diff options
author | Rémy Coutable <remy@gitlab.com> | 2016-09-19 16:04:04 +0300 |
---|---|---|
committer | Rémy Coutable <remy@rymai.me> | 2016-09-19 16:50:49 +0300 |
commit | 8ddfeec8b29e0c053ee5e1c16e660382d7abe44f (patch) | |
tree | 7b269ba25e3b5714185d0515f260531efa784749 /doc | |
parent | d7ee1e7eee6f125a73527e675c0e0ab368e58b53 (diff) |
Merge branch '18302-use-rails-cookie-in-api' into 'master'
Allow the Rails cookie to be used for API authentication
Makes the Rails cookie into a valid authentication token for the Grape
API, and uses it instead of token authentication in frontend code that
uses the API.
Rendering the private token into client-side javascript is a security
risk; it may be stolen through XSS or other attacks. In general,
re-using API code in the frontend is more desirable than implementing
endless actions that return JSON.
Closes #18302
See merge request !1995
Signed-off-by: Rémy Coutable <remy@rymai.me>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/api/README.md | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/doc/api/README.md b/doc/api/README.md index d1e6c54c521..81d0e3e6451 100644 --- a/doc/api/README.md +++ b/doc/api/README.md @@ -47,11 +47,12 @@ The following documentation is for the [internal CI API](ci/README.md): ## Authentication -All API requests require authentication via a token. There are three types of tokens -available: private tokens, OAuth 2 tokens, and personal access tokens. +All API requests require authentication via a session cookie or token. There are +three types of tokens available: private tokens, OAuth 2 tokens, and personal +access tokens. -If a token is invalid or omitted, an error message will be returned with -status code `401`: +If authentication information is invalid or omitted, an error message will be +returned with status code `401`: ```json { @@ -90,6 +91,13 @@ that needs access to the GitLab API. Once you have your token, pass it to the API using either the `private_token` parameter or the `PRIVATE-TOKEN` header. + +### Session cookie + +When signing in to GitLab as an ordinary user, a `_gitlab_session` cookie is +set. The API will use this cookie for authentication if it is present, but using +the API to generate a new session cookie is currently not supported. + ## Basic Usage API requests should be prefixed with `api` and the API version. The API version |