Closed
Description
The `Authorization:` header doesn't seem to be working as of 2e05ffd. I haven't yet figured out what's causing this behavior, or if it's something I'm doing wrong. Seeing some possible similarities with some of the symptoms of #3842, particularly the 401 response described there when using `Authorization:`.
How to duplicate:

- Using the /api/swagger web UI, hit the 'Authorize' button and put your token into the AuthorizationHeaderToken value field. Ensure you are logged out of all other authorization methods. Ensure you are logged out of the gitea web UI (no cookies stored in your browser).
- Create a new issue using the swagger web UI; this will fail with a `401 Unauthorized` error.
- Now copy and execute the `curl` command given by the swagger web UI. It also fails. Adding a `-i` flag to curl shows that it is returning a `401 Unauthorized`:

```sh
curl -X POST "http://localhost:4000/api/v1/repos/test1/test1/issues" -H "accept: application/json" -H "Authorization: 65eaa9c8ef52460d22a93307fe0aee76289dc675" -H "Content-Type: application/json" -d "{ \"body\": \"testing\", \"title\": \"test 17\"}" -i
HTTP/1.1 401 Unauthorized
Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
Set-Cookie: i_like_gitea=7e17b9f254cd0cc4; Path=/; HttpOnly
Set-Cookie: _csrf=vW3ET5wQ62_IHnj5j08A9KUfXQM6MTUyODkwODc5OTkyOTI5OTUxNw%3D%3D; Path=/; Expires=Thu, 14 Jun 2018 16:53:19 GMT
X-Frame-Options: SAMEORIGIN
Date: Wed, 13 Jun 2018 16:53:19 GMT
Content-Length: 0
```

- Go back and hit the Authorize button again, log out of AuthorizationHeaderToken, and instead paste your token in the `Token` value field.
- Try creating a new issue using the swagger web UI again; this will succeed.
Activity

stevegt commented on Jun 14, 2018
Closing for now because I'm probably an idiot -- the `Authorization:` header probably isn't supposed to work with the same token type that works in the query string, and I should probably know better.

stevegt commented on Jun 14, 2018
Okay, for anyone landing here from google -- the way to get the `Authorization:` header to work from gitea API clients is to use your normal API key token, the same one you would use in the `token=` string in a GET request, but with the word `token` prepended. Like this:

In a `curl` command, for instance, this would look like:

The code that parses this is at gitea/modules/auth/auth.go, Line 47 in 6efdcae.
Some related points:

- `X-API-Key` header described in https://swagger.io/docs/specification/authentication/api-keys/ -- this might mean we're non-compliant with the openapi standard.
- `Authorization: token ...` just because github does.
just because github does.flesh out API usage docs
Create api-usage doc page (#4306)
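For anyone who wants to see the behaviour this thread describes in runnable form, here is an added Go example. It is not Gitea's code and not from the issue author; it reimplements the token lookup the last comment describes (a `token=` query parameter first, then an `Authorization: token <value>` header) behind an in-process handler, and shows that a bare token in the header produces the 401 from the report while the `token`-prefixed form is accepted. The handler, the 201 success code, the sample token value and the rejection of a `Bearer` prefix are assumptions of this demo, not a statement of what Gitea's auth.go does at the line cited above.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sampleToken is a constructed value for the demo, not a real Gitea token.
const sampleToken = "0123456789abcdef0123456789abcdef01234567"

// TokenFromRequest follows the lookup order described in the thread:
// a ?token= query parameter first, then an "Authorization: token <value>"
// header. A bare token in the header (one field, no "token" prefix) is not
// recognised, which is what yields the 401 in the report. This is an
// illustrative reimplementation, not Gitea's auth.go.
func TokenFromRequest(r *http.Request) string {
	if t := r.URL.Query().Get("token"); t != "" {
		return t
	}
	parts := strings.Fields(r.Header.Get("Authorization"))
	if len(parts) == 2 && parts[0] == "token" {
		return parts[1]
	}
	return ""
}

// Authorized compares the presented token with the known one in constant
// time, so a rejected request leaks nothing about how many bytes matched.
func Authorized(r *http.Request) bool {
	t := TokenFromRequest(r)
	return t != "" &&
		subtle.ConstantTimeCompare([]byte(t), []byte(sampleToken)) == 1
}

// IssueHandler stands in for the create-issue endpoint (assumed for the
// demo): 201 when the request is authorized, 401 with an empty body otherwise.
func IssueHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		w.WriteHeader(http.StatusMethodNotAllowed)
		return
	}
	if !Authorized(r) {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	w.WriteHeader(http.StatusCreated)
}

// StatusFor builds the POST from the report (same path and JSON body),
// attaches the given Authorization header value and/or query string, runs
// it through IssueHandler in-process and returns the resulting status code.
func StatusFor(authHeader, query string) int {
	body := strings.NewReader(`{"body": "testing", "title": "test 17"}`)
	req := httptest.NewRequest(http.MethodPost,
		"/api/v1/repos/test1/test1/issues"+query, body)
	req.Header.Set("Content-Type", "application/json")
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	rec := httptest.NewRecorder()
	IssueHandler(rec, req)
	return rec.Code
}

func main() {
	cases := []struct{ name, header, query string }{
		{"bare token in header (the report)", sampleToken, ""},
		{"token-prefixed header (the fix)", "token " + sampleToken, ""},
		{"query string token=", "", "?token=" + sampleToken},
		{"wrong token", "token deadbeef", ""},
		{"Bearer prefix (not accepted here)", "Bearer " + sampleToken, ""},
	}
	for _, c := range cases {
		fmt.Printf("%-36s -> %d\n", c.name, StatusFor(c.header, c.query))
	}
}
```

The first case reproduces the 401 from the curl transcript in the description; the second is the `token`-prefixed header the comment recommends. The constant-time comparison is a habit worth keeping in any token check even though the thread does not discuss it.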