Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Remove ReverseProxy authentication from the API
Since we changed the /api/v1/ routes to disallow session authentication we also removed their reliance on CSRF. However, we left the ReverseProxy authentication here - but this means that POSTs to the API are no longer protected by CSRF. Now, ReverseProxy authentication is a kind of session authentication, and is therefore inconsistent with the removal of session from the API. This PR proposes that we simply remove the ReverseProxy authentication from the API and therefore users of the API must explicitly use tokens or basic authentication. Replace go-gitea#22077 Signed-off-by: Andrew Thornton <art27@cantab.net>
- Loading branch information