authorLunny Xiao <xiaolunwen@gmail.com>2022-04-08 12:22:10 +0800
committerGitHub <noreply@github.com>2022-04-08 06:22:10 +0200
commit3c3d49899f0f7206e190bdeecdc4da248cc7e686 (patch)
tree7d1f57f7655142b47b5adeb197943c74c1e6f8c9 /modules
parent75f8534c3a8678f4b55e557960450230cf909b93 (diff)
Remove dependent on session auth for api/v1 routers (#19321)
* Remove dependence on session auth for api/v1 routers * Remove unnecessary session from API context * Remove missed header * Fix test * Fix missed api/v1
Diffstat (limited to 'modules')
-rw-r--r--modules/context/api.go25
1 files changed, 3 insertions, 22 deletions
diff --git a/modules/context/api.go b/modules/context/api.go
index da08f990bb..e5c2eeda0a 100644
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -8,7 +8,6 @@ package context
import (
"context"
"fmt"
- "html"
"net/http"
"net/url"
"strings"
@@ -20,8 +19,6 @@ import (
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/web/middleware"
auth_service "code.gitea.io/gitea/services/auth"
-
- "gitea.com/go-chi/session"
)
// APIContext is a specific context for API service
@@ -191,17 +188,6 @@ func (ctx *APIContext) SetLinkHeader(total, pageSize int) {
}
}
-// RequireCSRF requires a validated a CSRF token
-func (ctx *APIContext) RequireCSRF() {
- headerToken := ctx.Req.Header.Get(ctx.csrf.GetHeaderName())
- formValueToken := ctx.Req.FormValue(ctx.csrf.GetFormName())
- if len(headerToken) > 0 || len(formValueToken) > 0 {
- Validate(ctx.Context, ctx.csrf)
- } else {
- ctx.Context.Error(http.StatusUnauthorized, "Missing CSRF token.")
- }
-}
-
// CheckForOTP validates OTP
func (ctx *APIContext) CheckForOTP() {
if skip, ok := ctx.Data["SkipLocalTwoFA"]; ok && skip.(bool) {
@@ -253,17 +239,14 @@ func APIAuth(authMethod auth_service.Method) func(*APIContext) {
// APIContexter returns apicontext as middleware
func APIContexter() func(http.Handler) http.Handler {
- csrfOpts := getCsrfOpts()
-
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
locale := middleware.Locale(w, req)
ctx := APIContext{
Context: &Context{
- Resp: NewResponse(w),
- Data: map[string]interface{}{},
- Locale: locale,
- Session: session.GetSession(req),
+ Resp: NewResponse(w),
+ Data: map[string]interface{}{},
+ Locale: locale,
Repo: &Repository{
PullRequest: &PullRequest{},
},
@@ -273,7 +256,6 @@ func APIContexter() func(http.Handler) http.Handler {
}
ctx.Req = WithAPIContext(WithContext(req, ctx.Context), &ctx)
- ctx.csrf = Csrfer(csrfOpts, ctx.Context)
// If request sends files, parse them here otherwise the Query() can't be parsed and the CsrfToken will be invalid.
if ctx.Req.Method == "POST" && strings.Contains(ctx.Req.Header.Get("Content-Type"), "multipart/form-data") {
@@ -285,7 +267,6 @@ func APIContexter() func(http.Handler) http.Handler {
ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
- ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
ctx.Data["Context"] = &ctx
next.ServeHTTP(ctx.Resp, ctx.Req)
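Review bot: The context line `// If request sends files, parse them here otherwise the Query() can't be parsed and the CsrfToken will be invalid.` in the `@@ -273,7 +256,6 @@` hunk of APIContexter is now stale, because this commit removes the CSRF token from the API context; shorten it to `// If request sends files, parse them here otherwise the Query() can't be parsed.` It would also help to record why RequireCSRF can go: with the `Session: session.GetSession(req)` line removed the API context presumably can no longer be authenticated by a browser's session cookie, so the CSRF guard has nothing left to protect, and a doc line on APIContexter such as `// API requests are never session-authenticated, so no CSRF check is applied here.` would stop a later change from re-attaching the session without restoring the check. APIContexter's body continues past the visible end of this section.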