
Fixes #17487 - support sessions for api calls #4045

Merged
merged 1 commit into from
Nov 30, 2016

Conversation

tstrachota
Member

  • authenticated api calls save user to session and set flag api_authenticated_session
  • sessions with such flag allow posting requests without CSRF token
  • api sessions expire the same way as UI sessions
  • api sessions don't store any additional data to keep the requests stateless

This way the standard UI requests as well as API requests authenticated with session created from UI remain protected against CSRF. At the same time applications using API (such as hammer) can benefit from using session authentication and avoid the need of storing two tokens (CSRF and _session_id).
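The CSRF decision the description outlines, as an added illustration (hypothetical Ruby model, not Foreman's own code): an API login stores only the user id plus the api_authenticated_session flag, a UI login stores the user id plus a CSRF token, both kinds share one lifetime, and only a state-changing request on a UI-created session has to present a token. The SESSION_TTL value and the helper names are assumptions.

```ruby
require 'securerandom'

SESSION_TTL = 60 * 60 # assumed lifetime, shared by UI and API sessions

def ui_login(user_id, now = Time.now)
  { user: user_id, csrf_token: SecureRandom.hex(16), expires_at: now + SESSION_TTL }
end

def api_login(user_id, now = Time.now)
  # Only the user and the flag are stored, so API sessions stay stateless.
  { user: user_id, api_authenticated_session: true, expires_at: now + SESSION_TTL }
end

def session_valid?(session, now = Time.now)
  !session.nil? && !session[:user].nil? && now < session[:expires_at]
end

# A token is required only for unsafe methods on a session created from the UI;
# a session carrying api_authenticated_session is exempt.
def csrf_required?(session, http_method)
  return false if %w[GET HEAD OPTIONS].include?(http_method.upcase)
  !session[:api_authenticated_session]
end

# Constant-time string comparison so token checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns :expired, :csrf_failed or :ok for one request on one session.
def verify_request(session, http_method, token, now = Time.now)
  return :expired unless session_valid?(session, now)
  return :ok unless csrf_required?(session, http_method)
  return :csrf_failed if token.nil?
  secure_equal?(session[:csrf_token].to_s, token.to_s) ? :ok : :csrf_failed
end
```

A UI session posting without its token is rejected, an API session posts without one, and both are refused once SESSION_TTL has passed.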

@mention-bot

@tstrachota, thanks for your PR! By analyzing the history of the files in this pull request, we identified @bbuckingham, @domcleal and @dLobatog to be potential reviewers.

@theforeman-bot
Member

@tstrachota, the Redmine ticket used is for a different project than the one associated with this GitHub repository. Please either:

  • Move ticket #8016 from Hammer CLI to the Foreman project.
  • File a new ticket in the Foreman project, update the PR title and the commit message (using git commit --amend).

This message was auto-generated by Foreman's prprocessor

@theforeman-bot
Member

There were the following issues with the commit message:

  • commit message for 21c42f6 is not wrapped at 72nd column
  • commit message for 21c42f6 is not wrapped at 72nd column
  • commit message for 21c42f6 is not wrapped at 72nd column
  • commit message for 21c42f6 is not wrapped at 72nd column
  • commit message for 21c42f6 is not wrapped at 72nd column

If you don't have a ticket number, please create an issue in Redmine.

More guidelines are available in Coding Standards or on the Foreman wiki.

This message was auto-generated by Foreman's prprocessor

assert_equal users(:admin).id, session[:user]
end
end


Extra empty line detected at class body end.

@theforeman-bot
Member

@tstrachota, the Redmine ticket used is for a different project than the one associated with this GitHub repository. Please either:

  • Move ticket #8016 from Hammer CLI to the Foreman project.
  • File a new ticket in the Foreman project, update the PR title and the commit message (using git commit --amend).

This message was auto-generated by Foreman's prprocessor

@tstrachota tstrachota changed the title Fixes #8016 - support sessions for api calls Fixes #17487 - support sessions for api calls Nov 25, 2016
Contributor

@domcleal domcleal left a comment


Thanks, that works nicely when retaining the session ID cookie. Could you please rebase to ensure the test suite is passing?

@tstrachota
Member Author

Rebased

@domcleal
Contributor

Sorry, please rebase again to ensure ee7d140 is included - the test suite isn't fully running currently.

- authenticated api calls save user to session and set
  flag api_authenticated_session
- sessions with such flag allow posting requests without CSRF token
- api sessions expire the same way as UI sessions
- api sessions don't store any additional data to keep the requests
  stateless

This way the standard UI requests as well as API requests authenticated
with session created from UI remain protected against CSRF. At the same
time applications using API (such as hammer) can benefit from using
session authentication and avoid the need of storing two tokens
(CSRF and _session_id).

@tstrachota
Member Author

Rebased

@domcleal domcleal merged commit 9a4ed00 into theforeman:develop Nov 30, 2016
@domcleal
Contributor

Merged, thank you for the nice addition @tstrachota.
