				req = NewRequestWithBody(t, "POST", fmt.Sprintf("%s/blobs/uploads?digest=%s", url, blobDigest), bytes.NewReader(blobContent))
-				addTokenAuthHeader(req, userToken)
+				req = NewRequestWithBody(t, "POST", fmt.Sprintf("%s/blobs/uploads?digest=%s", url, blobDigest), bytes.NewReader(blobContent)).
+					AddTokenAuth(userToken)
 				resp := MakeRequest(t, req, http.StatusCreated)
 
 				assert.Equal(t, fmt.Sprintf("/v2/%s/%s/blobs/%s", user.Name, image, blobDigest), resp.Header().Get("Location"))
@@ -179,8 +179,8 @@ func TestPackageContainer(t *testing.T) {
 			t.Run("UploadBlob/Chunked", func(t *testing.T) {
 				defer tests.PrintCurrentTest(t)()
 
-				req := NewRequest(t, "POST", fmt.Sprintf("%s/blobs/uploads", url))
-				addTokenAuthHeader(req, userToken)
+				req := NewRequest(t, "POST", fmt.Sprintf("%s/blobs/uploads", url)).
+					AddTokenAuth(userToken)
 				resp := MakeRequest(t, req, http.StatusAccepted)
 
 				uuid := resp.Header().Get("Docker-Upload-Uuid")
@@ -193,18 +193,17 @@ func TestPackageContainer(t *testing.T) {
 				uploadURL := resp.Header().Get("Location")
 				assert.NotEmpty(t, uploadURL)
 
-				req = NewRequestWithBody(t, "PATCH", setting.AppURL+uploadURL[1:]+"000", bytes.NewReader(blobContent))
-				addTokenAuthHeader(req, userToken)
+				req = NewRequestWithBody(t, "PATCH", setting.AppURL+uploadURL[1:]+"000", bytes.NewReader(blobContent)).
+					AddTokenAuth(userToken)
 				MakeRequest(t, req, http.StatusNotFound)
 
-				req = NewRequestWithBody(t, "PATCH", setting.AppURL+uploadURL[1:], bytes.NewReader(blobContent))
-				addTokenAuthHeader(req, userToken)
-
-				req.Header.Set("Content-Range", "1-10")
+				req = NewRequestWithBody(t, "PATCH", setting.AppURL+uploadURL[1:], bytes.NewReader(blobContent)).
+					AddTokenAuth(userToken).
+					SetHeader("Content-Range", "1-10")
 				MakeRequest(t, req, http.StatusRequestedRangeNotSatisfiable)
 
 				contentRange := fmt.Sprintf("0-%d", len(blobContent)-1)
-				req.Header.Set("Content-Range", contentRange)
+				req.SetHeader("Content-Range", contentRange)
 				resp = MakeRequest(t, req, http.StatusAccepted)
 
 				assert.Equal(t, uuid, resp.Header().Get("Docker-Upload-Uuid"))
@@ -212,8 +211,8 @@ func TestPackageContainer(t *testing.T) {
 
 				uploadURL = resp.Header().Get("Location")
 
-				req = NewRequest(t, "GET", setting.AppURL+uploadURL[1:])
-				addTokenAuthHeader(req, userToken)
+				req = NewRequest(t, "GET", setting.AppURL+uploadURL[1:]).
+					AddTokenAuth(userToken)
 				resp = MakeRequest(t, req, http.StatusNoContent)
 
 				assert.Equal(t, uuid, resp.Header().Get("Docker-Upload-Uuid"))
@@ -223,8 +222,8 @@ func TestPackageContainer(t *testing.T) {
 				assert.NoError(t, err)
 				assert.EqualValues(t, len(blobContent), pbu.BytesReceived)
 
-				req = NewRequest(t, "PUT", fmt.Sprintf("%s?digest=%s", setting.AppURL+uploadURL[1:], blobDigest))
-				addTokenAuthHeader(req, userToken)
+				req = NewRequest(t, "PUT", fmt.Sprintf("%s?digest=%s", setting.AppURL+uploadURL[1:], blobDigest)).
+					AddTokenAuth(userToken)
 				resp = MakeRequest(t, req, http.StatusCreated)
 
 				assert.Equal(t, fmt.Sprintf("/v2/%s/%s/blobs/%s", user.Name, image, blobDigest), resp.Header().Get("Location"))
@@ -233,8 +232,8 @@ func TestPackageContainer(t *testing.T) {
 				t.Run("Cancel", func(t *testing.T) {
 					defer tests.PrintCurrentTest(t)()
 
-					req := NewRequest(t, "POST", fmt.Sprintf("%s/blobs/uploads", url))
-					addTokenAuthHeader(req, userToken)
+					req := NewRequest(t, "POST", fmt.Sprintf("%s/blobs/uploads", url)).
+						AddTokenAuth(userToken)
 					resp := MakeRequest(t, req, http.StatusAccepted)
 
 					uuid := resp.Header().Get("Docker-Upload-Uuid")
@@ -243,19 +242,19 @@ func TestPackageContainer(t *testing.T) {
 					uploadURL := resp.Header().Get("Location")
 					assert.NotEmpty(t, uploadURL)
 
-					req = NewRequest(t, "GET", setting.AppURL+uploadURL[1:])
-					addTokenAuthHeader(req, userToken)
+					req = NewRequest(t, "GET", setting.AppURL+uploadURL[1:]).
+						AddTokenAuth(userToken)
 					resp = MakeRequest(t, req, http.StatusNoContent)
 
 					assert.Equal(t, uuid, resp.Header().Get("Docker-Upload-Uuid"))
 					assert.Equal(t, "0-0", resp.Header().Get("Range"))
 
-					req = NewRequest(t, "DELETE", setting.AppURL+uploadURL[1:])
-					addTokenAuthHeader(req, userToken)
+					req = NewRequest(t, "DELETE", setting.AppURL+uploadURL[1:]).
+						AddTokenAuth(userToken)
 					MakeRequest(t, req, http.StatusNoContent)
 
-					req = NewRequest(t, "GET", setting.AppURL+uploadURL[1:])
-					addTokenAuthHeader(req, userToken)
+					req = NewRequest(t, "GET", setting.AppURL+uploadURL[1:]).
+						AddTokenAuth(userToken)
 					MakeRequest(t, req, http.StatusNotFound)
 				})
 			})
@@ -264,31 +263,31 @@ func TestPackageContainer(t *testing.T) {
 				defer tests.PrintCurrentTest(t)()
 
 				privateBlobDigest := "sha256:6ccce4863b70f258d691f59609d31b4502e1ba5199942d3bc5d35d17a4ce771d"
-				req := NewRequestWithBody(t, "POST", fmt.Sprintf("%sv2/%s/%s/blobs/uploads?digest=%s", setting.AppURL, privateUser.Name, image, privateBlobDigest), strings.NewReader("gitea"))
-				req = AddBasicAuthHeader(req, privateUser.Name)
+				req := NewRequestWithBody(t, "POST", fmt.Sprintf("%sv2/%s/%s/blobs/uploads?digest=%s", setting.AppURL, privateUser.Name, image, privateBlobDigest), strings.NewReader("gitea")).
+					AddBasicAuth(privateUser.Name)
 				MakeRequest(t, req, http.StatusCreated)
 
-				req = NewRequest(t, "POST", fmt.Sprintf("%s/blobs/uploads?mount=%s", url, unknownDigest))
-				addTokenAuthHeader(req, userToken)
+				req = NewRequest(t, "POST", fmt.Sprintf("%s/blobs/uploads?mount=%s", url, unknownDigest)).
+					AddTokenAuth(userToken)
 				MakeRequest(t, req, http.StatusAccepted)
 
-				req = NewRequest(t, "POST", fmt.Sprintf("%s/blobs/uploads?mount=%s", url, privateBlobDigest))
-				addTokenAuthHeader(req, userToken)
+				req = NewRequest(t, "POST", fmt.Sprintf("%s/blobs/uploads?mount=%s", url, privateBlobDigest)).
+					AddTokenAuth(userToken)
 				MakeRequest(t, req, http.StatusAccepted)
 
-				req = NewRequest(t, "POST", fmt.Sprintf("%s/blobs/uploads?mount=%s", url, blobDigest))
-				addTokenAuthHeader(req, userToken)
+				req = NewRequest(t, "POST", fmt.Sprintf("%s/blobs/uploads?mount=%s", url, blobDigest)).
+					AddTokenAuth(userToken)
 				resp := MakeRequest(t, req, http.StatusCreated)
 
 				assert.Equal(t, fmt.Sprintf("/v2/%s/%s/blobs/%s", user.Name, image, blobDigest), resp.Header().Get("Location"))
 				assert.Equal(t, blobDigest, resp.Header().Get("Docker-Content-Digest"))
 
-				req = NewRequest(t, "POST", fmt.Sprintf("%s/blobs/uploads?mount=%s&from=%s", url, unknownDigest, "unknown/image"))
-				addTokenAuthHeader(req, userToken)
+				req = NewRequest(t, "POST", fmt.Sprintf("%s/blobs/uploads?mount=%s&from=%s", url, unknownDigest, "unknown/image")).
+					AddTokenAuth(userToken)
 				MakeRequest(t, req, http.StatusAccepted)
 
-				req = NewRequest(t, "POST", fmt.Sprintf("%s/blobs/uploads?mount=%s&from=%s/%s", url, blobDigest, user.Name, image))
-				addTokenAuthHeader(req, userToken)
+				req = NewRequest(t, "POST", fmt.Sprintf("%s/blobs/uploads?mount=%s&from=%s/%s", url, blobDigest, user.Name, image)).
+					AddTokenAuth(userToken)
 				resp = MakeRequest(t, req, http.StatusCreated)
 
 				assert.Equal(t, fmt.Sprintf("/v2/%s/%s/blobs/%s", user.Name, image, blobDigest), resp.Header().Get("Location"))
@@ -300,18 +299,18 @@ func TestPackageContainer(t *testing.T) {
 					t.Run("UploadManifest", func(t *testing.T) {
 						defer tests.PrintCurrentTest(t)()
 
-						req := NewRequestWithBody(t, "POST", fmt.Sprintf("%s/blobs/uploads?digest=%s", url, configDigest), strings.NewReader(configContent))
-						addTokenAuthHeader(req, userToken)
+						req := NewRequestWithBody(t, "POST", fmt.Sprintf("%s/blobs/uploads?digest=%s", url, configDigest), strings.NewReader(configContent)).
+							AddTokenAuth(userToken)
 						MakeRequest(t, req, http.StatusCreated)
 
-						req = NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/manifests/%s", url, tag), strings.NewReader(manifestContent))
-						addTokenAuthHeader(req, anonymousToken)
-						req.Header.Set("Content-Type", "application/vnd.docker.distribution.manifest.v2+json")
+						req = NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/manifests/%s", url, tag), strings.NewReader(manifestContent)).
+							AddTokenAuth(anonymousToken).
+							SetHeader("Content-Type", "application/vnd.docker.distribution.manifest.v2+json")
 						MakeRequest(t, req, http.StatusUnauthorized)
 
-						req = NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/manifests/%s", url, tag), strings.NewReader(manifestContent))
-						addTokenAuthHeader(req, userToken)
-						req.Header.Set("Content-Type", "application/vnd.docker.distribution.manifest.v2+json")
+						req = NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/manifests/%s", url, tag), strings.NewReader(manifestContent)).
+							AddTokenAuth(userToken).
+							SetHeader("Content-Type", "application/vnd.docker.distribution.manifest.v2+json")
 						resp := MakeRequest(t, req, http.StatusCreated)
 
 						assert.Equal(t, manifestDigest, resp.Header().Get("Docker-Content-Digest"))
@@ -353,8 +352,8 @@ func TestPackageContainer(t *testing.T) {
 							}
 						}
 
-						req = NewRequest(t, "GET", fmt.Sprintf("%s/manifests/%s", url, tag))
-						addTokenAuthHeader(req, userToken)
+						req = NewRequest(t, "GET", fmt.Sprintf("%s/manifests/%s", url, tag)).
+							AddTokenAuth(userToken)
 						MakeRequest(t, req, http.StatusOK)
 
 						pv, err = packages_model.GetVersionByNameAndVersion(db.DefaultContext, user.ID, packages_model.TypeContainer, image, tag)
@@ -362,9 +361,9 @@ func TestPackageContainer(t *testing.T) {
 						assert.EqualValues(t, 1, pv.DownloadCount)
 
 						// Overwrite existing tag should keep the download count
-						req = NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/manifests/%s", url, tag), strings.NewReader(manifestContent))
-						addTokenAuthHeader(req, userToken)
-						req.Header.Set("Content-Type", oci.MediaTypeImageManifest)
+						req = NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/manifests/%s", url, tag), strings.NewReader(manifestContent)).
+							AddTokenAuth(userToken).
+							SetHeader("Content-Type", oci.MediaTypeImageManifest)
 						MakeRequest(t, req, http.StatusCreated)
 
 						pv, err = packages_model.GetVersionByNameAndVersion(db.DefaultContext, user.ID, packages_model.TypeContainer, image, tag)
@@ -375,12 +374,12 @@ func TestPackageContainer(t *testing.T) {
 					t.Run("HeadManifest", func(t *testing.T) {
 						defer tests.PrintCurrentTest(t)()
 
-						req := NewRequest(t, "HEAD", fmt.Sprintf("%s/manifests/unknown-tag", url))
-						addTokenAuthHeader(req, userToken)
+						req := NewRequest(t, "HEAD", fmt.Sprintf("%s/manifests/unknown-tag", url)).
+							AddTokenAuth(userToken)
 						MakeRequest(t, req, http.StatusNotFound)
 
-						req = NewRequest(t, "HEAD", fmt.Sprintf("%s/manifests/%s", url, tag))
-						addTokenAuthHeader(req, userToken)
+						req = NewRequest(t, "HEAD", fmt.Sprintf("%s/manifests/%s", url, tag)).
+							AddTokenAuth(userToken)
 						resp := MakeRequest(t, req, http.StatusOK)
 
 						assert.Equal(t, fmt.Sprintf("%d", len(manifestContent)), resp.Header().Get("Content-Length"))
@@ -390,12 +389,12 @@ func TestPackageContainer(t *testing.T) {
 					t.Run("GetManifest", func(t *testing.T) {
 						defer tests.PrintCurrentTest(t)()
 
-						req := NewRequest(t, "GET", fmt.Sprintf("%s/manifests/unknown-tag", url))
-						addTokenAuthHeader(req, userToken)
+						req := NewRequest(t, "GET", fmt.Sprintf("%s/manifests/unknown-tag", url)).
+							AddTokenAuth(userToken)
 						MakeRequest(t, req, http.StatusNotFound)
 
-						req = NewRequest(t, "GET", fmt.Sprintf("%s/manifests/%s", url, tag))
-						addTokenAuthHeader(req, userToken)
+						req = NewRequest(t, "GET", fmt.Sprintf("%s/manifests/%s", url, tag)).
+							AddTokenAuth(userToken)
 						resp := MakeRequest(t, req, http.StatusOK)
 
 						assert.Equal(t, fmt.Sprintf("%d", len(manifestContent)), resp.Header().Get("Content-Length"))
@@ -409,15 +408,15 @@ func TestPackageContainer(t *testing.T) {
 			t.Run("UploadUntaggedManifest", func(t *testing.T) {
 				defer tests.PrintCurrentTest(t)()
 
-				req := NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/manifests/%s", url, untaggedManifestDigest), strings.NewReader(untaggedManifestContent))
-				addTokenAuthHeader(req, userToken)
-				req.Header.Set("Content-Type", oci.MediaTypeImageManifest)
+				req := NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/manifests/%s", url, untaggedManifestDigest), strings.NewReader(untaggedManifestContent)).
+					AddTokenAuth(userToken).
+					SetHeader("Content-Type", oci.MediaTypeImageManifest)
 				resp := MakeRequest(t, req, http.StatusCreated)
 
 				assert.Equal(t, untaggedManifestDigest, resp.Header().Get("Docker-Content-Digest"))
 
-				req = NewRequest(t, "HEAD", fmt.Sprintf("%s/manifests/%s", url, untaggedManifestDigest))
-				addTokenAuthHeader(req, userToken)
+				req = NewRequest(t, "HEAD", fmt.Sprintf("%s/manifests/%s", url, untaggedManifestDigest)).
+					AddTokenAuth(userToken)
 				resp = MakeRequest(t, req, http.StatusOK)
 
 				assert.Equal(t, fmt.Sprintf("%d", len(untaggedManifestContent)), resp.Header().Get("Content-Length"))
@@ -449,9 +448,9 @@ func TestPackageContainer(t *testing.T) {
 			t.Run("UploadIndexManifest", func(t *testing.T) {
 				defer tests.PrintCurrentTest(t)()
 
-				req := NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/manifests/%s", url, multiTag), strings.NewReader(indexManifestContent))
-				addTokenAuthHeader(req, userToken)
-				req.Header.Set("Content-Type", oci.MediaTypeImageIndex)
+				req := NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/manifests/%s", url, multiTag), strings.NewReader(indexManifestContent)).
+					AddTokenAuth(userToken).
+					SetHeader("Content-Type", oci.MediaTypeImageIndex)
 				resp := MakeRequest(t, req, http.StatusCreated)
 
 				assert.Equal(t, indexManifestDigest, resp.Header().Get("Docker-Content-Digest"))
@@ -498,31 +497,31 @@ func TestPackageContainer(t *testing.T) {
 			t.Run("HeadBlob", func(t *testing.T) {
 				defer tests.PrintCurrentTest(t)()
 
-				req := NewRequest(t, "HEAD", fmt.Sprintf("%s/blobs/%s", url, unknownDigest))
-				addTokenAuthHeader(req, userToken)
+				req := NewRequest(t, "HEAD", fmt.Sprintf("%s/blobs/%s", url, unknownDigest)).
+					AddTokenAuth(userToken)
 				MakeRequest(t, req, http.StatusNotFound)
 
-				req = NewRequest(t, "HEAD", fmt.Sprintf("%s/blobs/%s", url, blobDigest))
-				addTokenAuthHeader(req, userToken)
+				req = NewRequest(t, "HEAD", fmt.Sprintf("%s/blobs/%s", url, blobDigest)).
+					AddTokenAuth(userToken)
 				resp := MakeRequest(t, req, http.StatusOK)
 
 				assert.Equal(t, fmt.Sprintf("%d", len(blobContent)), resp.Header().Get("Content-Length"))
 				assert.Equal(t, blobDigest, resp.Header().Get("Docker-Content-Digest"))
 
-				req = NewRequest(t, "HEAD", fmt.Sprintf("%s/blobs/%s", url, blobDigest))
-				addTokenAuthHeader(req, anonymousToken)
+				req = NewRequest(t, "HEAD", fmt.Sprintf("%s/blobs/%s", url, blobDigest)).
+					AddTokenAuth(anonymousToken)
 				MakeRequest(t, req, http.StatusOK)
 			})
 
 			t.Run("GetBlob", func(t *testing.T) {
 				defer tests.PrintCurrentTest(t)()
 
-				req := NewRequest(t, "GET", fmt.Sprintf("%s/blobs/%s", url, unknownDigest))
-				addTokenAuthHeader(req, userToken)
+				req := NewRequest(t, "GET", fmt.Sprintf("%s/blobs/%s", url, unknownDigest)).
+					AddTokenAuth(userToken)
 				MakeRequest(t, req, http.StatusNotFound)
 
-				req = NewRequest(t, "GET", fmt.Sprintf("%s/blobs/%s", url, blobDigest))
-				addTokenAuthHeader(req, userToken)
+				req = NewRequest(t, "GET", fmt.Sprintf("%s/blobs/%s", url, blobDigest)).
+					AddTokenAuth(userToken)
 				resp := MakeRequest(t, req, http.StatusOK)
 
 				assert.Equal(t, fmt.Sprintf("%d", len(blobContent)), resp.Header().Get("Content-Length"))
@@ -566,8 +565,8 @@ func TestPackageContainer(t *testing.T) {
 				}
 
 				for _, c := range cases {
-					req := NewRequest(t, "GET", c.URL)
-					addTokenAuthHeader(req, userToken)
+					req := NewRequest(t, "GET", c.URL).
+						AddTokenAuth(userToken)
 					resp := MakeRequest(t, req, http.StatusOK)
 
 					type TagList struct {
@@ -583,7 +582,8 @@ func TestPackageContainer(t *testing.T) {
 					assert.Equal(t, c.ExpectedLink, resp.Header().Get("Link"))
 				}
 
-				req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s?type=container&q=%s&token=%s", user.Name, image, token))
+				req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s?type=container&q=%s", user.Name, image)).
+					AddTokenAuth(token)
 				resp := MakeRequest(t, req, http.StatusOK)
 
 				var apiPackages []*api.Package
@@ -595,36 +595,36 @@ func TestPackageContainer(t *testing.T) {
 				t.Run("Blob", func(t *testing.T) {
 					defer tests.PrintCurrentTest(t)()
 
-					req := NewRequest(t, "DELETE", fmt.Sprintf("%s/blobs/%s", url, blobDigest))
-					addTokenAuthHeader(req, userToken)
+					req := NewRequest(t, "DELETE", fmt.Sprintf("%s/blobs/%s", url, blobDigest)).
+						AddTokenAuth(userToken)
 					MakeRequest(t, req, http.StatusAccepted)
 
-					req = NewRequest(t, "HEAD", fmt.Sprintf("%s/blobs/%s", url, blobDigest))
-					addTokenAuthHeader(req, userToken)
+					req = NewRequest(t, "HEAD", fmt.Sprintf("%s/blobs/%s", url, blobDigest)).
+						AddTokenAuth(userToken)
 					MakeRequest(t, req, http.StatusNotFound)
 				})
 
 				t.Run("ManifestByDigest", func(t *testing.T) {
 					defer tests.PrintCurrentTest(t)()
 
-					req := NewRequest(t, "DELETE", fmt.Sprintf("%s/manifests/%s", url, untaggedManifestDigest))
-					addTokenAuthHeader(req, userToken)
+					req := NewRequest(t, "DELETE", fmt.Sprintf("%s/manifests/%s", url, untaggedManifestDigest)).
+						AddTokenAuth(userToken)
 					MakeRequest(t, req, http.StatusAccepted)
 
-					req = NewRequest(t, "HEAD", fmt.Sprintf("%s/manifests/%s", url, untaggedManifestDigest))
-					addTokenAuthHeader(req, userToken)
+					req = NewRequest(t, "HEAD", fmt.Sprintf("%s/manifests/%s", url, untaggedManifestDigest)).
+						AddTokenAuth(userToken)
 					MakeRequest(t, req, http.StatusNotFound)
 				})
 
 				t.Run("ManifestByTag", func(t *testing.T) {
 					defer tests.PrintCurrentTest(t)()
 
-					req := NewRequest(t, "DELETE", fmt.Sprintf("%s/manifests/%s", url, multiTag))
-					addTokenAuthHeader(req, userToken)
+					req := NewRequest(t, "DELETE", fmt.Sprintf("%s/manifests/%s", url, multiTag)).
+						AddTokenAuth(userToken)
 					MakeRequest(t, req, http.StatusAccepted)
 
-					req = NewRequest(t, "HEAD", fmt.Sprintf("%s/manifests/%s", url, multiTag))
-					addTokenAuthHeader(req, userToken)
+					req = NewRequest(t, "HEAD", fmt.Sprintf("%s/manifests/%s", url, multiTag)).
+						AddTokenAuth(userToken)
 					MakeRequest(t, req, http.StatusNotFound)
 				})
 			})
@@ -647,8 +647,8 @@ func TestPackageContainer(t *testing.T) {
 			go func() {
 				defer wg.Done()
 
-				req := NewRequestWithBody(t, "POST", fmt.Sprintf("%s/blobs/uploads?digest=%s", url, digest), bytes.NewReader(content))
-				addTokenAuthHeader(req, userToken)
+				req := NewRequestWithBody(t, "POST", fmt.Sprintf("%s/blobs/uploads?digest=%s", url, digest), bytes.NewReader(content)).
+					AddTokenAuth(userToken)
 				resp := MakeRequest(t, req, http.StatusCreated)
 
 				assert.Equal(t, digest, resp.Header().Get("Docker-Content-Digest"))
@@ -664,8 +664,8 @@ func TestPackageContainer(t *testing.T) {
 			return func(t *testing.T) {
 				defer tests.PrintCurrentTest(t)()
 
-				req := NewRequest(t, "GET", fmt.Sprintf("%sv2/_catalog", setting.AppURL))
-				addTokenAuthHeader(req, userToken)
+				req := NewRequest(t, "GET", fmt.Sprintf("%sv2/_catalog", setting.AppURL)).
+					AddTokenAuth(userToken)
 				resp := MakeRequest(t, req, http.StatusOK)
 
 				type RepositoryList struct {
diff --git a/tests/integration/api_packages_cran_test.go b/tests/integration/api_packages_cran_test.go
index 9ef23226db07f..d307e87d4e0f8 100644
--- a/tests/integration/api_packages_cran_test.go
+++ b/tests/integration/api_packages_cran_test.go
@@ -74,15 +74,13 @@ func TestPackageCran(t *testing.T) {
 			req = NewRequestWithBody(t, "PUT", uploadURL, createArchive(
 				"dummy.txt",
 				[]byte{},
-			))
-			req = AddBasicAuthHeader(req, user.Name)
+			)).AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusBadRequest)
 
 			req = NewRequestWithBody(t, "PUT", uploadURL, createArchive(
 				"package/DESCRIPTION",
 				createDescription(packageName, packageVersion),
-			))
-			req = AddBasicAuthHeader(req, user.Name)
+			)).AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusCreated)
 
 			pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeCran)
@@ -105,24 +103,23 @@ func TestPackageCran(t *testing.T) {
 			req = NewRequestWithBody(t, "PUT", uploadURL, createArchive(
 				"package/DESCRIPTION",
 				createDescription(packageName, packageVersion),
-			))
-			req = AddBasicAuthHeader(req, user.Name)
+			)).AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusConflict)
 		})
 
 		t.Run("Download", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequest(t, "GET", fmt.Sprintf("%s/src/contrib/%s_%s.tar.gz", url, packageName, packageVersion))
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequest(t, "GET", fmt.Sprintf("%s/src/contrib/%s_%s.tar.gz", url, packageName, packageVersion)).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusOK)
 		})
 
 		t.Run("Enumerate", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequest(t, "GET", url+"/src/contrib/PACKAGES")
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequest(t, "GET", url+"/src/contrib/PACKAGES").
+				AddBasicAuth(user.Name)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			assert.Contains(t, resp.Header().Get("Content-Type"), "text/plain")
@@ -131,8 +128,8 @@ func TestPackageCran(t *testing.T) {
 			assert.Contains(t, body, fmt.Sprintf("Package: %s", packageName))
 			assert.Contains(t, body, fmt.Sprintf("Version: %s", packageVersion))
 
-			req = NewRequest(t, "GET", url+"/src/contrib/PACKAGES.gz")
-			req = AddBasicAuthHeader(req, user.Name)
+			req = NewRequest(t, "GET", url+"/src/contrib/PACKAGES.gz").
+				AddBasicAuth(user.Name)
 			resp = MakeRequest(t, req, http.StatusOK)
 
 			assert.Contains(t, resp.Header().Get("Content-Type"), "application/x-gzip")
@@ -160,15 +157,13 @@ func TestPackageCran(t *testing.T) {
 			req = NewRequestWithBody(t, "PUT", uploadURL, createArchive(
 				"dummy.txt",
 				[]byte{},
-			))
-			req = AddBasicAuthHeader(req, user.Name)
+			)).AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusBadRequest)
 
 			req = NewRequestWithBody(t, "PUT", uploadURL+"?platform=&rversion=", createArchive(
 				"package/DESCRIPTION",
 				createDescription(packageName, packageVersion),
-			))
-			req = AddBasicAuthHeader(req, user.Name)
+			)).AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusBadRequest)
 
 			uploadURL += "?platform=windows&rversion=4.2"
@@ -176,8 +171,7 @@ func TestPackageCran(t *testing.T) {
 			req = NewRequestWithBody(t, "PUT", uploadURL, createArchive(
 				"package/DESCRIPTION",
 				createDescription(packageName, packageVersion),
-			))
-			req = AddBasicAuthHeader(req, user.Name)
+			)).AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusCreated)
 
 			pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeCran)
@@ -191,8 +185,7 @@ func TestPackageCran(t *testing.T) {
 			req = NewRequestWithBody(t, "PUT", uploadURL, createArchive(
 				"package/DESCRIPTION",
 				createDescription(packageName, packageVersion),
-			))
-			req = AddBasicAuthHeader(req, user.Name)
+			)).AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusConflict)
 		})
 
@@ -210,8 +203,8 @@ func TestPackageCran(t *testing.T) {
 			}
 
 			for _, c := range cases {
-				req := NewRequest(t, "GET", fmt.Sprintf("%s/bin/%s/contrib/%s/%s_%s.zip", url, c.Platform, c.RVersion, packageName, packageVersion))
-				req = AddBasicAuthHeader(req, user.Name)
+				req := NewRequest(t, "GET", fmt.Sprintf("%s/bin/%s/contrib/%s/%s_%s.zip", url, c.Platform, c.RVersion, packageName, packageVersion)).
+					AddBasicAuth(user.Name)
 				MakeRequest(t, req, c.ExpectedStatus)
 			}
 		})
@@ -222,8 +215,8 @@ func TestPackageCran(t *testing.T) {
 			req := NewRequest(t, "GET", url+"/bin/windows/contrib/4.1/PACKAGES")
 			MakeRequest(t, req, http.StatusNotFound)
 
-			req = NewRequest(t, "GET", url+"/bin/windows/contrib/4.2/PACKAGES")
-			req = AddBasicAuthHeader(req, user.Name)
+			req = NewRequest(t, "GET", url+"/bin/windows/contrib/4.2/PACKAGES").
+				AddBasicAuth(user.Name)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			assert.Contains(t, resp.Header().Get("Content-Type"), "text/plain")
@@ -232,8 +225,8 @@ func TestPackageCran(t *testing.T) {
 			assert.Contains(t, body, fmt.Sprintf("Package: %s", packageName))
 			assert.Contains(t, body, fmt.Sprintf("Version: %s", packageVersion))
 
-			req = NewRequest(t, "GET", url+"/bin/windows/contrib/4.2/PACKAGES.gz")
-			req = AddBasicAuthHeader(req, user.Name)
+			req = NewRequest(t, "GET", url+"/bin/windows/contrib/4.2/PACKAGES.gz").
+				AddBasicAuth(user.Name)
 			resp = MakeRequest(t, req, http.StatusOK)
 
 			assert.Contains(t, resp.Header().Get("Content-Type"), "application/x-gzip")
diff --git a/tests/integration/api_packages_debian_test.go b/tests/integration/api_packages_debian_test.go
index 6c43f72a71daa..05979fccb546c 100644
--- a/tests/integration/api_packages_debian_test.go
+++ b/tests/integration/api_packages_debian_test.go
@@ -89,16 +89,16 @@ func TestPackageDebian(t *testing.T) {
 							req := NewRequestWithBody(t, "PUT", uploadURL, bytes.NewReader([]byte{}))
 							MakeRequest(t, req, http.StatusUnauthorized)
 
-							req = NewRequestWithBody(t, "PUT", uploadURL, bytes.NewReader([]byte{}))
-							AddBasicAuthHeader(req, user.Name)
+							req = NewRequestWithBody(t, "PUT", uploadURL, bytes.NewReader([]byte{})).
+								AddBasicAuth(user.Name)
 							MakeRequest(t, req, http.StatusBadRequest)
 
-							req = NewRequestWithBody(t, "PUT", uploadURL, createArchive("", "", ""))
-							AddBasicAuthHeader(req, user.Name)
+							req = NewRequestWithBody(t, "PUT", uploadURL, createArchive("", "", "")).
+								AddBasicAuth(user.Name)
 							MakeRequest(t, req, http.StatusBadRequest)
 
-							req = NewRequestWithBody(t, "PUT", uploadURL, createArchive(packageName, packageVersion, architecture))
-							AddBasicAuthHeader(req, user.Name)
+							req = NewRequestWithBody(t, "PUT", uploadURL, createArchive(packageName, packageVersion, architecture)).
+								AddBasicAuth(user.Name)
 							MakeRequest(t, req, http.StatusCreated)
 
 							pv, err := packages.GetVersionByNameAndVersion(db.DefaultContext, user.ID, packages.TypeDebian, packageName, packageVersion)
@@ -145,8 +145,8 @@ func TestPackageDebian(t *testing.T) {
 								return seen
 							})
 
-							req = NewRequestWithBody(t, "PUT", uploadURL, createArchive(packageName, packageVersion, architecture))
-							AddBasicAuthHeader(req, user.Name)
+							req = NewRequestWithBody(t, "PUT", uploadURL, createArchive(packageName, packageVersion, architecture)).
+								AddBasicAuth(user.Name)
 							MakeRequest(t, req, http.StatusConflict)
 						})
 
@@ -162,8 +162,8 @@ func TestPackageDebian(t *testing.T) {
 						t.Run("Packages", func(t *testing.T) {
 							defer tests.PrintCurrentTest(t)()
 
-							req := NewRequestWithBody(t, "PUT", uploadURL, createArchive(packageName, packageVersion2, architecture))
-							AddBasicAuthHeader(req, user.Name)
+							req := NewRequestWithBody(t, "PUT", uploadURL, createArchive(packageName, packageVersion2, architecture)).
+								AddBasicAuth(user.Name)
 							MakeRequest(t, req, http.StatusCreated)
 
 							url := fmt.Sprintf("%s/dists/%s/%s/binary-%s/Packages", rootURL, distribution, component, architecture)
@@ -243,12 +243,12 @@ func TestPackageDebian(t *testing.T) {
 			req := NewRequest(t, "DELETE", fmt.Sprintf("%s/pool/%s/%s/%s/%s/%s", rootURL, distribution, component, packageName, packageVersion, architecture))
 			MakeRequest(t, req, http.StatusUnauthorized)
 
-			req = NewRequest(t, "DELETE", fmt.Sprintf("%s/pool/%s/%s/%s/%s/%s", rootURL, distribution, component, packageName, packageVersion, architecture))
-			AddBasicAuthHeader(req, user.Name)
+			req = NewRequest(t, "DELETE", fmt.Sprintf("%s/pool/%s/%s/%s/%s/%s", rootURL, distribution, component, packageName, packageVersion, architecture)).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusNoContent)
 
-			req = NewRequest(t, "DELETE", fmt.Sprintf("%s/pool/%s/%s/%s/%s/%s", rootURL, distribution, component, packageName, packageVersion2, architecture))
-			AddBasicAuthHeader(req, user.Name)
+			req = NewRequest(t, "DELETE", fmt.Sprintf("%s/pool/%s/%s/%s/%s/%s", rootURL, distribution, component, packageName, packageVersion2, architecture)).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusNoContent)
 
 			req = NewRequest(t, "GET", fmt.Sprintf("%s/dists/%s/%s/binary-%s/Packages", rootURL, distribution, component, architecture))
diff --git a/tests/integration/api_packages_generic_test.go b/tests/integration/api_packages_generic_test.go
index f5d8def0f3379..93525ac4b19cc 100644
--- a/tests/integration/api_packages_generic_test.go
+++ b/tests/integration/api_packages_generic_test.go
@@ -35,8 +35,8 @@ func TestPackageGeneric(t *testing.T) {
 	t.Run("Upload", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequestWithBody(t, "PUT", url+"/"+filename, bytes.NewReader(content))
-		AddBasicAuthHeader(req, user.Name)
+		req := NewRequestWithBody(t, "PUT", url+"/"+filename, bytes.NewReader(content)).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusCreated)
 
 		pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeGeneric)
@@ -62,16 +62,16 @@ func TestPackageGeneric(t *testing.T) {
 		t.Run("Exists", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequestWithBody(t, "PUT", url+"/"+filename, bytes.NewReader(content))
-			AddBasicAuthHeader(req, user.Name)
+			req := NewRequestWithBody(t, "PUT", url+"/"+filename, bytes.NewReader(content)).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusConflict)
 		})
 
 		t.Run("Additional", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequestWithBody(t, "PUT", url+"/dummy.bin", bytes.NewReader(content))
-			AddBasicAuthHeader(req, user.Name)
+			req := NewRequestWithBody(t, "PUT", url+"/dummy.bin", bytes.NewReader(content)).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusCreated)
 
 			// Check deduplication
@@ -84,16 +84,16 @@ func TestPackageGeneric(t *testing.T) {
 		t.Run("InvalidParameter", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequestWithBody(t, "PUT", fmt.Sprintf("/api/packages/%s/generic/%s/%s/%s", user.Name, "invalid+package name", packageVersion, filename), bytes.NewReader(content))
-			AddBasicAuthHeader(req, user.Name)
+			req := NewRequestWithBody(t, "PUT", fmt.Sprintf("/api/packages/%s/generic/%s/%s/%s", user.Name, "invalid+package name", packageVersion, filename), bytes.NewReader(content)).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusBadRequest)
 
-			req = NewRequestWithBody(t, "PUT", fmt.Sprintf("/api/packages/%s/generic/%s/%s/%s", user.Name, packageName, "%20test ", filename), bytes.NewReader(content))
-			AddBasicAuthHeader(req, user.Name)
+			req = NewRequestWithBody(t, "PUT", fmt.Sprintf("/api/packages/%s/generic/%s/%s/%s", user.Name, packageName, "%20test ", filename), bytes.NewReader(content)).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusBadRequest)
 
-			req = NewRequestWithBody(t, "PUT", fmt.Sprintf("/api/packages/%s/generic/%s/%s/%s", user.Name, packageName, packageVersion, "inval+id.na me"), bytes.NewReader(content))
-			AddBasicAuthHeader(req, user.Name)
+			req = NewRequestWithBody(t, "PUT", fmt.Sprintf("/api/packages/%s/generic/%s/%s/%s", user.Name, packageName, packageVersion, "inval+id.na me"), bytes.NewReader(content)).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusBadRequest)
 		})
 	})
@@ -187,15 +187,15 @@ func TestPackageGeneric(t *testing.T) {
 			req := NewRequest(t, "DELETE", url+"/"+filename)
 			MakeRequest(t, req, http.StatusUnauthorized)
 
-			req = NewRequest(t, "DELETE", url+"/"+filename)
-			AddBasicAuthHeader(req, user.Name)
+			req = NewRequest(t, "DELETE", url+"/"+filename).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusNoContent)
 
 			req = NewRequest(t, "GET", url+"/"+filename)
 			MakeRequest(t, req, http.StatusNotFound)
 
-			req = NewRequest(t, "DELETE", url+"/"+filename)
-			AddBasicAuthHeader(req, user.Name)
+			req = NewRequest(t, "DELETE", url+"/"+filename).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusNotFound)
 
 			pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeGeneric)
@@ -205,8 +205,8 @@ func TestPackageGeneric(t *testing.T) {
 			t.Run("RemovesVersion", func(t *testing.T) {
 				defer tests.PrintCurrentTest(t)()
 
