Remove ReverseProxy authentication from the API (#22219) (#22251) - gitea.git - Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD: https://github.com/go-gitea/gitea

diff options

author	Lunny Xiao <xiaolunwen@gmail.com>	2022-12-28 03:24:43 +0800
committer	GitHub <noreply@github.com>	2022-12-27 20:24:43 +0100
commit	9b4da56963692819d236b07504e565d4b4fb4021 (patch)
tree	ff2843eaa7eedc88aabff659f00617285a2ea4b3 /models
parent	5583eaa90430edfa553c93f61e4fc2cc3a10d8b8 (diff)
download	gitea-9b4da56963692819d236b07504e565d4b4fb4021.tar.gz gitea-9b4da56963692819d236b07504e565d4b4fb4021.zip

Remove ReverseProxy authentication from the API (#22219) (#22251)

backport from #22219 Since we changed the /api/v1/ routes to disallow session authentication we also removed their reliance on CSRF. However, we left the ReverseProxy authentication here - but this means that POSTs to the API are no longer protected by CSRF. Now, ReverseProxy authentication is a kind of session authentication, and is therefore inconsistent with the removal of session from the API. This PR proposes that we simply remove the ReverseProxy authentication from the API and therefore users of the API must explicitly use tokens or basic authentication. Replace #22077 Close #22221 Close #22077 Signed-off-by: Andrew Thornton <art27@cantab.net> Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net>

Diffstat (limited to 'models')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: