gitea/routers
Lunny Xiao 9b4da56963
Remove ReverseProxy authentication from the API (#22219) (#22251)
backport from #22219

Since we changed the /api/v1/ routes to disallow session authentication
we also removed their reliance on CSRF. However, we left the
ReverseProxy authentication here - but this means that POSTs to the API
are no longer protected by CSRF.

Now, ReverseProxy authentication is a kind of session authentication,
and is therefore inconsistent with the removal of session from the API.

This PR proposes that we simply remove the ReverseProxy authentication
from the API and therefore users of the API must explicitly use tokens
or basic authentication.

Replace #22077
Close #22221 
Close #22077 

Signed-off-by: Andrew Thornton <art27@cantab.net>

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: zeripath <art27@cantab.net>
2022-12-27 20:24:43 +01:00
..
api Remove ReverseProxy authentication from the API (#22219) (#22251) 2022-12-27 20:24:43 +01:00
common Add support for HEAD requests in Maven registry (#21834) (#21929) 2022-11-25 13:46:28 +02:00
install Fix token generation when using INTERNAL_TOKEN_URI (#21669) (#21670) 2022-11-03 20:54:25 +00:00
private Refactor git command arguments and make all arguments to be safe to be used (#21535) 2022-10-23 22:44:45 +08:00
utils refactor webhook *NewPost (#20729) 2022-08-11 17:48:23 +02:00
web Ensure that plain files are rendered correctly even when containing ambiguous characters (#22017) (#22160) 2022-12-19 23:51:21 +08:00
init.go Sync git hooks when config file path changed (#21619) (#21626) 2022-10-30 11:17:11 +08:00