-				req = NewRequest(t, "DELETE", url+"/dummy.bin")
-				AddBasicAuthHeader(req, user.Name)
+				req = NewRequest(t, "DELETE", url+"/dummy.bin").
+					AddBasicAuth(user.Name)
 				MakeRequest(t, req, http.StatusNoContent)
 
 				pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeGeneric)
@@ -218,15 +218,15 @@ func TestPackageGeneric(t *testing.T) {
 		t.Run("Version", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequestWithBody(t, "PUT", url+"/"+filename, bytes.NewReader(content))
-			AddBasicAuthHeader(req, user.Name)
+			req := NewRequestWithBody(t, "PUT", url+"/"+filename, bytes.NewReader(content)).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusCreated)
 
 			req = NewRequest(t, "DELETE", url)
 			MakeRequest(t, req, http.StatusUnauthorized)
 
-			req = NewRequest(t, "DELETE", url)
-			AddBasicAuthHeader(req, user.Name)
+			req = NewRequest(t, "DELETE", url).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusNoContent)
 
 			pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeGeneric)
@@ -236,8 +236,8 @@ func TestPackageGeneric(t *testing.T) {
 			req = NewRequest(t, "GET", url+"/"+filename)
 			MakeRequest(t, req, http.StatusNotFound)
 
-			req = NewRequest(t, "DELETE", url)
-			AddBasicAuthHeader(req, user.Name)
+			req = NewRequest(t, "DELETE", url).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusNotFound)
 		})
 	})
diff --git a/tests/integration/api_packages_goproxy_test.go b/tests/integration/api_packages_goproxy_test.go
index 08c1ca54f1403..dab9fefc5e17e 100644
--- a/tests/integration/api_packages_goproxy_test.go
+++ b/tests/integration/api_packages_goproxy_test.go
@@ -51,16 +51,16 @@ func TestPackageGo(t *testing.T) {
 		req := NewRequestWithBody(t, "PUT", url+"/upload", bytes.NewReader(content))
 		MakeRequest(t, req, http.StatusUnauthorized)
 
-		req = NewRequestWithBody(t, "PUT", url+"/upload", bytes.NewReader(content))
-		AddBasicAuthHeader(req, user.Name)
+		req = NewRequestWithBody(t, "PUT", url+"/upload", bytes.NewReader(content)).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusBadRequest)
 
 		content = createArchive(map[string][]byte{
 			packageName + "@" + packageVersion + "/go.mod": []byte(goModContent),
 		})
 
-		req = NewRequestWithBody(t, "PUT", url+"/upload", bytes.NewReader(content))
-		AddBasicAuthHeader(req, user.Name)
+		req = NewRequestWithBody(t, "PUT", url+"/upload", bytes.NewReader(content)).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusCreated)
 
 		pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeGo)
@@ -83,8 +83,8 @@ func TestPackageGo(t *testing.T) {
 		assert.NoError(t, err)
 		assert.Equal(t, int64(len(content)), pb.Size)
 
-		req = NewRequestWithBody(t, "PUT", url+"/upload", bytes.NewReader(content))
-		AddBasicAuthHeader(req, user.Name)
+		req = NewRequestWithBody(t, "PUT", url+"/upload", bytes.NewReader(content)).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusConflict)
 
 		time.Sleep(time.Second)
@@ -93,8 +93,8 @@ func TestPackageGo(t *testing.T) {
 			packageName + "@" + packageVersion2 + "/go.mod": []byte(goModContent),
 		})
 
-		req = NewRequestWithBody(t, "PUT", url+"/upload", bytes.NewReader(content))
-		AddBasicAuthHeader(req, user.Name)
+		req = NewRequestWithBody(t, "PUT", url+"/upload", bytes.NewReader(content)).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusCreated)
 	})
 
diff --git a/tests/integration/api_packages_helm_test.go b/tests/integration/api_packages_helm_test.go
index 4f61452071b66..76285add11796 100644
--- a/tests/integration/api_packages_helm_test.go
+++ b/tests/integration/api_packages_helm_test.go
@@ -68,8 +68,8 @@ dependencies:
 
 		uploadURL := url + "/api/charts"
 
-		req := NewRequestWithBody(t, "POST", uploadURL, bytes.NewReader(content))
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequestWithBody(t, "POST", uploadURL, bytes.NewReader(content)).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusCreated)
 
 		pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeHelm)
@@ -93,8 +93,8 @@ dependencies:
 		assert.NoError(t, err)
 		assert.Equal(t, int64(len(content)), pb.Size)
 
-		req = NewRequestWithBody(t, "POST", uploadURL, bytes.NewReader(content))
-		req = AddBasicAuthHeader(req, user.Name)
+		req = NewRequestWithBody(t, "POST", uploadURL, bytes.NewReader(content)).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusCreated)
 	})
 
@@ -110,8 +110,8 @@ dependencies:
 
 		checkDownloadCount(0)
 
-		req := NewRequest(t, "GET", fmt.Sprintf("%s/%s", url, filename))
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequest(t, "GET", fmt.Sprintf("%s/%s", url, filename)).
+			AddBasicAuth(user.Name)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		assert.Equal(t, content, resp.Body.Bytes())
@@ -122,8 +122,8 @@ dependencies:
 	t.Run("Index", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("%s/index.yaml", url))
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequest(t, "GET", fmt.Sprintf("%s/index.yaml", url)).
+			AddBasicAuth(user.Name)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		type ChartVersion struct {
diff --git a/tests/integration/api_packages_maven_test.go b/tests/integration/api_packages_maven_test.go
index c78024563f4df..c7ed554a9d7f7 100644
--- a/tests/integration/api_packages_maven_test.go
+++ b/tests/integration/api_packages_maven_test.go
@@ -35,8 +35,8 @@ func TestPackageMaven(t *testing.T) {
 	filename := fmt.Sprintf("%s-%s.jar", packageName, packageVersion)
 
 	putFile := func(t *testing.T, path, content string, expectedStatus int) {
-		req := NewRequestWithBody(t, "PUT", root+path, strings.NewReader(content))
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequestWithBody(t, "PUT", root+path, strings.NewReader(content)).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, expectedStatus)
 	}
 
@@ -84,14 +84,14 @@ func TestPackageMaven(t *testing.T) {
 	t.Run("Download", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "HEAD", fmt.Sprintf("%s/%s/%s", root, packageVersion, filename))
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequest(t, "HEAD", fmt.Sprintf("%s/%s/%s", root, packageVersion, filename)).
+			AddBasicAuth(user.Name)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		checkHeaders(t, resp.Header(), "application/java-archive", 4)
 
-		req = NewRequest(t, "GET", fmt.Sprintf("%s/%s/%s", root, packageVersion, filename))
-		req = AddBasicAuthHeader(req, user.Name)
+		req = NewRequest(t, "GET", fmt.Sprintf("%s/%s/%s", root, packageVersion, filename)).
+			AddBasicAuth(user.Name)
 		resp = MakeRequest(t, req, http.StatusOK)
 
 		checkHeaders(t, resp.Header(), "application/java-archive", 4)
@@ -165,14 +165,14 @@ func TestPackageMaven(t *testing.T) {
 	t.Run("DownloadPOM", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "HEAD", fmt.Sprintf("%s/%s/%s.pom", root, packageVersion, filename))
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequest(t, "HEAD", fmt.Sprintf("%s/%s/%s.pom", root, packageVersion, filename)).
+			AddBasicAuth(user.Name)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		checkHeaders(t, resp.Header(), "text/xml", int64(len(pomContent)))
 
-		req = NewRequest(t, "GET", fmt.Sprintf("%s/%s/%s.pom", root, packageVersion, filename))
-		req = AddBasicAuthHeader(req, user.Name)
+		req = NewRequest(t, "GET", fmt.Sprintf("%s/%s/%s.pom", root, packageVersion, filename)).
+			AddBasicAuth(user.Name)
 		resp = MakeRequest(t, req, http.StatusOK)
 
 		checkHeaders(t, resp.Header(), "text/xml", int64(len(pomContent)))
@@ -188,8 +188,8 @@ func TestPackageMaven(t *testing.T) {
 	t.Run("DownloadChecksums", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("%s/1.2.3/%s", root, filename))
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequest(t, "GET", fmt.Sprintf("%s/1.2.3/%s", root, filename)).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusNotFound)
 
 		for key, checksum := range map[string]string{
@@ -198,8 +198,8 @@ func TestPackageMaven(t *testing.T) {
 			"sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
 			"sha512": "ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff",
 		} {
-			req := NewRequest(t, "GET", fmt.Sprintf("%s/%s/%s.%s", root, packageVersion, filename, key))
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequest(t, "GET", fmt.Sprintf("%s/%s/%s.%s", root, packageVersion, filename, key)).
+				AddBasicAuth(user.Name)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			assert.Equal(t, checksum, resp.Body.String())
@@ -209,8 +209,8 @@ func TestPackageMaven(t *testing.T) {
 	t.Run("DownloadMetadata", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", root+"/maven-metadata.xml")
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequest(t, "GET", root+"/maven-metadata.xml").
+			AddBasicAuth(user.Name)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		expectedMetadata := `<?xml version="1.0" encoding="UTF-8"?>` + "\n<metadata><groupId>com.gitea</groupId><artifactId>test-project</artifactId><versioning><release>1.0.1</release><latest>1.0.1</latest><versions><version>1.0.1</version></versions></versioning></metadata>"
@@ -225,8 +225,8 @@ func TestPackageMaven(t *testing.T) {
 			"sha256": "3f48322f81c4b2c3bb8649ae1e5c9801476162b520e1c2734ac06b2c06143208",
 			"sha512": "cb075aa2e2ef1a83cdc14dd1e08c505b72d633399b39e73a21f00f0deecb39a3e2c79f157c1163f8a3854828750706e0dec3a0f5e4778e91f8ec2cf351a855f2",
 		} {
-			req := NewRequest(t, "GET", fmt.Sprintf("%s/maven-metadata.xml.%s", root, key))
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequest(t, "GET", fmt.Sprintf("%s/maven-metadata.xml.%s", root, key)).
+				AddBasicAuth(user.Name)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			assert.Equal(t, checksum, resp.Body.String())
diff --git a/tests/integration/api_packages_npm_test.go b/tests/integration/api_packages_npm_test.go
index bd3bfeeff067c..9c888972ffb43 100644
--- a/tests/integration/api_packages_npm_test.go
+++ b/tests/integration/api_packages_npm_test.go
@@ -87,8 +87,8 @@ func TestPackageNpm(t *testing.T) {
 	t.Run("Upload", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequestWithBody(t, "PUT", root, strings.NewReader(buildUpload(packageVersion)))
-		req = addTokenAuthHeader(req, token)
+		req := NewRequestWithBody(t, "PUT", root, strings.NewReader(buildUpload(packageVersion))).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusCreated)
 
 		pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeNpm)
@@ -119,23 +119,23 @@ func TestPackageNpm(t *testing.T) {
 	t.Run("UploadExists", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequestWithBody(t, "PUT", root, strings.NewReader(buildUpload(packageVersion)))
-		req = addTokenAuthHeader(req, token)
+		req := NewRequestWithBody(t, "PUT", root, strings.NewReader(buildUpload(packageVersion))).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusConflict)
 	})
 
 	t.Run("Download", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("%s/-/%s/%s", root, packageVersion, filename))
-		req = addTokenAuthHeader(req, token)
+		req := NewRequest(t, "GET", fmt.Sprintf("%s/-/%s/%s", root, packageVersion, filename)).
+			AddTokenAuth(token)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		b, _ := base64.StdEncoding.DecodeString(data)
 		assert.Equal(t, b, resp.Body.Bytes())
 
-		req = NewRequest(t, "GET", fmt.Sprintf("%s/-/%s", root, filename))
-		req = addTokenAuthHeader(req, token)
+		req = NewRequest(t, "GET", fmt.Sprintf("%s/-/%s", root, filename)).
+			AddTokenAuth(token)
 		resp = MakeRequest(t, req, http.StatusOK)
 
 		assert.Equal(t, b, resp.Body.Bytes())
@@ -149,12 +149,12 @@ func TestPackageNpm(t *testing.T) {
 	t.Run("PackageMetadata", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("/api/packages/%s/npm/%s", user.Name, "does-not-exist"))
-		req = addTokenAuthHeader(req, token)
+		req := NewRequest(t, "GET", fmt.Sprintf("/api/packages/%s/npm/%s", user.Name, "does-not-exist")).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusNotFound)
 
-		req = NewRequest(t, "GET", root)
-		req = addTokenAuthHeader(req, token)
+		req = NewRequest(t, "GET", root).
+			AddTokenAuth(token)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		var result npm.PackageMetadata
@@ -184,8 +184,8 @@ func TestPackageNpm(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
 		test := func(t *testing.T, status int, tag, version string) {
-			req := NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/%s", tagsRoot, tag), strings.NewReader(`"`+version+`"`))
-			req = addTokenAuthHeader(req, token)
+			req := NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/%s", tagsRoot, tag), strings.NewReader(`"`+version+`"`)).
+				AddTokenAuth(token)
 			MakeRequest(t, req, status)
 		}
 
@@ -199,8 +199,8 @@ func TestPackageNpm(t *testing.T) {
 	t.Run("ListTags", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", tagsRoot)
-		req = addTokenAuthHeader(req, token)
+		req := NewRequest(t, "GET", tagsRoot).
+			AddTokenAuth(token)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		var result map[string]string
@@ -216,8 +216,8 @@ func TestPackageNpm(t *testing.T) {
 	t.Run("PackageMetadataDistTags", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", root)
-		req = addTokenAuthHeader(req, token)
+		req := NewRequest(t, "GET", root).
+			AddTokenAuth(token)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		var result npm.PackageMetadata
@@ -234,8 +234,8 @@ func TestPackageNpm(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
 		test := func(t *testing.T, status int, tag string) {
-			req := NewRequest(t, "DELETE", fmt.Sprintf("%s/%s", tagsRoot, tag))
-			req = addTokenAuthHeader(req, token)
+			req := NewRequest(t, "DELETE", fmt.Sprintf("%s/%s", tagsRoot, tag)).
+				AddTokenAuth(token)
 			MakeRequest(t, req, status)
 		}
 
@@ -279,15 +279,15 @@ func TestPackageNpm(t *testing.T) {
 	t.Run("Delete", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequestWithBody(t, "PUT", root, strings.NewReader(buildUpload(packageVersion+"-dummy")))
-		req = addTokenAuthHeader(req, token)
+		req := NewRequestWithBody(t, "PUT", root, strings.NewReader(buildUpload(packageVersion+"-dummy"))).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusCreated)
 
 		req = NewRequest(t, "PUT", root+"/-rev/dummy")
 		MakeRequest(t, req, http.StatusUnauthorized)
 
-		req = NewRequest(t, "PUT", root+"/-rev/dummy")
-		req = addTokenAuthHeader(req, token)
+		req = NewRequest(t, "PUT", root+"/-rev/dummy").
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusOK)
 
 		t.Run("Version", func(t *testing.T) {
@@ -300,8 +300,8 @@ func TestPackageNpm(t *testing.T) {
 			req := NewRequest(t, "DELETE", fmt.Sprintf("%s/-/%s/%s/-rev/dummy", root, packageVersion, filename))
 			MakeRequest(t, req, http.StatusUnauthorized)
 
-			req = NewRequest(t, "DELETE", fmt.Sprintf("%s/-/%s/%s/-rev/dummy", root, packageVersion, filename))
-			req = addTokenAuthHeader(req, token)
+			req = NewRequest(t, "DELETE", fmt.Sprintf("%s/-/%s/%s/-rev/dummy", root, packageVersion, filename)).
+				AddTokenAuth(token)
 			MakeRequest(t, req, http.StatusOK)
 
 			pvs, err = packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeNpm)
@@ -319,8 +319,8 @@ func TestPackageNpm(t *testing.T) {
 			req := NewRequest(t, "DELETE", root+"/-rev/dummy")
 			MakeRequest(t, req, http.StatusUnauthorized)
 
-			req = NewRequest(t, "DELETE", root+"/-rev/dummy")
-			req = addTokenAuthHeader(req, token)
+			req = NewRequest(t, "DELETE", root+"/-rev/dummy").
+				AddTokenAuth(token)
 			MakeRequest(t, req, http.StatusOK)
 
 			pvs, err = packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeNpm)
diff --git a/tests/integration/api_packages_nuget_test.go b/tests/integration/api_packages_nuget_test.go
index 04c2fbce0ec56..20dafd5cc799f 100644
--- a/tests/integration/api_packages_nuget_test.go
+++ b/tests/integration/api_packages_nuget_test.go
@@ -31,9 +31,8 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func addNuGetAPIKeyHeader(request *http.Request, token string) *http.Request {
-	request.Header.Set("X-NuGet-ApiKey", token)
-	return request
+func addNuGetAPIKeyHeader(req *RequestWrapper, token string) {
+	req.SetHeader("X-NuGet-ApiKey", token)
 }
 
 func decodeXML(t testing.TB, resp *httptest.ResponseRecorder, v any) {
@@ -141,9 +140,9 @@ func TestPackageNuGet(t *testing.T) {
 
 				req := NewRequest(t, "GET", url)
 				if c.UseBasicAuth {
-					req = AddBasicAuthHeader(req, user.Name)
+					req.AddBasicAuth(user.Name)
 				} else if c.UseTokenAuth {
-					req = addNuGetAPIKeyHeader(req, token)
+					addNuGetAPIKeyHeader(req, token)
 				}
 				resp := MakeRequest(t, req, http.StatusOK)
 
@@ -178,9 +177,9 @@ func TestPackageNuGet(t *testing.T) {
 
 				req := NewRequest(t, "GET", fmt.Sprintf("%s/index.json", url))
 				if c.UseBasicAuth {
-					req = AddBasicAuthHeader(req, user.Name)
+					req.AddBasicAuth(user.Name)
 				} else if c.UseTokenAuth {
-					req = addNuGetAPIKeyHeader(req, token)
+					addNuGetAPIKeyHeader(req, token)
 				}
 				resp := MakeRequest(t, req, http.StatusOK)
 
@@ -219,8 +218,8 @@ func TestPackageNuGet(t *testing.T) {
 		t.Run("DependencyPackage", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequestWithBody(t, "PUT", url, bytes.NewReader(content))
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequestWithBody(t, "PUT", url, bytes.NewReader(content)).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusCreated)
 
 			pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeNuGet)
@@ -244,8 +243,8 @@ func TestPackageNuGet(t *testing.T) {
 			assert.NoError(t, err)
 			assert.Equal(t, int64(len(content)), pb.Size)
 
-			req = NewRequestWithBody(t, "PUT", url, bytes.NewReader(content))
-			req = AddBasicAuthHeader(req, user.Name)
+			req = NewRequestWithBody(t, "PUT", url, bytes.NewReader(content)).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusConflict)
 		})
 
@@ -278,16 +277,16 @@ AAAjQmxvYgAAAGm7ENm9SGxMtAFVvPUsPJTF6PbtAAAAAFcVogEJAAAAAQAAAA==`)
 				return &buf
 			}
 
-			req := NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/symbolpackage", url), createSymbolPackage("unknown-package", "SymbolsPackage"))
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/symbolpackage", url), createSymbolPackage("unknown-package", "SymbolsPackage")).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusNotFound)
 
-			req = NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/symbolpackage", url), createSymbolPackage(packageName, "DummyPackage"))
-			req = AddBasicAuthHeader(req, user.Name)
+			req = NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/symbolpackage", url), createSymbolPackage(packageName, "DummyPackage")).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusBadRequest)
 
-			req = NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/symbolpackage", url), createSymbolPackage(packageName, "SymbolsPackage"))
-			req = AddBasicAuthHeader(req, user.Name)
+			req = NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/symbolpackage", url), createSymbolPackage(packageName, "SymbolsPackage")).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusCreated)
 
 			pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeNuGet)
@@ -330,8 +329,8 @@ AAAjQmxvYgAAAGm7ENm9SGxMtAFVvPUsPJTF6PbtAAAAAFcVogEJAAAAAQAAAA==`)
 				}
 			}
 
-			req = NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/symbolpackage", url), createSymbolPackage(packageName, "SymbolsPackage"))
-			req = AddBasicAuthHeader(req, user.Name)
+			req = NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/symbolpackage", url), createSymbolPackage(packageName, "SymbolsPackage")).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusConflict)
 		})
 	})
@@ -348,16 +347,16 @@ AAAjQmxvYgAAAGm7ENm9SGxMtAFVvPUsPJTF6PbtAAAAAFcVogEJAAAAAQAAAA==`)
 
 		checkDownloadCount(0)
 
-		req := NewRequest(t, "GET", fmt.Sprintf("%s/package/%s/%s/%s.%s.nupkg", url, packageName, packageVersion, packageName, packageVersion))
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequest(t, "GET", fmt.Sprintf("%s/package/%s/%s/%s.%s.nupkg", url, packageName, packageVersion, packageName, packageVersion)).
+			AddBasicAuth(user.Name)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		assert.Equal(t, content, resp.Body.Bytes())
 
 		checkDownloadCount(1)
 
-		req = NewRequest(t, "GET", fmt.Sprintf("%s/package/%s/%s/%s.%s.snupkg", url, packageName, packageVersion, packageName, packageVersion))
-		req = AddBasicAuthHeader(req, user.Name)
+		req = NewRequest(t, "GET", fmt.Sprintf("%s/package/%s/%s/%s.%s.snupkg", url, packageName, packageVersion, packageName, packageVersion)).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusOK)
 
 		checkDownloadCount(1)
@@ -368,12 +367,12 @@ AAAjQmxvYgAAAGm7ENm9SGxMtAFVvPUsPJTF6PbtAAAAAFcVogEJAAAAAQAAAA==`)
 			req := NewRequest(t, "GET", fmt.Sprintf("%s/symbols/%s/%sFFFFFFFF/gitea.pdb", url, symbolFilename, symbolID))
 			MakeRequest(t, req, http.StatusBadRequest)
 
-			req = NewRequest(t, "GET", fmt.Sprintf("%s/symbols/%s/%sFFFFFFFF/%s", url, symbolFilename, "00000000000000000000000000000000", symbolFilename))
-			req = AddBasicAuthHeader(req, user.Name)
+			req = NewRequest(t, "GET", fmt.Sprintf("%s/symbols/%s/%sFFFFFFFF/%s", url, symbolFilename, "00000000000000000000000000000000", symbolFilename)).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusNotFound)
 
-			req = NewRequest(t, "GET", fmt.Sprintf("%s/symbols/%s/%sFFFFffff/%s", url, symbolFilename, symbolID, symbolFilename))
-			req = AddBasicAuthHeader(req, user.Name)
+			req = NewRequest(t, "GET", fmt.Sprintf("%s/symbols/%s/%sFFFFffff/%s", url, symbolFilename, symbolID, symbolFilename)).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusOK)
 
 			checkDownloadCount(1)
@@ -414,8 +413,8 @@ AAAjQmxvYgAAAGm7ENm9SGxMtAFVvPUsPJTF6PbtAAAAAFcVogEJAAAAAQAAAA==`)
 			{"test", 1, 10, 1, 0},
 		}
 
-		req := NewRequestWithBody(t, "PUT", url, createPackage(packageName, "1.0.99"))
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequestWithBody(t, "PUT", url, createPackage(packageName, "1.0.99")).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusCreated)
 
 		t.Run("v2", func(t *testing.T) {
@@ -423,8 +422,8 @@ AAAjQmxvYgAAAGm7ENm9SGxMtAFVvPUsPJTF6PbtAAAAAFcVogEJAAAAAQAAAA==`)
 				defer tests.PrintCurrentTest(t)()
 
 				for i, c := range cases {
-					req := NewRequest(t, "GET", fmt.Sprintf("%s/Search()?searchTerm='%s'&$skip=%d&$top=%d", url, c.Query, c.Skip, c.Take))
-					req = AddBasicAuthHeader(req, user.Name)
+					req := NewRequest(t, "GET", fmt.Sprintf("%s/Search()?searchTerm='%s'&$skip=%d&$top=%d", url, c.Query, c.Skip, c.Take)).
+						AddBasicAuth(user.Name)
 					resp := MakeRequest(t, req, http.StatusOK)
 
 					var result FeedResponse
@@ -433,8 +432,8 @@ AAAjQmxvYgAAAGm7ENm9SGxMtAFVvPUsPJTF6PbtAAAAAFcVogEJAAAAAQAAAA==`)
 					assert.Equal(t, c.ExpectedTotal, result.Count, "case %d: unexpected total hits", i)
 					assert.Len(t, result.Entries, c.ExpectedResults, "case %d: unexpected result count", i)
 
-					req = NewRequest(t, "GET", fmt.Sprintf("%s/Search()/$count?searchTerm='%s'&$skip=%d&$top=%d", url, c.Query, c.Skip, c.Take))
-					req = AddBasicAuthHeader(req, user.Name)
+					req = NewRequest(t, "GET", fmt.Sprintf("%s/Search()/$count?searchTerm='%s'&$skip=%d&$top=%d", url, c.Query, c.Skip, c.Take)).
+						AddBasicAuth(user.Name)
 					resp = MakeRequest(t, req, http.StatusOK)
 
 					assert.Equal(t, strconv.FormatInt(c.ExpectedTotal, 10), resp.Body.String(), "case %d: unexpected total hits", i)
@@ -445,8 +444,8 @@ AAAjQmxvYgAAAGm7ENm9SGxMtAFVvPUsPJTF6PbtAAAAAFcVogEJAAAAAQAAAA==`)
 				defer tests.PrintCurrentTest(t)()
 
 				for i, c := range cases {
-					req := NewRequest(t, "GET", fmt.Sprintf("%s/Packages()?$filter=substringof('%s',tolower(Id))&$skip=%d&$top=%d", url, c.Query, c.Skip, c.Take))
-					req = AddBasicAuthHeader(req, user.Name)
+					req := NewRequest(t, "GET", fmt.Sprintf("%s/Packages()?$filter=substringof('%s',tolower(Id))&$skip=%d&$top=%d", url, c.Query, c.Skip, c.Take)).
+						AddBasicAuth(user.Name)
 					resp := MakeRequest(t, req, http.StatusOK)
 
 					var result FeedResponse
@@ -455,8 +454,8 @@ AAAjQmxvYgAAAGm7ENm9SGxMtAFVvPUsPJTF6PbtAAAAAFcVogEJAAAAAQAAAA==`)
 					assert.Equal(t, c.ExpectedTotal, result.Count, "case %d: unexpected total hits", i)
 					assert.Len(t, result.Entries, c.ExpectedResults, "case %d: unexpected result count", i)
 
-					req = NewRequest(t, "GET", fmt.Sprintf("%s/Packages()/$count?$filter=substringof('%s',tolower(Id))&$skip=%d&$top=%d", url, c.Query, c.Skip, c.Take))
-					req = AddBasicAuthHeader(req, user.Name)
+					req = NewRequest(t, "GET", fmt.Sprintf("%s/Packages()/$count?$filter=substringof('%s',tolower(Id))&$skip=%d&$top=%d", url, c.Query, c.Skip, c.Take)).
+						AddBasicAuth(user.Name)
 					resp = MakeRequest(t, req, http.StatusOK)
 
 					assert.Equal(t, strconv.FormatInt(c.ExpectedTotal, 10), resp.Body.String(), "case %d: unexpected total hits", i)
@@ -464,8 +463,8 @@ AAAjQmxvYgAAAGm7ENm9SGxMtAFVvPUsPJTF6PbtAAAAAFcVogEJAAAAAQAAAA==`)
 			})
 
 			t.Run("Next", func(t *testing.T) {
-				req := NewRequest(t, "GET", fmt.Sprintf("%s/Search()?searchTerm='test'&$skip=0&$top=1", url))
-				req = AddBasicAuthHeader(req, user.Name)
+				req := NewRequest(t, "GET", fmt.Sprintf("%s/Search()?searchTerm='test'&$skip=0&$top=1", url)).
+					AddBasicAuth(user.Name)
 				resp := MakeRequest(t, req, http.StatusOK)
 
 				var result FeedResponse
@@ -479,8 +478,8 @@ AAAjQmxvYgAAAGm7ENm9SGxMtAFVvPUsPJTF6PbtAAAAAFcVogEJAAAAAQAAAA==`)
 			defer tests.PrintCurrentTest(t)()
 
 			for i, c := range cases {
-				req := NewRequest(t, "GET", fmt.Sprintf("%s/query?q=%s&skip=%d&take=%d", url, c.Query, c.Skip, c.Take))
-				req = AddBasicAuthHeader(req, user.Name)
+				req := NewRequest(t, "GET", fmt.Sprintf("%s/query?q=%s&skip=%d&take=%d", url, c.Query, c.Skip, c.Take)).
+					AddBasicAuth(user.Name)
 				resp := MakeRequest(t, req, http.StatusOK)
 
 				var result nuget.SearchResultResponse
@@ -493,12 +492,12 @@ AAAjQmxvYgAAAGm7ENm9SGxMtAFVvPUsPJTF6PbtAAAAAFcVogEJAAAAAQAAAA==`)
 			t.Run("EnforceGrouped", func(t *testing.T) {
 				defer tests.PrintCurrentTest(t)()
 
-				req := NewRequestWithBody(t, "PUT", url, createPackage(packageName+".dummy", "1.0.0"))
-				req = AddBasicAuthHeader(req, user.Name)
+				req := NewRequestWithBody(t, "PUT", url, createPackage(packageName+".dummy", "1.0.0")).
+					AddBasicAuth(user.Name)
 				MakeRequest(t, req, http.StatusCreated)
 
-				req = NewRequest(t, "GET", fmt.Sprintf("%s/query?q=%s", url, packageName))
-				req = AddBasicAuthHeader(req, user.Name)
+				req = NewRequest(t, "GET", fmt.Sprintf("%s/query?q=%s", url, packageName)).
+					AddBasicAuth(user.Name)
 				resp := MakeRequest(t, req, http.StatusOK)
 
 				var result nuget.SearchResultResponse
@@ -514,14 +513,14 @@ AAAjQmxvYgAAAGm7ENm9SGxMtAFVvPUsPJTF6PbtAAAAAFcVogEJAAAAAQAAAA==`)
 					}
 				}
 
-				req = NewRequest(t, "DELETE", fmt.Sprintf("%s/%s/%s", url, packageName+".dummy", "1.0.0"))
-				req = AddBasicAuthHeader(req, user.Name)
+				req = NewRequest(t, "DELETE", fmt.Sprintf("%s/%s/%s", url, packageName+".dummy", "1.0.0")).
+					AddBasicAuth(user.Name)
 				MakeRequest(t, req, http.StatusNoContent)
 			})
 		})
 
-		req = NewRequest(t, "DELETE", fmt.Sprintf("%s/%s/%s", url, packageName, "1.0.99"))
-		req = AddBasicAuthHeader(req, user.Name)
+		req = NewRequest(t, "DELETE", fmt.Sprintf("%s/%s/%s", url, packageName, "1.0.99")).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusNoContent)
 	})
 
@@ -533,8 +532,8 @@ AAAjQmxvYgAAAGm7ENm9SGxMtAFVvPUsPJTF6PbtAAAAAFcVogEJAAAAAQAAAA==`)
 		t.Run("RegistrationIndex", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequest(t, "GET", fmt.Sprintf("%s/registration/%s/index.json", url, packageName))
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequest(t, "GET", fmt.Sprintf("%s/registration/%s/index.json", url, packageName)).
+				AddBasicAuth(user.Name)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			var result nuget.RegistrationIndexResponse
@@ -560,8 +559,8 @@ AAAjQmxvYgAAAGm7ENm9SGxMtAFVvPUsPJTF6PbtAAAAAFcVogEJAAAAAQAAAA==`)
 			t.Run("v2", func(t *testing.T) {
 				defer tests.PrintCurrentTest(t)()
 
-				req := NewRequest(t, "GET", fmt.Sprintf("%s/Packages(Id='%s',Version='%s')", url, packageName, packageVersion))
-				req = AddBasicAuthHeader(req, user.Name)
+				req := NewRequest(t, "GET", fmt.Sprintf("%s/Packages(Id='%s',Version='%s')", url, packageName, packageVersion)).
+					AddBasicAuth(user.Name)
 				resp := MakeRequest(t, req, http.StatusOK)
 
 				var result FeedEntry
@@ -577,8 +576,8 @@ AAAjQmxvYgAAAGm7ENm9SGxMtAFVvPUsPJTF6PbtAAAAAFcVogEJAAAAAQAAAA==`)
 			t.Run("v3", func(t *testing.T) {
 				defer tests.PrintCurrentTest(t)()
 
-				req := NewRequest(t, "GET", fmt.Sprintf("%s/registration/%s/%s.json", url, packageName, packageVersion))
-				req = AddBasicAuthHeader(req, user.Name)
+				req := NewRequest(t, "GET", fmt.Sprintf("%s/registration/%s/%s.json", url, packageName, packageVersion)).
+					AddBasicAuth(user.Name)
 				resp := MakeRequest(t, req, http.StatusOK)
 
 				var result nuget.RegistrationLeafResponse
@@ -595,8 +594,8 @@ AAAjQmxvYgAAAGm7ENm9SGxMtAFVvPUsPJTF6PbtAAAAAFcVogEJAAAAAQAAAA==`)
 		t.Run("v2", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequest(t, "GET", fmt.Sprintf("%s/FindPackagesById()?id='%s'&$top=1", url, packageName))
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequest(t, "GET", fmt.Sprintf("%s/FindPackagesById()?id='%s'&$top=1", url, packageName)).
+				AddBasicAuth(user.Name)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			var result FeedResponse
@@ -606,8 +605,8 @@ AAAjQmxvYgAAAGm7ENm9SGxMtAFVvPUsPJTF6PbtAAAAAFcVogEJAAAAAQAAAA==`)
 			assert.Equal(t, packageVersion, result.Entries[0].Properties.Version)
 			assert.Condition(t, containsOneNextLink(t, result.Links))
 
-			req = NewRequest(t, "GET", fmt.Sprintf("%s/FindPackagesById()/$count?id='%s'", url, packageName))
-			req = AddBasicAuthHeader(req, user.Name)
+			req = NewRequest(t, "GET", fmt.Sprintf("%s/FindPackagesById()/$count?id='%s'", url, packageName)).
+				AddBasicAuth(user.Name)
 			resp = MakeRequest(t, req, http.StatusOK)
 
 			assert.Equal(t, "1", resp.Body.String())
@@ -616,8 +615,8 @@ AAAjQmxvYgAAAGm7ENm9SGxMtAFVvPUsPJTF6PbtAAAAAFcVogEJAAAAAQAAAA==`)
 		t.Run("v3", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequest(t, "GET", fmt.Sprintf("%s/package/%s/index.json", url, packageName))
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequest(t, "GET", fmt.Sprintf("%s/package/%s/index.json", url, packageName)).
+				AddBasicAuth(user.Name)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			var result nuget.PackageVersionsResponse
@@ -631,8 +630,8 @@ AAAjQmxvYgAAAGm7ENm9SGxMtAFVvPUsPJTF6PbtAAAAAFcVogEJAAAAAQAAAA==`)
 	t.Run("Delete", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "DELETE", fmt.Sprintf("%s/%s/%s", url, packageName, packageVersion))
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequest(t, "DELETE", fmt.Sprintf("%s/%s/%s", url, packageName, packageVersion)).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusNoContent)
 
 		pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeNuGet)
@@ -643,20 +642,20 @@ AAAjQmxvYgAAAGm7ENm9SGxMtAFVvPUsPJTF6PbtAAAAAFcVogEJAAAAAQAAAA==`)
 	t.Run("DownloadNotExists", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("%s/package/%s/%s/%s.%s.nupkg", url, packageName, packageVersion, packageName, packageVersion))
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequest(t, "GET", fmt.Sprintf("%s/package/%s/%s/%s.%s.nupkg", url, packageName, packageVersion, packageName, packageVersion)).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusNotFound)
 
-		req = NewRequest(t, "GET", fmt.Sprintf("%s/package/%s/%s/%s.%s.snupkg", url, packageName, packageVersion, packageName, packageVersion))
-		req = AddBasicAuthHeader(req, user.Name)
+		req = NewRequest(t, "GET", fmt.Sprintf("%s/package/%s/%s/%s.%s.snupkg", url, packageName, packageVersion, packageName, packageVersion)).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusNotFound)
 	})
 
 	t.Run("DeleteNotExists", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "DELETE", fmt.Sprintf("%s/package/%s/%s", url, packageName, packageVersion))
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequest(t, "DELETE", fmt.Sprintf("%s/package/%s/%s", url, packageName, packageVersion)).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusNotFound)
 	})
 }
diff --git a/tests/integration/api_packages_pub_test.go b/tests/integration/api_packages_pub_test.go
index 6e9d8742f472d..11da894ddf3da 100644
--- a/tests/integration/api_packages_pub_test.go
+++ b/tests/integration/api_packages_pub_test.go
@@ -66,8 +66,8 @@ description: ` + packageDescription
 		req := NewRequest(t, "GET", uploadURL)
 		MakeRequest(t, req, http.StatusUnauthorized)
 
-		req = NewRequest(t, "GET", uploadURL)
-		addTokenAuthHeader(req, token)
+		req = NewRequest(t, "GET", uploadURL).
+			AddTokenAuth(token)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		type UploadRequest struct {
@@ -88,16 +88,16 @@ description: ` + packageDescription
 
 			_ = writer.Close()
 
-			req := NewRequestWithBody(t, "POST", url, body)
-			req.Header.Add("Content-Type", writer.FormDataContentType())
-			addTokenAuthHeader(req, token)
+			req := NewRequestWithBody(t, "POST", url, body).
+				SetHeader("Content-Type", writer.FormDataContentType()).
+				AddTokenAuth(token)
 			return MakeRequest(t, req, expectedStatus)
 		}
 
 		resp = uploadFile(t, result.URL, content, http.StatusNoContent)
 
-		req = NewRequest(t, "GET", resp.Header().Get("Location"))
-		addTokenAuthHeader(req, token)
+		req = NewRequest(t, "GET", resp.Header().Get("Location")).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusOK)
 
 		pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypePub)
diff --git a/tests/integration/api_packages_pypi_test.go b/tests/integration/api_packages_pypi_test.go
index 76013b79c840f..a090b31e20642 100644
--- a/tests/integration/api_packages_pypi_test.go
+++ b/tests/integration/api_packages_pypi_test.go
@@ -54,9 +54,9 @@ func TestPackagePyPI(t *testing.T) {
 
 		_ = writer.Close()
 
-		req := NewRequestWithBody(t, "POST", root, body)
-		req.Header.Add("Content-Type", writer.FormDataContentType())
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequestWithBody(t, "POST", root, body).
+			SetHeader("Content-Type", writer.FormDataContentType()).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, expectedStatus)
 	}
 
