diff options
| author | Lunny Xiao <xiaolunwen@gmail.com> | 2022-04-08 12:22:10 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-04-08 06:22:10 +0200 |
| commit | 3c3d49899f0f7206e190bdeecdc4da248cc7e686 (patch) | |
| tree | 7d1f57f7655142b47b5adeb197943c74c1e6f8c9 /routers/api/v1/api.go | |
| parent | 75f8534c3a8678f4b55e557960450230cf909b93 (diff) | |
| download | gitea-3c3d49899f0f7206e190bdeecdc4da248cc7e686.tar.gz gitea-3c3d49899f0f7206e190bdeecdc4da248cc7e686.zip | |
Remove dependent on session auth for api/v1 routers (#19321)
* Remove dependent on session auth for api/v1 routers
* Remove unnecessary session on API context
* remove missed header
* fix test
* fix missed api/v1
Diffstat (limited to 'routers/api/v1/api.go')
| -rw-r--r-- | routers/api/v1/api.go | 10 |
1 files changed, 3 insertions, 7 deletions
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go index 2c29263890..a430eb453a 100644 --- a/routers/api/v1/api.go +++ b/routers/api/v1/api.go @@ -216,7 +216,6 @@ func reqToken() func(ctx *context.APIContext) { return } if ctx.IsSigned { - ctx.RequireCSRF() return } ctx.Error(http.StatusUnauthorized, "reqToken", "token is required") @@ -584,8 +583,7 @@ func bind(obj interface{}) http.HandlerFunc { func buildAuthGroup() *auth.Group { group := auth.NewGroup( &auth.OAuth2{}, - &auth.Basic{}, // FIXME: this should be removed once we don't allow basic auth in API - auth.SharedSession, // FIXME: this should be removed once all UI don't reference API/v1, see https://github.com/go-gitea/gitea/pull/16052 + &auth.Basic{}, // FIXME: this should be removed once we don't allow basic auth in API ) if setting.Service.EnableReverseProxyAuth { group.Add(&auth.ReverseProxy{}) @@ -596,11 +594,9 @@ func buildAuthGroup() *auth.Group { } // Routes registers all v1 APIs routes to web application. -func Routes(sessioner func(http.Handler) http.Handler) *web.Route { +func Routes() *web.Route { m := web.NewRoute() - m.Use(sessioner) - m.Use(securityHeaders()) if setting.CORSConfig.Enabled { m.Use(cors.Handler(cors.Options{ @@ -609,7 +605,7 @@ func Routes(sessioner func(http.Handler) http.Handler) *web.Route { // setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option AllowedMethods: setting.CORSConfig.Methods, AllowCredentials: setting.CORSConfig.AllowCredentials, - AllowedHeaders: []string{"Authorization", "X-CSRFToken", "X-Gitea-OTP"}, + AllowedHeaders: []string{"Authorization", "X-Gitea-OTP"}, MaxAge: int(setting.CORSConfig.MaxAge.Seconds()), })) } |