Feature #17487

Allow sessions for API calls

Added by Tomáš Strachota over 2 years ago. Updated 11 months ago.

Status: Closed
Priority: Normal
Category: API
Target version:
Difficulty:
Triaged:
Bugzilla link:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Authenticated API calls should allow creating sessions to avoid sending credentials with every request.


Related issues

Related to Hammer CLI - Feature #8016: Ability to use tokenized authentication to hammer in lieu of username/password in configuration file. (Closed, 2014-10-21)

Associated revisions

Revision 9a4ed000 (diff)
Added by Tomáš Strachota over 2 years ago

Fixes #17487 - support sessions for api calls

- authenticated api calls save user to session and set
flag api_authenticated_session
- sessions with such flag allow posting requests without CSRF token
- api sessions expire the same way as UI sessions
- api sessions don't store any additional data to keep the requests
stateless

This way the standard UI requests as well as API requests authenticated
with session created from UI remain protected against CSRF. At the same
time applications using API (such as hammer) can benefit from using
session authentication and avoid the need of storing two tokens
(CSRF and _session_id).

Revision c4889226 (diff)
Added by Tomáš Strachota over 2 years ago

Fixes #17487 - support sessions for api calls

- authenticated api calls save user to session and set
flag api_authenticated_session
- sessions with such flag allow posting requests without CSRF token
- api sessions expire the same way as UI sessions
- api sessions don't store any additional data to keep the requests
stateless

This way the standard UI requests as well as API requests authenticated
with session created from UI remain protected against CSRF. At the same
time applications using API (such as hammer) can benefit from using
session authentication and avoid the need of storing two tokens
(CSRF and _session_id).

(cherry picked from commit 9a4ed000ff126d4a7cafa9737c1649a9a3535cd7)
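
The rules listed in the commit message above, modeled as an added Ruby example; it is not Foreman's code and not part of the original issue. The class `ApiSessionGate`, its method names, the TTL and the plaintext sample user store are assumptions made for illustration.

```ruby
require 'securerandom'
require 'digest'
# Model only, not Foreman code: names, TTL and the user store are assumptions.
class ApiSessionGate
  TTL = 3600 # seconds, constructed value

  def initialize(users)
    @users = users   # { login => password }, constructed sample data
    @sessions = {}   # session_id => session hash
  end

  # UI login: the session gets a CSRF token and no API flag.
  def ui_login(login, password, now)
    return nil unless valid?(login, password)
    create(user: login, csrf_token: SecureRandom.hex(16), expires_at: now + TTL)
  end

  # Handles one API request and returns [http_status, session_id].
  def api_request(verb:, now:, session_id: nil, basic_auth: nil, csrf_token: nil)
    @sessions.delete_if { |_, s| s[:expires_at] <= now } # same expiry for all sessions
    session = @sessions[session_id]
    if session.nil?
      return [401, nil] unless basic_auth && valid?(*basic_auth)
      # Credentials were sent: store only the user and the flag, nothing else.
      session_id = create(user: basic_auth[0], api_authenticated_session: true,
                          expires_at: now + TTL)
      session = @sessions[session_id]
    end
    # A session that began in the UI still needs the token for non-GET calls.
    if verb != :get && !session[:api_authenticated_session] &&
       !same?(csrf_token, session[:csrf_token])
      return [403, session_id]
    end
    [200, session_id]
  end

  private

  def create(data)
    SecureRandom.hex(16).tap { |id| @sessions[id] = data }
  end

  def valid?(login, password)
    @users.key?(login) && same?(password, @users[login])
  end

  # Compares digests without stopping at the first differing byte.
  def same?(a, b)
    da, db = [a, b].map { |s| Digest::SHA256.digest(s.to_s).bytes }
    da.zip(db).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The CSRF exemption is tied to how the session was created, not to the URL being called, so a browser session cookie replayed against an API endpoint gets no exemption.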

History

#1 Updated by Tomáš Strachota over 2 years ago

  • Related to Feature #8016: Ability to use tokenized authentication to hammer in lieu of username/password in configuration file. added

#2 Updated by The Foreman Bot over 2 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/4045 added

#3 Updated by Marek Hulán over 2 years ago

  • Target version changed from 1.4.4 to 1.10.1

#4 Updated by Anonymous over 2 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#5 Updated by Dominic Cleal over 2 years ago

  • Legacy Backlogs Release (now unused) set to 189