@@ -137,8 +137,8 @@ func TestPackagePyPI(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
 		downloadFile := func(filename string) {
-			req := NewRequest(t, "GET", fmt.Sprintf("%s/files/%s/%s/%s", root, packageName, packageVersion, filename))
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequest(t, "GET", fmt.Sprintf("%s/files/%s/%s/%s", root, packageName, packageVersion, filename)).
+				AddBasicAuth(user.Name)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			assert.Equal(t, []byte(content), resp.Body.Bytes())
@@ -156,8 +156,8 @@ func TestPackagePyPI(t *testing.T) {
 	t.Run("PackageMetadata", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("%s/simple/%s", root, packageName))
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequest(t, "GET", fmt.Sprintf("%s/simple/%s", root, packageName)).
+			AddBasicAuth(user.Name)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		htmlDoc := NewHTMLParser(t, resp.Body)
diff --git a/tests/integration/api_packages_rpm_test.go b/tests/integration/api_packages_rpm_test.go
index 6d3b0688f2a31..caf6f86381e20 100644
--- a/tests/integration/api_packages_rpm_test.go
+++ b/tests/integration/api_packages_rpm_test.go
@@ -105,8 +105,8 @@ gpgkey=%sapi/packages/%s/rpm/repository.key`, user.Name, user.Name, setting.AppN
 		req := NewRequestWithBody(t, "PUT", url, bytes.NewReader(content))
 		MakeRequest(t, req, http.StatusUnauthorized)
 
-		req = NewRequestWithBody(t, "PUT", url, bytes.NewReader(content))
-		req = AddBasicAuthHeader(req, user.Name)
+		req = NewRequestWithBody(t, "PUT", url, bytes.NewReader(content)).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusCreated)
 
 		pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeRpm)
@@ -130,8 +130,8 @@ gpgkey=%sapi/packages/%s/rpm/repository.key`, user.Name, user.Name, setting.AppN
 		assert.NoError(t, err)
 		assert.Equal(t, int64(len(content)), pb.Size)
 
-		req = NewRequestWithBody(t, "PUT", url, bytes.NewReader(content))
-		req = AddBasicAuthHeader(req, user.Name)
+		req = NewRequestWithBody(t, "PUT", url, bytes.NewReader(content)).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusConflict)
 	})
 
@@ -404,16 +404,16 @@ gpgkey=%sapi/packages/%s/rpm/repository.key`, user.Name, user.Name, setting.AppN
 		req := NewRequest(t, "DELETE", fmt.Sprintf("%s/package/%s/%s/%s", rootURL, packageName, packageVersion, packageArchitecture))
 		MakeRequest(t, req, http.StatusUnauthorized)
 
-		req = NewRequest(t, "DELETE", fmt.Sprintf("%s/package/%s/%s/%s", rootURL, packageName, packageVersion, packageArchitecture))
-		req = AddBasicAuthHeader(req, user.Name)
+		req = NewRequest(t, "DELETE", fmt.Sprintf("%s/package/%s/%s/%s", rootURL, packageName, packageVersion, packageArchitecture)).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusNoContent)
 
 		pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeRpm)
 		assert.NoError(t, err)
 		assert.Empty(t, pvs)
 
-		req = NewRequest(t, "DELETE", fmt.Sprintf("%s/package/%s/%s/%s", rootURL, packageName, packageVersion, packageArchitecture))
-		req = AddBasicAuthHeader(req, user.Name)
+		req = NewRequest(t, "DELETE", fmt.Sprintf("%s/package/%s/%s/%s", rootURL, packageName, packageVersion, packageArchitecture)).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusNotFound)
 	})
 }
diff --git a/tests/integration/api_packages_rubygems_test.go b/tests/integration/api_packages_rubygems_test.go
index a3df143209a5c..5670731c4926c 100644
--- a/tests/integration/api_packages_rubygems_test.go
+++ b/tests/integration/api_packages_rubygems_test.go
@@ -115,8 +115,8 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA`)
 	root := fmt.Sprintf("/api/packages/%s/rubygems", user.Name)
 
 	uploadFile := func(t *testing.T, expectedStatus int) {
-		req := NewRequestWithBody(t, "POST", fmt.Sprintf("%s/api/v1/gems", root), bytes.NewReader(gemContent))
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequestWithBody(t, "POST", fmt.Sprintf("%s/api/v1/gems", root), bytes.NewReader(gemContent)).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, expectedStatus)
 	}
 
@@ -156,8 +156,8 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA`)
 	t.Run("Download", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("%s/gems/%s", root, packageFilename))
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequest(t, "GET", fmt.Sprintf("%s/gems/%s", root, packageFilename)).
+			AddBasicAuth(user.Name)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		assert.Equal(t, gemContent, resp.Body.Bytes())
@@ -171,8 +171,8 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA`)
 	t.Run("DownloadGemspec", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("%s/quick/Marshal.4.8/%sspec.rz", root, packageFilename))
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequest(t, "GET", fmt.Sprintf("%s/quick/Marshal.4.8/%sspec.rz", root, packageFilename)).
+			AddBasicAuth(user.Name)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		b, _ := base64.StdEncoding.DecodeString(`eJxi4Si1EndPzbWyCi5ITc5My0xOLMnMz2M8zMIRLeGpxGWsZ6RnzGbF5hqSyempxJWeWZKayGbN
@@ -191,8 +191,8 @@ gAAAAP//MS06Gw==`)
 		defer tests.PrintCurrentTest(t)()
 
 		enumeratePackages := func(t *testing.T, endpoint string, expectedContent []byte) {
-			req := NewRequest(t, "GET", fmt.Sprintf("%s/%s", root, endpoint))
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequest(t, "GET", fmt.Sprintf("%s/%s", root, endpoint)).
+				AddBasicAuth(user.Name)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			assert.Equal(t, expectedContent, resp.Body.Bytes())
@@ -215,9 +215,9 @@ gAAAAP//MS06Gw==`)
 		writer.WriteField("version", packageVersion)
 		writer.Close()
 
-		req := NewRequestWithBody(t, "DELETE", fmt.Sprintf("%s/api/v1/gems/yank", root), &body)
-		req.Header.Add("Content-Type", writer.FormDataContentType())
-		req = AddBasicAuthHeader(req, user.Name)
+		req := NewRequestWithBody(t, "DELETE", fmt.Sprintf("%s/api/v1/gems/yank", root), &body).
+			SetHeader("Content-Type", writer.FormDataContentType()).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusOK)
 
 		pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeRubyGems)
diff --git a/tests/integration/api_packages_swift_test.go b/tests/integration/api_packages_swift_test.go
index a3035ea60485d..7d4ff954e2274 100644
--- a/tests/integration/api_packages_swift_test.go
+++ b/tests/integration/api_packages_swift_test.go
@@ -62,9 +62,9 @@ func TestPackageSwift(t *testing.T) {
 			assert.Equal(t, "application/problem+json", resp.Header().Get("Content-Type"))
 		}
 
-		req := NewRequestWithBody(t, "PUT", url+"/scope/package/1.0.0", strings.NewReader(""))
-		req = AddBasicAuthHeader(req, user.Name)
-		req.Header.Add("Accept", "application/unknown")
+		req := NewRequestWithBody(t, "PUT", url+"/scope/package/1.0.0", strings.NewReader("")).
+			AddBasicAuth(user.Name).
+			SetHeader("Accept", "application/unknown")
 		resp := MakeRequest(t, req, http.StatusBadRequest)
 
 		assert.Equal(t, "1", resp.Header().Get("Content-Version"))
@@ -87,10 +87,10 @@ func TestPackageSwift(t *testing.T) {
 
 			mpw.Close()
 
-			req := NewRequestWithBody(t, "PUT", url, &body)
-			req.Header.Add("Content-Type", mpw.FormDataContentType())
-			req.Header.Add("Accept", swift_router.AcceptJSON)
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequestWithBody(t, "PUT", url, &body).
+				SetHeader("Content-Type", mpw.FormDataContentType()).
+				SetHeader("Accept", swift_router.AcceptJSON).
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, expectedStatus)
 		}
 
@@ -106,8 +106,8 @@ func TestPackageSwift(t *testing.T) {
 		}
 
 		for _, triple := range []string{"/sc_ope/package/1.0.0", "/scope/pack~age/1.0.0", "/scope/package/1_0.0"} {
-			req := NewRequestWithBody(t, "PUT", url+triple, bytes.NewReader([]byte{}))
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequestWithBody(t, "PUT", url+triple, bytes.NewReader([]byte{})).
+				AddBasicAuth(user.Name)
 			resp := MakeRequest(t, req, http.StatusBadRequest)
 
 			assert.Equal(t, "1", resp.Header().Get("Content-Version"))
@@ -168,9 +168,9 @@ func TestPackageSwift(t *testing.T) {
 	t.Run("Download", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("%s/%s/%s/%s.zip", url, packageScope, packageName, packageVersion))
-		req = AddBasicAuthHeader(req, user.Name)
-		req.Header.Add("Accept", swift_router.AcceptZip)
+		req := NewRequest(t, "GET", fmt.Sprintf("%s/%s/%s/%s.zip", url, packageScope, packageName, packageVersion)).
+			AddBasicAuth(user.Name).
+			SetHeader("Accept", swift_router.AcceptZip)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		assert.Equal(t, "1", resp.Header().Get("Content-Version"))
@@ -188,9 +188,9 @@ func TestPackageSwift(t *testing.T) {
 	t.Run("EnumeratePackageVersions", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("%s/%s/%s", url, packageScope, packageName))
-		req = AddBasicAuthHeader(req, user.Name)
-		req.Header.Add("Accept", swift_router.AcceptJSON)
+		req := NewRequest(t, "GET", fmt.Sprintf("%s/%s/%s", url, packageScope, packageName)).
+			AddBasicAuth(user.Name).
+			SetHeader("Accept", swift_router.AcceptJSON)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		versionURL := setting.AppURL + url[1:] + fmt.Sprintf("/%s/%s/%s", packageScope, packageName, packageVersion)
@@ -207,8 +207,8 @@ func TestPackageSwift(t *testing.T) {
 		assert.Contains(t, result.Releases, packageVersion)
 		assert.Equal(t, versionURL, result.Releases[packageVersion].URL)
 
-		req = NewRequest(t, "GET", fmt.Sprintf("%s/%s/%s.json", url, packageScope, packageName))
-		req = AddBasicAuthHeader(req, user.Name)
+		req = NewRequest(t, "GET", fmt.Sprintf("%s/%s/%s.json", url, packageScope, packageName)).
+			AddBasicAuth(user.Name)
 		resp = MakeRequest(t, req, http.StatusOK)
 
 		assert.Equal(t, body, resp.Body.String())
@@ -217,9 +217,9 @@ func TestPackageSwift(t *testing.T) {
 	t.Run("PackageVersionMetadata", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("%s/%s/%s/%s", url, packageScope, packageName, packageVersion))
-		req = AddBasicAuthHeader(req, user.Name)
-		req.Header.Add("Accept", swift_router.AcceptJSON)
+		req := NewRequest(t, "GET", fmt.Sprintf("%s/%s/%s/%s", url, packageScope, packageName, packageVersion)).
+			AddBasicAuth(user.Name).
+			SetHeader("Accept", swift_router.AcceptJSON)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		assert.Equal(t, "1", resp.Header().Get("Content-Version"))
@@ -249,8 +249,8 @@ func TestPackageSwift(t *testing.T) {
 		assert.Equal(t, "Swift", result.Metadata.ProgrammingLanguage.Name)
 		assert.Equal(t, packageAuthor, result.Metadata.Author.GivenName)
 
-		req = NewRequest(t, "GET", fmt.Sprintf("%s/%s/%s/%s.json", url, packageScope, packageName, packageVersion))
-		req = AddBasicAuthHeader(req, user.Name)
+		req = NewRequest(t, "GET", fmt.Sprintf("%s/%s/%s/%s.json", url, packageScope, packageName, packageVersion)).
+			AddBasicAuth(user.Name)
 		resp = MakeRequest(t, req, http.StatusOK)
 
 		assert.Equal(t, body, resp.Body.String())
@@ -262,9 +262,9 @@ func TestPackageSwift(t *testing.T) {
 		t.Run("Default", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequest(t, "GET", manifestURL)
-			req = AddBasicAuthHeader(req, user.Name)
-			req.Header.Add("Accept", swift_router.AcceptSwift)
+			req := NewRequest(t, "GET", manifestURL).
+				AddBasicAuth(user.Name).
+				SetHeader("Accept", swift_router.AcceptSwift)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			assert.Equal(t, "1", resp.Header().Get("Content-Version"))
@@ -275,24 +275,24 @@ func TestPackageSwift(t *testing.T) {
 		t.Run("DifferentVersion", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequest(t, "GET", manifestURL+"?swift-version=5.6")
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequest(t, "GET", manifestURL+"?swift-version=5.6").
+				AddBasicAuth(user.Name)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			assert.Equal(t, "1", resp.Header().Get("Content-Version"))
 			assert.Equal(t, "text/x-swift", resp.Header().Get("Content-Type"))
 			assert.Equal(t, contentManifest2, resp.Body.String())
 
-			req = NewRequest(t, "GET", manifestURL+"?swift-version=5.6.0")
-			req = AddBasicAuthHeader(req, user.Name)
+			req = NewRequest(t, "GET", manifestURL+"?swift-version=5.6.0").
+				AddBasicAuth(user.Name)
 			MakeRequest(t, req, http.StatusOK)
 		})
 
 		t.Run("Redirect", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequest(t, "GET", manifestURL+"?swift-version=1.0")
-			req = AddBasicAuthHeader(req, user.Name)
+			req := NewRequest(t, "GET", manifestURL+"?swift-version=1.0").
+				AddBasicAuth(user.Name)
 			resp := MakeRequest(t, req, http.StatusSeeOther)
 
 			assert.Equal(t, "1", resp.Header().Get("Content-Version"))
@@ -303,8 +303,8 @@ func TestPackageSwift(t *testing.T) {
 	t.Run("LookupPackageIdentifiers", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", url+"/identifiers")
-		req.Header.Add("Accept", swift_router.AcceptJSON)
+		req := NewRequest(t, "GET", url+"/identifiers").
+			SetHeader("Accept", swift_router.AcceptJSON)
 		resp := MakeRequest(t, req, http.StatusBadRequest)
 
 		assert.Equal(t, "1", resp.Header().Get("Content-Version"))
@@ -313,8 +313,8 @@ func TestPackageSwift(t *testing.T) {
 		req = NewRequest(t, "GET", url+"/identifiers?url=https://unknown.host/")
 		MakeRequest(t, req, http.StatusNotFound)
 
-		req = NewRequest(t, "GET", url+"/identifiers?url="+packageRepositoryURL)
-		req.Header.Add("Accept", swift_router.AcceptJSON)
+		req = NewRequest(t, "GET", url+"/identifiers?url="+packageRepositoryURL).
+			SetHeader("Accept", swift_router.AcceptJSON)
 		resp = MakeRequest(t, req, http.StatusOK)
 
 		var result *swift_router.LookupPackageIdentifiersResponse
diff --git a/tests/integration/api_packages_test.go b/tests/integration/api_packages_test.go
index e530b2c1ad79d..8c981566b6028 100644
--- a/tests/integration/api_packages_test.go
+++ b/tests/integration/api_packages_test.go
@@ -41,14 +41,15 @@ func TestPackageAPI(t *testing.T) {
 	filename := "file.bin"
 
 	url := fmt.Sprintf("/api/packages/%s/generic/%s/%s/%s", user.Name, packageName, packageVersion, filename)
-	req := NewRequestWithBody(t, "PUT", url, bytes.NewReader([]byte{}))
-	AddBasicAuthHeader(req, user.Name)
+	req := NewRequestWithBody(t, "PUT", url, bytes.NewReader([]byte{})).
+		AddBasicAuth(user.Name)
 	MakeRequest(t, req, http.StatusCreated)
 
 	t.Run("ListPackages", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s?token=%s", user.Name, tokenReadPackage))
+		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s", user.Name)).
+			AddTokenAuth(tokenReadPackage)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		var apiPackages []*api.Package
@@ -65,10 +66,12 @@ func TestPackageAPI(t *testing.T) {
 	t.Run("GetPackage", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/dummy/%s/%s?token=%s", user.Name, packageName, packageVersion, tokenReadPackage))
+		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/dummy/%s/%s", user.Name, packageName, packageVersion)).
+			AddTokenAuth(tokenReadPackage)
 		MakeRequest(t, req, http.StatusNotFound)
 
-		req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s?token=%s", user.Name, packageName, packageVersion, tokenReadPackage))
+		req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s", user.Name, packageName, packageVersion)).
+			AddTokenAuth(tokenReadPackage)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		var p *api.Package
@@ -87,7 +90,8 @@ func TestPackageAPI(t *testing.T) {
 			assert.NoError(t, err)
 
 			// no repository link
-			req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s?token=%s", user.Name, packageName, packageVersion, tokenReadPackage))
+			req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s", user.Name, packageName, packageVersion)).
+				AddTokenAuth(tokenReadPackage)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			var ap1 *api.Package
@@ -97,7 +101,8 @@ func TestPackageAPI(t *testing.T) {
 			// link to public repository
 			assert.NoError(t, packages_model.SetRepositoryLink(db.DefaultContext, p.ID, 1))
 
-			req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s?token=%s", user.Name, packageName, packageVersion, tokenReadPackage))
+			req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s", user.Name, packageName, packageVersion)).
+				AddTokenAuth(tokenReadPackage)
 			resp = MakeRequest(t, req, http.StatusOK)
 
 			var ap2 *api.Package
@@ -108,7 +113,8 @@ func TestPackageAPI(t *testing.T) {
 			// link to private repository
 			assert.NoError(t, packages_model.SetRepositoryLink(db.DefaultContext, p.ID, 2))
 
-			req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s?token=%s", user.Name, packageName, packageVersion, tokenReadPackage))
+			req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s", user.Name, packageName, packageVersion)).
+				AddTokenAuth(tokenReadPackage)
 			resp = MakeRequest(t, req, http.StatusOK)
 
 			var ap3 *api.Package
@@ -122,10 +128,12 @@ func TestPackageAPI(t *testing.T) {
 	t.Run("ListPackageFiles", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/dummy/%s/%s/files?token=%s", user.Name, packageName, packageVersion, tokenReadPackage))
+		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/dummy/%s/%s/files", user.Name, packageName, packageVersion)).
+			AddTokenAuth(tokenReadPackage)
 		MakeRequest(t, req, http.StatusNotFound)
 
-		req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s/files?token=%s", user.Name, packageName, packageVersion, tokenReadPackage))
+		req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s/files", user.Name, packageName, packageVersion)).
+			AddTokenAuth(tokenReadPackage)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		var files []*api.PackageFile
@@ -143,10 +151,12 @@ func TestPackageAPI(t *testing.T) {
 	t.Run("DeletePackage", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/packages/%s/dummy/%s/%s?token=%s", user.Name, packageName, packageVersion, tokenDeletePackage))
+		req := NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/packages/%s/dummy/%s/%s", user.Name, packageName, packageVersion)).
+			AddTokenAuth(tokenDeletePackage)
 		MakeRequest(t, req, http.StatusNotFound)
 
-		req = NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s?token=%s", user.Name, packageName, packageVersion, tokenDeletePackage))
+		req = NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s", user.Name, packageName, packageVersion)).
+			AddTokenAuth(tokenDeletePackage)
 		MakeRequest(t, req, http.StatusNoContent)
 	})
 }
@@ -170,7 +180,7 @@ func TestPackageAccess(t *testing.T) {
 		url := fmt.Sprintf("/api/packages/%s/generic/test-package/1.0/%s.bin", owner.Name, filename)
 		req := NewRequestWithBody(t, "PUT", url, bytes.NewReader([]byte{1}))
 		if doer != nil {
-			AddBasicAuthHeader(req, doer.Name)
+			req.AddBasicAuth(doer.Name)
 		}
 		MakeRequest(t, req, expectedStatus)
 	}
@@ -179,7 +189,7 @@ func TestPackageAccess(t *testing.T) {
 		url := fmt.Sprintf("/api/packages/%s/generic/test-package/1.0/admin.bin", owner.Name)
 		req := NewRequest(t, "GET", url)
 		if doer != nil {
-			AddBasicAuthHeader(req, doer.Name)
+			req.AddBasicAuth(doer.Name)
 		}
 		MakeRequest(t, req, expectedStatus)
 	}
@@ -374,7 +384,8 @@ func TestPackageAccess(t *testing.T) {
 			{limitedOrgNoMember, http.StatusOK},
 			{publicOrgNoMember, http.StatusOK},
 		} {
-			req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s?token=%s", target.Owner.Name, tokenReadPackage))
+			req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s", target.Owner.Name)).
+				AddTokenAuth(tokenReadPackage)
 			MakeRequest(t, req, target.ExpectedStatus)
 		}
 	})
@@ -396,8 +407,8 @@ func TestPackageQuota(t *testing.T) {
 
 		uploadPackage := func(doer *user_model.User, version string, expectedStatus int) {
 			url := fmt.Sprintf("/api/packages/%s/generic/test-package/%s/file.bin", user.Name, version)
-			req := NewRequestWithBody(t, "PUT", url, bytes.NewReader([]byte{1}))
-			AddBasicAuthHeader(req, doer.Name)
+			req := NewRequestWithBody(t, "PUT", url, bytes.NewReader([]byte{1})).
+				AddBasicAuth(doer.Name)
 			MakeRequest(t, req, expectedStatus)
 		}
 
@@ -424,8 +435,8 @@ func TestPackageQuota(t *testing.T) {
 
 		uploadBlob := func(doer *user_model.User, data string, expectedStatus int) {
 			url := fmt.Sprintf("/v2/%s/quota-test/blobs/uploads?digest=sha256:%x", user.Name, sha256.Sum256([]byte(data)))
-			req := NewRequestWithBody(t, "POST", url, strings.NewReader(data))
-			AddBasicAuthHeader(req, doer.Name)
+			req := NewRequestWithBody(t, "POST", url, strings.NewReader(data)).
+				AddBasicAuth(doer.Name)
 			MakeRequest(t, req, expectedStatus)
 		}
 
@@ -454,18 +465,18 @@ func TestPackageCleanup(t *testing.T) {
 		// Upload and delete a generic package and upload a container blob
 		data, _ := util.CryptoRandomBytes(5)
 		url := fmt.Sprintf("/api/packages/%s/generic/cleanup-test/1.1.1/file.bin", user.Name)
-		req := NewRequestWithBody(t, "PUT", url, bytes.NewReader(data))
-		AddBasicAuthHeader(req, user.Name)
+		req := NewRequestWithBody(t, "PUT", url, bytes.NewReader(data)).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusCreated)
 
-		req = NewRequest(t, "DELETE", url)
-		AddBasicAuthHeader(req, user.Name)
+		req = NewRequest(t, "DELETE", url).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusNoContent)
 
 		data, _ = util.CryptoRandomBytes(5)
 		url = fmt.Sprintf("/v2/%s/cleanup-test/blobs/uploads?digest=sha256:%x", user.Name, sha256.Sum256(data))
-		req = NewRequestWithBody(t, "POST", url, bytes.NewReader(data))
-		AddBasicAuthHeader(req, user.Name)
+		req = NewRequestWithBody(t, "POST", url, bytes.NewReader(data)).
+			AddBasicAuth(user.Name)
 		MakeRequest(t, req, http.StatusCreated)
 
 		pbs, err := packages_model.FindExpiredUnreferencedBlobs(db.DefaultContext, duration)
@@ -592,8 +603,8 @@ func TestPackageCleanup(t *testing.T) {
 
 				for _, v := range c.Versions {
 					url := fmt.Sprintf("/api/packages/%s/generic/package/%s/file.bin", user.Name, v.Version)
-					req := NewRequestWithBody(t, "PUT", url, bytes.NewReader([]byte{1}))
-					AddBasicAuthHeader(req, user.Name)
+					req := NewRequestWithBody(t, "PUT", url, bytes.NewReader([]byte{1})).
+						AddBasicAuth(user.Name)
 					MakeRequest(t, req, http.StatusCreated)
 
 					if v.Created != 0 {
diff --git a/tests/integration/api_packages_vagrant_test.go b/tests/integration/api_packages_vagrant_test.go
index cbfc362f32d51..a5e954f3a27db 100644
--- a/tests/integration/api_packages_vagrant_test.go
+++ b/tests/integration/api_packages_vagrant_test.go
@@ -64,8 +64,8 @@ func TestPackageVagrant(t *testing.T) {
 		req := NewRequest(t, "GET", authenticateURL)
 		MakeRequest(t, req, http.StatusUnauthorized)
 
-		req = NewRequest(t, "GET", authenticateURL)
-		addTokenAuthHeader(req, token)
+		req = NewRequest(t, "GET", authenticateURL).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusOK)
 	})
 
@@ -82,8 +82,8 @@ func TestPackageVagrant(t *testing.T) {
 		req = NewRequestWithBody(t, "PUT", uploadURL, bytes.NewReader(content))
 		MakeRequest(t, req, http.StatusUnauthorized)
 
-		req = NewRequestWithBody(t, "PUT", uploadURL, bytes.NewReader(content))
-		addTokenAuthHeader(req, token)
+		req = NewRequestWithBody(t, "PUT", uploadURL, bytes.NewReader(content)).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusCreated)
 
 		req = NewRequest(t, "HEAD", boxURL)
@@ -111,8 +111,8 @@ func TestPackageVagrant(t *testing.T) {
 		assert.NoError(t, err)
 		assert.Equal(t, int64(len(content)), pb.Size)
 
-		req = NewRequestWithBody(t, "PUT", uploadURL, bytes.NewReader(content))
-		addTokenAuthHeader(req, token)
+		req = NewRequestWithBody(t, "PUT", uploadURL, bytes.NewReader(content)).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusConflict)
 	})
 
diff --git a/tests/integration/api_pull_review_test.go b/tests/integration/api_pull_review_test.go
index 0e9bace44c9d6..daa136b21e45c 100644
--- a/tests/integration/api_pull_review_test.go
+++ b/tests/integration/api_pull_review_test.go
@@ -29,7 +29,8 @@ func TestAPIPullReview(t *testing.T) {
 	// test ListPullReviews
 	session := loginUser(t, "user2")
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
-	req := NewRequestf(t, http.MethodGet, "/api/v1/repos/%s/%s/pulls/%d/reviews?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, token)
+	req := NewRequestf(t, http.MethodGet, "/api/v1/repos/%s/%s/pulls/%d/reviews", repo.OwnerName, repo.Name, pullIssue.Index).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var reviews []*api.PullReview
@@ -54,20 +55,23 @@ func TestAPIPullReview(t *testing.T) {
 	assert.True(t, reviews[5].Official)
 
 	// test GetPullReview
-	req = NewRequestf(t, http.MethodGet, "/api/v1/repos/%s/%s/pulls/%d/reviews/%d?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, reviews[3].ID, token)
+	req = NewRequestf(t, http.MethodGet, "/api/v1/repos/%s/%s/pulls/%d/reviews/%d", repo.OwnerName, repo.Name, pullIssue.Index, reviews[3].ID).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	var review api.PullReview
 	DecodeJSON(t, resp, &review)
 	assert.EqualValues(t, *reviews[3], review)
 
-	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/pulls/%d/reviews/%d?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, reviews[5].ID, token)
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/pulls/%d/reviews/%d", repo.OwnerName, repo.Name, pullIssue.Index, reviews[5].ID).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &review)
 	assert.EqualValues(t, *reviews[5], review)
 
 	// test GetPullReviewComments
 	comment := unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: 7})
-	req = NewRequestf(t, http.MethodGet, "/api/v1/repos/%s/%s/pulls/%d/reviews/%d/comments?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, 10, token)
+	req = NewRequestf(t, http.MethodGet, "/api/v1/repos/%s/%s/pulls/%d/reviews/%d/comments", repo.OwnerName, repo.Name, pullIssue.Index, 10).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	var reviewComments []*api.PullReviewComment
 	DecodeJSON(t, resp, &reviewComments)
@@ -79,7 +83,7 @@ func TestAPIPullReview(t *testing.T) {
 	assert.EqualValues(t, comment.HTMLURL(db.DefaultContext), reviewComments[0].HTMLURL)
 
 	// test CreatePullReview
-	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/reviews?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, token), &api.CreatePullReviewOptions{
+	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/reviews", repo.OwnerName, repo.Name, pullIssue.Index), &api.CreatePullReviewOptions{
 		Body: "body1",
 		// Event: "" # will result in PENDING
 		Comments: []api.CreatePullReviewComment{
@@ -100,7 +104,7 @@ func TestAPIPullReview(t *testing.T) {
 				NewLineNum: 1,
 			},
 		},
-	})
+	}).AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &review)
 	assert.EqualValues(t, 6, review.ID)
@@ -108,10 +112,10 @@ func TestAPIPullReview(t *testing.T) {
 	assert.EqualValues(t, 3, review.CodeCommentsCount)
 
 	// test SubmitPullReview
-	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/reviews/%d?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, review.ID, token), &api.SubmitPullReviewOptions{
+	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/reviews/%d", repo.OwnerName, repo.Name, pullIssue.Index, review.ID), &api.SubmitPullReviewOptions{
 		Event: "APPROVED",
 		Body:  "just two nits",
-	})
+	}).AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &review)
 	assert.EqualValues(t, 6, review.ID)
@@ -119,35 +123,37 @@ func TestAPIPullReview(t *testing.T) {
 	assert.EqualValues(t, 3, review.CodeCommentsCount)
 
 	// test dismiss review
-	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/reviews/%d/dismissals?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, review.ID, token), &api.DismissPullReviewOptions{
+	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/reviews/%d/dismissals", repo.OwnerName, repo.Name, pullIssue.Index, review.ID), &api.DismissPullReviewOptions{
 		Message: "test",
-	})
+	}).AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &review)
 	assert.EqualValues(t, 6, review.ID)
 	assert.True(t, review.Dismissed)
 
 	// test dismiss review
-	req = NewRequest(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/reviews/%d/undismissals?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, review.ID, token))
+	req = NewRequest(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/reviews/%d/undismissals", repo.OwnerName, repo.Name, pullIssue.Index, review.ID)).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &review)
 	assert.EqualValues(t, 6, review.ID)
 	assert.False(t, review.Dismissed)
 
 	// test DeletePullReview
-	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/reviews?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, token), &api.CreatePullReviewOptions{
+	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/reviews", repo.OwnerName, repo.Name, pullIssue.Index), &api.CreatePullReviewOptions{
 		Body:  "just a comment",
 		Event: "COMMENT",
-	})
+	}).AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &review)
 	assert.EqualValues(t, "COMMENT", review.State)
 	assert.EqualValues(t, 0, review.CodeCommentsCount)
-	req = NewRequestf(t, http.MethodDelete, "/api/v1/repos/%s/%s/pulls/%d/reviews/%d?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, review.ID, token)
+	req = NewRequestf(t, http.MethodDelete, "/api/v1/repos/%s/%s/pulls/%d/reviews/%d", repo.OwnerName, repo.Name, pullIssue.Index, review.ID).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	// test CreatePullReview Comment without body but with comments
-	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/reviews?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, token), &api.CreatePullReviewOptions{
+	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/reviews", repo.OwnerName, repo.Name, pullIssue.Index), &api.CreatePullReviewOptions{
 		// Body:  "",
 		Event: "COMMENT",
 		Comments: []api.CreatePullReviewComment{
@@ -163,7 +169,7 @@ func TestAPIPullReview(t *testing.T) {
 				NewLineNum: 0,
 			},
 		},
-	})
+	}).AddTokenAuth(token)
 	var commentReview api.PullReview
 
 	resp = MakeRequest(t, req, http.StatusOK)
@@ -175,11 +181,11 @@ func TestAPIPullReview(t *testing.T) {
 
 	// test CreatePullReview Comment with body but without comments
 	commentBody := "This is a body of the comment."
-	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/reviews?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, token), &api.CreatePullReviewOptions{
+	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/reviews", repo.OwnerName, repo.Name, pullIssue.Index), &api.CreatePullReviewOptions{
 		Body:     commentBody,
 		Event:    "COMMENT",
 		Comments: []api.CreatePullReviewComment{},
-	})
+	}).AddTokenAuth(token)
 
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &commentReview)
@@ -189,11 +195,11 @@ func TestAPIPullReview(t *testing.T) {
 	assert.False(t, commentReview.Dismissed)
 
 	// test CreatePullReview Comment without body and no comments
-	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/reviews?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, token), &api.CreatePullReviewOptions{
+	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/reviews", repo.OwnerName, repo.Name, pullIssue.Index), &api.CreatePullReviewOptions{
 		Body:     "",
 		Event:    "COMMENT",
 		Comments: []api.CreatePullReviewComment{},
-	})
+	}).AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusUnprocessableEntity)
 	errMap := make(map[string]any)
 	json.Unmarshal(resp.Body.Bytes(), &errMap)
@@ -205,7 +211,8 @@ func TestAPIPullReview(t *testing.T) {
 	assert.NoError(t, pullIssue12.LoadAttributes(db.DefaultContext))
 	repo3 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: pullIssue12.RepoID})
 
-	req = NewRequestf(t, http.MethodGet, "/api/v1/repos/%s/%s/pulls/%d/reviews?token=%s", repo3.OwnerName, repo3.Name, pullIssue12.Index, token)
+	req = NewRequestf(t, http.MethodGet, "/api/v1/repos/%s/%s/pulls/%d/reviews", repo3.OwnerName, repo3.Name, pullIssue12.Index).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &reviews)
 	assert.EqualValues(t, 11, reviews[0].ID)
@@ -232,41 +239,41 @@ func TestAPIPullReviewRequest(t *testing.T) {
 	// Test add Review Request
 	session := loginUser(t, "user2")
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
-	req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, token), &api.PullReviewRequestOptions{
+	req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers", repo.OwnerName, repo.Name, pullIssue.Index), &api.PullReviewRequestOptions{
 		Reviewers: []string{"user4@example.com", "user8"},
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusCreated)
 
 	// poster of pr can't be reviewer
-	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, token), &api.PullReviewRequestOptions{
+	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers", repo.OwnerName, repo.Name, pullIssue.Index), &api.PullReviewRequestOptions{
 		Reviewers: []string{"user1"},
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusUnprocessableEntity)
 
 	// test user not exist
-	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, token), &api.PullReviewRequestOptions{
+	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers", repo.OwnerName, repo.Name, pullIssue.Index), &api.PullReviewRequestOptions{
 		Reviewers: []string{"testOther"},
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNotFound)
 
 	// Test Remove Review Request
 	session2 := loginUser(t, "user4")
 	token2 := getTokenForLoggedInUser(t, session2, auth_model.AccessTokenScopeWriteRepository)
 
-	req = NewRequestWithJSON(t, http.MethodDelete, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, token2), &api.PullReviewRequestOptions{
+	req = NewRequestWithJSON(t, http.MethodDelete, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers", repo.OwnerName, repo.Name, pullIssue.Index), &api.PullReviewRequestOptions{
 		Reviewers: []string{"user4"},
-	})
+	}).AddTokenAuth(token2)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	// doer is not admin
-	req = NewRequestWithJSON(t, http.MethodDelete, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, token2), &api.PullReviewRequestOptions{
+	req = NewRequestWithJSON(t, http.MethodDelete, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers", repo.OwnerName, repo.Name, pullIssue.Index), &api.PullReviewRequestOptions{
 		Reviewers: []string{"user8"},
-	})
+	}).AddTokenAuth(token2)
 	MakeRequest(t, req, http.StatusUnprocessableEntity)
 
-	req = NewRequestWithJSON(t, http.MethodDelete, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, token), &api.PullReviewRequestOptions{
+	req = NewRequestWithJSON(t, http.MethodDelete, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers", repo.OwnerName, repo.Name, pullIssue.Index), &api.PullReviewRequestOptions{
 		Reviewers: []string{"user8"},
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	// Test team review request
@@ -275,33 +282,35 @@ func TestAPIPullReviewRequest(t *testing.T) {
 	repo3 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: pullIssue12.RepoID})
 
 	// Test add Team Review Request
-	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers?token=%s", repo3.OwnerName, repo3.Name, pullIssue12.Index, token), &api.PullReviewRequestOptions{
+	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers", repo3.OwnerName, repo3.Name, pullIssue12.Index), &api.PullReviewRequestOptions{
 		TeamReviewers: []string{"team1", "owners"},
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusCreated)
 
 	// Test add Team Review Request to not allowned
-	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers?token=%s", repo3.OwnerName, repo3.Name, pullIssue12.Index, token), &api.PullReviewRequestOptions{
+	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers", repo3.OwnerName, repo3.Name, pullIssue12.Index), &api.PullReviewRequestOptions{
 		TeamReviewers: []string{"test_team"},
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusUnprocessableEntity)
 
 	// Test add Team Review Request to not exist
-	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers?token=%s", repo3.OwnerName, repo3.Name, pullIssue12.Index, token), &api.PullReviewRequestOptions{
+	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers", repo3.OwnerName, repo3.Name, pullIssue12.Index), &api.PullReviewRequestOptions{
 		TeamReviewers: []string{"not_exist_team"},
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNotFound)
 
 	// Test Remove team Review Request
-	req = NewRequestWithJSON(t, http.MethodDelete, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers?token=%s", repo3.OwnerName, repo3.Name, pullIssue12.Index, token), &api.PullReviewRequestOptions{
+	req = NewRequestWithJSON(t, http.MethodDelete, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers", repo3.OwnerName, repo3.Name, pullIssue12.Index), &api.PullReviewRequestOptions{
 		TeamReviewers: []string{"team1"},
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	// empty request test
-	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers?token=%s", repo3.OwnerName, repo3.Name, pullIssue12.Index, token), &api.PullReviewRequestOptions{})
+	req = NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers", repo3.OwnerName, repo3.Name, pullIssue12.Index), &api.PullReviewRequestOptions{}).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusCreated)
 
-	req = NewRequestWithJSON(t, http.MethodDelete, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers?token=%s", repo3.OwnerName, repo3.Name, pullIssue12.Index, token), &api.PullReviewRequestOptions{})
+	req = NewRequestWithJSON(t, http.MethodDelete, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers", repo3.OwnerName, repo3.Name, pullIssue12.Index), &api.PullReviewRequestOptions{}).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 }
diff --git a/tests/integration/api_pull_test.go b/tests/integration/api_pull_test.go
index 9d590630e4510..33cc826e5eaa2 100644
--- a/tests/integration/api_pull_test.go
+++ b/tests/integration/api_pull_test.go
@@ -31,7 +31,8 @@ func TestAPIViewPulls(t *testing.T) {
 
 	ctx := NewAPITestContext(t, "user2", repo.Name, auth_model.AccessTokenScopeReadRepository)
 
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/pulls?state=all&token="+ctx.Token, owner.Name, repo.Name)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/pulls?state=all", owner.Name, repo.Name).
+		AddTokenAuth(ctx.Token)
 	resp := ctx.Session.MakeRequest(t, req, http.StatusOK)
 
 	var pulls []*api.PullRequest
@@ -76,10 +77,10 @@ func TestAPIMergePullWIP(t *testing.T) {
 
 	session := loginUser(t, owner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
-	req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge?token=%s", owner.Name, repo.Name, pr.Index, token), &forms.MergePullRequestForm{
+	req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge", owner.Name, repo.Name, pr.Index), &forms.MergePullRequestForm{
 		MergeMessageField: pr.Issue.Title,
 		Do:                string(repo_model.MergeStyleMerge),
-	})
+	}).AddTokenAuth(token)
 
