Remove dependent on session auth for api/v1 routers (#19321)

* Remove dependent on session auth for api/v1 routers * Remove unnecessary session on API context * remove missed header * fix test * fix missed api/v1
2025-10-26 12:27:06 +00:00 · 2022-04-08 12:22:10 +08:00
parent 75f8534c3a
commit 3c3d49899f
22 changed files with 219 additions and 161 deletions
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -8,7 +8,6 @@ package context
 import (
 	"context"
 	"fmt"
-	"html"
 	"net/http"
 	"net/url"
 	"strings"
@@ -20,8 +19,6 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/web/middleware"
 	auth_service "code.gitea.io/gitea/services/auth"
-
-	"gitea.com/go-chi/session"
 )

 // APIContext is a specific context for API service
@@ -191,17 +188,6 @@ func (ctx *APIContext) SetLinkHeader(total, pageSize int) {
 	}
 }

-// RequireCSRF requires a validated a CSRF token
-func (ctx *APIContext) RequireCSRF() {
-	headerToken := ctx.Req.Header.Get(ctx.csrf.GetHeaderName())
-	formValueToken := ctx.Req.FormValue(ctx.csrf.GetFormName())
-	if len(headerToken) > 0 || len(formValueToken) > 0 {
-		Validate(ctx.Context, ctx.csrf)
-	} else {
-		ctx.Context.Error(http.StatusUnauthorized, "Missing CSRF token.")
-	}
-}
-
 // CheckForOTP validates OTP
 func (ctx *APIContext) CheckForOTP() {
 	if skip, ok := ctx.Data["SkipLocalTwoFA"]; ok && skip.(bool) {
@@ -253,17 +239,14 @@ func APIAuth(authMethod auth_service.Method) func(*APIContext) {

 // APIContexter returns apicontext as middleware
 func APIContexter() func(http.Handler) http.Handler {
-	csrfOpts := getCsrfOpts()
-
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 			locale := middleware.Locale(w, req)
 			ctx := APIContext{
 				Context: &Context{
-					Resp:    NewResponse(w),
-					Data:    map[string]interface{}{},
-					Locale:  locale,
-					Session: session.GetSession(req),
+					Resp:   NewResponse(w),
+					Data:   map[string]interface{}{},
+					Locale: locale,
 					Repo: &Repository{
 						PullRequest: &PullRequest{},
 					},
@@ -273,7 +256,6 @@ func APIContexter() func(http.Handler) http.Handler {
 			}

 			ctx.Req = WithAPIContext(WithContext(req, ctx.Context), &ctx)
-			ctx.csrf = Csrfer(csrfOpts, ctx.Context)

 			// If request sends files, parse them here otherwise the Query() can't be parsed and the CsrfToken will be invalid.
 			if ctx.Req.Method == "POST" && strings.Contains(ctx.Req.Header.Get("Content-Type"), "multipart/form-data") {
@@ -285,7 +267,6 @@ func APIContexter() func(http.Handler) http.Handler {

 			ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)

-			ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
 			ctx.Data["Context"] = &ctx

 			next.ServeHTTP(ctx.Resp, ctx.Req)