Remove ReverseProxy authentication from the API
Since we changed the /api/v1/ routes to disallow session authentication, we also
removed their reliance on CSRF. However, we left the ReverseProxy authentication
here, but this means that POSTs to the API are no longer protected by CSRF.

Now, ReverseProxy authentication is a kind of session authentication, and is
therefore inconsistent with the removal of session from the API.

This PR proposes that we simply remove the ReverseProxy authentication from the
API and therefore users of the API must explicitly use tokens or basic authentication.

Replace go-gitea#22077

Signed-off-by: Andrew Thornton <art27@cantab.net>
zeripath committed Dec 22, 2022
1 parent 7bf7c13 commit fcd7856
Showing 1 changed file with 0 additions and 6 deletions.
6 changes: 0 additions & 6 deletions routers/api/v1/api.go
@@ -232,9 +232,6 @@ func reqExploreSignIn() func(ctx *context.APIContext) {

func reqBasicOrRevProxyAuth() func(ctx *context.APIContext) {
return func(ctx *context.APIContext) {
if ctx.IsSigned && setting.Service.EnableReverseProxyAuth && ctx.Data["AuthedMethod"].(string) == auth.ReverseProxyMethodName {
return
}
if !ctx.Context.IsBasicAuth {
ctx.Error(http.StatusUnauthorized, "reqBasicOrRevProxyAuth", "auth required")
return
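Review bot: after dropping the ReverseProxy branch, the function name `reqBasicOrRevProxyAuth` and the error label passed to `ctx.Error(http.StatusUnauthorized, "reqBasicOrRevProxyAuth", "auth required")` no longer describe what the check does; it now only verifies `ctx.Context.IsBasicAuth`. Consider renaming it (for example to a basic-auth-only name) and updating the label and any call sites so that logs and responses reflect the actual requirement, otherwise operators debugging a 401 will look for a reverse-proxy path that no longer exists.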
@@ -598,9 +595,6 @@ func buildAuthGroup() *auth.Group {
&auth.HTTPSign{},
&auth.Basic{}, // FIXME: this should be removed once we don't allow basic auth in API
)
if setting.Service.EnableReverseProxyAuth {
group.Add(&auth.ReverseProxy{})
}
specialAdd(group)

return group
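Review bot: removing `group.Add(&auth.ReverseProxy{})` means `setting.Service.EnableReverseProxyAuth` silently stops applying to /api/v1/ requests, which is a behaviour change for deployments that rely on proxy-injected identity headers for API calls; this should be called out in the documentation for that setting and in the changelog as a breaking change. The surviving `// FIXME: this should be removed once we don't allow basic auth in API` on `&auth.Basic{}` also now sits oddly next to a commit message that tells API users to "explicitly use tokens or basic authentication"; either reword the FIXME or clarify in the message that basic auth is an interim option.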