 	MakeRequest(t, req, http.StatusMethodNotAllowed)
 }
@@ -95,11 +96,11 @@ func TestAPICreatePullSuccess(t *testing.T) {
 
 	session := loginUser(t, owner11.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
-	req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls?token=%s", owner10.Name, repo10.Name, token), &api.CreatePullRequestOption{
+	req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls", owner10.Name, repo10.Name), &api.CreatePullRequestOption{
 		Head:  fmt.Sprintf("%s:master", owner11.Name),
 		Base:  "master",
 		Title: "create a failure pr",
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusCreated)
 	MakeRequest(t, req, http.StatusUnprocessableEntity) // second request should fail
 }
@@ -126,7 +127,8 @@ func TestAPICreatePullWithFieldsSuccess(t *testing.T) {
 		Labels:    []int64{5},
 	}
 
-	req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls?token=%s", owner10.Name, repo10.Name, token), opts)
+	req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls", owner10.Name, repo10.Name), opts).
+		AddTokenAuth(token)
 
 	res := MakeRequest(t, req, http.StatusCreated)
 	pull := new(api.PullRequest)
@@ -158,7 +160,8 @@ func TestAPICreatePullWithFieldsFailure(t *testing.T) {
 		Base: "master",
 	}
 
-	req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls?token=%s", owner10.Name, repo10.Name, token), opts)
+	req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls", owner10.Name, repo10.Name), opts).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusUnprocessableEntity)
 	opts.Title = "is required"
 
@@ -182,35 +185,34 @@ func TestAPIEditPull(t *testing.T) {
 
 	session := loginUser(t, owner10.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
-	req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls?token=%s", owner10.Name, repo10.Name, token), &api.CreatePullRequestOption{
+	req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls", owner10.Name, repo10.Name), &api.CreatePullRequestOption{
 		Head:  "develop",
 		Base:  "master",
 		Title: "create a success pr",
-	})
+	}).AddTokenAuth(token)
 	pull := new(api.PullRequest)
 	resp := MakeRequest(t, req, http.StatusCreated)
 	DecodeJSON(t, resp, pull)
 	assert.EqualValues(t, "master", pull.Base.Name)
 
-	req = NewRequestWithJSON(t, http.MethodPatch, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d?token=%s", owner10.Name, repo10.Name, pull.Index, token), &api.EditPullRequestOption{
+	req = NewRequestWithJSON(t, http.MethodPatch, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d", owner10.Name, repo10.Name, pull.Index), &api.EditPullRequestOption{
 		Base:  "feature/1",
 		Title: "edit a this pr",
-	})
+	}).AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusCreated)
 	DecodeJSON(t, resp, pull)
 	assert.EqualValues(t, "feature/1", pull.Base.Name)
 
-	req = NewRequestWithJSON(t, http.MethodPatch, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d?token=%s", owner10.Name, repo10.Name, pull.Index, token), &api.EditPullRequestOption{
+	req = NewRequestWithJSON(t, http.MethodPatch, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d", owner10.Name, repo10.Name, pull.Index), &api.EditPullRequestOption{
 		Base: "not-exist",
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNotFound)
 }
 
 func doAPIGetPullFiles(ctx APITestContext, pr *api.PullRequest, callback func(*testing.T, []*api.ChangedFile)) func(*testing.T) {
 	return func(t *testing.T) {
-		url := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/files?token=%s", ctx.Username, ctx.Reponame, pr.Index, ctx.Token)
-
-		req := NewRequest(t, http.MethodGet, url)
+		req := NewRequest(t, http.MethodGet, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/files", ctx.Username, ctx.Reponame, pr.Index)).
+			AddTokenAuth(ctx.Token)
 		if ctx.ExpectedCode == 0 {
 			ctx.ExpectedCode = http.StatusOK
 		}
diff --git a/tests/integration/api_releases_test.go b/tests/integration/api_releases_test.go
index 526842d5ac07c..6ec3fcc4b8b11 100644
--- a/tests/integration/api_releases_test.go
+++ b/tests/integration/api_releases_test.go
@@ -59,11 +59,12 @@ func TestAPIListReleases(t *testing.T) {
 
 	// test filter
 	testFilterByLen := func(auth bool, query url.Values, expectedLength int, msgAndArgs ...string) {
+		link.RawQuery = query.Encode()
+		req := NewRequest(t, "GET", link.String())
 		if auth {
-			query.Set("token", token)
+			req.AddTokenAuth(token)
 		}
-		link.RawQuery = query.Encode()
-		resp = MakeRequest(t, NewRequest(t, "GET", link.String()), http.StatusOK)
+		resp = MakeRequest(t, req, http.StatusOK)
 		DecodeJSON(t, resp, &apiReleases)
 		assert.Len(t, apiReleases, expectedLength, msgAndArgs)
 	}
@@ -77,8 +78,7 @@ func TestAPIListReleases(t *testing.T) {
 }
 
 func createNewReleaseUsingAPI(t *testing.T, session *TestSession, token string, owner *user_model.User, repo *repo_model.Repository, name, target, title, desc string) *api.Release {
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/releases?token=%s",
-		owner.Name, repo.Name, token)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/releases", owner.Name, repo.Name)
 	req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateReleaseOption{
 		TagName:      name,
 		Title:        title,
@@ -86,7 +86,7 @@ func createNewReleaseUsingAPI(t *testing.T, session *TestSession, token string,
 		IsDraft:      false,
 		IsPrerelease: false,
 		Target:       target,
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusCreated)
 
 	var newRelease api.Release
@@ -122,9 +122,9 @@ func TestAPICreateAndUpdateRelease(t *testing.T) {
 
 	newRelease := createNewReleaseUsingAPI(t, session, token, owner, repo, "v0.0.1", target, "v0.0.1", "test")
 
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/releases/%d?token=%s",
-		owner.Name, repo.Name, newRelease.ID, token)
-	req := NewRequest(t, "GET", urlStr)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/releases/%d", owner.Name, repo.Name, newRelease.ID)
+	req := NewRequest(t, "GET", urlStr).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var release api.Release
@@ -141,7 +141,7 @@ func TestAPICreateAndUpdateRelease(t *testing.T) {
 		IsDraft:      &release.IsDraft,
 		IsPrerelease: &release.IsPrerelease,
 		Target:       release.Target,
-	})
+	}).AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 
 	DecodeJSON(t, resp, &newRelease)
@@ -189,10 +189,7 @@ func TestAPIGetLatestRelease(t *testing.T) {
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
 	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
 
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/releases/latest",
-		owner.Name, repo.Name)
-
-	req := NewRequestf(t, "GET", urlStr)
+	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/releases/latest", owner.Name, repo.Name))
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var release *api.Release
@@ -209,10 +206,7 @@ func TestAPIGetReleaseByTag(t *testing.T) {
 
 	tag := "v1.1"
 
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/releases/tags/%s",
-		owner.Name, repo.Name, tag)
-
-	req := NewRequestf(t, "GET", urlStr)
+	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/releases/tags/%s", owner.Name, repo.Name, tag))
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var release *api.Release
@@ -222,10 +216,7 @@ func TestAPIGetReleaseByTag(t *testing.T) {
 
 	nonexistingtag := "nonexistingtag"
 
-	urlStr = fmt.Sprintf("/api/v1/repos/%s/%s/releases/tags/%s",
-		owner.Name, repo.Name, nonexistingtag)
-
-	req = NewRequestf(t, "GET", urlStr)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/releases/tags/%s", owner.Name, repo.Name, nonexistingtag))
 	resp = MakeRequest(t, req, http.StatusNotFound)
 
 	var err *api.APIError
@@ -244,15 +235,18 @@ func TestAPIDeleteReleaseByTagName(t *testing.T) {
 	createNewReleaseUsingAPI(t, session, token, owner, repo, "release-tag", "", "Release Tag", "test")
 
 	// delete release
-	req := NewRequestf(t, http.MethodDelete, fmt.Sprintf("/api/v1/repos/%s/%s/releases/tags/release-tag?token=%s", owner.Name, repo.Name, token))
+	req := NewRequestf(t, http.MethodDelete, fmt.Sprintf("/api/v1/repos/%s/%s/releases/tags/release-tag", owner.Name, repo.Name)).
+		AddTokenAuth(token)
 	_ = MakeRequest(t, req, http.StatusNoContent)
 
 	// make sure release is deleted
-	req = NewRequestf(t, http.MethodDelete, fmt.Sprintf("/api/v1/repos/%s/%s/releases/tags/release-tag?token=%s", owner.Name, repo.Name, token))
+	req = NewRequestf(t, http.MethodDelete, fmt.Sprintf("/api/v1/repos/%s/%s/releases/tags/release-tag", owner.Name, repo.Name)).
+		AddTokenAuth(token)
 	_ = MakeRequest(t, req, http.StatusNotFound)
 
 	// delete release tag too
-	req = NewRequestf(t, http.MethodDelete, fmt.Sprintf("/api/v1/repos/%s/%s/tags/release-tag?token=%s", owner.Name, repo.Name, token))
+	req = NewRequestf(t, http.MethodDelete, fmt.Sprintf("/api/v1/repos/%s/%s/tags/release-tag", owner.Name, repo.Name)).
+		AddTokenAuth(token)
 	_ = MakeRequest(t, req, http.StatusNoContent)
 }
 
@@ -278,7 +272,8 @@ func TestAPIUploadAssetRelease(t *testing.T) {
 	err = writer.Close()
 	assert.NoError(t, err)
 
-	req := NewRequestWithBody(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/releases/%d/assets?name=test-asset&token=%s", owner.Name, repo.Name, r.ID, token), body)
+	req := NewRequestWithBody(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/releases/%d/assets?name=test-asset", owner.Name, repo.Name, r.ID), body).
+		AddTokenAuth(token)
 	req.Header.Add("Content-Type", writer.FormDataContentType())
 	resp := MakeRequest(t, req, http.StatusCreated)
 
diff --git a/tests/integration/api_repo_avatar_test.go b/tests/integration/api_repo_avatar_test.go
index 58a4fc536c87e..6677885f7eb20 100644
--- a/tests/integration/api_repo_avatar_test.go
+++ b/tests/integration/api_repo_avatar_test.go
@@ -38,7 +38,8 @@ func TestAPIUpdateRepoAvatar(t *testing.T) {
 		Image: base64.StdEncoding.EncodeToString(avatar),
 	}
 
-	req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/avatar?token=%s", repo.OwnerName, repo.Name, token), &opts)
+	req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/avatar", repo.OwnerName, repo.Name), &opts).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	// Test what happens if you don't have a valid Base64 string
@@ -46,7 +47,8 @@ func TestAPIUpdateRepoAvatar(t *testing.T) {
 		Image: "Invalid",
 	}
 
-	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/avatar?token=%s", repo.OwnerName, repo.Name, token), &opts)
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/avatar", repo.OwnerName, repo.Name), &opts).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusBadRequest)
 
 	// Test what happens if you use a file that is not an image
@@ -60,7 +62,8 @@ func TestAPIUpdateRepoAvatar(t *testing.T) {
 		Image: base64.StdEncoding.EncodeToString(text),
 	}
 
-	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/avatar?token=%s", repo.OwnerName, repo.Name, token), &opts)
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/avatar", repo.OwnerName, repo.Name), &opts).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusInternalServerError)
 }
 
@@ -71,6 +74,7 @@ func TestAPIDeleteRepoAvatar(t *testing.T) {
 	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 	token := getUserToken(t, user2.LowerName, auth_model.AccessTokenScopeWriteRepository)
 
-	req := NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s/avatar?token=%s", repo.OwnerName, repo.Name, token))
+	req := NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s/avatar", repo.OwnerName, repo.Name)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 }
diff --git a/tests/integration/api_repo_collaborator_test.go b/tests/integration/api_repo_collaborator_test.go
index b7280a4f6c417..59cf85fef33d8 100644
--- a/tests/integration/api_repo_collaborator_test.go
+++ b/tests/integration/api_repo_collaborator_test.go
@@ -31,7 +31,8 @@ func TestAPIRepoCollaboratorPermission(t *testing.T) {
 		testCtx := NewAPITestContext(t, repo2Owner.Name, repo2.Name, auth_model.AccessTokenScopeWriteRepository)
 
 		t.Run("RepoOwnerShouldBeOwner", func(t *testing.T) {
-			req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, repo2Owner.Name, testCtx.Token)
+			req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission", repo2Owner.Name, repo2.Name, repo2Owner.Name).
+				AddTokenAuth(testCtx.Token)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			var repoPermission api.RepoCollaboratorPermission
@@ -43,7 +44,8 @@ func TestAPIRepoCollaboratorPermission(t *testing.T) {
 		t.Run("CollaboratorWithReadAccess", func(t *testing.T) {
 			t.Run("AddUserAsCollaboratorWithReadAccess", doAPIAddCollaborator(testCtx, user4.Name, perm.AccessModeRead))
 
-			req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, user4.Name, testCtx.Token)
+			req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission", repo2Owner.Name, repo2.Name, user4.Name).
+				AddTokenAuth(testCtx.Token)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			var repoPermission api.RepoCollaboratorPermission
@@ -55,7 +57,8 @@ func TestAPIRepoCollaboratorPermission(t *testing.T) {
 		t.Run("CollaboratorWithWriteAccess", func(t *testing.T) {
 			t.Run("AddUserAsCollaboratorWithWriteAccess", doAPIAddCollaborator(testCtx, user4.Name, perm.AccessModeWrite))
 
-			req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, user4.Name, testCtx.Token)
+			req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission", repo2Owner.Name, repo2.Name, user4.Name).
+				AddTokenAuth(testCtx.Token)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			var repoPermission api.RepoCollaboratorPermission
@@ -67,7 +70,8 @@ func TestAPIRepoCollaboratorPermission(t *testing.T) {
 		t.Run("CollaboratorWithAdminAccess", func(t *testing.T) {
 			t.Run("AddUserAsCollaboratorWithAdminAccess", doAPIAddCollaborator(testCtx, user4.Name, perm.AccessModeAdmin))
 
-			req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, user4.Name, testCtx.Token)
+			req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission", repo2Owner.Name, repo2.Name, user4.Name).
+				AddTokenAuth(testCtx.Token)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			var repoPermission api.RepoCollaboratorPermission
@@ -77,7 +81,8 @@ func TestAPIRepoCollaboratorPermission(t *testing.T) {
 		})
 
 		t.Run("CollaboratorNotFound", func(t *testing.T) {
-			req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, "non-existent-user", testCtx.Token)
+			req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission", repo2Owner.Name, repo2.Name, "non-existent-user").
+				AddTokenAuth(testCtx.Token)
 			MakeRequest(t, req, http.StatusNotFound)
 		})
 
@@ -87,7 +92,8 @@ func TestAPIRepoCollaboratorPermission(t *testing.T) {
 			_session := loginUser(t, user5.Name)
 			_testCtx := NewAPITestContext(t, user5.Name, repo2.Name, auth_model.AccessTokenScopeReadRepository)
 
-			req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, user5.Name, _testCtx.Token)
+			req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission", repo2Owner.Name, repo2.Name, user5.Name).
+				AddTokenAuth(_testCtx.Token)
 			resp := _session.MakeRequest(t, req, http.StatusOK)
 
 			var repoPermission api.RepoCollaboratorPermission
@@ -102,7 +108,8 @@ func TestAPIRepoCollaboratorPermission(t *testing.T) {
 			_session := loginUser(t, user5.Name)
 			_testCtx := NewAPITestContext(t, user5.Name, repo2.Name, auth_model.AccessTokenScopeReadRepository)
 
-			req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, user5.Name, _testCtx.Token)
+			req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission", repo2Owner.Name, repo2.Name, user5.Name).
+				AddTokenAuth(_testCtx.Token)
 			resp := _session.MakeRequest(t, req, http.StatusOK)
 
 			var repoPermission api.RepoCollaboratorPermission
@@ -118,7 +125,8 @@ func TestAPIRepoCollaboratorPermission(t *testing.T) {
 			_session := loginUser(t, user10.Name)
 			_testCtx := NewAPITestContext(t, user10.Name, repo2.Name, auth_model.AccessTokenScopeReadRepository)
 
-			req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, user11.Name, _testCtx.Token)
+			req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission", repo2Owner.Name, repo2.Name, user11.Name).
+				AddTokenAuth(_testCtx.Token)
 			resp := _session.MakeRequest(t, req, http.StatusOK)
 
 			var repoPermission api.RepoCollaboratorPermission
diff --git a/tests/integration/api_repo_edit_test.go b/tests/integration/api_repo_edit_test.go
index 0e992c2df2491..c4fc2177b4ce1 100644
--- a/tests/integration/api_repo_edit_test.go
+++ b/tests/integration/api_repo_edit_test.go
@@ -155,8 +155,8 @@ func TestAPIRepoEdit(t *testing.T) {
 		// Test editing a repo1 which user2 owns, changing name and many properties
 		origRepoEditOption := getRepoEditOptionFromRepo(repo1)
 		repoEditOption := getNewRepoEditOption(origRepoEditOption)
-		url := fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", user2.Name, repo1.Name, token2)
-		req := NewRequestWithJSON(t, "PATCH", url, &repoEditOption)
+		req := NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s", user2.Name, repo1.Name), &repoEditOption).
+			AddTokenAuth(token2)
 		resp := MakeRequest(t, req, http.StatusOK)
 		var repo api.Repository
 		DecodeJSON(t, resp, &repo)
@@ -186,8 +186,9 @@ func TestAPIRepoEdit(t *testing.T) {
 		}
 		*repoEditOption.HasWiki = true
 		repoEditOption.ExternalWiki = nil
-		url = fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", user2.Name, *repoEditOption.Name, token2)
-		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption)
+		url := fmt.Sprintf("/api/v1/repos/%s/%s", user2.Name, *repoEditOption.Name)
+		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption).
+			AddTokenAuth(token2)
 		resp = MakeRequest(t, req, http.StatusOK)
 		DecodeJSON(t, resp, &repo)
 		assert.NotNil(t, repo)
@@ -209,7 +210,8 @@ func TestAPIRepoEdit(t *testing.T) {
 		repoEditOption.ExternalWiki = &api.ExternalWiki{
 			ExternalWikiURL: "http://www.somewebsite.com",
 		}
-		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption)
+		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption).
+			AddTokenAuth(token2)
 		resp = MakeRequest(t, req, http.StatusOK)
 		DecodeJSON(t, resp, &repo)
 		assert.NotNil(t, repo)
@@ -223,7 +225,8 @@ func TestAPIRepoEdit(t *testing.T) {
 
 		repoEditOption.ExternalTracker.ExternalTrackerStyle = "regexp"
 		repoEditOption.ExternalTracker.ExternalTrackerRegexpPattern = `(\d+)`
-		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption)
+		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption).
+			AddTokenAuth(token2)
 		resp = MakeRequest(t, req, http.StatusOK)
 		DecodeJSON(t, resp, &repo)
 		assert.NotNil(t, repo)
@@ -234,15 +237,18 @@ func TestAPIRepoEdit(t *testing.T) {
 
 		// Do some tests with invalid URL for external tracker and wiki
 		repoEditOption.ExternalTracker.ExternalTrackerURL = "htp://www.somewebsite.com"
-		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption)
+		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption).
+			AddTokenAuth(token2)
 		MakeRequest(t, req, http.StatusUnprocessableEntity)
 		repoEditOption.ExternalTracker.ExternalTrackerURL = "http://www.somewebsite.com"
 		repoEditOption.ExternalTracker.ExternalTrackerFormat = "http://www.somewebsite.com/{user/{repo}?issue={index}"
-		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption)
+		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption).
+			AddTokenAuth(token2)
 		MakeRequest(t, req, http.StatusUnprocessableEntity)
 		repoEditOption.ExternalTracker.ExternalTrackerFormat = "http://www.somewebsite.com/{user}/{repo}?issue={index}"
 		repoEditOption.ExternalWiki.ExternalWikiURL = "htp://www.somewebsite.com"
-		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption)
+		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption).
+			AddTokenAuth(token2)
 		MakeRequest(t, req, http.StatusUnprocessableEntity)
 
 		// Test small repo change through API with issue and wiki option not set; They shall not be touched.
@@ -251,7 +257,8 @@ func TestAPIRepoEdit(t *testing.T) {
 		repoEditOption.ExternalTracker = nil
 		repoEditOption.HasWiki = nil
 		repoEditOption.ExternalWiki = nil
-		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption)
+		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption).
+			AddTokenAuth(token2)
 		resp = MakeRequest(t, req, http.StatusOK)
 		DecodeJSON(t, resp, &repo)
 		assert.NotNil(t, repo)
@@ -265,39 +272,38 @@ func TestAPIRepoEdit(t *testing.T) {
 		assert.NotNil(t, *repo1editedOption.ExternalWiki)
 
 		// reset repo in db
-		url = fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", user2.Name, *repoEditOption.Name, token2)
-		req = NewRequestWithJSON(t, "PATCH", url, &origRepoEditOption)
+		req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s", user2.Name, *repoEditOption.Name), &origRepoEditOption).
+			AddTokenAuth(token2)
 		_ = MakeRequest(t, req, http.StatusOK)
 
 		// Test editing a non-existing repo
 		name := "repodoesnotexist"
-		url = fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", user2.Name, name, token2)
-		req = NewRequestWithJSON(t, "PATCH", url, &api.EditRepoOption{Name: &name})
+		req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s", user2.Name, name), &api.EditRepoOption{Name: &name}).
+			AddTokenAuth(token2)
 		_ = MakeRequest(t, req, http.StatusNotFound)
 
 		// Test editing repo16 by user4 who does not have write access
 		origRepoEditOption = getRepoEditOptionFromRepo(repo16)
 		repoEditOption = getNewRepoEditOption(origRepoEditOption)
-		url = fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", user2.Name, repo16.Name, token4)
-		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption)
+		req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s", user2.Name, repo16.Name), &repoEditOption).
+			AddTokenAuth(token4)
 		MakeRequest(t, req, http.StatusNotFound)
 
 		// Tests a repo with no token given so will fail
 		origRepoEditOption = getRepoEditOptionFromRepo(repo16)
 		repoEditOption = getNewRepoEditOption(origRepoEditOption)
-		url = fmt.Sprintf("/api/v1/repos/%s/%s", user2.Name, repo16.Name)
-		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption)
+		req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s", user2.Name, repo16.Name), &repoEditOption)
 		_ = MakeRequest(t, req, http.StatusNotFound)
 
 		// Test using access token for a private repo that the user of the token owns
 		origRepoEditOption = getRepoEditOptionFromRepo(repo16)
 		repoEditOption = getNewRepoEditOption(origRepoEditOption)
-		url = fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", user2.Name, repo16.Name, token2)
-		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption)
+		req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s", user2.Name, repo16.Name), &repoEditOption).
+			AddTokenAuth(token2)
 		_ = MakeRequest(t, req, http.StatusOK)
 		// reset repo in db
-		url = fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", user2.Name, *repoEditOption.Name, token2)
-		req = NewRequestWithJSON(t, "PATCH", url, &origRepoEditOption)
+		req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s", user2.Name, *repoEditOption.Name), &origRepoEditOption).
+			AddTokenAuth(token2)
 		_ = MakeRequest(t, req, http.StatusOK)
 
 		// Test making a repo public that is private
@@ -306,53 +312,54 @@ func TestAPIRepoEdit(t *testing.T) {
 		repoEditOption = &api.EditRepoOption{
 			Private: &bFalse,
 		}
-		url = fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", user2.Name, repo16.Name, token2)
-		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption)
+		url = fmt.Sprintf("/api/v1/repos/%s/%s", user2.Name, repo16.Name)
+		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption).
+			AddTokenAuth(token2)
 		_ = MakeRequest(t, req, http.StatusOK)
 		repo16 = unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 16})
 		assert.False(t, repo16.IsPrivate)
 		// Make it private again
 		repoEditOption.Private = &bTrue
-		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption)
+		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption).
+			AddTokenAuth(token2)
 		_ = MakeRequest(t, req, http.StatusOK)
 
 		// Test to change empty repo
 		assert.False(t, repo15.IsArchived)
-		url = fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", user2.Name, repo15.Name, token2)
+		url = fmt.Sprintf("/api/v1/repos/%s/%s", user2.Name, repo15.Name)
 		req = NewRequestWithJSON(t, "PATCH", url, &api.EditRepoOption{
 			Archived: &bTrue,
-		})
+		}).AddTokenAuth(token2)
 		_ = MakeRequest(t, req, http.StatusOK)
 		repo15 = unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 15})
 		assert.True(t, repo15.IsArchived)
 		req = NewRequestWithJSON(t, "PATCH", url, &api.EditRepoOption{
 			Archived: &bFalse,
-		})
+		}).AddTokenAuth(token2)
 		_ = MakeRequest(t, req, http.StatusOK)
 
 		// Test using org repo "org3/repo3" where user2 is a collaborator
 		origRepoEditOption = getRepoEditOptionFromRepo(repo3)
 		repoEditOption = getNewRepoEditOption(origRepoEditOption)
-		url = fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", org3.Name, repo3.Name, token2)
-		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption)
+		req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s", org3.Name, repo3.Name), &repoEditOption).
+			AddTokenAuth(token2)
 		MakeRequest(t, req, http.StatusOK)
 		// reset repo in db
-		url = fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", org3.Name, *repoEditOption.Name, token2)
-		req = NewRequestWithJSON(t, "PATCH", url, &origRepoEditOption)
+		req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s", org3.Name, *repoEditOption.Name), &origRepoEditOption).
+			AddTokenAuth(token2)
 		_ = MakeRequest(t, req, http.StatusOK)
 
 		// Test using org repo "org3/repo3" with no user token
 		origRepoEditOption = getRepoEditOptionFromRepo(repo3)
 		repoEditOption = getNewRepoEditOption(origRepoEditOption)
-		url = fmt.Sprintf("/api/v1/repos/%s/%s", org3.Name, repo3.Name)
-		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption)
+		req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s", org3.Name, repo3.Name), &repoEditOption)
 		MakeRequest(t, req, http.StatusNotFound)
 
 		// Test using repo "user2/repo1" where user4 is a NOT collaborator
 		origRepoEditOption = getRepoEditOptionFromRepo(repo1)
 		repoEditOption = getNewRepoEditOption(origRepoEditOption)
-		url = fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", user2.Name, repo1.Name, token4)
-		req = NewRequestWithJSON(t, "PATCH", url, &repoEditOption)
+		req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s", user2.Name, repo1.Name), &repoEditOption).
+			AddTokenAuth(token4)
 		MakeRequest(t, req, http.StatusForbidden)
 	})
 }
diff --git a/tests/integration/api_repo_file_create_test.go b/tests/integration/api_repo_file_create_test.go
index fbe0b5bcd0555..f78909eb32582 100644
--- a/tests/integration/api_repo_file_create_test.go
+++ b/tests/integration/api_repo_file_create_test.go
@@ -164,8 +164,8 @@ func TestAPICreateFile(t *testing.T) {
 			createFileOptions.BranchName = branch
 			fileID++
 			treePath := fmt.Sprintf("new/file%d.txt", fileID)
-			url := fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo1.Name, treePath, token2)
-			req := NewRequestWithJSON(t, "POST", url, &createFileOptions)
+			req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo1.Name, treePath), &createFileOptions).
+				AddTokenAuth(token2)
 			resp := MakeRequest(t, req, http.StatusCreated)
 			gitRepo, _ := git.OpenRepository(stdCtx.Background(), repo1.RepoPath())
 			commitID, _ := gitRepo.GetBranchCommitID(createFileOptions.NewBranchName)
@@ -191,8 +191,8 @@ func TestAPICreateFile(t *testing.T) {
 		createFileOptions.NewBranchName = "new_branch"
 		fileID++
 		treePath := fmt.Sprintf("new/file%d.txt", fileID)
-		url := fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo1.Name, treePath, token2)
-		req := NewRequestWithJSON(t, "POST", url, &createFileOptions)
+		req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo1.Name, treePath), &createFileOptions).
+			AddTokenAuth(token2)
 		resp := MakeRequest(t, req, http.StatusCreated)
 		var fileResponse api.FileResponse
 		DecodeJSON(t, resp, &fileResponse)
@@ -209,8 +209,8 @@ func TestAPICreateFile(t *testing.T) {
 		createFileOptions.Message = ""
 		fileID++
 		treePath = fmt.Sprintf("new/file%d.txt", fileID)
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo1.Name, treePath, token2)
-		req = NewRequestWithJSON(t, "POST", url, &createFileOptions)
+		req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo1.Name, treePath), &createFileOptions).
+			AddTokenAuth(token2)
 		resp = MakeRequest(t, req, http.StatusCreated)
 		DecodeJSON(t, resp, &fileResponse)
 		expectedMessage := "Add " + treePath + "\n"
@@ -219,8 +219,8 @@ func TestAPICreateFile(t *testing.T) {
 		// Test trying to create a file that already exists, should fail
 		createFileOptions = getCreateFileOptions()
 		treePath = "README.md"
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo1.Name, treePath, token2)
-		req = NewRequestWithJSON(t, "POST", url, &createFileOptions)
+		req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo1.Name, treePath), &createFileOptions).
+			AddTokenAuth(token2)
 		resp = MakeRequest(t, req, http.StatusUnprocessableEntity)
 		expectedAPIError := context.APIError{
 			Message: "repository file already exists [path: " + treePath + "]",
@@ -234,48 +234,46 @@ func TestAPICreateFile(t *testing.T) {
 		createFileOptions = getCreateFileOptions()
 		fileID++
 		treePath = fmt.Sprintf("new/file%d.txt", fileID)
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo16.Name, treePath, token4)
-		req = NewRequestWithJSON(t, "POST", url, &createFileOptions)
+		req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo16.Name, treePath), &createFileOptions).
+			AddTokenAuth(token4)
 		MakeRequest(t, req, http.StatusNotFound)
 
 		// Tests a repo with no token given so will fail
 		createFileOptions = getCreateFileOptions()
 		fileID++
 		treePath = fmt.Sprintf("new/file%d.txt", fileID)
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo16.Name, treePath)
-		req = NewRequestWithJSON(t, "POST", url, &createFileOptions)
+		req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo16.Name, treePath), &createFileOptions)
 		MakeRequest(t, req, http.StatusNotFound)
 
 		// Test using access token for a private repo that the user of the token owns
 		createFileOptions = getCreateFileOptions()
 		fileID++
 		treePath = fmt.Sprintf("new/file%d.txt", fileID)
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo16.Name, treePath, token2)
-		req = NewRequestWithJSON(t, "POST", url, &createFileOptions)
+		req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo16.Name, treePath), &createFileOptions).
+			AddTokenAuth(token2)
 		MakeRequest(t, req, http.StatusCreated)
 
 		// Test using org repo "org3/repo3" where user2 is a collaborator
 		createFileOptions = getCreateFileOptions()
 		fileID++
 		treePath = fmt.Sprintf("new/file%d.txt", fileID)
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", org3.Name, repo3.Name, treePath, token2)
-		req = NewRequestWithJSON(t, "POST", url, &createFileOptions)
+		req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", org3.Name, repo3.Name, treePath), &createFileOptions).
+			AddTokenAuth(token2)
 		MakeRequest(t, req, http.StatusCreated)
 
 		// Test using org repo "org3/repo3" with no user token
 		createFileOptions = getCreateFileOptions()
 		fileID++
 		treePath = fmt.Sprintf("new/file%d.txt", fileID)
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", org3.Name, repo3.Name, treePath)
-		req = NewRequestWithJSON(t, "POST", url, &createFileOptions)
+		req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", org3.Name, repo3.Name, treePath), &createFileOptions)
 		MakeRequest(t, req, http.StatusNotFound)
 
 		// Test using repo "user2/repo1" where user4 is a NOT collaborator
 		createFileOptions = getCreateFileOptions()
 		fileID++
 		treePath = fmt.Sprintf("new/file%d.txt", fileID)
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo1.Name, treePath, token4)
-		req = NewRequestWithJSON(t, "POST", url, &createFileOptions)
+		req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo1.Name, treePath), &createFileOptions).
+			AddTokenAuth(token4)
 		MakeRequest(t, req, http.StatusForbidden)
 
 		// Test creating a file in an empty repository
@@ -283,8 +281,8 @@ func TestAPICreateFile(t *testing.T) {
 		createFileOptions = getCreateFileOptions()
 		fileID++
 		treePath = fmt.Sprintf("new/file%d.txt", fileID)
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, "empty-repo", treePath, token2)
-		req = NewRequestWithJSON(t, "POST", url, &createFileOptions)
+		req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, "empty-repo", treePath), &createFileOptions).
+			AddTokenAuth(token2)
 		resp = MakeRequest(t, req, http.StatusCreated)
 		emptyRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{OwnerName: "user2", Name: "empty-repo"}) // public repo
 		gitRepo, _ := git.OpenRepository(stdCtx.Background(), emptyRepo.RepoPath())
diff --git a/tests/integration/api_repo_file_delete_test.go b/tests/integration/api_repo_file_delete_test.go
index c6ab7a0e615be..7c93307e1981f 100644
--- a/tests/integration/api_repo_file_delete_test.go
+++ b/tests/integration/api_repo_file_delete_test.go
@@ -64,8 +64,8 @@ func TestAPIDeleteFile(t *testing.T) {
 			createFile(user2, repo1, treePath)
 			deleteFileOptions := getDeleteFileOptions()
 			deleteFileOptions.BranchName = branch
-			url := fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo1.Name, treePath, token2)
-			req := NewRequestWithJSON(t, "DELETE", url, &deleteFileOptions)
+			req := NewRequestWithJSON(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo1.Name, treePath), &deleteFileOptions).
+				AddTokenAuth(token2)
 			resp := MakeRequest(t, req, http.StatusOK)
 			var fileResponse api.FileResponse
 			DecodeJSON(t, resp, &fileResponse)
@@ -80,8 +80,8 @@ func TestAPIDeleteFile(t *testing.T) {
 		deleteFileOptions := getDeleteFileOptions()
 		deleteFileOptions.BranchName = repo1.DefaultBranch
 		deleteFileOptions.NewBranchName = "new_branch"
-		url := fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo1.Name, treePath, token2)
-		req := NewRequestWithJSON(t, "DELETE", url, &deleteFileOptions)
+		req := NewRequestWithJSON(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo1.Name, treePath), &deleteFileOptions).
+			AddTokenAuth(token2)
 		resp := MakeRequest(t, req, http.StatusOK)
 		var fileResponse api.FileResponse
 		DecodeJSON(t, resp, &fileResponse)
@@ -95,8 +95,8 @@ func TestAPIDeleteFile(t *testing.T) {
 		createFile(user2, repo1, treePath)
 		deleteFileOptions = getDeleteFileOptions()
 		deleteFileOptions.Message = ""
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo1.Name, treePath, token2)
-		req = NewRequestWithJSON(t, "DELETE", url, &deleteFileOptions)
+		req = NewRequestWithJSON(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo1.Name, treePath), &deleteFileOptions).
+			AddTokenAuth(token2)
 		resp = MakeRequest(t, req, http.StatusOK)
 		DecodeJSON(t, resp, &fileResponse)
 		expectedMessage := "Delete " + treePath + "\n"
@@ -108,8 +108,8 @@ func TestAPIDeleteFile(t *testing.T) {
 		createFile(user2, repo1, treePath)
 		deleteFileOptions = getDeleteFileOptions()
 		deleteFileOptions.SHA = "badsha"
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo1.Name, treePath, token2)
-		req = NewRequestWithJSON(t, "DELETE", url, &deleteFileOptions)
+		req = NewRequestWithJSON(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo1.Name, treePath), &deleteFileOptions).
+			AddTokenAuth(token2)
 		MakeRequest(t, req, http.StatusBadRequest)
 
 		// Test creating a file in repo16 by user4 who does not have write access
@@ -117,8 +117,8 @@ func TestAPIDeleteFile(t *testing.T) {
 		treePath = fmt.Sprintf("delete/file%d.txt", fileID)
 		createFile(user2, repo16, treePath)
 		deleteFileOptions = getDeleteFileOptions()
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo16.Name, treePath, token4)
-		req = NewRequestWithJSON(t, "DELETE", url, &deleteFileOptions)
+		req = NewRequestWithJSON(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo16.Name, treePath), &deleteFileOptions).
+			AddTokenAuth(token4)
 		MakeRequest(t, req, http.StatusNotFound)
 
 		// Tests a repo with no token given so will fail
@@ -126,8 +126,7 @@ func TestAPIDeleteFile(t *testing.T) {
 		treePath = fmt.Sprintf("delete/file%d.txt", fileID)
 		createFile(user2, repo16, treePath)
 		deleteFileOptions = getDeleteFileOptions()
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo16.Name, treePath)
-		req = NewRequestWithJSON(t, "DELETE", url, &deleteFileOptions)
+		req = NewRequestWithJSON(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo16.Name, treePath), &deleteFileOptions)
 		MakeRequest(t, req, http.StatusNotFound)
 
 		// Test using access token for a private repo that the user of the token owns
@@ -135,8 +134,8 @@ func TestAPIDeleteFile(t *testing.T) {
 		treePath = fmt.Sprintf("delete/file%d.txt", fileID)
 		createFile(user2, repo16, treePath)
 		deleteFileOptions = getDeleteFileOptions()
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo16.Name, treePath, token2)
-		req = NewRequestWithJSON(t, "DELETE", url, &deleteFileOptions)
+		req = NewRequestWithJSON(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo16.Name, treePath), &deleteFileOptions).
+			AddTokenAuth(token2)
 		MakeRequest(t, req, http.StatusOK)
 
 		// Test using org repo "org3/repo3" where user2 is a collaborator
@@ -144,8 +143,8 @@ func TestAPIDeleteFile(t *testing.T) {
 		treePath = fmt.Sprintf("delete/file%d.txt", fileID)
 		createFile(org3, repo3, treePath)
 		deleteFileOptions = getDeleteFileOptions()
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", org3.Name, repo3.Name, treePath, token2)
-		req = NewRequestWithJSON(t, "DELETE", url, &deleteFileOptions)
+		req = NewRequestWithJSON(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", org3.Name, repo3.Name, treePath), &deleteFileOptions).
+			AddTokenAuth(token2)
 		MakeRequest(t, req, http.StatusOK)
 
 		// Test using org repo "org3/repo3" with no user token
@@ -153,8 +152,7 @@ func TestAPIDeleteFile(t *testing.T) {
 		treePath = fmt.Sprintf("delete/file%d.txt", fileID)
 		createFile(org3, repo3, treePath)
 		deleteFileOptions = getDeleteFileOptions()
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", org3.Name, repo3.Name, treePath)
-		req = NewRequestWithJSON(t, "DELETE", url, &deleteFileOptions)
+		req = NewRequestWithJSON(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", org3.Name, repo3.Name, treePath), &deleteFileOptions)
 		MakeRequest(t, req, http.StatusNotFound)
 
