Allow sessions for API calls
|Assigned To:||Tomáš Strachota|
|Target version:||Team Marek Iteration 7|
|Found in release:||Pull request:||https://github.com/theforeman/foreman/pull/4045|
|Velocity based estimate||-|
Authenticated API calls should allow creating sessions to avoid sending credentials with every request.
Fixes #17487 - support sessions for api calls
- authenticated api calls save user to session and set
- sessions with such flag allow posting requests without CSRF token
- api sessions exipre the same way as UI sessions
- api sessions don't store any additional data to keep the requests
This way the standard UI requests as well as API requests authenticated
with session created from UI remain protected against CSRF. At the same
time applications using API (such as hammer) can benefit from using
session authentication and avoid the need of storing two tokens
(CSRF and _session_id).