forgejo/routers/api/v1
Lunny Xiao 9b4da56963
Remove ReverseProxy authentication from the API (#22219) (#22251)
backport from #22219

Since we changed the /api/v1/ routes to disallow session authentication
we also removed their reliance on CSRF. However, we left the
ReverseProxy authentication here - but this means that POSTs to the API
are no longer protected by CSRF.

Now, ReverseProxy authentication is a kind of session authentication,
and is therefore inconsistent with the removal of session from the API.

This PR proposes that we simply remove the ReverseProxy authentication
from the API and therefore users of the API must explicitly use tokens
or basic authentication.

Replace #22077
Close #22221 
Close #22077 

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: zeripath <art27@cantab.net>
2022-12-27 20:24:43 +01:00
activitypub Replace all instances of fmt.Errorf(%v) with fmt.Errorf(%w) (#21551) 2022-10-24 20:29:17 +01:00
admin Move some files into models' sub packages (#20262) 2022-08-25 10:31:57 +08:00
misc Replace all instances of fmt.Errorf(%v) with fmt.Errorf(%w) (#21551) 2022-10-24 20:29:17 +01:00
notify Move some files into models' sub packages (#20262) 2022-08-25 10:31:57 +08:00
org [API] teamSearch show teams with no members if user is admin (#21204) 2022-09-19 20:02:29 +08:00
packages Add support for Vagrant packages (#20930) 2022-08-29 15:04:45 +08:00
repo Allow empty assignees on pull request edit (#22150) (#22214) 2022-12-22 13:40:07 +01:00
settings Make mirror feature more configurable (#16957) 2021-09-07 17:49:36 +02:00
swagger Add API endpoint to get changed files of a PR (#21177) 2022-09-29 04:27:20 +02:00
user Record OAuth client type at registration (#21316) 2022-10-24 15:59:24 +08:00
utils Webhook for Wiki changes (#20219) 2022-09-04 20:54:23 +01:00
api.go Remove ReverseProxy authentication from the API (#22219) (#22251) 2022-12-27 20:24:43 +01:00
auth.go Remove legacy +build: constraint (#19582) 2022-05-02 23:22:45 +08:00
auth_windows.go Let web and API routes have different auth methods group (#19168) 2022-03-28 12:46:28 +08:00