mirror of
1
Fork 0
forgejo/routers
zeripath 83640c449e
Remove ReverseProxy authentication from the API (#22219)
Since we changed the /api/v1/ routes to disallow session authentication
we also removed their reliance on CSRF. However, we left the
ReverseProxy authentication here - but this means that POSTs to the API
are no longer protected by CSRF.

Now, ReverseProxy authentication is a kind of session authentication,
and is therefore inconsistent with the removal of session from the API.

This PR proposes that we simply remove the ReverseProxy authentication
from the API and therefore users of the API must explicitly use tokens
or basic authentication.

Replace #22077
Close #22221 
Close #22077 

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-12-27 08:34:05 +08:00
..
api Remove ReverseProxy authentication from the API (#22219) 2022-12-27 08:34:05 +08:00
common Support disabling database auto migration (#22053) 2022-12-07 09:58:31 -06:00
install Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
private refactor bind functions based on generics (#22055) 2022-12-12 16:09:26 +08:00
utils Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
web Add Feed for Releases and Tags (#21696) 2022-12-21 15:06:26 -06:00
init.go Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00