 		// Test using repo "user2/repo1" where user4 is a NOT collaborator
@@ -162,8 +160,8 @@ func TestAPIDeleteFile(t *testing.T) {
 		treePath = fmt.Sprintf("delete/file%d.txt", fileID)
 		createFile(user2, repo1, treePath)
 		deleteFileOptions = getDeleteFileOptions()
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo1.Name, treePath, token4)
-		req = NewRequestWithJSON(t, "DELETE", url, &deleteFileOptions)
+		req = NewRequestWithJSON(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo1.Name, treePath), &deleteFileOptions).
+			AddTokenAuth(token4)
 		MakeRequest(t, req, http.StatusForbidden)
 	})
 }
diff --git a/tests/integration/api_repo_file_update_test.go b/tests/integration/api_repo_file_update_test.go
index ecf24cdbf984d..7e88f6cd80360 100644
--- a/tests/integration/api_repo_file_update_test.go
+++ b/tests/integration/api_repo_file_update_test.go
@@ -132,8 +132,8 @@ func TestAPIUpdateFile(t *testing.T) {
 			createFile(user2, repo1, treePath)
 			updateFileOptions := getUpdateFileOptions()
 			updateFileOptions.BranchName = branch
-			url := fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo1.Name, treePath, token2)
-			req := NewRequestWithJSON(t, "PUT", url, &updateFileOptions)
+			req := NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo1.Name, treePath), &updateFileOptions).
+				AddTokenAuth(token2)
 			resp := MakeRequest(t, req, http.StatusOK)
 			gitRepo, _ := git.OpenRepository(stdCtx.Background(), repo1.RepoPath())
 			commitID, _ := gitRepo.GetBranchCommitID(updateFileOptions.NewBranchName)
@@ -156,8 +156,8 @@ func TestAPIUpdateFile(t *testing.T) {
 		fileID++
 		treePath := fmt.Sprintf("update/file%d.txt", fileID)
 		createFile(user2, repo1, treePath)
-		url := fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo1.Name, treePath, token2)
-		req := NewRequestWithJSON(t, "PUT", url, &updateFileOptions)
+		req := NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo1.Name, treePath), &updateFileOptions).
+			AddTokenAuth(token2)
 		resp := MakeRequest(t, req, http.StatusOK)
 		var fileResponse api.FileResponse
 		DecodeJSON(t, resp, &fileResponse)
@@ -177,8 +177,8 @@ func TestAPIUpdateFile(t *testing.T) {
 		createFile(user2, repo1, treePath)
 		updateFileOptions.FromPath = treePath
 		treePath = "rename/" + treePath
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo1.Name, treePath, token2)
-		req = NewRequestWithJSON(t, "PUT", url, &updateFileOptions)
+		req = NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo1.Name, treePath), &updateFileOptions).
+			AddTokenAuth(token2)
 		resp = MakeRequest(t, req, http.StatusOK)
 		DecodeJSON(t, resp, &fileResponse)
 		expectedSHA = "08bd14b2e2852529157324de9c226b3364e76136"
@@ -195,8 +195,8 @@ func TestAPIUpdateFile(t *testing.T) {
 		fileID++
 		treePath = fmt.Sprintf("update/file%d.txt", fileID)
 		createFile(user2, repo1, treePath)
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo1.Name, treePath, token2)
-		req = NewRequestWithJSON(t, "PUT", url, &updateFileOptions)
+		req = NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo1.Name, treePath), &updateFileOptions).
+			AddTokenAuth(token2)
 		resp = MakeRequest(t, req, http.StatusOK)
 		DecodeJSON(t, resp, &fileResponse)
 		expectedMessage := "Update " + treePath + "\n"
@@ -209,8 +209,8 @@ func TestAPIUpdateFile(t *testing.T) {
 		updateFileOptions = getUpdateFileOptions()
 		correctSHA := updateFileOptions.SHA
 		updateFileOptions.SHA = "badsha"
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo1.Name, treePath, token2)
-		req = NewRequestWithJSON(t, "PUT", url, &updateFileOptions)
+		req = NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo1.Name, treePath), &updateFileOptions).
+			AddTokenAuth(token2)
 		resp = MakeRequest(t, req, http.StatusUnprocessableEntity)
 		expectedAPIError := context.APIError{
 			Message: "sha does not match [given: " + updateFileOptions.SHA + ", expected: " + correctSHA + "]",
@@ -225,8 +225,8 @@ func TestAPIUpdateFile(t *testing.T) {
 		treePath = fmt.Sprintf("update/file%d.txt", fileID)
 		createFile(user2, repo16, treePath)
 		updateFileOptions = getUpdateFileOptions()
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo16.Name, treePath, token4)
-		req = NewRequestWithJSON(t, "PUT", url, &updateFileOptions)
+		req = NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo16.Name, treePath), &updateFileOptions).
+			AddTokenAuth(token4)
 		MakeRequest(t, req, http.StatusNotFound)
 
 		// Tests a repo with no token given so will fail
@@ -234,8 +234,7 @@ func TestAPIUpdateFile(t *testing.T) {
 		treePath = fmt.Sprintf("update/file%d.txt", fileID)
 		createFile(user2, repo16, treePath)
 		updateFileOptions = getUpdateFileOptions()
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo16.Name, treePath)
-		req = NewRequestWithJSON(t, "PUT", url, &updateFileOptions)
+		req = NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo16.Name, treePath), &updateFileOptions)
 		MakeRequest(t, req, http.StatusNotFound)
 
 		// Test using access token for a private repo that the user of the token owns
@@ -243,8 +242,8 @@ func TestAPIUpdateFile(t *testing.T) {
 		treePath = fmt.Sprintf("update/file%d.txt", fileID)
 		createFile(user2, repo16, treePath)
 		updateFileOptions = getUpdateFileOptions()
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo16.Name, treePath, token2)
-		req = NewRequestWithJSON(t, "PUT", url, &updateFileOptions)
+		req = NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo16.Name, treePath), &updateFileOptions).
+			AddTokenAuth(token2)
 		MakeRequest(t, req, http.StatusOK)
 
 		// Test using org repo "org3/repo3" where user2 is a collaborator
@@ -252,8 +251,8 @@ func TestAPIUpdateFile(t *testing.T) {
 		treePath = fmt.Sprintf("update/file%d.txt", fileID)
 		createFile(org3, repo3, treePath)
 		updateFileOptions = getUpdateFileOptions()
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", org3.Name, repo3.Name, treePath, token2)
-		req = NewRequestWithJSON(t, "PUT", url, &updateFileOptions)
+		req = NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", org3.Name, repo3.Name, treePath), &updateFileOptions).
+			AddTokenAuth(token2)
 		MakeRequest(t, req, http.StatusOK)
 
 		// Test using org repo "org3/repo3" with no user token
@@ -261,8 +260,7 @@ func TestAPIUpdateFile(t *testing.T) {
 		treePath = fmt.Sprintf("update/file%d.txt", fileID)
 		createFile(org3, repo3, treePath)
 		updateFileOptions = getUpdateFileOptions()
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", org3.Name, repo3.Name, treePath)
-		req = NewRequestWithJSON(t, "PUT", url, &updateFileOptions)
+		req = NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", org3.Name, repo3.Name, treePath), &updateFileOptions)
 		MakeRequest(t, req, http.StatusNotFound)
 
 		// Test using repo "user2/repo1" where user4 is a NOT collaborator
@@ -270,8 +268,8 @@ func TestAPIUpdateFile(t *testing.T) {
 		treePath = fmt.Sprintf("update/file%d.txt", fileID)
 		createFile(user2, repo1, treePath)
 		updateFileOptions = getUpdateFileOptions()
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo1.Name, treePath, token4)
-		req = NewRequestWithJSON(t, "PUT", url, &updateFileOptions)
+		req = NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", user2.Name, repo1.Name, treePath), &updateFileOptions).
+			AddTokenAuth(token4)
 		MakeRequest(t, req, http.StatusForbidden)
 	})
 }
diff --git a/tests/integration/api_repo_files_change_test.go b/tests/integration/api_repo_files_change_test.go
index 1ab759497fb0e..d500d48b36091 100644
--- a/tests/integration/api_repo_files_change_test.go
+++ b/tests/integration/api_repo_files_change_test.go
@@ -93,8 +93,8 @@ func TestAPIChangeFiles(t *testing.T) {
 			changeFilesOptions.Files[0].Path = createTreePath
 			changeFilesOptions.Files[1].Path = updateTreePath
 			changeFilesOptions.Files[2].Path = deleteTreePath
-			url := fmt.Sprintf("/api/v1/repos/%s/%s/contents?token=%s", user2.Name, repo1.Name, token2)
-			req := NewRequestWithJSON(t, "POST", url, &changeFilesOptions)
+			req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/contents", user2.Name, repo1.Name), &changeFilesOptions).
+				AddTokenAuth(token2)
 			resp := MakeRequest(t, req, http.StatusCreated)
 			gitRepo, _ := git.OpenRepository(stdCtx.Background(), repo1.RepoPath())
 			commitID, _ := gitRepo.GetBranchCommitID(changeFilesOptions.NewBranchName)
@@ -138,8 +138,9 @@ func TestAPIChangeFiles(t *testing.T) {
 		changeFilesOptions.Files[2].Path = deleteTreePath
 		createFile(user2, repo1, updateTreePath)
 		createFile(user2, repo1, deleteTreePath)
-		url := fmt.Sprintf("/api/v1/repos/%s/%s/contents?token=%s", user2.Name, repo1.Name, token2)
-		req := NewRequestWithJSON(t, "POST", url, &changeFilesOptions)
+		url := fmt.Sprintf("/api/v1/repos/%s/%s/contents", user2.Name, repo1.Name)
+		req := NewRequestWithJSON(t, "POST", url, &changeFilesOptions).
+			AddTokenAuth(token2)
 		resp := MakeRequest(t, req, http.StatusCreated)
 		var filesResponse api.FilesResponse
 		DecodeJSON(t, resp, &filesResponse)
@@ -168,7 +169,8 @@ func TestAPIChangeFiles(t *testing.T) {
 		changeFilesOptions.Files = []*api.ChangeFileOperation{changeFilesOptions.Files[1]}
 		changeFilesOptions.Files[0].FromPath = updateTreePath
 		changeFilesOptions.Files[0].Path = "rename/" + updateTreePath
-		req = NewRequestWithJSON(t, "POST", url, &changeFilesOptions)
+		req = NewRequestWithJSON(t, "POST", url, &changeFilesOptions).
+			AddTokenAuth(token2)
 		resp = MakeRequest(t, req, http.StatusCreated)
 		DecodeJSON(t, resp, &filesResponse)
 		expectedUpdateSHA = "08bd14b2e2852529157324de9c226b3364e76136"
@@ -191,7 +193,8 @@ func TestAPIChangeFiles(t *testing.T) {
 		changeFilesOptions.Files[2].Path = deleteTreePath
 		createFile(user2, repo1, updateTreePath)
 		createFile(user2, repo1, deleteTreePath)
-		req = NewRequestWithJSON(t, "POST", url, &changeFilesOptions)
+		req = NewRequestWithJSON(t, "POST", url, &changeFilesOptions).
+			AddTokenAuth(token2)
 		resp = MakeRequest(t, req, http.StatusCreated)
 		DecodeJSON(t, resp, &filesResponse)
 		expectedMessage := fmt.Sprintf("Add %v\nUpdate %v\nDelete %v\n", createTreePath, updateTreePath, deleteTreePath)
@@ -206,7 +209,8 @@ func TestAPIChangeFiles(t *testing.T) {
 		changeFilesOptions.Files[0].Path = updateTreePath
 		correctSHA := changeFilesOptions.Files[0].SHA
 		changeFilesOptions.Files[0].SHA = "badsha"
-		req = NewRequestWithJSON(t, "POST", url, &changeFilesOptions)
+		req = NewRequestWithJSON(t, "POST", url, &changeFilesOptions).
+			AddTokenAuth(token2)
 		resp = MakeRequest(t, req, http.StatusUnprocessableEntity)
 		expectedAPIError := context.APIError{
 			Message: "sha does not match [given: " + changeFilesOptions.Files[0].SHA + ", expected: " + correctSHA + "]",
@@ -227,8 +231,8 @@ func TestAPIChangeFiles(t *testing.T) {
 		changeFilesOptions.Files[0].Path = createTreePath
 		changeFilesOptions.Files[1].Path = updateTreePath
 		changeFilesOptions.Files[2].Path = deleteTreePath
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents?token=%s", user2.Name, repo16.Name, token4)
-		req = NewRequestWithJSON(t, "POST", url, &changeFilesOptions)
+		req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/contents", user2.Name, repo16.Name), &changeFilesOptions).
+			AddTokenAuth(token4)
 		MakeRequest(t, req, http.StatusNotFound)
 
 		// Tests a repo with no token given so will fail
@@ -242,8 +246,7 @@ func TestAPIChangeFiles(t *testing.T) {
 		changeFilesOptions.Files[0].Path = createTreePath
 		changeFilesOptions.Files[1].Path = updateTreePath
 		changeFilesOptions.Files[2].Path = deleteTreePath
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents", user2.Name, repo16.Name)
-		req = NewRequestWithJSON(t, "POST", url, &changeFilesOptions)
+		req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/contents", user2.Name, repo16.Name), &changeFilesOptions)
 		MakeRequest(t, req, http.StatusNotFound)
 
 		// Test using access token for a private repo that the user of the token owns
@@ -257,8 +260,8 @@ func TestAPIChangeFiles(t *testing.T) {
 		changeFilesOptions.Files[0].Path = createTreePath
 		changeFilesOptions.Files[1].Path = updateTreePath
 		changeFilesOptions.Files[2].Path = deleteTreePath
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents?token=%s", user2.Name, repo16.Name, token2)
-		req = NewRequestWithJSON(t, "POST", url, &changeFilesOptions)
+		req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/contents", user2.Name, repo16.Name), &changeFilesOptions).
+			AddTokenAuth(token2)
 		MakeRequest(t, req, http.StatusCreated)
 
 		// Test using org repo "org3/repo3" where user2 is a collaborator
@@ -272,8 +275,8 @@ func TestAPIChangeFiles(t *testing.T) {
 		changeFilesOptions.Files[0].Path = createTreePath
 		changeFilesOptions.Files[1].Path = updateTreePath
 		changeFilesOptions.Files[2].Path = deleteTreePath
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents?token=%s", org3.Name, repo3.Name, token2)
-		req = NewRequestWithJSON(t, "POST", url, &changeFilesOptions)
+		req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/contents", org3.Name, repo3.Name), &changeFilesOptions).
+			AddTokenAuth(token2)
 		MakeRequest(t, req, http.StatusCreated)
 
 		// Test using org repo "org3/repo3" with no user token
@@ -287,8 +290,7 @@ func TestAPIChangeFiles(t *testing.T) {
 		changeFilesOptions.Files[0].Path = createTreePath
 		changeFilesOptions.Files[1].Path = updateTreePath
 		changeFilesOptions.Files[2].Path = deleteTreePath
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents", org3.Name, repo3.Name)
-		req = NewRequestWithJSON(t, "POST", url, &changeFilesOptions)
+		req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/contents", org3.Name, repo3.Name), &changeFilesOptions)
 		MakeRequest(t, req, http.StatusNotFound)
 
 		// Test using repo "user2/repo1" where user4 is a NOT collaborator
@@ -302,8 +304,8 @@ func TestAPIChangeFiles(t *testing.T) {
 		changeFilesOptions.Files[0].Path = createTreePath
 		changeFilesOptions.Files[1].Path = updateTreePath
 		changeFilesOptions.Files[2].Path = deleteTreePath
-		url = fmt.Sprintf("/api/v1/repos/%s/%s/contents?token=%s", user2.Name, repo1.Name, token4)
-		req = NewRequestWithJSON(t, "POST", url, &changeFilesOptions)
+		req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/contents", user2.Name, repo1.Name), &changeFilesOptions).
+			AddTokenAuth(token4)
 		MakeRequest(t, req, http.StatusForbidden)
 	})
 }
diff --git a/tests/integration/api_repo_get_contents_list_test.go b/tests/integration/api_repo_get_contents_list_test.go
index 7874eddfd4d19..86313f5e3b209 100644
--- a/tests/integration/api_repo_get_contents_list_test.go
+++ b/tests/integration/api_repo_get_contents_list_test.go
@@ -154,14 +154,17 @@ func testAPIGetContentsList(t *testing.T, u *url.URL) {
 	MakeRequest(t, req, http.StatusNotFound)
 
 	// Test accessing private ref with user token that does not have access - should fail
-	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo16.Name, treePath, token4)
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/contents/%s", user2.Name, repo16.Name, treePath).
+		AddTokenAuth(token4)
 	MakeRequest(t, req, http.StatusNotFound)
 
 	// Test access private ref of owner of token
-	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/contents/readme.md?token=%s", user2.Name, repo16.Name, token2)
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/contents/readme.md", user2.Name, repo16.Name).
+		AddTokenAuth(token2)
 	MakeRequest(t, req, http.StatusOK)
 
 	// Test access of org org3 private repo file by owner user2
-	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/contents/%s?token=%s", org3.Name, repo3.Name, treePath, token2)
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/contents/%s", org3.Name, repo3.Name, treePath).
+		AddTokenAuth(token2)
 	MakeRequest(t, req, http.StatusOK)
 }
diff --git a/tests/integration/api_repo_get_contents_test.go b/tests/integration/api_repo_get_contents_test.go
index 1d708a4cdb438..ffbdfcb0fab81 100644
--- a/tests/integration/api_repo_get_contents_test.go
+++ b/tests/integration/api_repo_get_contents_test.go
@@ -151,15 +151,18 @@ func testAPIGetContents(t *testing.T, u *url.URL) {
 	MakeRequest(t, req, http.StatusNotFound)
 
 	// Test accessing private ref with user token that does not have access - should fail
-	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/contents/%s?token=%s", user2.Name, repo16.Name, treePath, token4)
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/contents/%s", user2.Name, repo16.Name, treePath).
+		AddTokenAuth(token4)
 	MakeRequest(t, req, http.StatusNotFound)
 
 	// Test access private ref of owner of token
-	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/contents/readme.md?token=%s", user2.Name, repo16.Name, token2)
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/contents/readme.md", user2.Name, repo16.Name).
+		AddTokenAuth(token2)
 	MakeRequest(t, req, http.StatusOK)
 
 	// Test access of org org3 private repo file by owner user2
-	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/contents/%s?token=%s", org3.Name, repo3.Name, treePath, token2)
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/contents/%s", org3.Name, repo3.Name, treePath).
+		AddTokenAuth(token2)
 	MakeRequest(t, req, http.StatusOK)
 }
 
diff --git a/tests/integration/api_repo_git_blobs_test.go b/tests/integration/api_repo_git_blobs_test.go
index 866234d0a6cc9..184362e7e320f 100644
--- a/tests/integration/api_repo_git_blobs_test.go
+++ b/tests/integration/api_repo_git_blobs_test.go
@@ -48,7 +48,8 @@ func TestAPIReposGitBlobs(t *testing.T) {
 	MakeRequest(t, req, http.StatusNotFound)
 
 	// Test using access token for a private repo that the user of the token owns
-	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/git/blobs/%s?token=%s", user2.Name, repo16.Name, repo16ReadmeSHA, token)
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/git/blobs/%s", user2.Name, repo16.Name, repo16ReadmeSHA).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusOK)
 
 	// Test using bad sha
@@ -56,11 +57,13 @@ func TestAPIReposGitBlobs(t *testing.T) {
 	MakeRequest(t, req, http.StatusBadRequest)
 
 	// Test using org repo "org3/repo3" where user2 is a collaborator
-	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/git/blobs/%s?token=%s", org3.Name, repo3.Name, repo3ReadmeSHA, token)
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/git/blobs/%s", org3.Name, repo3.Name, repo3ReadmeSHA).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusOK)
 
 	// Test using org repo "org3/repo3" where user2 is a collaborator
-	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/git/blobs/%s?token=%s", org3.Name, repo3.Name, repo3ReadmeSHA, token)
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/git/blobs/%s", org3.Name, repo3.Name, repo3ReadmeSHA).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusOK)
 
 	// Test using org repo "org3/repo3" with no user token
diff --git a/tests/integration/api_repo_git_commits_test.go b/tests/integration/api_repo_git_commits_test.go
index 765055720d79d..365520620730e 100644
--- a/tests/integration/api_repo_git_commits_test.go
+++ b/tests/integration/api_repo_git_commits_test.go
@@ -32,13 +32,16 @@ func TestAPIReposGitCommits(t *testing.T) {
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
 
 	// check invalid requests
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/commits/12345?token="+token, user.Name)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/commits/12345", user.Name).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNotFound)
 
-	req = NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/commits/..?token="+token, user.Name)
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/commits/..", user.Name).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusUnprocessableEntity)
 
-	req = NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/commits/branch-not-exist?token="+token, user.Name)
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/commits/branch-not-exist", user.Name).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNotFound)
 
 	for _, ref := range [...]string{
@@ -47,7 +50,8 @@ func TestAPIReposGitCommits(t *testing.T) {
 		"65f1",   // short sha
 		"65f1bf27bc3bf70f64657658635e66094edbcb4d", // full sha
 	} {
-		req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/commits/%s?token="+token, user.Name, ref)
+		req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/commits/%s", user.Name, ref).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusOK)
 	}
 }
@@ -60,7 +64,8 @@ func TestAPIReposGitCommitList(t *testing.T) {
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
 
 	// Test getting commits (Page 1)
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo20/commits?token="+token+"&not=master&sha=remove-files-a", user.Name)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo20/commits?not=master&sha=remove-files-a", user.Name).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var apiData []api.Commit
@@ -83,7 +88,8 @@ func TestAPIReposGitCommitListNotMaster(t *testing.T) {
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
 
 	// Test getting commits (Page 1)
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo16/commits?token="+token, user.Name)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo16/commits", user.Name).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var apiData []api.Commit
@@ -108,7 +114,8 @@ func TestAPIReposGitCommitListPage2Empty(t *testing.T) {
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
 
 	// Test getting commits (Page=2)
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo16/commits?token="+token+"&page=2", user.Name)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo16/commits?page=2", user.Name).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var apiData []api.Commit
@@ -125,7 +132,8 @@ func TestAPIReposGitCommitListDifferentBranch(t *testing.T) {
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
 
 	// Test getting commits (Page=1, Branch=good-sign)
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo16/commits?token="+token+"&sha=good-sign", user.Name)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo16/commits?sha=good-sign", user.Name).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var apiData []api.Commit
@@ -144,7 +152,8 @@ func TestAPIReposGitCommitListWithoutSelectFields(t *testing.T) {
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
 
 	// Test getting commits without files, verification, and stats
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo16/commits?token="+token+"&sha=good-sign&stat=false&files=false&verification=false", user.Name)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo16/commits?sha=good-sign&stat=false&files=false&verification=false", user.Name).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var apiData []api.Commit
@@ -165,14 +174,16 @@ func TestDownloadCommitDiffOrPatch(t *testing.T) {
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
 
 	// Test getting diff
-	reqDiff := NewRequestf(t, "GET", "/api/v1/repos/%s/repo16/git/commits/f27c2b2b03dcab38beaf89b0ab4ff61f6de63441.diff?token="+token, user.Name)
+	reqDiff := NewRequestf(t, "GET", "/api/v1/repos/%s/repo16/git/commits/f27c2b2b03dcab38beaf89b0ab4ff61f6de63441.diff", user.Name).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, reqDiff, http.StatusOK)
 	assert.EqualValues(t,
 		"commit f27c2b2b03dcab38beaf89b0ab4ff61f6de63441\nAuthor: User2 <user2@example.com>\nDate:   Sun Aug 6 19:55:01 2017 +0200\n\n    good signed commit\n\ndiff --git a/readme.md b/readme.md\nnew file mode 100644\nindex 0000000..458121c\n--- /dev/null\n+++ b/readme.md\n@@ -0,0 +1 @@\n+good sign\n",
 		resp.Body.String())
 
 	// Test getting patch
-	reqPatch := NewRequestf(t, "GET", "/api/v1/repos/%s/repo16/git/commits/f27c2b2b03dcab38beaf89b0ab4ff61f6de63441.patch?token="+token, user.Name)
+	reqPatch := NewRequestf(t, "GET", "/api/v1/repos/%s/repo16/git/commits/f27c2b2b03dcab38beaf89b0ab4ff61f6de63441.patch", user.Name).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, reqPatch, http.StatusOK)
 	assert.EqualValues(t,
 		"From f27c2b2b03dcab38beaf89b0ab4ff61f6de63441 Mon Sep 17 00:00:00 2001\nFrom: User2 <user2@example.com>\nDate: Sun, 6 Aug 2017 19:55:01 +0200\nSubject: [PATCH] good signed commit\n\n---\n readme.md | 1 +\n 1 file changed, 1 insertion(+)\n create mode 100644 readme.md\n\ndiff --git a/readme.md b/readme.md\nnew file mode 100644\nindex 0000000..458121c\n--- /dev/null\n+++ b/readme.md\n@@ -0,0 +1 @@\n+good sign\n",
@@ -186,7 +197,8 @@ func TestGetFileHistory(t *testing.T) {
 	session := loginUser(t, user.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
 
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo16/commits?path=readme.md&token="+token+"&sha=good-sign", user.Name)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo16/commits?path=readme.md&sha=good-sign", user.Name).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var apiData []api.Commit
@@ -206,7 +218,8 @@ func TestGetFileHistoryNotOnMaster(t *testing.T) {
 	session := loginUser(t, user.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
 
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo20/commits?path=test.csv&token="+token+"&sha=add-csv&not=master", user.Name)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo20/commits?path=test.csv&sha=add-csv&not=master", user.Name).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var apiData []api.Commit
diff --git a/tests/integration/api_repo_git_hook_test.go b/tests/integration/api_repo_git_hook_test.go
index 9f3205ce60d9e..9917b41790d12 100644
--- a/tests/integration/api_repo_git_hook_test.go
+++ b/tests/integration/api_repo_git_hook_test.go
@@ -32,8 +32,8 @@ func TestAPIListGitHooks(t *testing.T) {
 	// user1 is an admin user
 	session := loginUser(t, "user1")
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git?token=%s",
-		owner.Name, repo.Name, token)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git", owner.Name, repo.Name).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	var apiGitHooks []*api.GitHook
 	DecodeJSON(t, resp, &apiGitHooks)
@@ -58,8 +58,8 @@ func TestAPIListGitHooksNoHooks(t *testing.T) {
 	// user1 is an admin user
 	session := loginUser(t, "user1")
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git?token=%s",
-		owner.Name, repo.Name, token)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git", owner.Name, repo.Name).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	var apiGitHooks []*api.GitHook
 	DecodeJSON(t, resp, &apiGitHooks)
@@ -78,8 +78,8 @@ func TestAPIListGitHooksNoAccess(t *testing.T) {
 
 	session := loginUser(t, owner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git?token=%s",
-		owner.Name, repo.Name, token)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git", owner.Name, repo.Name).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusForbidden)
 }
 
@@ -92,8 +92,8 @@ func TestAPIGetGitHook(t *testing.T) {
 	// user1 is an admin user
 	session := loginUser(t, "user1")
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git/pre-receive?token=%s",
-		owner.Name, repo.Name, token)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git/pre-receive", owner.Name, repo.Name).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	var apiGitHook *api.GitHook
 	DecodeJSON(t, resp, &apiGitHook)
@@ -109,8 +109,8 @@ func TestAPIGetGitHookNoAccess(t *testing.T) {
 
 	session := loginUser(t, owner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git/pre-receive?token=%s",
-		owner.Name, repo.Name, token)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git/pre-receive", owner.Name, repo.Name).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusForbidden)
 }
 
@@ -124,19 +124,19 @@ func TestAPIEditGitHook(t *testing.T) {
 	session := loginUser(t, "user1")
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
 
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/hooks/git/pre-receive?token=%s",
-		owner.Name, repo.Name, token)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/hooks/git/pre-receive",
+		owner.Name, repo.Name)
 	req := NewRequestWithJSON(t, "PATCH", urlStr, &api.EditGitHookOption{
 		Content: testHookContent,
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	var apiGitHook *api.GitHook
 	DecodeJSON(t, resp, &apiGitHook)
 	assert.True(t, apiGitHook.IsActive)
 	assert.Equal(t, testHookContent, apiGitHook.Content)
 
-	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git/pre-receive?token=%s",
-		owner.Name, repo.Name, token)
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git/pre-receive", owner.Name, repo.Name).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	var apiGitHook2 *api.GitHook
 	DecodeJSON(t, resp, &apiGitHook2)
@@ -152,11 +152,10 @@ func TestAPIEditGitHookNoAccess(t *testing.T) {
 
 	session := loginUser(t, owner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/hooks/git/pre-receive?token=%s",
-		owner.Name, repo.Name, token)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/hooks/git/pre-receive", owner.Name, repo.Name)
 	req := NewRequestWithJSON(t, "PATCH", urlStr, &api.EditGitHookOption{
 		Content: testHookContent,
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusForbidden)
 }
 
@@ -170,12 +169,12 @@ func TestAPIDeleteGitHook(t *testing.T) {
 	session := loginUser(t, "user1")
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
 
-	req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/hooks/git/pre-receive?token=%s",
-		owner.Name, repo.Name, token)
+	req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/hooks/git/pre-receive", owner.Name, repo.Name).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 
-	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git/pre-receive?token=%s",
-		owner.Name, repo.Name, token)
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git/pre-receive", owner.Name, repo.Name).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	var apiGitHook2 *api.GitHook
 	DecodeJSON(t, resp, &apiGitHook2)
@@ -191,7 +190,7 @@ func TestAPIDeleteGitHookNoAccess(t *testing.T) {
 
 	session := loginUser(t, owner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
-	req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/hooks/git/pre-receive?token=%s",
-		owner.Name, repo.Name, token)
+	req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/hooks/git/pre-receive", owner.Name, repo.Name).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusForbidden)
 }
diff --git a/tests/integration/api_repo_git_notes_test.go b/tests/integration/api_repo_git_notes_test.go
index a7327d932748f..9f3e927077e9b 100644
--- a/tests/integration/api_repo_git_notes_test.go
+++ b/tests/integration/api_repo_git_notes_test.go
@@ -24,14 +24,17 @@ func TestAPIReposGitNotes(t *testing.T) {
 		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
 
 		// check invalid requests
-		req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/notes/12345?token=%s", user.Name, token)
+		req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/notes/12345", user.Name).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusNotFound)
 
-		req = NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/notes/..?token=%s", user.Name, token)
+		req = NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/notes/..", user.Name).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusUnprocessableEntity)
 
 		// check valid request
-		req = NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/notes/65f1bf27bc3bf70f64657658635e66094edbcb4d?token=%s", user.Name, token)
+		req = NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/notes/65f1bf27bc3bf70f64657658635e66094edbcb4d", user.Name).
+			AddTokenAuth(token)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		var apiData api.Note
diff --git a/tests/integration/api_repo_git_ref_test.go b/tests/integration/api_repo_git_ref_test.go
index 20900b3241944..875752ae3fd86 100644
--- a/tests/integration/api_repo_git_ref_test.go
+++ b/tests/integration/api_repo_git_ref_test.go
@@ -24,13 +24,16 @@ func TestAPIReposGitRefs(t *testing.T) {
 		"refs/heads/master", // Branch
 		"refs/tags/v1.1",    // Tag
 	} {
-		req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/%s?token="+token, user.Name, ref)
+		req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/%s", user.Name, ref).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusOK)
 	}
 	// Test getting all refs
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/refs?token="+token, user.Name)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/refs", user.Name).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusOK)
 	// Test getting non-existent refs
-	req = NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/refs/heads/unknown?token="+token, user.Name)
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/refs/heads/unknown", user.Name).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNotFound)
 }
diff --git a/tests/integration/api_repo_git_tags_test.go b/tests/integration/api_repo_git_tags_test.go
index a9d47abf9378d..2e8510ab1b3ae 100644
--- a/tests/integration/api_repo_git_tags_test.go
+++ b/tests/integration/api_repo_git_tags_test.go
@@ -45,7 +45,8 @@ func TestAPIGitTags(t *testing.T) {
 	aTag, _ := gitRepo.GetTag(aTagName)
 
 	// SHOULD work for annotated tags
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/git/tags/%s?token=%s", user.Name, repo.Name, aTag.ID.String(), token)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/git/tags/%s", user.Name, repo.Name, aTag.ID.String()).
+		AddTokenAuth(token)
 	res := MakeRequest(t, req, http.StatusOK)
 
 	var tag *api.AnnotatedTag
@@ -60,7 +61,8 @@ func TestAPIGitTags(t *testing.T) {
 	assert.Equal(t, util.URLJoin(repo.APIURL(), "git/tags", aTag.ID.String()), tag.URL)
 
 	// Should NOT work for lightweight tags
-	badReq := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/git/tags/%s?token=%s", user.Name, repo.Name, commit.ID.String(), token)
+	badReq := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/git/tags/%s", user.Name, repo.Name, commit.ID.String()).
+		AddTokenAuth(token)
 	MakeRequest(t, badReq, http.StatusBadRequest)
 }
 
@@ -72,17 +74,14 @@ func TestAPIDeleteTagByName(t *testing.T) {
 	session := loginUser(t, owner.LowerName)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
 
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/tags/delete-tag?token=%s",
-		owner.Name, repo.Name, token)
-
-	req := NewRequestf(t, http.MethodDelete, urlStr)
+	req := NewRequest(t, http.MethodDelete, fmt.Sprintf("/api/v1/repos/%s/%s/tags/delete-tag", owner.Name, repo.Name)).
+		AddTokenAuth(token)
 	_ = MakeRequest(t, req, http.StatusNoContent)
 
 	// Make sure that actual releases can't be deleted outright
 	createNewReleaseUsingAPI(t, session, token, owner, repo, "release-tag", "", "Release Tag", "test")
-	urlStr = fmt.Sprintf("/api/v1/repos/%s/%s/tags/release-tag?token=%s",
-		owner.Name, repo.Name, token)
 
-	req = NewRequestf(t, http.MethodDelete, urlStr)
+	req = NewRequest(t, http.MethodDelete, fmt.Sprintf("/api/v1/repos/%s/%s/tags/release-tag", owner.Name, repo.Name)).
+		AddTokenAuth(token)
 	_ = MakeRequest(t, req, http.StatusConflict)
 }
diff --git a/tests/integration/api_repo_git_trees_test.go b/tests/integration/api_repo_git_trees_test.go
index aa732b9946cf0..8eec6d8d220d6 100644
--- a/tests/integration/api_repo_git_trees_test.go
+++ b/tests/integration/api_repo_git_trees_test.go
@@ -50,7 +50,8 @@ func TestAPIReposGitTrees(t *testing.T) {
 	}
 
 	// Test using access token for a private repo that the user of the token owns
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/git/trees/%s?token=%s", user2.Name, repo16.Name, repo16TreeSHA, token)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/git/trees/%s", user2.Name, repo16.Name, repo16TreeSHA).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusOK)
 
 	// Test using bad sha
@@ -58,7 +59,8 @@ func TestAPIReposGitTrees(t *testing.T) {
 	MakeRequest(t, req, http.StatusBadRequest)
 
 	// Test using org repo "org3/repo3" where user2 is a collaborator
-	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/git/trees/%s?token=%s", org3.Name, repo3.Name, repo3TreeSHA, token)
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/git/trees/%s", org3.Name, repo3.Name, repo3TreeSHA).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusOK)
 
 	// Test using org repo "org3/repo3" with no user token
diff --git a/tests/integration/api_repo_hook_test.go b/tests/integration/api_repo_hook_test.go
index 18b12597dbdb2..f27fcc00d6b3f 100644
--- a/tests/integration/api_repo_hook_test.go
+++ b/tests/integration/api_repo_hook_test.go
@@ -27,17 +27,14 @@ func TestAPICreateHook(t *testing.T) {
 	// user1 is an admin user
 	session := loginUser(t, "user1")
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
-	completeURL := func(lastSegment string) string {
-		return fmt.Sprintf("/api/v1/repos/%s/%s/%s?token=%s", owner.Name, repo.Name, lastSegment, token)
-	}
-	req := NewRequestWithJSON(t, "POST", completeURL("hooks"), api.CreateHookOption{
+	req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/%s", owner.Name, repo.Name, "hooks"), api.CreateHookOption{
 		Type: "gitea",
 		Config: api.CreateHookOptionConfig{
 			"content_type": "json",
 			"url":          "http://example.com/",
 		},
 		AuthorizationHeader: "Bearer s3cr3t",
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusCreated)
 
 	var apiHook *api.Hook
diff --git a/tests/integration/api_repo_lfs_migrate_test.go b/tests/integration/api_repo_lfs_migrate_test.go
index 2cd7132b76ccf..8b4d79db022c1 100644
--- a/tests/integration/api_repo_lfs_migrate_test.go
+++ b/tests/integration/api_repo_lfs_migrate_test.go
@@ -33,12 +33,12 @@ func TestAPIRepoLFSMigrateLocal(t *testing.T) {
 	session := loginUser(t, user.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
 
-	req := NewRequestWithJSON(t, "POST", "/api/v1/repos/migrate?token="+token, &api.MigrateRepoOptions{
+	req := NewRequestWithJSON(t, "POST", "/api/v1/repos/migrate", &api.MigrateRepoOptions{
 		CloneAddr:   path.Join(setting.RepoRootPath, "migration/lfs-test.git"),
 		RepoOwnerID: user.ID,
 		RepoName:    "lfs-test-local",
 		LFS:         true,
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, NoExpectedStatus)
 	assert.EqualValues(t, http.StatusCreated, resp.Code)
 
diff --git a/tests/integration/api_repo_lfs_test.go b/tests/integration/api_repo_lfs_test.go
index b0e9269bb86e2..211dcf76c1128 100644
--- a/tests/integration/api_repo_lfs_test.go
+++ b/tests/integration/api_repo_lfs_test.go
@@ -82,11 +82,10 @@ func TestAPILFSBatch(t *testing.T) {
 
 	session := loginUser(t, "user2")
 
-	newRequest := func(t testing.TB, br *lfs.BatchRequest) *http.Request {
-		req := NewRequestWithJSON(t, "POST", "/user2/lfs-batch-repo.git/info/lfs/objects/batch", br)
-		req.Header.Set("Accept", lfs.MediaType)
-		req.Header.Set("Content-Type", lfs.MediaType)
-		return req
+	newRequest := func(t testing.TB, br *lfs.BatchRequest) *RequestWrapper {
+		return NewRequestWithJSON(t, "POST", "/user2/lfs-batch-repo.git/info/lfs/objects/batch", br).
+			SetHeader("Accept", lfs.MediaType).
+			SetHeader("Content-Type", lfs.MediaType)
 	}
 	decodeResponse := func(t *testing.T, b *bytes.Buffer) *lfs.BatchResponse {
 		var br lfs.BatchResponse
@@ -342,9 +341,8 @@ func TestAPILFSUpload(t *testing.T) {
 
 	session := loginUser(t, "user2")
 
