-
-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove ReverseProxy authentication from the API (#22219) #22252
Conversation
Since we changed the /api/v1/ routes to disallow session authentication we also removed their reliance on CSRF. However, we left the ReverseProxy authentication here - but this means that POSTs to the API are no longer protected by CSRF. Now, ReverseProxy authentication is a kind of session authentication, and is therefore inconsistent with the removal of session from the API. This PR proposes that we simply remove the ReverseProxy authentication from the API and therefore users of the API must explicitly use tokens or basic authentication. Replace go-gitea#22077 Close go-gitea#22221 Close go-gitea#22077 Signed-off-by: Andrew Thornton <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we really backport that to 1.17?
I think this is too breaking to merge into 1.17.
Even if the session removal might have been already done in 1.17 (which I'm unsure of), I don't think it is a good idea to backport a breaking change into a minor
version increase.
With 1.18, we have the benefit that 1.18.0
hasn't been released yet, so it at least should not really affect many people, and people rather expect breaking changes between releases.
But as we want to be semver compatible, I strongly discourage backporting a breaking change for a released major version
|
I approved it as the security fix but it may be ok to only backport it to 1.18 because 1.17 should be obsolete in the next days. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Similar to @KN4CK3R I approve as a security fix
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
because of securityfix
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, apparently the common opinion is to backport it.
Blocking it further is useless then…
backport #22219
Since we changed the /api/v1/ routes to disallow session authentication we also removed their reliance on CSRF. However, we left the ReverseProxy authentication here - but this means that POSTs to the API are no longer protected by CSRF.
Now, ReverseProxy authentication is a kind of session authentication, and is therefore inconsistent with the removal of session from the API.
This PR proposes that we simply remove the ReverseProxy authentication from the API and therefore users of the API must explicitly use tokens or basic authentication.
Replace #22077
Close #22221
Close #22077
Signed-off-by: Andrew Thornton [email protected]