From fcd78567785076c4cfc048585529265110626a01 Mon Sep 17 00:00:00 2001
From: Andrew Thornton
Date: Thu, 22 Dec 2022 15:51:08 +0000
Subject: [PATCH] Remove ReverseProxy authentication from the API
Since we changed the /api/v1/ routes to disallow session authentication we also removed their reliance on CSRF. However, we left the ReverseProxy authentication here - but this means that POSTs to the API are no longer protected by CSRF. Now, ReverseProxy authentication is a kind of session authentication, and is therefore inconsistent with the removal of session from the API. This PR proposes that we simply remove the ReverseProxy authentication from the API and therefore users of the API must explicitly use tokens or basic authentication.
Replace #22077
Signed-off-by: Andrew Thornton
---
 routers/api/v1/api.go | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 82ff7ae0befcc..30375b2e58f21 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -232,9 +232,6 @@ func reqExploreSignIn() func(ctx *context.APIContext) {
 func reqBasicOrRevProxyAuth() func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
-		if ctx.IsSigned && setting.Service.EnableReverseProxyAuth && ctx.Data["AuthedMethod"].(string) == auth.ReverseProxyMethodName {
-			return
-		}
 		if !ctx.Context.IsBasicAuth {
 			ctx.Error(http.StatusUnauthorized, "reqBasicOrRevProxyAuth", "auth required")
 			return
@@ -598,9 +595,6 @@ func buildAuthGroup() *auth.Group {
 		&auth.HTTPSign{},
 		&auth.Basic{}, // FIXME: this should be removed once we don't allow basic auth in API
 	)
-	if setting.Service.EnableReverseProxyAuth {
-		group.Add(&auth.ReverseProxy{})
-	}
 	specialAdd(group)
 	return group
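Review bot: With the reverse-proxy branch removed, `reqBasicOrRevProxyAuth` now only enforces `ctx.Context.IsBasicAuth`, so the function name and the `"reqBasicOrRevProxyAuth"` tag passed to `ctx.Error` no longer describe what the middleware checks. Renaming it to `reqBasicAuth` and updating the error tag to match would keep it honest for anyone searching for reverse-proxy handling; its callers are outside this hunk and would need the same rename. If the name is kept for now, a doc comment such as `// reqBasicOrRevProxyAuth rejects requests without HTTP Basic credentials; reverse-proxy auth is deliberately not accepted here because it is session-like and the API carries no CSRF protection.` would record why the branch went away. The enclosing closure continues past the end of the hunk.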
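Review bot: `buildAuthGroup` now omits `auth.ReverseProxy` even when `setting.Service.EnableReverseProxyAuth` is set, and nothing in the code says this is intentional, so a later contributor reading the setting name could re-add it. A comment above `specialAdd(group)` such as `// Reverse-proxy auth is intentionally excluded from the API group: it is session-style authentication and API routes have no CSRF protection, so API clients must use tokens or basic auth.` would anchor the rationale from the commit message in the code. Whether operators who relied on proxy-authenticated API calls should also get a one-time startup log when that setting is enabled is a judgement call beyond this hunk. The `FIXME` on `&auth.Basic{}` is unchanged and still applies.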