-	newRequest := func(t testing.TB, p lfs.Pointer, content string) *http.Request {
-		req := NewRequestWithBody(t, "PUT", path.Join("/user2/lfs-upload-repo.git/info/lfs/objects/", p.Oid, strconv.FormatInt(p.Size, 10)), strings.NewReader(content))
-		return req
+	newRequest := func(t testing.TB, p lfs.Pointer, content string) *RequestWrapper {
+		return NewRequestWithBody(t, "PUT", path.Join("/user2/lfs-upload-repo.git/info/lfs/objects/", p.Oid, strconv.FormatInt(p.Size, 10)), strings.NewReader(content))
 	}
 
 	t.Run("InvalidPointer", func(t *testing.T) {
@@ -447,11 +445,10 @@ func TestAPILFSVerify(t *testing.T) {
 
 	session := loginUser(t, "user2")
 
-	newRequest := func(t testing.TB, p *lfs.Pointer) *http.Request {
-		req := NewRequestWithJSON(t, "POST", "/user2/lfs-verify-repo.git/info/lfs/verify", p)
-		req.Header.Set("Accept", lfs.MediaType)
-		req.Header.Set("Content-Type", lfs.MediaType)
-		return req
+	newRequest := func(t testing.TB, p *lfs.Pointer) *RequestWrapper {
+		return NewRequestWithJSON(t, "POST", "/user2/lfs-verify-repo.git/info/lfs/verify", p).
+			SetHeader("Accept", lfs.MediaType).
+			SetHeader("Content-Type", lfs.MediaType)
 	}
 
 	t.Run("InvalidJsonRequest", func(t *testing.T) {
diff --git a/tests/integration/api_repo_raw_test.go b/tests/integration/api_repo_raw_test.go
index ccb20a939ee62..e5f83d1c80c09 100644
--- a/tests/integration/api_repo_raw_test.go
+++ b/tests/integration/api_repo_raw_test.go
@@ -27,12 +27,14 @@ func TestAPIReposRaw(t *testing.T) {
 		"v1.1",   // Tag
 		"65f1bf27bc3bf70f64657658635e66094edbcb4d", // Commit
 	} {
-		req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/raw/%s/README.md?token="+token, user.Name, ref)
+		req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/raw/%s/README.md", user.Name, ref).
+			AddTokenAuth(token)
 		resp := MakeRequest(t, req, http.StatusOK)
 		assert.EqualValues(t, "file", resp.Header().Get("x-gitea-object-type"))
 	}
 	// Test default branch
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/raw/README.md?token="+token, user.Name)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/raw/README.md", user.Name).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	assert.EqualValues(t, "file", resp.Header().Get("x-gitea-object-type"))
 }
diff --git a/tests/integration/api_repo_secrets_test.go b/tests/integration/api_repo_secrets_test.go
index 263ad1608cda1..feb9bae2b22c7 100644
--- a/tests/integration/api_repo_secrets_test.go
+++ b/tests/integration/api_repo_secrets_test.go
@@ -60,44 +60,47 @@ func TestAPIRepoSecrets(t *testing.T) {
 		}
 
 		for _, c := range cases {
-			req := NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/actions/secrets/%s?token=%s", repo.FullName(), c.Name, token), api.CreateOrUpdateSecretOption{
+			req := NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/actions/secrets/%s", repo.FullName(), c.Name), api.CreateOrUpdateSecretOption{
 				Data: "data",
-			})
+			}).AddTokenAuth(token)
 			MakeRequest(t, req, c.ExpectedStatus)
 		}
 	})
 
 	t.Run("Update", func(t *testing.T) {
 		name := "update_secret"
-		url := fmt.Sprintf("/api/v1/repos/%s/actions/secrets/%s?token=%s", repo.FullName(), name, token)
+		url := fmt.Sprintf("/api/v1/repos/%s/actions/secrets/%s", repo.FullName(), name)
 
 		req := NewRequestWithJSON(t, "PUT", url, api.CreateOrUpdateSecretOption{
 			Data: "initial",
-		})
+		}).AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusCreated)
 
 		req = NewRequestWithJSON(t, "PUT", url, api.CreateOrUpdateSecretOption{
 			Data: "changed",
-		})
+		}).AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusNoContent)
 	})
 
 	t.Run("Delete", func(t *testing.T) {
 		name := "delete_secret"
-		url := fmt.Sprintf("/api/v1/repos/%s/actions/secrets/%s?token=%s", repo.FullName(), name, token)
+		url := fmt.Sprintf("/api/v1/repos/%s/actions/secrets/%s", repo.FullName(), name)
 
 		req := NewRequestWithJSON(t, "PUT", url, api.CreateOrUpdateSecretOption{
 			Data: "initial",
-		})
+		}).AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusCreated)
 
-		req = NewRequest(t, "DELETE", url)
+		req = NewRequest(t, "DELETE", url).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusNoContent)
 
-		req = NewRequest(t, "DELETE", url)
+		req = NewRequest(t, "DELETE", url).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusNotFound)
 
-		req = NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/actions/secrets/000?token=%s", repo.FullName(), token))
+		req = NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/actions/secrets/000", repo.FullName())).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusBadRequest)
 	})
 }
diff --git a/tests/integration/api_repo_tags_test.go b/tests/integration/api_repo_tags_test.go
index c4282f99284df..c6eeb404c02c4 100644
--- a/tests/integration/api_repo_tags_test.go
+++ b/tests/integration/api_repo_tags_test.go
@@ -27,7 +27,8 @@ func TestAPIRepoTags(t *testing.T) {
 
 	repoName := "repo1"
 
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/tags?token=%s", user.Name, repoName, token)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/tags", user.Name, repoName).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var tags []*api.Tag
@@ -55,14 +56,16 @@ func TestAPIRepoTags(t *testing.T) {
 	}
 
 	// get created tag
-	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/tags/%s?token=%s", user.Name, repoName, newTag.Name, token)
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/tags/%s", user.Name, repoName, newTag.Name).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	var tag *api.Tag
 	DecodeJSON(t, resp, &tag)
 	assert.EqualValues(t, newTag, tag)
 
 	// delete tag
-	delReq := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/tags/%s?token=%s", user.Name, repoName, newTag.Name, token)
+	delReq := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/tags/%s", user.Name, repoName, newTag.Name).
+		AddTokenAuth(token)
 	MakeRequest(t, delReq, http.StatusNoContent)
 
 	// check if it's gone
@@ -70,12 +73,12 @@ func TestAPIRepoTags(t *testing.T) {
 }
 
 func createNewTagUsingAPI(t *testing.T, session *TestSession, token, ownerName, repoName, name, target, msg string) *api.Tag {
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/tags?token=%s", ownerName, repoName, token)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/tags", ownerName, repoName)
 	req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateTagOption{
 		TagName: name,
 		Message: msg,
 		Target:  target,
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusCreated)
 
 	var respObj api.Tag
diff --git a/tests/integration/api_repo_teams_test.go b/tests/integration/api_repo_teams_test.go
index 23cf8a25672fc..558bac8150146 100644
--- a/tests/integration/api_repo_teams_test.go
+++ b/tests/integration/api_repo_teams_test.go
@@ -31,8 +31,8 @@ func TestAPIRepoTeams(t *testing.T) {
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
 
 	// ListTeams
-	url := fmt.Sprintf("/api/v1/repos/%s/teams?token=%s", publicOrgRepo.FullName(), token)
-	req := NewRequest(t, "GET", url)
+	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/teams", publicOrgRepo.FullName())).
+		AddTokenAuth(token)
 	res := MakeRequest(t, req, http.StatusOK)
 	var teams []*api.Team
 	DecodeJSON(t, res, &teams)
@@ -49,34 +49,34 @@ func TestAPIRepoTeams(t *testing.T) {
 	}
 
 	// IsTeam
-	url = fmt.Sprintf("/api/v1/repos/%s/teams/%s?token=%s", publicOrgRepo.FullName(), "Test_Team", token)
-	req = NewRequest(t, "GET", url)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/teams/%s", publicOrgRepo.FullName(), "Test_Team")).
+		AddTokenAuth(token)
 	res = MakeRequest(t, req, http.StatusOK)
 	var team *api.Team
 	DecodeJSON(t, res, &team)
 	assert.EqualValues(t, teams[1], team)
 
-	url = fmt.Sprintf("/api/v1/repos/%s/teams/%s?token=%s", publicOrgRepo.FullName(), "NonExistingTeam", token)
-	req = NewRequest(t, "GET", url)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/teams/%s", publicOrgRepo.FullName(), "NonExistingTeam")).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNotFound)
 
 	// AddTeam with user4
-	url = fmt.Sprintf("/api/v1/repos/%s/teams/%s?token=%s", publicOrgRepo.FullName(), "team1", token)
-	req = NewRequest(t, "PUT", url)
+	req = NewRequest(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/teams/%s", publicOrgRepo.FullName(), "team1")).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusForbidden)
 
 	// AddTeam with user2
 	user = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 	session = loginUser(t, user.Name)
 	token = getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
-	url = fmt.Sprintf("/api/v1/repos/%s/teams/%s?token=%s", publicOrgRepo.FullName(), "team1", token)
-	req = NewRequest(t, "PUT", url)
+	req = NewRequest(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/teams/%s", publicOrgRepo.FullName(), "team1")).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 	MakeRequest(t, req, http.StatusUnprocessableEntity) // test duplicate request
 
 	// DeleteTeam
-	url = fmt.Sprintf("/api/v1/repos/%s/teams/%s?token=%s", publicOrgRepo.FullName(), "team1", token)
-	req = NewRequest(t, "DELETE", url)
+	req = NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/teams/%s", publicOrgRepo.FullName(), "team1")).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 	MakeRequest(t, req, http.StatusUnprocessableEntity) // test duplicate request
 }
diff --git a/tests/integration/api_repo_test.go b/tests/integration/api_repo_test.go
index fa159c6c5b9c6..90f84c794e123 100644
--- a/tests/integration/api_repo_test.go
+++ b/tests/integration/api_repo_test.go
@@ -45,8 +45,8 @@ func TestAPIUserReposWithWrongToken(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 	wrongToken := fmt.Sprintf("Bearer %s", "wrong_token")
-	req := NewRequestf(t, "GET", "/api/v1/users/%s/repos", user.Name)
-	req = addTokenAuthHeader(req, wrongToken)
+	req := NewRequestf(t, "GET", "/api/v1/users/%s/repos", user.Name).
+		AddTokenAuth(wrongToken)
 	resp := MakeRequest(t, req, http.StatusUnauthorized)
 
 	assert.Contains(t, resp.Body.String(), "user does not exist")
@@ -208,7 +208,8 @@ func TestAPISearchRepo(t *testing.T) {
 				}
 
 				t.Run(testName, func(t *testing.T) {
-					request := NewRequest(t, "GET", testCase.requestURL+"&token="+token)
+					request := NewRequest(t, "GET", testCase.requestURL).
+						AddTokenAuth(token)
 					response := MakeRequest(t, request, http.StatusOK)
 
 					var body api.SearchResults
@@ -309,7 +310,8 @@ func TestAPIOrgRepos(t *testing.T) {
 		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadOrganization)
 
 		t.Run(testName, func(t *testing.T) {
-			req := NewRequestf(t, "GET", "/api/v1/orgs/%s/repos?token="+token, sourceOrg.Name)
+			req := NewRequestf(t, "GET", "/api/v1/orgs/%s/repos", sourceOrg.Name).
+				AddTokenAuth(token)
 			resp := MakeRequest(t, req, http.StatusOK)
 
 			var apiRepos []*api.Repository
@@ -329,7 +331,8 @@ func TestAPIGetRepoByIDUnauthorized(t *testing.T) {
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
 	session := loginUser(t, user.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
-	req := NewRequestf(t, "GET", "/api/v1/repositories/2?token="+token)
+	req := NewRequest(t, "GET", "/api/v1/repositories/2").
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNotFound)
 }
 
@@ -353,11 +356,11 @@ func TestAPIRepoMigrate(t *testing.T) {
 		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: testCase.ctxUserID})
 		session := loginUser(t, user.Name)
 		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
-		req := NewRequestWithJSON(t, "POST", "/api/v1/repos/migrate?token="+token, &api.MigrateRepoOptions{
+		req := NewRequestWithJSON(t, "POST", "/api/v1/repos/migrate", &api.MigrateRepoOptions{
 			CloneAddr:   testCase.cloneURL,
 			RepoOwnerID: testCase.userID,
 			RepoName:    testCase.repoName,
-		})
+		}).AddTokenAuth(token)
 		resp := MakeRequest(t, req, NoExpectedStatus)
 		if resp.Code == http.StatusUnprocessableEntity {
 			respJSON := map[string]string{}
@@ -398,12 +401,13 @@ func testAPIRepoMigrateConflict(t *testing.T, u *url.URL) {
 
 		cloneURL := "https://github.com/go-gitea/test_repo.git"
 
-		req := NewRequestWithJSON(t, "POST", "/api/v1/repos/migrate?token="+httpContext.Token,
+		req := NewRequestWithJSON(t, "POST", "/api/v1/repos/migrate",
 			&api.MigrateRepoOptions{
 				CloneAddr:   cloneURL,
 				RepoOwnerID: userID,
 				RepoName:    httpContext.Reponame,
-			})
+			}).
+			AddTokenAuth(httpContext.Token)
 		resp := httpContext.Session.MakeRequest(t, req, http.StatusConflict)
 		respJSON := map[string]string{}
 		DecodeJSON(t, resp, &respJSON)
@@ -425,7 +429,8 @@ func TestAPIMirrorSyncNonMirrorRepo(t *testing.T) {
 	DecodeJSON(t, resp, &repo)
 	assert.False(t, repo.Mirror)
 
-	req = NewRequestf(t, "POST", "/api/v1/repos/user2/repo1/mirror-sync?token=%s", token)
+	req = NewRequestf(t, "POST", "/api/v1/repos/user2/repo1/mirror-sync").
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusBadRequest)
 	errRespJSON := map[string]string{}
 	DecodeJSON(t, resp, &errRespJSON)
@@ -450,9 +455,9 @@ func TestAPIOrgRepoCreate(t *testing.T) {
 		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: testCase.ctxUserID})
 		session := loginUser(t, user.Name)
 		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteOrganization, auth_model.AccessTokenScopeWriteRepository)
-		req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/org/%s/repos?token="+token, testCase.orgName), &api.CreateRepoOption{
+		req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/org/%s/repos", testCase.orgName), &api.CreateRepoOption{
 			Name: testCase.repoName,
-		})
+		}).AddTokenAuth(token)
 		MakeRequest(t, req, testCase.expectedStatus)
 	}
 }
@@ -473,10 +478,11 @@ func testAPIRepoCreateConflict(t *testing.T, u *url.URL) {
 		httpContext.Reponame = "repo-tmp-17"
 		t.Run("CreateRepo", doAPICreateRepository(httpContext, false))
 
-		req := NewRequestWithJSON(t, "POST", "/api/v1/user/repos?token="+httpContext.Token,
+		req := NewRequestWithJSON(t, "POST", "/api/v1/user/repos",
 			&api.CreateRepoOption{
 				Name: httpContext.Reponame,
-			})
+			}).
+			AddTokenAuth(httpContext.Token)
 		resp := httpContext.Session.MakeRequest(t, req, http.StatusConflict)
 		respJSON := map[string]string{}
 		DecodeJSON(t, resp, &respJSON)
@@ -516,13 +522,13 @@ func TestAPIRepoTransfer(t *testing.T) {
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
 	repoName := "moveME"
 	apiRepo := new(api.Repository)
-	req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/user/repos?token=%s", token), &api.CreateRepoOption{
+	req := NewRequestWithJSON(t, "POST", "/api/v1/user/repos", &api.CreateRepoOption{
 		Name:        repoName,
 		Description: "repo move around",
 		Private:     false,
 		Readme:      "Default",
 		AutoInit:    true,
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusCreated)
 	DecodeJSON(t, resp, apiRepo)
 
@@ -532,10 +538,10 @@ func TestAPIRepoTransfer(t *testing.T) {
 		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: apiRepo.ID})
 		session = loginUser(t, user.Name)
 		token = getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
-		req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer?token=%s", repo.OwnerName, repo.Name, token), &api.TransferRepoOption{
+		req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer", repo.OwnerName, repo.Name), &api.TransferRepoOption{
 			NewOwner: testCase.newOwner,
 			TeamIDs:  testCase.teams,
-		})
+		}).AddTokenAuth(token)
 		MakeRequest(t, req, testCase.expectedStatus)
 	}
 
@@ -551,21 +557,21 @@ func transfer(t *testing.T) *repo_model.Repository {
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
 	repoName := "moveME"
 	apiRepo := new(api.Repository)
-	req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/user/repos?token=%s", token), &api.CreateRepoOption{
+	req := NewRequestWithJSON(t, "POST", "/api/v1/user/repos", &api.CreateRepoOption{
 		Name:        repoName,
 		Description: "repo move around",
 		Private:     false,
 		Readme:      "Default",
 		AutoInit:    true,
-	})
+	}).AddTokenAuth(token)
 
 	resp := MakeRequest(t, req, http.StatusCreated)
 	DecodeJSON(t, resp, apiRepo)
 
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: apiRepo.ID})
-	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer?token=%s", repo.OwnerName, repo.Name, token), &api.TransferRepoOption{
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer", repo.OwnerName, repo.Name), &api.TransferRepoOption{
 		NewOwner: "user4",
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusCreated)
 
 	return repo
@@ -579,18 +585,21 @@ func TestAPIAcceptTransfer(t *testing.T) {
 	// try to accept with not authorized user
 	session := loginUser(t, "user2")
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
-	req := NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer/reject?token=%s", repo.OwnerName, repo.Name, token))
+	req := NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer/reject", repo.OwnerName, repo.Name)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusForbidden)
 
 	// try to accept repo that's not marked as transferred
-	req = NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer/accept?token=%s", "user2", "repo1", token))
+	req = NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer/accept", "user2", "repo1")).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNotFound)
 
 	// accept transfer
 	session = loginUser(t, "user4")
 	token = getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
 
-	req = NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer/accept?token=%s", repo.OwnerName, repo.Name, token))
+	req = NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer/accept", repo.OwnerName, repo.Name)).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusAccepted)
 	apiRepo := new(api.Repository)
 	DecodeJSON(t, resp, apiRepo)
@@ -605,18 +614,21 @@ func TestAPIRejectTransfer(t *testing.T) {
 	// try to reject with not authorized user
 	session := loginUser(t, "user2")
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
-	req := NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer/reject?token=%s", repo.OwnerName, repo.Name, token))
+	req := NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer/reject", repo.OwnerName, repo.Name)).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusForbidden)
 
 	// try to reject repo that's not marked as transferred
-	req = NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer/reject?token=%s", "user2", "repo1", token))
+	req = NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer/reject", "user2", "repo1")).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNotFound)
 
 	// reject transfer
 	session = loginUser(t, "user4")
 	token = getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
 
-	req = NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer/reject?token=%s", repo.OwnerName, repo.Name, token))
+	req = NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer/reject", repo.OwnerName, repo.Name)).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	apiRepo := new(api.Repository)
 	DecodeJSON(t, resp, apiRepo)
@@ -634,26 +646,26 @@ func TestAPIGenerateRepo(t *testing.T) {
 
 	// user
 	repo := new(api.Repository)
-	req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/generate?token=%s", templateRepo.OwnerName, templateRepo.Name, token), &api.GenerateRepoOption{
+	req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/generate", templateRepo.OwnerName, templateRepo.Name), &api.GenerateRepoOption{
 		Owner:       user.Name,
 		Name:        "new-repo",
 		Description: "test generate repo",
 		Private:     false,
 		GitContent:  true,
-	})
+	}).AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusCreated)
 	DecodeJSON(t, resp, repo)
 
 	assert.Equal(t, "new-repo", repo.Name)
 
 	// org
-	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/generate?token=%s", templateRepo.OwnerName, templateRepo.Name, token), &api.GenerateRepoOption{
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/generate", templateRepo.OwnerName, templateRepo.Name), &api.GenerateRepoOption{
 		Owner:       "org3",
 		Name:        "new-repo",
 		Description: "test generate repo",
 		Private:     false,
 		GitContent:  true,
-	})
+	}).AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusCreated)
 	DecodeJSON(t, resp, repo)
 
@@ -667,7 +679,8 @@ func TestAPIRepoGetReviewers(t *testing.T) {
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
 
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/reviewers?token=%s", user.Name, repo.Name, token)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/reviewers", user.Name, repo.Name).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	var reviewers []*api.User
 	DecodeJSON(t, resp, &reviewers)
@@ -681,7 +694,8 @@ func TestAPIRepoGetAssignees(t *testing.T) {
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
 
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/assignees?token=%s", user.Name, repo.Name, token)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/assignees", user.Name, repo.Name).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	var assignees []*api.User
 	DecodeJSON(t, resp, &assignees)
diff --git a/tests/integration/api_repo_topic_test.go b/tests/integration/api_repo_topic_test.go
index e7c9b95543b31..c41bc4abb638f 100644
--- a/tests/integration/api_repo_topic_test.go
+++ b/tests/integration/api_repo_topic_test.go
@@ -63,30 +63,33 @@ func TestAPIRepoTopic(t *testing.T) {
 	token2 := getUserToken(t, user2.Name, auth_model.AccessTokenScopeWriteRepository)
 
 	// Test read topics using login
-	url := fmt.Sprintf("/api/v1/repos/%s/%s/topics", user2.Name, repo2.Name)
-	req := NewRequest(t, "GET", url+"?token="+token2)
+	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/topics", user2.Name, repo2.Name)).
+		AddTokenAuth(token2)
 	res := MakeRequest(t, req, http.StatusOK)
 	var topics *api.TopicName
 	DecodeJSON(t, res, &topics)
 	assert.ElementsMatch(t, []string{"topicname1", "topicname2"}, topics.TopicNames)
 
-	// Log out user2
-	url = fmt.Sprintf("/api/v1/repos/%s/%s/topics?token=%s", user2.Name, repo2.Name, token2)
-
 	// Test delete a topic
-	req = NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/topics/%s?token=%s", user2.Name, repo2.Name, "Topicname1", token2)
+	req = NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/topics/%s", user2.Name, repo2.Name, "Topicname1").
+		AddTokenAuth(token2)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	// Test add an existing topic
-	req = NewRequestf(t, "PUT", "/api/v1/repos/%s/%s/topics/%s?token=%s", user2.Name, repo2.Name, "Golang", token2)
+	req = NewRequestf(t, "PUT", "/api/v1/repos/%s/%s/topics/%s", user2.Name, repo2.Name, "Golang").
+		AddTokenAuth(token2)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	// Test add a topic
-	req = NewRequestf(t, "PUT", "/api/v1/repos/%s/%s/topics/%s?token=%s", user2.Name, repo2.Name, "topicName3", token2)
+	req = NewRequestf(t, "PUT", "/api/v1/repos/%s/%s/topics/%s", user2.Name, repo2.Name, "topicName3").
+		AddTokenAuth(token2)
 	MakeRequest(t, req, http.StatusNoContent)
 
+	url := fmt.Sprintf("/api/v1/repos/%s/%s/topics", user2.Name, repo2.Name)
+
 	// Test read topics using token
-	req = NewRequest(t, "GET", url)
+	req = NewRequest(t, "GET", url).
+		AddTokenAuth(token2)
 	res = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, res, &topics)
 	assert.ElementsMatch(t, []string{"topicname2", "golang", "topicname3"}, topics.TopicNames)
@@ -95,9 +98,10 @@ func TestAPIRepoTopic(t *testing.T) {
 	newTopics := []string{"   windows ", "   ", "MAC  "}
 	req = NewRequestWithJSON(t, "PUT", url, &api.RepoTopicOptions{
 		Topics: newTopics,
-	})
+	}).AddTokenAuth(token2)
 	MakeRequest(t, req, http.StatusNoContent)
-	req = NewRequest(t, "GET", url)
+	req = NewRequest(t, "GET", url).
+		AddTokenAuth(token2)
 	res = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, res, &topics)
 	assert.ElementsMatch(t, []string{"windows", "mac"}, topics.TopicNames)
@@ -106,9 +110,10 @@ func TestAPIRepoTopic(t *testing.T) {
 	newTopics = []string{"topicname1", "topicname2", "topicname!"}
 	req = NewRequestWithJSON(t, "PUT", url, &api.RepoTopicOptions{
 		Topics: newTopics,
-	})
+	}).AddTokenAuth(token2)
 	MakeRequest(t, req, http.StatusUnprocessableEntity)
-	req = NewRequest(t, "GET", url)
+	req = NewRequest(t, "GET", url).
+		AddTokenAuth(token2)
 	res = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, res, &topics)
 	assert.ElementsMatch(t, []string{"windows", "mac"}, topics.TopicNames)
@@ -117,9 +122,10 @@ func TestAPIRepoTopic(t *testing.T) {
 	newTopics = []string{"t1", "t2", "t1", "t3", "t4", "t5", "t6", "t7", "t8", "t9", "t10", "t11", "t12", "t13", "t14", "t15", "t16", "17", "t18", "t19", "t20", "t21", "t22", "t23", "t24", "t25"}
 	req = NewRequestWithJSON(t, "PUT", url, &api.RepoTopicOptions{
 		Topics: newTopics,
-	})
+	}).AddTokenAuth(token2)
 	MakeRequest(t, req, http.StatusNoContent)
-	req = NewRequest(t, "GET", url)
+	req = NewRequest(t, "GET", url).
+		AddTokenAuth(token2)
 	res = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, res, &topics)
 	assert.Len(t, topics.TopicNames, 25)
@@ -128,28 +134,31 @@ func TestAPIRepoTopic(t *testing.T) {
 	newTopics = append(newTopics, "t26")
 	req = NewRequestWithJSON(t, "PUT", url, &api.RepoTopicOptions{
 		Topics: newTopics,
-	})
+	}).AddTokenAuth(token2)
 	MakeRequest(t, req, http.StatusUnprocessableEntity)
 
 	// Test add a topic when there is already maximum
-	req = NewRequestf(t, "PUT", "/api/v1/repos/%s/%s/topics/%s?token=%s", user2.Name, repo2.Name, "t26", token2)
+	req = NewRequestf(t, "PUT", "/api/v1/repos/%s/%s/topics/%s", user2.Name, repo2.Name, "t26").
+		AddTokenAuth(token2)
 	MakeRequest(t, req, http.StatusUnprocessableEntity)
 
 	// Test delete a topic that repo doesn't have
-	req = NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/topics/%s?token=%s", user2.Name, repo2.Name, "Topicname1", token2)
+	req = NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/topics/%s", user2.Name, repo2.Name, "Topicname1").
+		AddTokenAuth(token2)
 	MakeRequest(t, req, http.StatusNotFound)
 
 	// Get user4's token
 	token4 := getUserToken(t, user4.Name, auth_model.AccessTokenScopeWriteRepository)
 
 	// Test read topics with write access
-	url = fmt.Sprintf("/api/v1/repos/%s/%s/topics?token=%s", org3.Name, repo3.Name, token4)
-	req = NewRequest(t, "GET", url)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/topics", org3.Name, repo3.Name)).
+		AddTokenAuth(token4)
 	res = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, res, &topics)
 	assert.Empty(t, topics.TopicNames)
 
 	// Test add a topic to repo with write access (requires repo admin access)
-	req = NewRequestf(t, "PUT", "/api/v1/repos/%s/%s/topics/%s?token=%s", org3.Name, repo3.Name, "topicName", token4)
+	req = NewRequestf(t, "PUT", "/api/v1/repos/%s/%s/topics/%s", org3.Name, repo3.Name, "topicName").
+		AddTokenAuth(token4)
 	MakeRequest(t, req, http.StatusForbidden)
 }
diff --git a/tests/integration/api_team_test.go b/tests/integration/api_team_test.go
index a9ae890717473..4df545284e97f 100644
--- a/tests/integration/api_team_test.go
+++ b/tests/integration/api_team_test.go
@@ -34,7 +34,8 @@ func TestAPITeam(t *testing.T) {
 
 	session := loginUser(t, user.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadOrganization)
-	req := NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamUser.TeamID)
+	req := NewRequestf(t, "GET", "/api/v1/teams/%d", teamUser.TeamID).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var apiTeam api.Team
@@ -49,7 +50,8 @@ func TestAPITeam(t *testing.T) {
 
 	session = loginUser(t, user2.Name)
 	token = getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadOrganization)
-	req = NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamUser.TeamID)
+	req = NewRequestf(t, "GET", "/api/v1/teams/%d", teamUser.TeamID).
+		AddTokenAuth(token)
 	_ = MakeRequest(t, req, http.StatusForbidden)
 
 	req = NewRequestf(t, "GET", "/api/v1/teams/%d", teamUser.TeamID)
@@ -70,7 +72,8 @@ func TestAPITeam(t *testing.T) {
 		Permission:              "write",
 		Units:                   []string{"repo.code", "repo.issues"},
 	}
-	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/orgs/%s/teams?token=%s", org.Name, token), teamToCreate)
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/orgs/%s/teams", org.Name), teamToCreate).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusCreated)
 	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
@@ -91,7 +94,8 @@ func TestAPITeam(t *testing.T) {
 		Units:                   []string{"repo.code", "repo.pulls", "repo.releases"},
 	}
 
-	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/teams/%d?token=%s", teamID, token), teamToEdit)
+	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/teams/%d", teamID), teamToEdit).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
@@ -103,7 +107,8 @@ func TestAPITeam(t *testing.T) {
 	// Edit team Description only
 	editDescription = "first team"
 	teamToEditDesc := api.EditTeamOption{Description: &editDescription}
-	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/teams/%d?token=%s", teamID, token), teamToEditDesc)
+	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/teams/%d", teamID), teamToEditDesc).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
@@ -115,7 +120,8 @@ func TestAPITeam(t *testing.T) {
 	// Read team.
 	teamRead := unittest.AssertExistsAndLoadBean(t, &organization.Team{ID: teamID})
 	assert.NoError(t, teamRead.LoadUnits(db.DefaultContext))
-	req = NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamID)
+	req = NewRequestf(t, "GET", "/api/v1/teams/%d", teamID).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
@@ -123,7 +129,8 @@ func TestAPITeam(t *testing.T) {
 		teamRead.AccessMode.String(), teamRead.GetUnitNames(), teamRead.GetUnitsMap())
 
 	// Delete team.
-	req = NewRequestf(t, "DELETE", "/api/v1/teams/%d?token="+token, teamID)
+	req = NewRequestf(t, "DELETE", "/api/v1/teams/%d", teamID).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 	unittest.AssertNotExistsBean(t, &organization.Team{ID: teamID})
 
@@ -136,7 +143,8 @@ func TestAPITeam(t *testing.T) {
 		Permission:              "write",
 		UnitsMap:                map[string]string{"repo.code": "read", "repo.issues": "write", "repo.wiki": "none"},
 	}
-	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/orgs/%s/teams?token=%s", org.Name, token), teamToCreate)
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/orgs/%s/teams", org.Name), teamToCreate).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusCreated)
 	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
@@ -157,7 +165,8 @@ func TestAPITeam(t *testing.T) {
 		UnitsMap:                map[string]string{"repo.code": "read", "repo.pulls": "read", "repo.releases": "write"},
 	}
 
-	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/teams/%d?token=%s", teamID, token), teamToEdit)
+	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/teams/%d", teamID), teamToEdit).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
@@ -169,7 +178,8 @@ func TestAPITeam(t *testing.T) {
 	// Edit team Description only
 	editDescription = "second team"
 	teamToEditDesc = api.EditTeamOption{Description: &editDescription}
-	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/teams/%d?token=%s", teamID, token), teamToEditDesc)
+	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/teams/%d", teamID), teamToEditDesc).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
@@ -180,7 +190,8 @@ func TestAPITeam(t *testing.T) {
 
 	// Read team.
 	teamRead = unittest.AssertExistsAndLoadBean(t, &organization.Team{ID: teamID})
-	req = NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamID)
+	req = NewRequestf(t, "GET", "/api/v1/teams/%d", teamID).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)
 	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
@@ -189,7 +200,8 @@ func TestAPITeam(t *testing.T) {
 		teamRead.AccessMode.String(), teamRead.GetUnitNames(), teamRead.GetUnitsMap())
 
 	// Delete team.
-	req = NewRequestf(t, "DELETE", "/api/v1/teams/%d?token="+token, teamID)
+	req = NewRequestf(t, "DELETE", "/api/v1/teams/%d", teamID).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 	unittest.AssertNotExistsBean(t, &organization.Team{ID: teamID})
 
@@ -200,7 +212,8 @@ func TestAPITeam(t *testing.T) {
 		IncludesAllRepositories: true,
 		Permission:              "admin",
 	}
-	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/orgs/%s/teams?token=%s", org.Name, token), teamToCreate)
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/orgs/%s/teams", org.Name), teamToCreate).
+		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusCreated)
 	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
@@ -219,7 +232,8 @@ func TestAPITeam(t *testing.T) {
 	teamID = apiTeam.ID
 
 	// Delete team.
-	req = NewRequestf(t, "DELETE", "/api/v1/teams/%d?token="+token, teamID)
+	req = NewRequestf(t, "DELETE", "/api/v1/teams/%d", teamID).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 	unittest.AssertNotExistsBean(t, &organization.Team{ID: teamID})
 }
@@ -263,7 +277,8 @@ func TestAPITeamSearch(t *testing.T) {
 	var results TeamSearchResults
 
 	token := getUserToken(t, user.Name, auth_model.AccessTokenScopeReadOrganization)
-	req := NewRequestf(t, "GET", "/api/v1/orgs/%s/teams/search?q=%s&token=%s", org.Name, "_team", token)
+	req := NewRequestf(t, "GET", "/api/v1/orgs/%s/teams/search?q=%s", org.Name, "_team").
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &results)
 	assert.NotEmpty(t, results.Data)
@@ -274,7 +289,8 @@ func TestAPITeamSearch(t *testing.T) {
 	user5 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
 	token5 := getUserToken(t, user5.Name, auth_model.AccessTokenScopeReadOrganization)
 
-	req = NewRequestf(t, "GET", "/api/v1/orgs/%s/teams/search?q=%s&token=%s", org.Name, "team", token5)
+	req = NewRequestf(t, "GET", "/api/v1/orgs/%s/teams/search?q=%s", org.Name, "team").
+		AddTokenAuth(token5)
 	MakeRequest(t, req, http.StatusForbidden)
 }
 
@@ -288,7 +304,8 @@ func TestAPIGetTeamRepo(t *testing.T) {
 	var results api.Repository
 
 	token := getUserToken(t, user.Name, auth_model.AccessTokenScopeReadOrganization)
-	req := NewRequestf(t, "GET", "/api/v1/teams/%d/repos/%s/?token=%s", team.ID, teamRepo.FullName(), token)
+	req := NewRequestf(t, "GET", "/api/v1/teams/%d/repos/%s/", team.ID, teamRepo.FullName()).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &results)
 	assert.Equal(t, "big_test_private_4", teamRepo.Name)
@@ -297,6 +314,7 @@ func TestAPIGetTeamRepo(t *testing.T) {
 	user5 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
 	token5 := getUserToken(t, user5.Name, auth_model.AccessTokenScopeReadOrganization)
 
-	req = NewRequestf(t, "GET", "/api/v1/teams/%d/repos/%s/?token=%s", team.ID, teamRepo.FullName(), token5)
+	req = NewRequestf(t, "GET", "/api/v1/teams/%d/repos/%s/", team.ID, teamRepo.FullName()).
+		AddTokenAuth(token5)
 	MakeRequest(t, req, http.StatusNotFound)
 }
diff --git a/tests/integration/api_team_user_test.go b/tests/integration/api_team_user_test.go
index aa33c690413b9..6c80bc9f80b09 100644
--- a/tests/integration/api_team_user_test.go
+++ b/tests/integration/api_team_user_test.go
@@ -25,10 +25,12 @@ func TestAPITeamUser(t *testing.T) {
 	normalUsername := "user2"
 	session := loginUser(t, normalUsername)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadOrganization)
-	req := NewRequest(t, "GET", "/api/v1/teams/1/members/user1?token="+token)
+	req := NewRequest(t, "GET", "/api/v1/teams/1/members/user1").
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNotFound)
 
-	req = NewRequest(t, "GET", "/api/v1/teams/1/members/user2?token="+token)
+	req = NewRequest(t, "GET", "/api/v1/teams/1/members/user2").
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	var user2 *api.User
 	DecodeJSON(t, resp, &user2)
diff --git a/tests/integration/api_token_test.go b/tests/integration/api_token_test.go
index e28d9a372f3f0..9c7bf37330d03 100644
--- a/tests/integration/api_token_test.go
+++ b/tests/integration/api_token_test.go
@@ -35,8 +35,8 @@ func TestAPIDeleteMissingToken(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
 
-	req := NewRequestf(t, "DELETE", "/api/v1/users/user1/tokens/%d", unittest.NonexistentID)
-	req = AddBasicAuthHeader(req, user.Name)
+	req := NewRequestf(t, "DELETE", "/api/v1/users/user1/tokens/%d", unittest.NonexistentID).
+		AddBasicAuth(user.Name)
 	MakeRequest(t, req, http.StatusNotFound)
 }
 
@@ -46,20 +46,20 @@ func TestAPIGetTokensPermission(t *testing.T) {
 
 	// admin can get tokens for other users
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
-	req := NewRequestf(t, "GET", "/api/v1/users/user2/tokens")
-	req = AddBasicAuthHeader(req, user.Name)
+	req := NewRequest(t, "GET", "/api/v1/users/user2/tokens").
+		AddBasicAuth(user.Name)
 	MakeRequest(t, req, http.StatusOK)
 
 	// non-admin can get tokens for himself
 	user = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
-	req = NewRequestf(t, "GET", "/api/v1/users/user2/tokens")
-	req = AddBasicAuthHeader(req, user.Name)
+	req = NewRequest(t, "GET", "/api/v1/users/user2/tokens").
+		AddBasicAuth(user.Name)
 	MakeRequest(t, req, http.StatusOK)
 
 	// non-admin can't get tokens for other users
 	user = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
-	req = NewRequestf(t, "GET", "/api/v1/users/user2/tokens")
-	req = AddBasicAuthHeader(req, user.Name)
+	req = NewRequest(t, "GET", "/api/v1/users/user2/tokens").
+		AddBasicAuth(user.Name)
 	MakeRequest(t, req, http.StatusForbidden)
 }
 
