author | Lunny Xiao <xiaolunwen@gmail.com> | 2022-04-08 12:22:10 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-04-08 06:22:10 +0200 |
commit | 3c3d49899f0f7206e190bdeecdc4da248cc7e686 (patch) | |
tree | 7d1f57f7655142b47b5adeb197943c74c1e6f8c9 /modules | |
parent | 75f8534c3a8678f4b55e557960450230cf909b93 (diff) | |
Remove dependent on session auth for api/v1 routers (#19321)
* Remove dependence on session auth for api/v1 routers
* Remove unnecessary session on API context
* remove missed header
* fix test
* fix missed api/v1
Diffstat (limited to 'modules')
-rw-r--r-- | modules/context/api.go | 25 |
1 files changed, 3 insertions, 22 deletions
diff --git a/modules/context/api.go b/modules/context/api.go
index da08f990bb..e5c2eeda0a 100644
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -8,7 +8,6 @@ package context
 import (
 	"context"
 	"fmt"
-	"html"
 	"net/http"
 	"net/url"
 	"strings"
@@ -20,8 +19,6 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/web/middleware"
 	auth_service "code.gitea.io/gitea/services/auth"
-
-	"gitea.com/go-chi/session"
 )
 
 // APIContext is a specific context for API service
@@ -191,17 +188,6 @@ func (ctx *APIContext) SetLinkHeader(total, pageSize int) {
 	}
 }
 
-// RequireCSRF requires a validated a CSRF token
-func (ctx *APIContext) RequireCSRF() {
-	headerToken := ctx.Req.Header.Get(ctx.csrf.GetHeaderName())
-	formValueToken := ctx.Req.FormValue(ctx.csrf.GetFormName())
-	if len(headerToken) > 0 || len(formValueToken) > 0 {
-		Validate(ctx.Context, ctx.csrf)
-	} else {
-		ctx.Context.Error(http.StatusUnauthorized, "Missing CSRF token.")
-	}
-}
-
 // CheckForOTP validates OTP
 func (ctx *APIContext) CheckForOTP() {
 	if skip, ok := ctx.Data["SkipLocalTwoFA"]; ok && skip.(bool) {
@@ -253,17 +239,14 @@ func APIAuth(authMethod auth_service.Method) func(*APIContext) {
 
 // APIContexter returns apicontext as middleware
 func APIContexter() func(http.Handler) http.Handler {
-	csrfOpts := getCsrfOpts()
-
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 			locale := middleware.Locale(w, req)
 			ctx := APIContext{
 				Context: &Context{
-					Resp:    NewResponse(w),
-					Data:    map[string]interface{}{},
-					Locale:  locale,
-					Session: session.GetSession(req),
+					Resp:   NewResponse(w),
+					Data:   map[string]interface{}{},
+					Locale: locale,
 					Repo: &Repository{
 						PullRequest: &PullRequest{},
 					},
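Review bot: With Session dropped from the Context built in APIContexter, and the csrf state gone with it, handlers served through this middleware have no cross-site request protection of their own any more, so their safety now rests entirely on the API auth chain never accepting the browser session cookie; that chain lives in the routers, outside this diffstat, and nothing in this function records the invariant. I would state it at the top of APIContexter so that whoever later adds a session-based method to the api/v1 auth chain sees why CSRF validation would have to come back with it, e.g. `// API requests are authenticated per request (token / basic auth), never by the browser session cookie; that is what makes omitting CSRF checks here safe. Reinstate CSRF validation if session auth is ever added to the API auth chain.` Whether the routers change in this commit actually removes every session-backed method from api/v1 cannot be confirmed from this file alone. The body of APIContexter continues past the end of this hunk.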
@@ -273,7 +256,6 @@ func APIContexter() func(http.Handler) http.Handler {
 			}
 
 			ctx.Req = WithAPIContext(WithContext(req, ctx.Context), &ctx)
-			ctx.csrf = Csrfer(csrfOpts, ctx.Context)
 
 			// If request sends files, parse them here otherwise the Query() can't be parsed and the CsrfToken will be invalid.
 			if ctx.Req.Method == "POST" && strings.Contains(ctx.Req.Header.Get("Content-Type"), "multipart/form-data") {
@@ -285,7 +267,6 @@ func APIContexter() func(http.Handler) http.Handler {
 
 			ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
 
-			ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
 			ctx.Data["Context"] = &ctx
 
 			next.ServeHTTP(ctx.Resp, ctx.Req) |
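Review bot: The comment above the multipart check still justifies the early parse with "otherwise the Query() can't be parsed and the CsrfToken will be invalid", but the line that set ctx.csrf is removed right above it in this hunk and the API context no longer carries a CSRF token, so half of that reason is now stale and will mislead the next reader into thinking a token is still validated here. The remaining reason, that Query() cannot be read before ParseMultipartForm has run, still holds on the visible lines, so I would shorten it to `// If the request sends files, parse them here, otherwise Query() can't be parsed.` and keep the parse itself. APIContexter starts and ends outside this hunk.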