Description
#4840 introduced some significant changes to the way the authentication for the api works. It broke some things where the web ui called the api, namely:
https://github.com/go-gitea/gitea/blob/master/public/js/index.js#L1459
https://github.com/go-gitea/gitea/blob/master/public/js/index.js#L1486
https://github.com/go-gitea/gitea/blob/master/public/js/index.js#L2087
https://github.com/go-gitea/gitea/blob/master/public/js/index.js#L2507
https://github.com/go-gitea/gitea/blob/master/public/js/index.js#L2594
https://github.com/go-gitea/gitea/blob/master/public/js/index.js#L2630
We have two possibilities to solve this:
- Either call the routes using an api token
- Accept using a cookie, but if using a cookie, some kind of crf token to validate the request
IMHO the first solution would be cleaner because if an attacker has a cookie he/she could easily use that to get a new api request token via the web ui, rendering the whole double-check useless. So we could save the hassle to implement the double check with cookie/crf token and use the mechanism which is already there.