@@ -73,20 +73,20 @@ func TestAPIDeleteTokensPermission(t *testing.T) {
 
 	// admin can delete tokens for other users
 	createAPIAccessTokenWithoutCleanUp(t, "test-key-1", user2, nil)
-	req := NewRequestf(t, "DELETE", "/api/v1/users/"+user2.LoginName+"/tokens/test-key-1")
-	req = AddBasicAuthHeader(req, admin.Name)
+	req := NewRequest(t, "DELETE", "/api/v1/users/"+user2.LoginName+"/tokens/test-key-1").
+		AddBasicAuth(admin.Name)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	// non-admin can delete tokens for himself
 	createAPIAccessTokenWithoutCleanUp(t, "test-key-2", user2, nil)
-	req = NewRequestf(t, "DELETE", "/api/v1/users/"+user2.LoginName+"/tokens/test-key-2")
-	req = AddBasicAuthHeader(req, user2.Name)
+	req = NewRequest(t, "DELETE", "/api/v1/users/"+user2.LoginName+"/tokens/test-key-2").
+		AddBasicAuth(user2.Name)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	// non-admin can't delete tokens for other users
 	createAPIAccessTokenWithoutCleanUp(t, "test-key-3", user2, nil)
-	req = NewRequestf(t, "DELETE", "/api/v1/users/"+user2.LoginName+"/tokens/test-key-3")
-	req = AddBasicAuthHeader(req, user4.Name)
+	req = NewRequest(t, "DELETE", "/api/v1/users/"+user2.LoginName+"/tokens/test-key-3").
+		AddBasicAuth(user4.Name)
 	MakeRequest(t, req, http.StatusForbidden)
 }
 
@@ -117,9 +117,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
 	// from other endpoints and not updated.
 	//
 	// Test cases are in alphabetical order by URL.
-	//
-	// Note: query parameters are not currently supported since the token is
-	// appended with `?=token=<token>`.
 	testCases := []requiredScopeTestCase{
 		{
 			"/api/v1/admin/emails",
@@ -526,11 +523,9 @@ func runTestCase(t *testing.T, testCase *requiredScopeTestCase, user *user_model
 		accessToken := createAPIAccessTokenWithoutCleanUp(t, "test-token", user, &unauthorizedScopes)
 		defer deleteAPIAccessToken(t, accessToken, user)
 
-		// Add API access token to the URL.
-		url := fmt.Sprintf("%s?token=%s", testCase.url, accessToken.Token)
-
 		// Request the endpoint.  Verify that permission is denied.
-		req := NewRequestf(t, testCase.method, url)
+		req := NewRequest(t, testCase.method, testCase.url).
+			AddTokenAuth(accessToken.Token)
 		MakeRequest(t, req, http.StatusForbidden)
 	})
 }
@@ -552,9 +547,8 @@ func createAPIAccessTokenWithoutCleanUp(t *testing.T, tokenName string, user *us
 		}
 	}
 	log.Debug("Requesting creation of token with scopes: %v", scopes)
-	req := NewRequestWithJSON(t, "POST", "/api/v1/users/"+user.LoginName+"/tokens", payload)
-
-	req = AddBasicAuthHeader(req, user.Name)
+	req := NewRequestWithJSON(t, "POST", "/api/v1/users/"+user.LoginName+"/tokens", payload).
+		AddBasicAuth(user.Name)
 	resp := MakeRequest(t, req, http.StatusCreated)
 
 	var newAccessToken api.AccessToken
@@ -572,8 +566,8 @@ func createAPIAccessTokenWithoutCleanUp(t *testing.T, tokenName string, user *us
 // createAPIAccessTokenWithoutCleanUp Delete an API access token and assert that
 // deletion succeeded.
 func deleteAPIAccessToken(t *testing.T, accessToken api.AccessToken, user *user_model.User) {
-	req := NewRequestf(t, "DELETE", "/api/v1/users/"+user.LoginName+"/tokens/%d", accessToken.ID)
-	req = AddBasicAuthHeader(req, user.Name)
+	req := NewRequestf(t, "DELETE", "/api/v1/users/"+user.LoginName+"/tokens/%d", accessToken.ID).
+		AddBasicAuth(user.Name)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	unittest.AssertNotExistsBean(t, &auth_model.AccessToken{ID: accessToken.ID})
diff --git a/tests/integration/api_twofa_test.go b/tests/integration/api_twofa_test.go
index 1e5e26b8ccb0b..aad806b6dc4ff 100644
--- a/tests/integration/api_twofa_test.go
+++ b/tests/integration/api_twofa_test.go
@@ -23,8 +23,8 @@ func TestAPITwoFactor(t *testing.T) {
 
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 16})
 
-	req := NewRequestf(t, "GET", "/api/v1/user")
-	req = AddBasicAuthHeader(req, user.Name)
+	req := NewRequest(t, "GET", "/api/v1/user").
+		AddBasicAuth(user.Name)
 	MakeRequest(t, req, http.StatusOK)
 
 	otpKey, err := totp.Generate(totp.GenerateOpts{
@@ -41,15 +41,15 @@ func TestAPITwoFactor(t *testing.T) {
 
 	assert.NoError(t, auth_model.NewTwoFactor(db.DefaultContext, tfa))
 
-	req = NewRequestf(t, "GET", "/api/v1/user")
-	req = AddBasicAuthHeader(req, user.Name)
+	req = NewRequest(t, "GET", "/api/v1/user").
+		AddBasicAuth(user.Name)
 	MakeRequest(t, req, http.StatusUnauthorized)
 
 	passcode, err := totp.GenerateCode(otpKey.Secret(), time.Now())
 	assert.NoError(t, err)
 
-	req = NewRequestf(t, "GET", "/api/v1/user")
-	req = AddBasicAuthHeader(req, user.Name)
+	req = NewRequest(t, "GET", "/api/v1/user").
+		AddBasicAuth(user.Name)
 	req.Header.Set("X-Gitea-OTP", passcode)
 	MakeRequest(t, req, http.StatusOK)
 }
diff --git a/tests/integration/api_user_avatar_test.go b/tests/integration/api_user_avatar_test.go
index 807c119e2c99c..5b4546f1504a2 100644
--- a/tests/integration/api_user_avatar_test.go
+++ b/tests/integration/api_user_avatar_test.go
@@ -35,14 +35,16 @@ func TestAPIUpdateUserAvatar(t *testing.T) {
 		Image: base64.StdEncoding.EncodeToString(avatar),
 	}
 
-	req := NewRequestWithJSON(t, "POST", "/api/v1/user/avatar?token="+token, &opts)
+	req := NewRequestWithJSON(t, "POST", "/api/v1/user/avatar", &opts).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 
 	opts = api.UpdateUserAvatarOption{
 		Image: "Invalid",
 	}
 
-	req = NewRequestWithJSON(t, "POST", "/api/v1/user/avatar?token="+token, &opts)
+	req = NewRequestWithJSON(t, "POST", "/api/v1/user/avatar", &opts).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusBadRequest)
 
 	// Test what happens if you use a file that is not an image
@@ -56,7 +58,8 @@ func TestAPIUpdateUserAvatar(t *testing.T) {
 		Image: base64.StdEncoding.EncodeToString(text),
 	}
 
-	req = NewRequestWithJSON(t, "POST", "/api/v1/user/avatar?token="+token, &opts)
+	req = NewRequestWithJSON(t, "POST", "/api/v1/user/avatar", &opts).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusInternalServerError)
 }
 
@@ -67,6 +70,7 @@ func TestAPIDeleteUserAvatar(t *testing.T) {
 	session := loginUser(t, normalUsername)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser)
 
-	req := NewRequest(t, "DELETE", "/api/v1/user/avatar?token="+token)
+	req := NewRequest(t, "DELETE", "/api/v1/user/avatar").
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 }
diff --git a/tests/integration/api_user_email_test.go b/tests/integration/api_user_email_test.go
index 9fff42af42253..6eeb547444550 100644
--- a/tests/integration/api_user_email_test.go
+++ b/tests/integration/api_user_email_test.go
@@ -21,7 +21,8 @@ func TestAPIListEmails(t *testing.T) {
 	session := loginUser(t, normalUsername)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadUser)
 
-	req := NewRequest(t, "GET", "/api/v1/user/emails?token="+token)
+	req := NewRequest(t, "GET", "/api/v1/user/emails").
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var emails []*api.Email
@@ -52,13 +53,15 @@ func TestAPIAddEmail(t *testing.T) {
 		Emails: []string{"user101@example.com"},
 	}
 
-	req := NewRequestWithJSON(t, "POST", "/api/v1/user/emails?token="+token, &opts)
+	req := NewRequestWithJSON(t, "POST", "/api/v1/user/emails", &opts).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusUnprocessableEntity)
 
 	opts = api.CreateEmailOption{
 		Emails: []string{"user2-3@example.com"},
 	}
-	req = NewRequestWithJSON(t, "POST", "/api/v1/user/emails?token="+token, &opts)
+	req = NewRequestWithJSON(t, "POST", "/api/v1/user/emails", &opts).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusCreated)
 
 	var emails []*api.Email
@@ -74,7 +77,8 @@ func TestAPIAddEmail(t *testing.T) {
 	opts = api.CreateEmailOption{
 		Emails: []string{"notAEmail"},
 	}
-	req = NewRequestWithJSON(t, "POST", "/api/v1/user/emails?token="+token, &opts)
+	req = NewRequestWithJSON(t, "POST", "/api/v1/user/emails", &opts).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusUnprocessableEntity)
 }
 
@@ -88,16 +92,19 @@ func TestAPIDeleteEmail(t *testing.T) {
 	opts := api.DeleteEmailOption{
 		Emails: []string{"user2-3@example.com"},
 	}
-	req := NewRequestWithJSON(t, "DELETE", "/api/v1/user/emails?token="+token, &opts)
+	req := NewRequestWithJSON(t, "DELETE", "/api/v1/user/emails", &opts).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNotFound)
 
 	opts = api.DeleteEmailOption{
 		Emails: []string{"user2-2@example.com"},
 	}
-	req = NewRequestWithJSON(t, "DELETE", "/api/v1/user/emails?token="+token, &opts)
+	req = NewRequestWithJSON(t, "DELETE", "/api/v1/user/emails", &opts).
+		AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusNoContent)
 
-	req = NewRequest(t, "GET", "/api/v1/user/emails?token="+token)
+	req = NewRequest(t, "GET", "/api/v1/user/emails").
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var emails []*api.Email
diff --git a/tests/integration/api_user_follow_test.go b/tests/integration/api_user_follow_test.go
index 62717af90e2ae..1762732c10e6d 100644
--- a/tests/integration/api_user_follow_test.go
+++ b/tests/integration/api_user_follow_test.go
@@ -30,14 +30,16 @@ func TestAPIFollow(t *testing.T) {
 	t.Run("Follow", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "PUT", fmt.Sprintf("/api/v1/user/following/%s?token=%s", user1, token2))
+		req := NewRequest(t, "PUT", fmt.Sprintf("/api/v1/user/following/%s", user1)).
+			AddTokenAuth(token2)
 		MakeRequest(t, req, http.StatusNoContent)
 	})
 
 	t.Run("ListFollowing", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/following?token=%s", user2, token2))
+		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/following", user2)).
+			AddTokenAuth(token2)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		var users []api.User
@@ -49,7 +51,8 @@ func TestAPIFollow(t *testing.T) {
 	t.Run("ListMyFollowing", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/following?token=%s", token2))
+		req := NewRequest(t, "GET", "/api/v1/user/following").
+			AddTokenAuth(token2)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		var users []api.User
@@ -61,7 +64,8 @@ func TestAPIFollow(t *testing.T) {
 	t.Run("ListFollowers", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/followers?token=%s", user1, token1))
+		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/followers", user1)).
+			AddTokenAuth(token1)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		var users []api.User
@@ -73,7 +77,8 @@ func TestAPIFollow(t *testing.T) {
 	t.Run("ListMyFollowers", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/followers?token=%s", token1))
+		req := NewRequest(t, "GET", "/api/v1/user/followers").
+			AddTokenAuth(token1)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		var users []api.User
@@ -85,27 +90,32 @@ func TestAPIFollow(t *testing.T) {
 	t.Run("CheckFollowing", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/following/%s?token=%s", user2, user1, token2))
+		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/following/%s", user2, user1)).
+			AddTokenAuth(token2)
 		MakeRequest(t, req, http.StatusNoContent)
 
-		req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/following/%s?token=%s", user1, user2, token2))
+		req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/following/%s", user1, user2)).
+			AddTokenAuth(token2)
 		MakeRequest(t, req, http.StatusNotFound)
 	})
 
 	t.Run("CheckMyFollowing", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/following/%s?token=%s", user1, token2))
+		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/following/%s", user1)).
+			AddTokenAuth(token2)
 		MakeRequest(t, req, http.StatusNoContent)
 
-		req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/following/%s?token=%s", user2, token1))
+		req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/following/%s", user2)).
+			AddTokenAuth(token1)
 		MakeRequest(t, req, http.StatusNotFound)
 	})
 
 	t.Run("Unfollow", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/user/following/%s?token=%s", user1, token2))
+		req := NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/user/following/%s", user1)).
+			AddTokenAuth(token2)
 		MakeRequest(t, req, http.StatusNoContent)
 	})
 }
diff --git a/tests/integration/api_user_heatmap_test.go b/tests/integration/api_user_heatmap_test.go
index 5a7e58a02d601..a49bdd0c25222 100644
--- a/tests/integration/api_user_heatmap_test.go
+++ b/tests/integration/api_user_heatmap_test.go
@@ -27,8 +27,8 @@ func TestUserHeatmap(t *testing.T) {
 	timeutil.Set(fakeNow)
 	defer timeutil.Unset()
 
-	urlStr := fmt.Sprintf("/api/v1/users/%s/heatmap?token=%s", normalUsername, token)
-	req := NewRequest(t, "GET", urlStr)
+	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/heatmap", normalUsername)).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	var heatmap []*activities_model.UserHeatmapData
 	DecodeJSON(t, resp, &heatmap)
diff --git a/tests/integration/api_user_info_test.go b/tests/integration/api_user_info_test.go
index cf42b50a4d58c..89f726685977e 100644
--- a/tests/integration/api_user_info_test.go
+++ b/tests/integration/api_user_info_test.go
@@ -31,7 +31,8 @@ func TestAPIUserInfo(t *testing.T) {
 	t.Run("GetInfo", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s?token=%s", user2, token))
+		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s", user2)).
+			AddTokenAuth(token)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		var u api.User
@@ -48,7 +49,8 @@ func TestAPIUserInfo(t *testing.T) {
 		assert.Equal(t, org3.GetPlaceholderEmail(), u.Email)
 
 		// Test if the correct Mail is returned if a User is logged in
-		req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s?token=%s", org3.Name, token))
+		req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s", org3.Name)).
+			AddTokenAuth(token)
 		resp = MakeRequest(t, req, http.StatusOK)
 		DecodeJSON(t, resp, &u)
 		assert.Equal(t, org3.GetEmail(), u.Email)
@@ -57,7 +59,8 @@ func TestAPIUserInfo(t *testing.T) {
 	t.Run("GetAuthenticatedUser", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/user?token=%s", token))
+		req := NewRequest(t, "GET", "/api/v1/user").
+			AddTokenAuth(token)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		var u api.User
diff --git a/tests/integration/api_user_org_perm_test.go b/tests/integration/api_user_org_perm_test.go
index c61004fab4494..85bb1db1709df 100644
--- a/tests/integration/api_user_org_perm_test.go
+++ b/tests/integration/api_user_org_perm_test.go
@@ -35,7 +35,8 @@ func sampleTest(t *testing.T, auoptc apiUserOrgPermTestCase) {
 	session := loginUser(t, auoptc.LoginUser)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadOrganization, auth_model.AccessTokenScopeReadUser)
 
-	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/orgs/%s/permissions?token=%s", auoptc.User, auoptc.Organization, token))
+	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/orgs/%s/permissions", auoptc.User, auoptc.Organization)).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var apiOP api.OrganizationPermissions
@@ -128,7 +129,8 @@ func TestUnknowUser(t *testing.T) {
 	session := loginUser(t, "user1")
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadUser, auth_model.AccessTokenScopeReadOrganization)
 
-	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/unknow/orgs/org25/permissions?token=%s", token))
+	req := NewRequest(t, "GET", "/api/v1/users/unknow/orgs/org25/permissions").
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusNotFound)
 
 	var apiError api.APIError
@@ -142,7 +144,8 @@ func TestUnknowOrganization(t *testing.T) {
 	session := loginUser(t, "user1")
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadUser, auth_model.AccessTokenScopeReadOrganization)
 
-	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/user1/orgs/unknow/permissions?token=%s", token))
+	req := NewRequest(t, "GET", "/api/v1/users/user1/orgs/unknow/permissions").
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusNotFound)
 	var apiError api.APIError
 	DecodeJSON(t, resp, &apiError)
diff --git a/tests/integration/api_user_orgs_test.go b/tests/integration/api_user_orgs_test.go
index 51830961aca48..b6b4b6f2b2d2e 100644
--- a/tests/integration/api_user_orgs_test.go
+++ b/tests/integration/api_user_orgs_test.go
@@ -74,8 +74,8 @@ func getUserOrgs(t *testing.T, userDoer, userCheck string) (orgs []*api.Organiza
 	if len(userDoer) != 0 {
 		token = getUserToken(t, userDoer, auth_model.AccessTokenScopeReadOrganization, auth_model.AccessTokenScopeReadUser)
 	}
-	urlStr := fmt.Sprintf("/api/v1/users/%s/orgs?token=%s", userCheck, token)
-	req := NewRequest(t, "GET", urlStr)
+	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/orgs", userCheck)).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &orgs)
 	return orgs
@@ -95,7 +95,8 @@ func TestMyOrgs(t *testing.T) {
 
 	normalUsername := "user2"
 	token := getUserToken(t, normalUsername, auth_model.AccessTokenScopeReadOrganization, auth_model.AccessTokenScopeReadUser)
-	req = NewRequest(t, "GET", "/api/v1/user/orgs?token="+token)
+	req = NewRequest(t, "GET", "/api/v1/user/orgs").
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 	var orgs []*api.Organization
 	DecodeJSON(t, resp, &orgs)
diff --git a/tests/integration/api_user_search_test.go b/tests/integration/api_user_search_test.go
index ddfeb25234b4d..f776b35325768 100644
--- a/tests/integration/api_user_search_test.go
+++ b/tests/integration/api_user_search_test.go
@@ -27,7 +27,8 @@ func TestAPIUserSearchLoggedIn(t *testing.T) {
 	session := loginUser(t, adminUsername)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadUser)
 	query := "user2"
-	req := NewRequestf(t, "GET", "/api/v1/users/search?token=%s&q=%s", token, query)
+	req := NewRequestf(t, "GET", "/api/v1/users/search?q=%s", query).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var results SearchResults
@@ -84,8 +85,8 @@ func TestAPIUserSearchAdminLoggedInUserHidden(t *testing.T) {
 	session := loginUser(t, adminUsername)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadUser)
 	query := "user31"
-	req := NewRequestf(t, "GET", "/api/v1/users/search?token=%s&q=%s", token, query)
-	req.SetBasicAuth(token, "x-oauth-basic")
+	req := NewRequestf(t, "GET", "/api/v1/users/search?q=%s", query).
+		AddTokenAuth(token)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var results SearchResults
diff --git a/tests/integration/api_user_secrets_test.go b/tests/integration/api_user_secrets_test.go
index 5909f4b831541..56bf30e804412 100644
--- a/tests/integration/api_user_secrets_test.go
+++ b/tests/integration/api_user_secrets_test.go
@@ -55,44 +55,47 @@ func TestAPIUserSecrets(t *testing.T) {
 		}
 
 		for _, c := range cases {
-			req := NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/user/actions/secrets/%s?token=%s", c.Name, token), api.CreateOrUpdateSecretOption{
+			req := NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/user/actions/secrets/%s", c.Name), api.CreateOrUpdateSecretOption{
 				Data: "data",
-			})
+			}).AddTokenAuth(token)
 			MakeRequest(t, req, c.ExpectedStatus)
 		}
 	})
 
 	t.Run("Update", func(t *testing.T) {
 		name := "update_secret"
-		url := fmt.Sprintf("/api/v1/user/actions/secrets/%s?token=%s", name, token)
+		url := fmt.Sprintf("/api/v1/user/actions/secrets/%s", name)
 
 		req := NewRequestWithJSON(t, "PUT", url, api.CreateOrUpdateSecretOption{
 			Data: "initial",
-		})
+		}).AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusCreated)
 
 		req = NewRequestWithJSON(t, "PUT", url, api.CreateOrUpdateSecretOption{
 			Data: "changed",
-		})
+		}).AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusNoContent)
 	})
 
 	t.Run("Delete", func(t *testing.T) {
 		name := "delete_secret"
-		url := fmt.Sprintf("/api/v1/user/actions/secrets/%s?token=%s", name, token)
+		url := fmt.Sprintf("/api/v1/user/actions/secrets/%s", name)
 
 		req := NewRequestWithJSON(t, "PUT", url, api.CreateOrUpdateSecretOption{
 			Data: "initial",
-		})
+		}).AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusCreated)
 
-		req = NewRequest(t, "DELETE", url)
+		req = NewRequest(t, "DELETE", url).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusNoContent)
 
-		req = NewRequest(t, "DELETE", url)
+		req = NewRequest(t, "DELETE", url).
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusNotFound)
 
-		req = NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/user/actions/secrets/000?token=%s", token))
+		req = NewRequest(t, "DELETE", "/api/v1/user/actions/secrets/000").
+			AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusBadRequest)
 	})
 }
diff --git a/tests/integration/api_user_star_test.go b/tests/integration/api_user_star_test.go
index 15a555d17d550..50423c80e7a2b 100644
--- a/tests/integration/api_user_star_test.go
+++ b/tests/integration/api_user_star_test.go
@@ -28,14 +28,16 @@ func TestAPIStar(t *testing.T) {
 	t.Run("Star", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "PUT", fmt.Sprintf("/api/v1/user/starred/%s?token=%s", repo, tokenWithUserScope))
+		req := NewRequest(t, "PUT", fmt.Sprintf("/api/v1/user/starred/%s", repo)).
+			AddTokenAuth(tokenWithUserScope)
 		MakeRequest(t, req, http.StatusNoContent)
 	})
 
 	t.Run("GetStarredRepos", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/starred?token=%s", user, token))
+		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/starred", user)).
+			AddTokenAuth(token)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		assert.Equal(t, "1", resp.Header().Get("X-Total-Count"))
@@ -49,7 +51,8 @@ func TestAPIStar(t *testing.T) {
 	t.Run("GetMyStarredRepos", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/starred?token=%s", tokenWithUserScope))
+		req := NewRequest(t, "GET", "/api/v1/user/starred").
+			AddTokenAuth(tokenWithUserScope)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		assert.Equal(t, "1", resp.Header().Get("X-Total-Count"))
@@ -63,17 +66,20 @@ func TestAPIStar(t *testing.T) {
 	t.Run("IsStarring", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/starred/%s?token=%s", repo, tokenWithUserScope))
+		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/starred/%s", repo)).
+			AddTokenAuth(tokenWithUserScope)
 		MakeRequest(t, req, http.StatusNoContent)
 
-		req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/starred/%s?token=%s", repo+"notexisting", tokenWithUserScope))
+		req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/starred/%s", repo+"notexisting")).
+			AddTokenAuth(tokenWithUserScope)
 		MakeRequest(t, req, http.StatusNotFound)
 	})
 
 	t.Run("Unstar", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/user/starred/%s?token=%s", repo, tokenWithUserScope))
+		req := NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/user/starred/%s", repo)).
+			AddTokenAuth(tokenWithUserScope)
 		MakeRequest(t, req, http.StatusNoContent)
 	})
 }
diff --git a/tests/integration/api_user_watch_test.go b/tests/integration/api_user_watch_test.go
index c07fd288d109c..20528959e8c52 100644
--- a/tests/integration/api_user_watch_test.go
+++ b/tests/integration/api_user_watch_test.go
@@ -28,14 +28,16 @@ func TestAPIWatch(t *testing.T) {
 	t.Run("Watch", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/subscription?token=%s", repo, tokenWithRepoScope))
+		req := NewRequest(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/subscription", repo)).
+			AddTokenAuth(tokenWithRepoScope)
 		MakeRequest(t, req, http.StatusOK)
 	})
 
 	t.Run("GetWatchedRepos", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/subscriptions?token=%s", user, token))
+		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/subscriptions", user)).
+			AddTokenAuth(token)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		assert.Equal(t, "1", resp.Header().Get("X-Total-Count"))
@@ -49,7 +51,8 @@ func TestAPIWatch(t *testing.T) {
 	t.Run("GetMyWatchedRepos", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/subscriptions?token=%s", tokenWithRepoScope))
+		req := NewRequest(t, "GET", "/api/v1/user/subscriptions").
+			AddTokenAuth(tokenWithRepoScope)
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		assert.Equal(t, "1", resp.Header().Get("X-Total-Count"))
@@ -63,17 +66,20 @@ func TestAPIWatch(t *testing.T) {
 	t.Run("IsWatching", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/subscription?token=%s", repo, tokenWithRepoScope))
+		req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/subscription", repo)).
+			AddTokenAuth(tokenWithRepoScope)
 		MakeRequest(t, req, http.StatusOK)
 
-		req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/subscription?token=%s", repo+"notexisting", tokenWithRepoScope))
+		req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/subscription", repo+"notexisting")).
+			AddTokenAuth(tokenWithRepoScope)
 		MakeRequest(t, req, http.StatusNotFound)
 	})
 
 	t.Run("Unwatch", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/subscription?token=%s", repo, tokenWithRepoScope))
+		req := NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/subscription", repo)).
+			AddTokenAuth(tokenWithRepoScope)
 		MakeRequest(t, req, http.StatusNoContent)
 	})
 }
diff --git a/tests/integration/api_wiki_test.go b/tests/integration/api_wiki_test.go
index f598982555b3a..05d90fc4e371d 100644
--- a/tests/integration/api_wiki_test.go
+++ b/tests/integration/api_wiki_test.go
@@ -182,13 +182,13 @@ func TestAPINewWikiPage(t *testing.T) {
 		session := loginUser(t, username)
 		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
 
-		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/wiki/new?token=%s", username, "repo1", token)
+		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/wiki/new", username, "repo1")
 
 		req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateWikiPageOptions{
 			Title:         title,
 			ContentBase64: base64.StdEncoding.EncodeToString([]byte("Wiki page content for API unit tests")),
 			Message:       "",
-		})
+		}).AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusCreated)
 	}
 }
@@ -199,13 +199,13 @@ func TestAPIEditWikiPage(t *testing.T) {
 	session := loginUser(t, username)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
 
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/wiki/page/Page-With-Spaced-Name?token=%s", username, "repo1", token)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/wiki/page/Page-With-Spaced-Name", username, "repo1")
 
 	req := NewRequestWithJSON(t, "PATCH", urlStr, &api.CreateWikiPageOptions{
 		Title:         "edited title",
 		ContentBase64: base64.StdEncoding.EncodeToString([]byte("Edited wiki page content for API unit tests")),
 		Message:       "",
-	})
+	}).AddTokenAuth(token)
 	MakeRequest(t, req, http.StatusOK)
 }
 
diff --git a/tests/integration/cors_test.go b/tests/integration/cors_test.go
index e4151d1c32e75..83d200402c86b 100644
--- a/tests/integration/cors_test.go
+++ b/tests/integration/cors_test.go
@@ -14,7 +14,7 @@ import (
 
 func TestCORSNotSet(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
-	req := NewRequestf(t, "GET", "/api/v1/version")
+	req := NewRequest(t, "GET", "/api/v1/version")
 	session := loginUser(t, "user2")
 	resp := session.MakeRequest(t, req, http.StatusOK)
 	assert.Equal(t, resp.Code, http.StatusOK)
diff --git a/tests/integration/empty_repo_test.go b/tests/integration/empty_repo_test.go
index 78453f28a585b..8842de5f6f557 100644
--- a/tests/integration/empty_repo_test.go
+++ b/tests/integration/empty_repo_test.go
@@ -6,7 +6,6 @@ package integration
 import (
 	"bytes"
 	"encoding/base64"
-	"fmt"
 	"io"
 	"mime/multipart"
 	"net/http"
@@ -119,14 +118,13 @@ func TestEmptyRepoAddFileByAPI(t *testing.T) {
 	session := loginUser(t, "user30")
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
 
-	url := fmt.Sprintf("/api/v1/repos/user30/empty/contents/new-file.txt?token=%s", token)
-	req := NewRequestWithJSON(t, "POST", url, &api.CreateFileOptions{
+	req := NewRequestWithJSON(t, "POST", "/api/v1/repos/user30/empty/contents/new-file.txt", &api.CreateFileOptions{
 		FileOptions: api.FileOptions{
 			NewBranchName: "new_branch",
 			Message:       "init",
 		},
 		ContentBase64: base64.StdEncoding.EncodeToString([]byte("newly-added-api-file")),
-	})
+	}).AddTokenAuth(token)
 
 	resp := MakeRequest(t, req, http.StatusCreated)
 	var fileResponse api.FileResponse
@@ -138,7 +136,8 @@ func TestEmptyRepoAddFileByAPI(t *testing.T) {
 	resp = session.MakeRequest(t, req, http.StatusOK)
 	assert.Contains(t, resp.Body.String(), "newly-added-api-file")
 
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/user30/empty?token=%s", token))
+	req = NewRequest(t, "GET", "/api/v1/repos/user30/empty").
+		AddTokenAuth(token)
 	resp = session.MakeRequest(t, req, http.StatusOK)
 	var apiRepo api.Repository
 	DecodeJSON(t, resp, &apiRepo)
diff --git a/tests/integration/eventsource_test.go b/tests/integration/eventsource_test.go
index 734f4a6a0a347..2ef4218977509 100644
--- a/tests/integration/eventsource_test.go
+++ b/tests/integration/eventsource_test.go
@@ -65,17 +65,20 @@ func TestEventSourceManagerRun(t *testing.T) {
 	var apiNL []api.NotificationThread
 
 	// -- mark notifications as read --
-	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?status-types=unread&token=%s", token))
+	req := NewRequest(t, "GET", "/api/v1/notifications?status-types=unread").
+		AddTokenAuth(token)
 	resp := session.MakeRequest(t, req, http.StatusOK)
 
 	DecodeJSON(t, resp, &apiNL)
 	assert.Len(t, apiNL, 2)
 
 	lastReadAt := "2000-01-01T00%3A50%3A01%2B00%3A00" // 946687801 <- only Notification 4 is in this filter ...
-	req = NewRequest(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/notifications?last_read_at=%s&token=%s", user2.Name, repo1.Name, lastReadAt, token))
+	req = NewRequest(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/notifications?last_read_at=%s", user2.Name, repo1.Name, lastReadAt)).
+		AddTokenAuth(token)
 	session.MakeRequest(t, req, http.StatusResetContent)
 
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?token=%s&status-types=unread", token))
+	req = NewRequest(t, "GET", "/api/v1/notifications?status-types=unread").
+		AddTokenAuth(token)
 	resp = session.MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiNL)
 	assert.Len(t, apiNL, 1)
diff --git a/tests/integration/integration_test.go b/tests/integration/integration_test.go
index 8534b0393b9da..1127de1afcdd4 100644
--- a/tests/integration/integration_test.go
+++ b/tests/integration/integration_test.go
@@ -163,14 +163,15 @@ func (s *TestSession) GetCookie(name string) *http.Cookie {
 	return nil
 }
 
-func (s *TestSession) MakeRequest(t testing.TB, req *http.Request, expectedStatus int) *httptest.ResponseRecorder {
+func (s *TestSession) MakeRequest(t testing.TB, rw *RequestWrapper, expectedStatus int) *httptest.ResponseRecorder {
 	t.Helper()
+	req := rw.Request
 	baseURL, err := url.Parse(setting.AppURL)
 	assert.NoError(t, err)
 	for _, c := range s.jar.Cookies(baseURL) {
 		req.AddCookie(c)
 	}
-	resp := MakeRequest(t, req, expectedStatus)
+	resp := MakeRequest(t, rw, expectedStatus)
 
 	ch := http.Header{}
 	ch.Add("Cookie", strings.Join(resp.Header()["Set-Cookie"], ";"))
@@ -180,14 +181,15 @@ func (s *TestSession) MakeRequest(t testing.TB, req *http.Request, expectedStatu
 	return resp
 }
 
-func (s *TestSession) MakeRequestNilResponseRecorder(t testing.TB, req *http.Request, expectedStatus int) *NilResponseRecorder {
+func (s *TestSession) MakeRequestNilResponseRecorder(t testing.TB, rw *RequestWrapper, expectedStatus int) *NilResponseRecorder {
 	t.Helper()
+	req := rw.Request
 	baseURL, err := url.Parse(setting.AppURL)
 	assert.NoError(t, err)
 	for _, c := range s.jar.Cookies(baseURL) {
 		req.AddCookie(c)
 	}
-	resp := MakeRequestNilResponseRecorder(t, req, expectedStatus)
+	resp := MakeRequestNilResponseRecorder(t, rw, expectedStatus)
 
 	ch := http.Header{}
 	ch.Add("Cookie", strings.Join(resp.Header()["Set-Cookie"], ";"))
@@ -197,14 +199,15 @@ func (s *TestSession) MakeRequestNilResponseRecorder(t testing.TB, req *http.Req
 	return resp
 }
 
-func (s *TestSession) MakeRequestNilResponseHashSumRecorder(t testing.TB, req *http.Request, expectedStatus int) *NilResponseHashSumRecorder {
+func (s *TestSession) MakeRequestNilResponseHashSumRecorder(t testing.TB, rw *RequestWrapper, expectedStatus int) *NilResponseHashSumRecorder {
 	t.Helper()
+	req := rw.Request
 	baseURL, err := url.Parse(setting.AppURL)
 	assert.NoError(t, err)
 	for _, c := range s.jar.Cookies(baseURL) {
 		req.AddCookie(c)
 	}
-	resp := MakeRequestNilResponseHashSumRecorder(t, req, expectedStatus)
+	resp := MakeRequestNilResponseHashSumRecorder(t, rw, expectedStatus)
 
 	ch := http.Header{}
 	ch.Add("Cookie", strings.Join(resp.Header()["Set-Cookie"], ";"))
@@ -314,17 +317,42 @@ func getTokenForLoggedInUser(t testing.TB, session *TestSession, scopes ...auth.
 	return token
 }
 
-func NewRequest(t testing.TB, method, urlStr string) *http.Request {
+type RequestWrapper struct {
+	*http.Request
+}
+
+func (req *RequestWrapper) AddBasicAuth(username string) *RequestWrapper {
+	req.Request.SetBasicAuth(username, userPassword)
+	return req
+}
+
+func (req *RequestWrapper) AddTokenAuth(token string) *RequestWrapper {
+	if token == "" {
+		return req
+	}
+	if !strings.HasPrefix(token, "Bearer ") {
+		token = "Bearer " + token
+	}
+	req.Request.Header.Set("Authorization", token)
+	return req
+}
+
+func (req *RequestWrapper) SetHeader(name, value string) *RequestWrapper {
+	req.Request.Header.Set(name, value)
+	return req
+}
+
+func NewRequest(t testing.TB, method, urlStr string) *RequestWrapper {
 	t.Helper()
 	return NewRequestWithBody(t, method, urlStr, nil)
 }
 
-func NewRequestf(t testing.TB, method, urlFormat string, args ...any) *http.Request {
+func NewRequestf(t testing.TB, method, urlFormat string, args ...any) *RequestWrapper {
 	t.Helper()
 	return NewRequest(t, method, fmt.Sprintf(urlFormat, args...))
 }
 
-func NewRequestWithValues(t testing.TB, method, urlStr string, values map[string]string) *http.Request {
+func NewRequestWithValues(t testing.TB, method, urlStr string, values map[string]string) *RequestWrapper {
 	t.Helper()
 	urlValues := url.Values{}
 	for key, value := range values {
@@ -333,43 +361,38 @@ func NewRequestWithValues(t testing.TB, method, urlStr string, values map[string
 	return NewRequestWithURLValues(t, method, urlStr, urlValues)
 }
 
-func NewRequestWithURLValues(t testing.TB, method, urlStr string, urlValues url.Values) *http.Request {
+func NewRequestWithURLValues(t testing.TB, method, urlStr string, urlValues url.Values) *RequestWrapper {
 	t.Helper()
-	req := NewRequestWithBody(t, method, urlStr, bytes.NewBufferString(urlValues.Encode()))
-	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
-	return req
+	return NewRequestWithBody(t, method, urlStr, bytes.NewBufferString(urlValues.Encode())).
+		SetHeader("Content-Type", "application/x-www-form-urlencoded")
 }
 
-func NewRequestWithJSON(t testing.TB, method, urlStr string, v any) *http.Request {
+func NewRequestWithJSON(t testing.TB, method, urlStr string, v any) *RequestWrapper {
 	t.Helper()
 
 	jsonBytes, err := json.Marshal(v)
 	assert.NoError(t, err)
-	req := NewRequestWithBody(t, method, urlStr, bytes.NewBuffer(jsonBytes))
-	req.Header.Add("Content-Type", "application/json")
-	return req
+	return NewRequestWithBody(t, method, urlStr, bytes.NewBuffer(jsonBytes)).
+		SetHeader("Content-Type", "application/json")
 }
 
-func NewRequestWithBody(t testing.TB, method, urlStr string, body io.Reader) *http.Request {
+func NewRequestWithBody(t testing.TB, method, urlStr string, body io.Reader) *RequestWrapper {
 	t.Helper()
 	if !strings.HasPrefix(urlStr, "http") && !strings.HasPrefix(urlStr, "/") {
 		urlStr = "/" + urlStr
 	}
-	request, err := http.NewRequest(method, urlStr, body)
+	req, err := http.NewRequest(method, urlStr, body)
 	assert.NoError(t, err)
-	request.RequestURI = urlStr
-	return request
-}
+	req.RequestURI = urlStr
 
-func AddBasicAuthHeader(request *http.Request, username string) *http.Request {
-	request.SetBasicAuth(username, userPassword)
-	return request
+	return &RequestWrapper{req}
 }
 
 const NoExpectedStatus = -1
 
-func MakeRequest(t testing.TB, req *http.Request, expectedStatus int) *httptest.ResponseRecorder {
+func MakeRequest(t testing.TB, rw *RequestWrapper, expectedStatus int) *httptest.ResponseRecorder {
 	t.Helper()
+	req := rw.Request
 	recorder := httptest.NewRecorder()
 	if req.RemoteAddr == "" {
 		req.RemoteAddr = "test-mock:12345"
@@ -383,8 +406,9 @@ func MakeRequest(t testing.TB, req *http.Request, expectedStatus int) *httptest.
 	return recorder
 }
 
-func MakeRequestNilResponseRecorder(t testing.TB, req *http.Request, expectedStatus int) *NilResponseRecorder {
+func MakeRequestNilResponseRecorder(t testing.TB, rw *RequestWrapper, expectedStatus int) *NilResponseRecorder {
 	t.Helper()
+	req := rw.Request
 	recorder := NewNilResponseRecorder()
 	testWebRoutes.ServeHTTP(recorder, req)
 	if expectedStatus != NoExpectedStatus {
@@ -396,8 +420,9 @@ func MakeRequestNilResponseRecorder(t testing.TB, req *http.Request, expectedSta
 	return recorder
 }
 
