Skip to content

Add reverseproxy auth for API back with default disabled #26703

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Sep 7, 2023
Merged

Add reverseproxy auth for API back with default disabled #26703

merged 9 commits into from
Sep 7, 2023

Conversation

lunny
Copy link
Member

@lunny lunny commented Aug 24, 2023
edited
Loading

This feature was removed by #22219 to avoid possible CSRF attack.

This PR takes reverseproxy auth for API back but with default disabled.

To prevent possbile CSRF attack, the responsibility will be the reverseproxy but not Gitea itself.

For those want to enable this ENABLE_REVERSE_PROXY_AUTHENTICATION_API, they should know what they are doing.

@lunny lunny added the type/enhancement An improvement of existing functionality label Aug 24, 2023
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Aug 24, 2023
@techknowlogick
Copy link
Member

cc: @pboguslawski as this is likely relevant to your interests

@lunny lunny added this to the 1.21.0 milestone Aug 24, 2023
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Aug 25, 2023
wolfogre
wolfogre approved these changes Sep 4, 2023
View reviewed changes
Copy link
Member

@wolfogre wolfogre left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. But I would like the author and reviewers of #22219 (@zeripath @jolheiser @delvh) to take a look.

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Sep 4, 2023
@wolfogre wolfogre added the status/blocked This PR cannot be merged yet, i.e. because it depends on another unmerged PR label Sep 4, 2023
jolheiser
jolheiser approved these changes Sep 4, 2023
View reviewed changes
Copy link
Member

@jolheiser jolheiser left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't love it, but I'll concede that some users relied on it and there may not be an ideal alternative yet.

@lunny
Copy link
Member Author

lunny commented Sep 7, 2023

I think we can continue since @zeripath has no response for 3 days.

@lunny lunny added reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. and removed status/blocked This PR cannot be merged yet, i.e. because it depends on another unmerged PR labels Sep 7, 2023
@silverwind silverwind enabled auto-merge (squash) September 7, 2023 08:09
@silverwind silverwind merged commit e97e883 into go-gitea:main Sep 7, 2023
@GiteaBot GiteaBot removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Sep 7, 2023
@lunny lunny deleted the lunny/reverseproxy_auth branch September 7, 2023 08:33
zjjhot added a commit to zjjhot/gitea that referenced this pull request Sep 8, 2023
@zjjhot
Merge remote-tracking branch 'giteaofficial/main'
820ff43 
* giteaofficial/main:
  Add `yamllint` (go-gitea#26965)
  Fix yaml quoting (go-gitea#26964)
  [skip ci] Updated translations via Crowdin
  Add `actions/labeler` (go-gitea#26962)
  Team invite url fix when registration disabled (go-gitea#26950)
  Refactor dashboard/feed.tmpl (go-gitea#26956)
  Improve hint when uploading a too large avatar (go-gitea#26935)
  Replace `util.SliceXxx`  with `slices.Xxx`  (go-gitea#26958)
  Add reverseproxy auth for API back with default disabled (go-gitea#26703)
  Add "dir=auto" for input/textarea elements by default (go-gitea#26735)
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Dec 6, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@silverwind silverwind silverwind approved these changes

@wolfogre wolfogre wolfogre approved these changes

@jolheiser jolheiser jolheiser approved these changes

@delvh delvh delvh approved these changes

Assignees
No one assigned
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. type/enhancement An improvement of existing functionality
Projects
None yet
Milestone
1.21.0
Development

Successfully merging this pull request may close these issues.
7 participants
@lunny @techknowlogick @silverwind @wolfogre @jolheiser @delvh @GiteaBot