From 3c3d49899f0f7206e190bdeecdc4da248cc7e686 Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Fri, 8 Apr 2022 12:22:10 +0800
Subject: Remove dependent on session auth for api/v1 routers (#19321)

* Remove dependent on session auth for api/v1 routers
* Remove unnecessary session on API context
* remove missed header
* fix test
* fix missed api/v1
---
 routers/api/v1/api.go | 10 +++-------
 routers/api/v1/misc/swagger.go | 21 ---------------------
 2 files changed, 3 insertions(+), 28 deletions(-)
 delete mode 100644 routers/api/v1/misc/swagger.go
(limited to 'routers/api')
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 2c29263890..a430eb453a 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -216,7 +216,6 @@ func reqToken() func(ctx *context.APIContext) {
 return
 }
 if ctx.IsSigned {
- ctx.RequireCSRF()
 return
 }
 ctx.Error(http.StatusUnauthorized, "reqToken", "token is required")
@@ -584,8 +583,7 @@ func bind(obj interface{}) http.HandlerFunc {
 func buildAuthGroup() *auth.Group {
 group := auth.NewGroup(
 &auth.OAuth2{},
- &auth.Basic{}, // FIXME: this should be removed once we don't allow basic auth in API
- auth.SharedSession, // FIXME: this should be removed once all UI don't reference API/v1, see https://github.com/go-gitea/gitea/pull/16052
+ &auth.Basic{}, // FIXME: this should be removed once we don't allow basic auth in API
 )
 if setting.Service.EnableReverseProxyAuth {
 group.Add(&auth.ReverseProxy{})
@@ -596,11 +594,9 @@ func buildAuthGroup() *auth.Group {
 }
 
 // Routes registers all v1 APIs routes to web application.
-func Routes(sessioner func(http.Handler) http.Handler) *web.Route {
+func Routes() *web.Route {
 m := web.NewRoute()
 
- m.Use(sessioner)
-
 m.Use(securityHeaders())
 if setting.CORSConfig.Enabled {
 m.Use(cors.Handler(cors.Options{
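Review bot: Dropping `ctx.RequireCSRF()` from the `ctx.IsSigned` branch of reqToken (hunk @@ -216) is only safe if no remaining member of the auth group can set IsSigned from ambient browser credentials; the hunk at @@ -584 removes `auth.SharedSession`, which covers the cookie session, but `auth.ReverseProxy` is still added when `setting.Service.EnableReverseProxyAuth` is on, and a proxy that derives its user header from its own cookie-based login would presumably leave api/v1 requests reachable cross-site with no CSRF defence at all. The branch now returns silently with nothing explaining why the check went away, so I would at least record the assumption next to it: `// no CSRF check: the API auth group no longer contains the shared session (see buildAuthGroup), so IsSigned cannot come from a browser cookie`. Whether reverse-proxy authentication should also be kept out of the api/v1 auth group, or gated by its own setting, is worth deciding explicitly rather than inheriting from the old session-based path. reqToken's enclosing closure starts and ends outside the hunk.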
@@ -609,7 +605,7 @@ func Routes(sessioner func(http.Handler) http.Handler) *web.Route {
 // setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
 AllowedMethods: setting.CORSConfig.Methods,
 AllowCredentials: setting.CORSConfig.AllowCredentials,
- AllowedHeaders: []string{"Authorization", "X-CSRFToken", "X-Gitea-OTP"},
+ AllowedHeaders: []string{"Authorization", "X-Gitea-OTP"},
 MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
 }))
 }
diff --git a/routers/api/v1/misc/swagger.go b/routers/api/v1/misc/swagger.go
deleted file mode 100644
index e46d4194b4..0000000000
--- a/routers/api/v1/misc/swagger.go
+++ /dev/null
@@ -1,21 +0,0 @@
-// Copyright 2017 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package misc
-
-import (
- "net/http"
-
- "code.gitea.io/gitea/modules/base"
- "code.gitea.io/gitea/modules/context"
-)
-
-// tplSwagger swagger page template
-const tplSwagger base.TplName = "swagger/ui"
-
-// Swagger render swagger-ui page with v1 json
-func Swagger(ctx *context.Context) {
- ctx.Data["APIJSONVersion"] = "v1"
- ctx.HTML(http.StatusOK, tplSwagger)
-}
-- 
cgit v1.2.3