-func MakeRequestNilResponseHashSumRecorder(t testing.TB, req *http.Request, expectedStatus int) *NilResponseHashSumRecorder {
+func MakeRequestNilResponseHashSumRecorder(t testing.TB, rw *RequestWrapper, expectedStatus int) *NilResponseHashSumRecorder {
 	t.Helper()
+	req := rw.Request
 	recorder := NewNilResponseHashSumRecorder()
 	testWebRoutes.ServeHTTP(recorder, req)
 	if expectedStatus != NoExpectedStatus {
diff --git a/tests/integration/org_test.go b/tests/integration/org_test.go
index aa01678ea9474..94c4e197271c5 100644
--- a/tests/integration/org_test.go
+++ b/tests/integration/org_test.go
@@ -169,8 +169,8 @@ func TestOrgRestrictedUser(t *testing.T) {
 		Units:                   []string{"repo.code"},
 	}
 
-	req = NewRequestWithJSON(t, "POST",
-		fmt.Sprintf("/api/v1/orgs/%s/teams?token=%s", orgName, token), teamToCreate)
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/orgs/%s/teams", orgName), teamToCreate).
+		AddTokenAuth(token)
 
 	var apiTeam api.Team
 
@@ -183,8 +183,8 @@ func TestOrgRestrictedUser(t *testing.T) {
 	// teamID := apiTeam.ID
 
 	// Now we need to add the restricted user to the team
-	req = NewRequest(t, "PUT",
-		fmt.Sprintf("/api/v1/teams/%d/members/%s?token=%s", apiTeam.ID, restrictedUser, token))
+	req = NewRequest(t, "PUT", fmt.Sprintf("/api/v1/teams/%d/members/%s", apiTeam.ID, restrictedUser)).
+		AddTokenAuth(token)
 	_ = adminSession.MakeRequest(t, req, http.StatusNoContent)
 
 	// Now we need to check if the restrictedUser can access the repo
diff --git a/tests/integration/privateactivity_test.go b/tests/integration/privateactivity_test.go
index 2b9b814106c18..5362462f7df9f 100644
--- a/tests/integration/privateactivity_test.go
+++ b/tests/integration/privateactivity_test.go
@@ -35,11 +35,11 @@ func testPrivateActivityDoSomethingForActionEntries(t *testing.T) {
 
 	session := loginUser(t, privateActivityTestUser)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues?state=all&token=%s", owner.Name, repoBefore.Name, token)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues?state=all", owner.Name, repoBefore.Name)
 	req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateIssueOption{
 		Body:  "test",
 		Title: "test",
-	})
+	}).AddTokenAuth(token)
 	session.MakeRequest(t, req, http.StatusCreated)
 }
 
@@ -127,7 +127,8 @@ func testPrivateActivityHelperHasHeatmapContentFromPublic(t *testing.T) bool {
 func testPrivateActivityHelperHasHeatmapContentFromSession(t *testing.T, session *TestSession) bool {
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadUser)
 
-	req := NewRequestf(t, "GET", "/api/v1/users/%s/heatmap?token=%s", privateActivityTestUser, token)
+	req := NewRequestf(t, "GET", "/api/v1/users/%s/heatmap", privateActivityTestUser).
+		AddTokenAuth(token)
 	resp := session.MakeRequest(t, req, http.StatusOK)
 
 	var items []*activities_model.UserHeatmapData
diff --git a/tests/integration/pull_merge_test.go b/tests/integration/pull_merge_test.go
index a4cc3e76fe94a..d17bf4afda114 100644
--- a/tests/integration/pull_merge_test.go
+++ b/tests/integration/pull_merge_test.go
@@ -218,11 +218,11 @@ func TestCantMergeConflict(t *testing.T) {
 
 		// Use API to create a conflicting pr
 		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
-		req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls?token=%s", "user1", "repo1", token), &api.CreatePullRequestOption{
+		req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls", "user1", "repo1"), &api.CreatePullRequestOption{
 			Head:  "conflict",
 			Base:  "base",
 			Title: "create a conflicting pr",
-		})
+		}).AddTokenAuth(token)
 		session.MakeRequest(t, req, http.StatusCreated)
 
 		// Now this PR will be marked conflict - or at least a race will do - so drop down to pure code at this point...
@@ -326,11 +326,11 @@ func TestCantMergeUnrelated(t *testing.T) {
 
 		// Use API to create a conflicting pr
 		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
-		req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls?token=%s", "user1", "repo1", token), &api.CreatePullRequestOption{
+		req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls", "user1", "repo1"), &api.CreatePullRequestOption{
 			Head:  "unrelated",
 			Base:  "base",
 			Title: "create an unrelated pr",
-		})
+		}).AddTokenAuth(token)
 		session.MakeRequest(t, req, http.StatusCreated)
 
 		// Now this PR could be marked conflict - or at least a race may occur - so drop down to pure code at this point...
diff --git a/tests/integration/pull_status_test.go b/tests/integration/pull_status_test.go
index 01cb40d2cf5cb..26c99e6445974 100644
--- a/tests/integration/pull_status_test.go
+++ b/tests/integration/pull_status_test.go
@@ -77,7 +77,7 @@ func TestPullCreate_CommitStatus(t *testing.T) {
 				Context:     "testci",
 			}))
 
-			req = NewRequestf(t, "GET", "/user1/repo1/pulls/1/commits")
+			req = NewRequest(t, "GET", "/user1/repo1/pulls/1/commits")
 			resp = session.MakeRequest(t, req, http.StatusOK)
 			doc = NewHTMLParser(t, resp.Body)
 
@@ -98,9 +98,9 @@ func doAPICreateCommitStatus(ctx APITestContext, commitID string, data api.Creat
 		req := NewRequestWithJSON(
 			t,
 			http.MethodPost,
-			fmt.Sprintf("/api/v1/repos/%s/%s/statuses/%s?token=%s", ctx.Username, ctx.Reponame, commitID, ctx.Token),
+			fmt.Sprintf("/api/v1/repos/%s/%s/statuses/%s", ctx.Username, ctx.Reponame, commitID),
 			data,
-		)
+		).AddTokenAuth(ctx.Token)
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
diff --git a/tests/integration/pull_update_test.go b/tests/integration/pull_update_test.go
index e4b2ae65bd61f..078253ffb0cb8 100644
--- a/tests/integration/pull_update_test.go
+++ b/tests/integration/pull_update_test.go
@@ -40,7 +40,8 @@ func TestAPIPullUpdate(t *testing.T) {
 
 		session := loginUser(t, "user2")
 		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
-		req := NewRequestf(t, "POST", "/api/v1/repos/%s/%s/pulls/%d/update?token="+token, pr.BaseRepo.OwnerName, pr.BaseRepo.Name, pr.Issue.Index)
+		req := NewRequestf(t, "POST", "/api/v1/repos/%s/%s/pulls/%d/update", pr.BaseRepo.OwnerName, pr.BaseRepo.Name, pr.Issue.Index).
+			AddTokenAuth(token)
 		session.MakeRequest(t, req, http.StatusOK)
 
 		// Test GetDiverging after update
@@ -68,7 +69,8 @@ func TestAPIPullUpdateByRebase(t *testing.T) {
 
 		session := loginUser(t, "user2")
 		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
-		req := NewRequestf(t, "POST", "/api/v1/repos/%s/%s/pulls/%d/update?style=rebase&token="+token, pr.BaseRepo.OwnerName, pr.BaseRepo.Name, pr.Issue.Index)
+		req := NewRequestf(t, "POST", "/api/v1/repos/%s/%s/pulls/%d/update?style=rebase", pr.BaseRepo.OwnerName, pr.BaseRepo.Name, pr.Issue.Index).
+			AddTokenAuth(token)
 		session.MakeRequest(t, req, http.StatusOK)
 
 		// Test GetDiverging after update
diff --git a/tests/integration/repo_search_test.go b/tests/integration/repo_search_test.go
index d113d1e57d03a..cf199e98c2895 100644
--- a/tests/integration/repo_search_test.go
+++ b/tests/integration/repo_search_test.go
@@ -51,7 +51,7 @@ func TestSearchRepo(t *testing.T) {
 }
 
 func testSearch(t *testing.T, url string, expected []string) {
-	req := NewRequestf(t, "GET", url)
+	req := NewRequest(t, "GET", url)
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	filenames := resultFilenames(t, NewHTMLParser(t, resp.Body))
diff --git a/tests/integration/user_test.go b/tests/integration/user_test.go
index ddde415960747..d8e4c64e85443 100644
--- a/tests/integration/user_test.go
+++ b/tests/integration/user_test.go
@@ -262,7 +262,7 @@ func TestListStopWatches(t *testing.T) {
 	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
 
 	session := loginUser(t, owner.Name)
-	req := NewRequestf(t, "GET", "/user/stopwatches")
+	req := NewRequest(t, "GET", "/user/stopwatches")
 	resp := session.MakeRequest(t, req, http.StatusOK)
 	var apiWatches []*api.StopWatch
 	DecodeJSON(t, resp, &apiWatches)

From 1b26247feff7c88a021993dc11caf15355355774 Mon Sep 17 00:00:00 2001
From: Jason Song <i@wolfogre.com>
Date: Fri, 22 Dec 2023 14:20:59 +0800
Subject: [PATCH 69/84] Add more ways to try (#28581)

---
 README.md    | 7 ++++++-
 README_ZH.md | 6 +++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index dc396465a7e3c..5ab5ab858643e 100644
--- a/README.md
+++ b/README.md
@@ -62,11 +62,16 @@ painless way of setting up a self-hosted Git service.
 As Gitea is written in Go, it works across **all** the platforms and
 architectures that are supported by Go, including Linux, macOS, and
 Windows on x86, amd64, ARM and PowerPC architectures.
-You can try it out using [the online demo](https://try.gitea.io/).
 This project has been
 [forked](https://blog.gitea.com/welcome-to-gitea/) from
 [Gogs](https://gogs.io) since November of 2016, but a lot has changed.
 
+For online demonstrations, you can visit [try.gitea.io](https://try.gitea.io).
+
+For accessing free Gitea service (with a limited number of repositories), you can visit [gitea.com](https://gitea.com/user/login).
+
+To quickly deploy your own dedicated Gitea instance on Gitea Cloud, you can start a free trial at [cloud.gitea.com](https://cloud.gitea.com).
+
 ## Building
 
 From the root of the source tree, run:
diff --git a/README_ZH.md b/README_ZH.md
index dd77c05de8f02..b9384a9825b86 100644
--- a/README_ZH.md
+++ b/README_ZH.md
@@ -58,7 +58,11 @@
 
 Gitea 的首要目标是创建一个极易安装，运行非常快速，安装和使用体验良好的自建 Git 服务。我们采用 Go 作为后端语言，这使我们只要生成一个可执行程序即可。并且他还支持跨平台，支持 Linux, macOS 和 Windows 以及各种架构，除了 x86，amd64，还包括 ARM 和 PowerPC。
 
-如果您想试用一下，请访问 [在线Demo](https://try.gitea.io/)！
+如果你想试用在线演示，请访问 [try.gitea.io](https://try.gitea.io/)。
+
+如果你想使用免费的 Gitea 服务（有仓库数量限制），请访问 [gitea.com](https://gitea.com/user/login)。
+
+如果你想在 Gitea Cloud 上快速部署你自己独享的 Gitea 实例，请访问 [cloud.gitea.com](https://cloud.gitea.com) 开始免费试用。
 
 ## 提示
 

From 896456ab3b001166398a26446dea16e1caecd313 Mon Sep 17 00:00:00 2001
From: morphelinho <morphelinho@users.noreply.github.com>
Date: Fri, 22 Dec 2023 13:23:24 +0100
Subject: [PATCH 70/84] Fix 405 method not allowed CORS / OIDC (#28583)

Follow #28184
Follow #28515

Fix problem with 405 method not allowed for CORS wrt OIDC
---
 routers/web/web.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/routers/web/web.go b/routers/web/web.go
index 78b70e4392692..ca7b56e195998 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -532,9 +532,11 @@ func registerRoutes(m *web.Route) {
 		// TODO manage redirection
 		m.Post("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
 	}, ignSignInAndCsrf, reqSignIn)
+	m.Options("/login/oauth/userinfo", CorsHandler(), misc.DummyBadRequest)
 	m.Get("/login/oauth/userinfo", ignSignInAndCsrf, auth.InfoOAuth)
 	m.Options("/login/oauth/access_token", CorsHandler(), misc.DummyBadRequest)
 	m.Post("/login/oauth/access_token", CorsHandler(), web.Bind(forms.AccessTokenForm{}), ignSignInAndCsrf, auth.AccessTokenOAuth)
+	m.Options("/login/oauth/keys", CorsHandler(), misc.DummyBadRequest)
 	m.Get("/login/oauth/keys", ignSignInAndCsrf, auth.OIDCKeys)
 	m.Options("/login/oauth/introspect", CorsHandler(), misc.DummyBadRequest)
 	m.Post("/login/oauth/introspect", CorsHandler(), web.Bind(forms.IntrospectTokenForm{}), ignSignInAndCsrf, auth.IntrospectOAuth)

From e1502fbdaf66462cd7834bf0f3134511b8b99512 Mon Sep 17 00:00:00 2001
From: Zettat123 <zettat123@gmail.com>
Date: Fri, 22 Dec 2023 21:29:50 +0800
Subject: [PATCH 71/84] Fix `status_check_contexts` matching bug (#28582)

Fix #28570
Follow #24633

---
Copied from
https://github.com/go-gitea/gitea/issues/28570#issuecomment-1867327999

The feature introduced in #24633 should be compatible with
`status_check_contexts`. However, if one or more of
`status_check_contexts` is not a legal glob expressions, `glob.Compile`
will fail and the contexts cannot match.


https://github.com/go-gitea/gitea/blob/21229ed2c8ed00f57100adf9ebc5f4a08da9a66e/routers/web/repo/pull.go#L653-L663
---
 routers/web/repo/pull.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/routers/web/repo/pull.go b/routers/web/repo/pull.go
index ec109ed665c4e..39f9cefa5c669 100644
--- a/routers/web/repo/pull.go
+++ b/routers/web/repo/pull.go
@@ -653,7 +653,15 @@ func PrepareViewPullInfo(ctx *context.Context, issue *issues_model.Issue) *git.C
 	if pb != nil && pb.EnableStatusCheck {
 		ctx.Data["is_context_required"] = func(context string) bool {
 			for _, c := range pb.StatusCheckContexts {
-				if gp, err := glob.Compile(c); err == nil && gp.Match(context) {
+				if c == context {
+					return true
+				}
+				if gp, err := glob.Compile(c); err != nil {
+					// All newly created status_check_contexts are checked to ensure they are valid glob expressions before being stored in the database.
+					// But some old status_check_context created before glob was introduced may be invalid glob expressions.
+					// So log the error here for debugging.
+					log.Error("compile glob %q: %v", c, err)
+				} else if gp.Match(context) {
 					return true
 				}
 			}

From 9cee7e4aa4eb3e24aa783e48ae37e6453620b67f Mon Sep 17 00:00:00 2001
From: Yarden Shoham <git@yardenshoham.com>
Date: Fri, 22 Dec 2023 18:53:12 +0200
Subject: [PATCH 72/84] Fix wrong due date rendering in issue list page
 (#28588)

It included the hours, minutes, and seconds. By removing these, the date
renders correctly.

Signed-off-by: Yarden Shoham <git@yardenshoham.com>
---
 templates/shared/issuelist.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/shared/issuelist.tmpl b/templates/shared/issuelist.tmpl
index 7fd1f4e0f8d07..4fea93be3c627 100644
--- a/templates/shared/issuelist.tmpl
+++ b/templates/shared/issuelist.tmpl
@@ -114,7 +114,7 @@
 						<span class="due-date flex-text-inline" data-tooltip-content="{{ctx.Locale.Tr "repo.issues.due_date"}}">
 							<span{{if .IsOverdue}} class="text red"{{end}}>
 								{{svg "octicon-calendar" 14}}
-								{{DateTime "short" .DeadlineUnix}}
+								{{DateTime "short" (.DeadlineUnix.Format "2006-01-02")}}
 							</span>
 						</span>
 					{{end}}

From db269679a14433ff13ba2b72be4e8f5fa113bc7d Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Fri, 22 Dec 2023 12:51:17 -0500
Subject: [PATCH 73/84] fix integration test

---
 tests/integration/saml_test.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tests/integration/saml_test.go b/tests/integration/saml_test.go
index 41b135ac664a1..a926609d98efb 100644
--- a/tests/integration/saml_test.go
+++ b/tests/integration/saml_test.go
@@ -85,7 +85,7 @@ func TestSAMLRegistration(t *testing.T) {
 		Jar:     jar,
 	}
 
-	req, err = http.NewRequest("GET", test.RedirectURL(resp), nil)
+	httpReq, err := http.NewRequest("GET", test.RedirectURL(resp), nil)
 	assert.NoError(t, err)
 
 	var formRedirectURL *url.URL
@@ -95,7 +95,7 @@ func TestSAMLRegistration(t *testing.T) {
 		return nil
 	}
 
-	res, err := client.Do(req)
+	res, err := client.Do(httpReq)
 	client.CheckRedirect = nil
 	assert.NoError(t, err)
 	assert.Equal(t, http.StatusOK, res.StatusCode)
@@ -106,11 +106,11 @@ func TestSAMLRegistration(t *testing.T) {
 		"password": {"user1pass"},
 	}
 
-	req, err = http.NewRequest("POST", formRedirectURL.String(), strings.NewReader(form.Encode()))
+	httpReq, err = http.NewRequest("POST", formRedirectURL.String(), strings.NewReader(form.Encode()))
 	assert.NoError(t, err)
 	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
 
-	res, err = client.Do(req)
+	res, err = client.Do(httpReq)
 	assert.NoError(t, err)
 	assert.Equal(t, http.StatusOK, res.StatusCode)
 

From 2d890d283432f7299d74554b43f0d37dd1600a01 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Fri, 22 Dec 2023 15:11:48 -0500
Subject: [PATCH 74/84] add header

---
 tests/integration/saml_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/integration/saml_test.go b/tests/integration/saml_test.go
index a926609d98efb..585fd35c5f42a 100644
--- a/tests/integration/saml_test.go
+++ b/tests/integration/saml_test.go
@@ -108,7 +108,7 @@ func TestSAMLRegistration(t *testing.T) {
 
 	httpReq, err = http.NewRequest("POST", formRedirectURL.String(), strings.NewReader(form.Encode()))
 	assert.NoError(t, err)
-	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+	httpReq.Header.Add("Content-Type", "application/x-www-form-urlencoded")
 
 	res, err = client.Do(httpReq)
 	assert.NoError(t, err)

From 1e6fde26422eeb347da08344a0f0d93a06595873 Mon Sep 17 00:00:00 2001
From: techknowlogick <techknowlogick@gitea.com>
Date: Mon, 22 Jan 2024 15:50:43 -0500
Subject: [PATCH 75/84] Apply suggestions from code review

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
---
 services/auth/source/saml/name_id_format.go |  2 +-
 services/auth/source/saml/source.go         |  7 -------
 services/auth/source/saml/source_callout.go | 11 +++--------
 3 files changed, 4 insertions(+), 16 deletions(-)

diff --git a/services/auth/source/saml/name_id_format.go b/services/auth/source/saml/name_id_format.go
index 0f718b5bbf276..1ddf0477297bd 100644
--- a/services/auth/source/saml/name_id_format.go
+++ b/services/auth/source/saml/name_id_format.go
@@ -6,7 +6,7 @@ package saml
 type NameIDFormat int
 
 const (
-	SAML11Email NameIDFormat = iota
+	SAML11Email NameIDFormat = iota + 1
 	SAML11Persistent
 	SAML11Unspecified
 	SAML20Email
diff --git a/services/auth/source/saml/source.go b/services/auth/source/saml/source.go
index 1e9c2b0012d24..9058a225a3874 100644
--- a/services/auth/source/saml/source.go
+++ b/services/auth/source/saml/source.go
@@ -28,13 +28,6 @@ import (
 	dsig "github.com/russellhaering/goxmldsig"
 )
 
-//  _________   _____      _____  .____
-// /   _____/  /  _  \    /     \ |    |
-// \_____  \  /  /_\  \  /  \ /  \|    |
-// /        \/    |    \/    Y    \    |___
-///_______  /\____|__  /\____|__  /_______ \
-//        \/         \/         \/        \/
-
 // Source holds configuration for the SAML login source.
 type Source struct {
 	// IdentityProviderMetadata description: The SAML Identity Provider metadata XML contents (for static configuration of the SAML Service Provider). The value of this field should be an XML document whose root element is `<EntityDescriptor>` or `<EntityDescriptors>`. To escape the value into a JSON string, you may want to use a tool like https://json-escape-text.now.sh.
diff --git a/services/auth/source/saml/source_callout.go b/services/auth/source/saml/source_callout.go
index eb5d106be9c89..f51e0da16d85a 100644
--- a/services/auth/source/saml/source_callout.go
+++ b/services/auth/source/saml/source_callout.go
@@ -57,15 +57,10 @@ func (source *Source) Callback(request *http.Request, response http.ResponseWrit
 		return user, fmt.Errorf("SAML response contains invalid time warning")
 	}
 
-	samlMap := make(map[string]string) // Global.
+	samlMap := make(map[string]string)
 	for key, value := range assertions.Values {
-		var (
-			keyParsed   string
-			valueParsed string
-		)
-
-		keyParsed = strings.ToLower(key[strings.LastIndex(key, "/")+1:]) // Uses the trailing slug as the key name.
-		valueParsed = value.Values[0].Value
+		keyParsed := strings.ToLower(key[strings.LastIndex(key, "/")+1:]) // Uses the trailing slug as the key name.
+		valueParsed := value.Values[0].Value
 		samlMap[keyParsed] = valueParsed
 
 	}

From 7ff1ca789a31d25a0a4832b4074a8bd74c9a3bcb Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Tue, 23 Jan 2024 10:39:11 -0500
Subject: [PATCH 76/84] clean up TODOs, update docs with missing features

---
 docs/content/usage/authentication.en-us.md  | 6 ++++++
 services/auth/source/saml/source_callout.go | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/docs/content/usage/authentication.en-us.md b/docs/content/usage/authentication.en-us.md
index cfd21a865a027..1838cfcc77601 100644
--- a/docs/content/usage/authentication.en-us.md
+++ b/docs/content/usage/authentication.en-us.md
@@ -358,6 +358,12 @@ Notice: Reverse Proxy Auth doesn't support the API. You still need an access tok
 - Click the `Add Authentication Source` button.
 - Select `SAML` as the authentication type.
 
+#### Features Not Yet Supported
+
+Currently, auto-registration is not supported for SAML. During the external account linking process the user will be prompted to set a username and email address or link to an existing account.
+
+SAML group mapping is not supported.
+
 #### Settings
 
 - `Authentication Name` **(required)**
diff --git a/services/auth/source/saml/source_callout.go b/services/auth/source/saml/source_callout.go
index f51e0da16d85a..5366f8a527171 100644
--- a/services/auth/source/saml/source_callout.go
+++ b/services/auth/source/saml/source_callout.go
@@ -83,7 +83,7 @@ func (source *Source) Callback(request *http.Request, response http.ResponseWrit
 		user.Name = samlMap[source.UsernameAssertionKey]
 	}
 
-	// TODO: utilize groups later on
+	// TODO: utilize groups once mapping is supported
 
 	return user, nil
 }

From 0d72f3524bb68c1893cca795c88321298b9793b8 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Tue, 23 Jan 2024 10:42:17 -0500
Subject: [PATCH 77/84] cleanup

---
 routers/web/admin/auths.go      | 2 +-
 routers/web/auth/linkaccount.go | 2 +-
 routers/web/auth/saml.go        | 5 ++---
 routers/web/web.go              | 4 ++--
 4 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go
index 089822fd8119e..2542cb500e257 100644
--- a/routers/web/admin/auths.go
+++ b/routers/web/admin/auths.go
@@ -1,5 +1,5 @@
 // Copyright 2014 The Gogs Authors. All rights reserved.
-// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2024 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
 package admin
diff --git a/routers/web/auth/linkaccount.go b/routers/web/auth/linkaccount.go
index 869cf9bf4d13f..c62ae84083133 100644
--- a/routers/web/auth/linkaccount.go
+++ b/routers/web/auth/linkaccount.go
@@ -304,7 +304,7 @@ func LinkAccountPostRegister(ctx *context.Context) {
 			return
 		}
 	}
-	// TODO groups for SAML?
+	// TODO we will support some form of group mapping for SAML
 
 	handleSignIn(ctx, u, false)
 }
diff --git a/routers/web/auth/saml.go b/routers/web/auth/saml.go
index 551beef6cfa67..737ac710ae7bf 100644
--- a/routers/web/auth/saml.go
+++ b/routers/web/auth/saml.go
@@ -57,8 +57,7 @@ func SignInSAMLCallback(ctx *context.Context) {
 
 	u, gothUser, err := samlUserLoginCallback(*ctx, loginSource, ctx.Req, ctx.Resp)
 	if err != nil {
-		// TODO: improve error display
-		ctx.ServerError("SignIn", err)
+		ctx.ServerError("SignInSAMLCallback", err)
 		return
 	}
 
@@ -67,7 +66,7 @@ func SignInSAMLCallback(ctx *context.Context) {
 			// attach user to already logged in user
 			err = externalaccount.LinkAccountToUser(ctx, ctx.Doer, gothUser, auth.SAML)
 			if err != nil {
-				ctx.ServerError("UserLinkAccount", err)
+				ctx.ServerError("LinkAccountToUser", err)
 				return
 			}
 
diff --git a/routers/web/web.go b/routers/web/web.go
index f640bf84fe98f..52dff6db1e466 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -667,8 +667,8 @@ func registerRoutes(m *web.Route) {
 			m.Get("/{provider}/callback", auth.SignInOAuthCallback)
 		})
 		m.Group("/saml", func() {
-			m.Get("/{provider}", auth.SignInSAML)              // redir to SAML IDP
-			m.Post("/{provider}/acs", auth.SignInSAMLCallback) // TODO: Confirm if POST/GET
+			m.Get("/{provider}", auth.SignInSAML) // redir to SAML IDP
+			m.Post("/{provider}/acs", auth.SignInSAMLCallback)
 			m.Get("/{provider}/metadata", auth.SAMLMetadata)
 		})
 	})

From e95e5ca53e1f345e637659dfc7f7aeb846427a2f Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Tue, 23 Jan 2024 10:45:26 -0500
Subject: [PATCH 78/84] apply review feedback

---
 models/auth/oauth2.go                        | 28 ++------------------
 models/auth/source.go                        | 24 +++++++++++++++++
 services/auth/source/saml/source.go          |  2 +-
 services/auth/source/saml/source_metadata.go |  2 +-
 4 files changed, 28 insertions(+), 28 deletions(-)

diff --git a/models/auth/oauth2.go b/models/auth/oauth2.go
index 4a1b91a72afb6..35ce0db9d58c2 100644
--- a/models/auth/oauth2.go
+++ b/models/auth/oauth2.go
@@ -368,7 +368,7 @@ func DeleteOAuth2Application(ctx context.Context, id, userid int64) error {
 	return committer.Commit()
 }
 
-//////////////////////////////////////////////////////
+// ////////////////////////////////////////////////////
 
 // OAuth2AuthorizationCode is a code to obtain an access token in combination with the client secret once. It has a limited lifetime.
 type OAuth2AuthorizationCode struct {
@@ -443,7 +443,7 @@ func GetOAuth2AuthorizationByCode(ctx context.Context, code string) (auth *OAuth
 	return auth, nil
 }
 
-//////////////////////////////////////////////////////
+// ////////////////////////////////////////////////////
 
 // OAuth2Grant represents the permission of an user for a specific application to access resources
 type OAuth2Grant struct {
@@ -608,30 +608,6 @@ func (err ErrOAuthApplicationNotFound) Unwrap() error {
 	return util.ErrNotExist
 }
 
-// GetActiveAuthProviderSources returns all actived LoginOAuth2 sources
-func GetActiveAuthProviderSources(ctx context.Context, authType Type) ([]*Source, error) {
-	sources := make([]*Source, 0, 1)
-	if err := db.GetEngine(ctx).Where("is_active = ? and type = ?", true, authType).Find(&sources); err != nil {
-		return nil, err
-	}
-	return sources, nil
-}
-
-// GetActiveAuthSourceByName returns a OAuth2 AuthSource based on the given name
-func GetActiveAuthSourceByName(ctx context.Context, name string, authType Type) (*Source, error) {
-	authSource := new(Source)
-	has, err := db.GetEngine(ctx).Where("name = ? and type = ? and is_active = ?", name, authType, true).Get(authSource)
-	if err != nil {
-		return nil, err
-	}
-
-	if !has {
-		return nil, fmt.Errorf("auth source not found, name: %q", name)
-	}
-
-	return authSource, nil
-}
-
 func DeleteOAuth2RelictsByUserID(ctx context.Context, userID int64) error {
 	deleteCond := builder.Select("id").From("oauth2_grant").Where(builder.Eq{"oauth2_grant.user_id": userID})
 
diff --git a/models/auth/source.go b/models/auth/source.go
index 89a58882c09e3..f119e67b109b1 100644
--- a/models/auth/source.go
+++ b/models/auth/source.go
@@ -406,3 +406,27 @@ func IsErrSourceInUse(err error) bool {
 func (err ErrSourceInUse) Error() string {
 	return fmt.Sprintf("login source is still used by some users [id: %d]", err.ID)
 }
+
+// GetActiveAuthProviderSources returns all actived LoginOAuth2 sources
+func GetActiveAuthProviderSources(ctx context.Context, authType Type) ([]*Source, error) {
+	sources := make([]*Source, 0, 1)
+	if err := db.GetEngine(ctx).Where("is_active = ? and type = ?", true, authType).Find(&sources); err != nil {
+		return nil, err
+	}
+	return sources, nil
+}
+
+// GetActiveAuthSourceByName returns a OAuth2 AuthSource based on the given name
+func GetActiveAuthSourceByName(ctx context.Context, name string, authType Type) (*Source, error) {
+	authSource := new(Source)
+	has, err := db.GetEngine(ctx).Where("name = ? and type = ? and is_active = ?", name, authType, true).Get(authSource)
+	if err != nil {
+		return nil, err
+	}
+
+	if !has {
+		return nil, fmt.Errorf("auth source not found, name: %q", name)
+	}
+
+	return authSource, nil
+}
diff --git a/services/auth/source/saml/source.go b/services/auth/source/saml/source.go
index 9058a225a3874..52388646b5981 100644
--- a/services/auth/source/saml/source.go
+++ b/services/auth/source/saml/source.go
@@ -62,7 +62,7 @@ type Source struct {
 }
 
 func GenerateSAMLSPKeypair() (string, string, error) {
-	key, err := rsa.GenerateKey(rand.Reader, 1024)
+	key, err := rsa.GenerateKey(rand.Reader, 4096)
 	if err != nil {
 		return "", "", err
 	}
diff --git a/services/auth/source/saml/source_metadata.go b/services/auth/source/saml/source_metadata.go
index c7e27c908bf9b..9fb8c758e35bb 100644
--- a/services/auth/source/saml/source_metadata.go
+++ b/services/auth/source/saml/source_metadata.go
@@ -21,7 +21,7 @@ func (source *Source) Metadata(request *http.Request, response http.ResponseWrit
 	if err != nil {
 		return err
 	}
-	buf, err := xml.MarshalIndent(metadata, "", "  ")
+	buf, err := xml.Marshal(metadata)
 	if err != nil {
 		return err
 	}

From ee031227988aab56898d248c6875f772359e2ab5 Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Tue, 23 Jan 2024 10:52:08 -0500
Subject: [PATCH 79/84] whitespace fix

---
 models/auth/oauth2.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/models/auth/oauth2.go b/models/auth/oauth2.go
index 35ce0db9d58c2..9ff24338a430d 100644
--- a/models/auth/oauth2.go
+++ b/models/auth/oauth2.go
@@ -368,7 +368,7 @@ func DeleteOAuth2Application(ctx context.Context, id, userid int64) error {
 	return committer.Commit()
 }
 
-// ////////////////////////////////////////////////////
+//////////////////////////////////////////////////////
 
 // OAuth2AuthorizationCode is a code to obtain an access token in combination with the client secret once. It has a limited lifetime.
 type OAuth2AuthorizationCode struct {
@@ -443,7 +443,7 @@ func GetOAuth2AuthorizationByCode(ctx context.Context, code string) (auth *OAuth
 	return auth, nil
 }
 
-// ////////////////////////////////////////////////////
+//////////////////////////////////////////////////////
 
 // OAuth2Grant represents the permission of an user for a specific application to access resources
 type OAuth2Grant struct {

From 7053bdde4f15e44ca1026a6afb3426426632753c Mon Sep 17 00:00:00 2001
From: jackHay22 <jack@allspice.io>
Date: Tue, 23 Jan 2024 10:53:45 -0500
Subject: [PATCH 80/84] fix comment

---
 models/auth/source.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/models/auth/source.go b/models/auth/source.go
index f119e67b109b1..bc564d35baf9c 100644
--- a/models/auth/source.go
+++ b/models/auth/source.go
@@ -407,7 +407,7 @@ func (err ErrSourceInUse) Error() string {
 	return fmt.Sprintf("login source is still used by some users [id: %d]", err.ID)
 }
 
-// GetActiveAuthProviderSources returns all actived LoginOAuth2 sources
+// GetActiveAuthProviderSources returns all activated sources
 func GetActiveAuthProviderSources(ctx context.Context, authType Type) ([]*Source, error) {
 	sources := make([]*Source, 0, 1)
 	if err := db.GetEngine(ctx).Where("is_active = ? and type = ?", true, authType).Find(&sources); err != nil {
@@ -416,7 +416,7 @@ func GetActiveAuthProviderSources(ctx context.Context, authType Type) ([]*Source
 	return sources, nil
 }
 
-// GetActiveAuthSourceByName returns a OAuth2 AuthSource based on the given name
+// GetActiveAuthSourceByName returns an AuthSource based on the given name and type
 func GetActiveAuthSourceByName(ctx context.Context, name string, authType Type) (*Source, error) {
 	authSource := new(Source)
 	has, err := db.GetEngine(ctx).Where("name = ? and type = ? and is_active = ?", name, authType, true).Get(authSource)

From 35248c8a826527d4b13b5cad2072a813c4f20be8 Mon Sep 17 00:00:00 2001
From: techknowlogick <techknowlogick@gitea.com>
Date: Thu, 25 Jan 2024 13:02:21 -0500
Subject: [PATCH 81/84] make fmt

---
 go.sum | 2 --
 1 file changed, 2 deletions(-)

diff --git a/go.sum b/go.sum
index a77f8c51972cc..cdc6e151c610f 100644
--- a/go.sum
+++ b/go.sum
@@ -639,8 +639,6 @@ github.com/markbates/going v1.0.3 h1:mY45T5TvW+Xz5A6jY7lf4+NLg9D8+iuStIHyR7M8qsE
 github.com/markbates/going v1.0.3/go.mod h1:fQiT6v6yQar9UD6bd/D4Z5Afbk9J6BBVBtLiyY4gp2o=
 github.com/markbates/goth v1.78.0 h1:7VEIFDycJp9deyVv3YraGBPdD0ZYQW93Y3Aw1eVP3BY=
 github.com/markbates/goth v1.78.0/go.mod h1:X6xdNgpapSENS0O35iTBBcMHoJDQDfI9bJl+APCkYMc=
-github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
-github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
 github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
 github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=

From 96b17bb564483416cd24c846303b1186ac39ecec Mon Sep 17 00:00:00 2001
From: 6543 <6543@obermui.de>
Date: Fri, 26 Jan 2024 00:31:12 +0100
Subject: [PATCH 82/84] rm "this is a comment" ...

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
---
 routers/web/auth/saml.go | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/routers/web/auth/saml.go b/routers/web/auth/saml.go
index 737ac710ae7bf..29d689d2e912c 100644
--- a/routers/web/auth/saml.go
+++ b/routers/web/auth/saml.go
@@ -1,4 +1,4 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2024 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
 package auth
@@ -22,7 +22,6 @@ import (
 	"github.com/markbates/goth"
 )
 
-// SignInSAML
 func SignInSAML(ctx *context.Context) {
 	provider := ctx.Params(":provider")
 
@@ -41,7 +40,6 @@ func SignInSAML(ctx *context.Context) {
 	}
 }
 
-// SignInSAMLCallback
 func SignInSAMLCallback(ctx *context.Context) {
 	provider := ctx.Params(":provider")
 	loginSource, err := auth.GetActiveAuthSourceByName(ctx, provider, auth.SAML)
@@ -161,7 +159,6 @@ func samlUserLoginCallback(ctx context.Context, authSource *auth.Source, request
 	return nil, gothUser, nil
 }
 
-// SAMLMetadata
 func SAMLMetadata(ctx *context.Context) {
 	provider := ctx.Params(":provider")
 	loginSource, err := auth.GetActiveAuthSourceByName(ctx, provider, auth.SAML)

From d6ad03349a3a6f11ff67e4e0f5c0bfbce4eb2708 Mon Sep 17 00:00:00 2001
From: 6543 <6543@obermui.de>
Date: Thu, 22 Feb 2024 20:18:27 +0100
Subject: [PATCH 83/84] document

---
 models/auth/oauth2.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/models/auth/oauth2.go b/models/auth/oauth2.go
index 9ff24338a430d..a252458d4ee62 100644
--- a/models/auth/oauth2.go
+++ b/models/auth/oauth2.go
@@ -82,6 +82,8 @@ func Init(ctx context.Context) error {
 		builtinAllClientIDs = append(builtinAllClientIDs, clientID)
 	}
 
+	// This is needed in order to encode and store the struct in the goth/gothic session
+	// during the process of linking the external user.
 	gob.Register(LinkAccountUser{})
 
 	var registeredApps []*OAuth2Application

From e36a88e790733871210815129f9951790d6c430a Mon Sep 17 00:00:00 2001
From: 6543 <6543@obermui.de>
Date: Thu, 22 Feb 2024 20:26:46 +0100
Subject: [PATCH 84/84] adjust to current codebase

---
 routers/web/admin/auths.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go
index 7d7e05a927849..187b569d39dba 100644
--- a/routers/web/admin/auths.go
+++ b/routers/web/admin/auths.go
@@ -250,13 +250,13 @@ func parseSSPIConfig(ctx *context.Context, form forms.AuthenticationForm) (*sspi
 
 func parseSAMLConfig(ctx *context.Context, form forms.AuthenticationForm) (*saml.Source, error) {
 	if util.IsEmptyString(form.IdentityProviderMetadata) && util.IsEmptyString(form.IdentityProviderMetadataURL) {
-		return nil, errors.New(ctx.Tr("form.SAMLMetadata") + ctx.Tr("form.require_error"))
+		return nil, fmt.Errorf("%s %s", ctx.Tr("form.SAMLMetadata"), ctx.Tr("form.require_error"))
 	}
 
 	if !util.IsEmptyString(form.IdentityProviderMetadataURL) {
 		_, err := url.Parse(form.IdentityProviderMetadataURL)
 		if err != nil {
-			return nil, errors.New(ctx.Tr("form.SAMLMetadataURL"))
+			return nil, fmt.Errorf("%s", ctx.Tr("form.SAMLMetadataURL"))
 		}
 	}