Feature #17487

Allow sessions for API calls

Added by Tomáš Strachota over 1 year ago. Updated over 1 year ago.

Status:Closed
Priority:Normal
Assigned To:Tomáš Strachota
Category:API
Target version:Team Marek Iteration 7
Difficulty: Bugzilla link:
Found in release: Pull request:https://github.com/theforeman/foreman/pull/4045
Story points-
Velocity based estimate-
Release1.14.0Release relationshipAuto

Description

Authenticated API calls should allow creating sessions to avoid sending credentials with every request.

Related issues

Related to Hammer CLI - Feature #8016: Ability to use tokenized authentication to hammer in lieu... Closed 10/21/2014

Associated revisions

Revision 9a4ed000
Added by Tomas Strachota over 1 year ago

Fixes #17487 - support sessions for api calls

- authenticated api calls save user to session and set
flag api_authenticated_session
- sessions with such flag allow posting requests without CSRF token
- api sessions exipre the same way as UI sessions
- api sessions don't store any additional data to keep the requests
stateless

This way the standard UI requests as well as API requests authenticated
with session created from UI remain protected against CSRF. At the same
time applications using API (such as hammer) can benefit from using
session authentication and avoid the need of storing two tokens
(CSRF and _session_id).

Revision c4889226
Added by Tomas Strachota over 1 year ago

Fixes #17487 - support sessions for api calls

- authenticated api calls save user to session and set
flag api_authenticated_session
- sessions with such flag allow posting requests without CSRF token
- api sessions exipre the same way as UI sessions
- api sessions don't store any additional data to keep the requests
stateless

This way the standard UI requests as well as API requests authenticated
with session created from UI remain protected against CSRF. At the same
time applications using API (such as hammer) can benefit from using
session authentication and avoid the need of storing two tokens
(CSRF and _session_id).

(cherry picked from commit 9a4ed000ff126d4a7cafa9737c1649a9a3535cd7)

History

#1 Updated by Tomáš Strachota over 1 year ago

  • Related to Feature #8016: Ability to use tokenized authentication to hammer in lieu of username/password in configuration file. added

#2 Updated by The Foreman Bot over 1 year ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/4045 added

#3 Updated by Marek Hulán over 1 year ago

  • Target version changed from Team Marek Iteration 6 to Team Marek Iteration 7

#4 Updated by Anonymous over 1 year ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#5 Updated by Dominic Cleal over 1 year ago

  • Release set to 1.14.0

Also available in: Atom PDF