[Security] CSRF Vulnerability on API #4357
The way the WordPress API works is that if cookie auth is used (vs. token auth), then a nonce has to be sent as well. The nonce is injected into the HTML template for JS to use and pass to the API, and it acts as a second factor. (I've seen this approach in other implementations; it is just that WP is the most well known.)
Even if we did different routes for UI/API the UI ajax routes would still be affected.
More and more functionality is being built that uses the API (issue date, etc.) via the UI, and so we should work towards resolving the issue above.
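The mechanism the issue describes, a session cookie plus a per-session nonce that page JS sends back as a second factor while token-authenticated calls are left alone, as an added example in Go. This is not code from the Gitea project or from this issue: the cookie name `session_id`, the header name `X-Csrf-Token`, treating any `Authorization` header as token auth, the in-memory session store and the sample requests are all assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Assumed names for this example; not taken from the issue or from Gitea.
const (
	sessionCookie = "session_id"
	csrfHeader    = "X-Csrf-Token"
)

// sessionStore is a constructed in-memory map from session cookie value to the
// nonce bound to that session. A real app keeps this in its session backend.
type sessionStore map[string]string

// newNonce creates the random per-session value that the HTML template would
// embed so page JS can send it back in csrfHeader.
func newNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// authKind reports how a request authenticated: "token" for an Authorization
// header (assumed here to mean API token auth), "cookie" for a session cookie
// known to the store, or "" for an anonymous request.
func authKind(r *http.Request, sessions sessionStore) string {
	if r.Header.Get("Authorization") != "" {
		return "token"
	}
	if c, err := r.Cookie(sessionCookie); err == nil {
		if _, ok := sessions[c.Value]; ok {
			return "cookie"
		}
	}
	return ""
}

// safeMethod reports whether a method is read-only and so not a CSRF target.
func safeMethod(m string) bool {
	return m == http.MethodGet || m == http.MethodHead || m == http.MethodOptions
}

// csrfGuard wraps an API handler. A request that authenticates with the session
// cookie must also present the session-bound nonce in csrfHeader: a cross-site
// page can make the browser attach the cookie but cannot read the nonce out of
// the victim's page, so the nonce is the second factor. Token-authenticated
// requests are exempt because the browser never adds that header by itself.
func csrfGuard(sessions sessionStore, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if authKind(r, sessions) == "cookie" && !safeMethod(r.Method) {
			c, _ := r.Cookie(sessionCookie) // present: authKind already found it
			want := sessions[c.Value]
			got := r.Header.Get(csrfHeader)
			if want == "" || subtle.ConstantTimeCompare([]byte(want), []byte(got)) != 1 {
				http.Error(w, "CSRF token missing or invalid", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// simulate runs one constructed request through the guard and returns the
// status code; an empty cookie, csrf or authz value omits that part.
func simulate(sessions sessionStore, method, cookie, csrf, authz string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(method, "/api/v1/repos/owner/repo/issues", nil)
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: sessionCookie, Value: cookie})
	}
	if csrf != "" {
		req.Header.Set(csrfHeader, csrf)
	}
	if authz != "" {
		req.Header.Set("Authorization", authz)
	}
	rec := httptest.NewRecorder()
	csrfGuard(sessions, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	sessions := sessionStore{"sess-1": newNonce()}
	nonce := sessions["sess-1"]
	fmt.Println("cookie only, POST    :", simulate(sessions, "POST", "sess-1", "", ""))        // the CSRF case
	fmt.Println("cookie + nonce, POST :", simulate(sessions, "POST", "sess-1", nonce, ""))     // legitimate UI call
	fmt.Println("cookie + bad nonce   :", simulate(sessions, "POST", "sess-1", "bogus", ""))
	fmt.Println("token auth, POST     :", simulate(sessions, "POST", "", "", "token abc"))
	fmt.Println("cookie only, GET     :", simulate(sessions, "GET", "sess-1", "", ""))
}
```

The guard only decides whether the request may proceed to the handler; the handler's own authorization check still runs afterwards, which is why an unknown cookie passes the guard as an anonymous request rather than being rejected here. Splitting UI and API routes would not remove the need for this check, since any UI ajax route that relies on the cookie has the same exposure.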
Changed the title from "[Security] API endpoint doesn't enforce an authorization" to "[Security] CSRF Vulnerability on API" on Jul 8, 2018
Anyone looking at this? https://github.com/go-gitea/gitea/blob/master/routers/api/v1/api.go#L133