Remove ReverseProxy authentication from the API (#22219) #22252

Merged
merged 2 commits into from
Dec 30, 2022

Commits on Dec 27, 2022

  1. Remove ReverseProxy authentication from the API (go-gitea#22219)

    Since we changed the /api/v1/ routes to disallow session authentication
    we also removed their reliance on CSRF. However, we left the
    ReverseProxy authentication here - but this means that POSTs to the API
    are no longer protected by CSRF.
    
    Now, ReverseProxy authentication is a kind of session authentication,
    and is therefore inconsistent with the removal of session from the API.
    
    This PR proposes that we simply remove the ReverseProxy authentication
    from the API and therefore users of the API must explicitly use tokens
    or basic authentication.
    
    Replace go-gitea#22077
    Close go-gitea#22221 
    Close go-gitea#22077 
    
    Signed-off-by: Andrew Thornton <art27@cantab.net>
    zeripath authored and lunny committed Dec 27, 2022
    dc5e4ef
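
The commit message's reasoning, as an added Go example that is not Gitea's code: an API handler that accepts only an explicit token or basic credentials and never reads the reverse-proxy user header. The header name `X-WEBAUTH-USER`, the token, the password, the route and all function names are assumptions constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// proxyUserHeader is the user header set by the authenticating proxy (assumed name).
const proxyUserHeader = "X-WEBAUTH-USER"
// apiTokens is a constructed token store for this example only.
var apiTokens = map[string]string{"example-token-0001": "alice"}

// apiUser authenticates an API request from explicit credentials only.
// proxyUserHeader is never read: the proxy adds it to every request it has
// authenticated, so it is ambient like a session and would need CSRF checks.
func apiUser(r *http.Request) (string, bool) {
	auth := r.Header.Get("Authorization")
	if strings.HasPrefix(auth, "token ") {
		user, ok := apiTokens[strings.TrimPrefix(auth, "token ")]
		return user, ok
	}
	if user, pass, ok := r.BasicAuth(); ok { // constructed password below
		return user, user == "alice" && subtle.ConstantTimeCompare([]byte(pass), []byte("example-password")) == 1
	}
	return "", false
}

// apiHandler rejects any request that carries no valid explicit credential.
func apiHandler(w http.ResponseWriter, r *http.Request) {
	if _, ok := apiUser(r); !ok {
		http.Error(w, "token or basic authentication required", http.StatusUnauthorized)
		return
	}
	w.WriteHeader(http.StatusCreated)
}

// statusFor sends a POST carrying one header and returns the response status.
func statusFor(name, value string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/v1/user/repos", nil)
	req.Header.Set(name, value)
	rec := httptest.NewRecorder()
	apiHandler(rec, req)
	return rec.Code
}

func main() { fmt.Println(statusFor(proxyUserHeader, "alice"), statusFor("Authorization", "token example-token-0001")) }
```

A POST that carries only the proxy header gets 401, while the same POST with an explicit token or basic credentials gets 201.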

Commits on Dec 29, 2022

  1. 4f5a2de