Remove dependent on session auth for api/v1 routers (#19321)

* Remove dependent on session auth for api/v1 routers * Remove unnecessary session on API context * remove missed header * fix test * fix missed api/v1
2022-04-08 12:22:10 +08:00 · 2022-04-08 12:22:10 +08:00 · 3c3d49899f
commit 3c3d49899f
parent 75f8534c3a
22 changed files with 219 additions and 161 deletions
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@ -216,7 +216,6 @@ func reqToken() func(ctx *context.APIContext) {
 			return
 		}
 		if ctx.IsSigned {
-			ctx.RequireCSRF()
 			return
 		}
 		ctx.Error(http.StatusUnauthorized, "reqToken", "token is required")
@ -584,8 +583,7 @@ func bind(obj interface{}) http.HandlerFunc {
 func buildAuthGroup() *auth.Group {
 	group := auth.NewGroup(
 		&auth.OAuth2{},
-		&auth.Basic{},      // FIXME: this should be removed once we don't allow basic auth in API
-		auth.SharedSession, // FIXME: this should be removed once all UI don't reference API/v1, see https://github.com/go-gitea/gitea/pull/16052
+		&auth.Basic{}, // FIXME: this should be removed once we don't allow basic auth in API
 	)
 	if setting.Service.EnableReverseProxyAuth {
 		group.Add(&auth.ReverseProxy{})
@ -596,11 +594,9 @@ func buildAuthGroup() *auth.Group {
 }

 // Routes registers all v1 APIs routes to web application.
-func Routes(sessioner func(http.Handler) http.Handler) *web.Route {
+func Routes() *web.Route {
 	m := web.NewRoute()

-	m.Use(sessioner)
-
 	m.Use(securityHeaders())
 	if setting.CORSConfig.Enabled {
 		m.Use(cors.Handler(cors.Options{
@ -609,7 +605,7 @@ func Routes(sessioner func(http.Handler) http.Handler) *web.Route {
 			// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
 			AllowedMethods:   setting.CORSConfig.Methods,
 			AllowCredentials: setting.CORSConfig.AllowCredentials,
-			AllowedHeaders:   []string{"Authorization", "X-CSRFToken", "X-Gitea-OTP"},
+			AllowedHeaders:   []string{"Authorization", "X-Gitea-OTP"},
 			MaxAge:           int(setting.CORSConfig.MaxAge.Seconds()),
 		}))
 	}
--- a/routers/api/v1/misc/swagger.go
+++ b/routers/api/v1/misc/swagger.go
@ -1,21 +0,0 @@
-// Copyright 2017 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package misc
-
-import (
-	"net/http"
-
-	"code.gitea.io/gitea/modules/base"
-	"code.gitea.io/gitea/modules/context"
-)
-
-// tplSwagger swagger page template
-const tplSwagger base.TplName = "swagger/ui"
-
-// Swagger render swagger-ui page with v1 json
-func Swagger(ctx *context.Context) {
-	ctx.Data["APIJSONVersion"] = "v1"
-	ctx.HTML(http.StatusOK, tplSwagger)
-}