github-starred/gitea
2
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-03-25 07:56:03 -05:00
Code Issues 2.6k Packages Projects Releases 100 Wiki Activity

API Authorization: header not working #1931

New Issue
Closed
opened 2025-11-02 04:18:07 -06:00 by GiteaMirror · 2 comments
GiteaMirror commented 2025-11-02 04:18:07 -06:00
Owner
Copy Link

Originally created by @stevegt on GitHub (Jun 13, 2018).

The Authorization: header doesn't seem to be working as of 2e05ffd6b6. I haven't yet figured out what's causing this behavior, or if it's something I'm doing wrong. Seeing some possible similarities with some of the symptoms of #3842, particularly the 401 response described there when using Authorization:.

How to duplicate:

  • Using the /api/swagger web UI, hit the 'Authorize' button and put your token into the AuthorizationHeaderToken value field. Ensure you are logged out of all other authorization methods. Ensure you are logged out of the gitea web UI (no cookies stored in your browser).
  • Create a new issue using the swagger web UI; this will fail with a 401 Unauthorized error.
  • Now copy and execute the curl command given by the swagger web UI. It also fails. Adding a -i flag to curl shows that it is returning a 401 Unauthorized:
curl -X POST "http://localhost:4000/api/v1/repos/test1/test1/issues" -H "accept: application/json" -H "Authorization: 65eaa9c8ef52460d22a93307fe0aee76289dc675" -H "Content-Type: application/json" -d "{ \"body\": \"testing\", \"title\": \"test 17\"}" -i
HTTP/1.1 401 Unauthorized
Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
Set-Cookie: i_like_gitea=7e17b9f254cd0cc4; Path=/; HttpOnly
Set-Cookie: _csrf=vW3ET5wQ62_IHnj5j08A9KUfXQM6MTUyODkwODc5OTkyOTI5OTUxNw%3D%3D; Path=/; Expires=Thu, 14 Jun 2018 16:53:19 GMT
X-Frame-Options: SAMEORIGIN
Date: Wed, 13 Jun 2018 16:53:19 GMT
Content-Length: 0
  • Go back and hit the Authorize button again, log out of AuthorizationHeaderToken, and instead paste your token in the Token value field.
  • Try creating a new issue using the swagger web UI again; this will succeed.
Originally created by @stevegt on GitHub (Jun 13, 2018). The `Authorization:` header doesn't seem to be working as of 2e05ffd6b6f264483ced3ad2bec62f8c0d6c9bdd. I haven't yet figured out what's causing this behavior, or if it's something I'm doing wrong. Seeing some possible similarities with some of the symptoms of #3842, particularly the 401 response described there when using `Authorization:`. How to duplicate: - Using the /api/swagger web UI, hit the 'Authorize' button and put your token into the AuthorizationHeaderToken value field. Ensure you are logged out of all other authorization methods. Ensure you are logged out of the gitea web UI (no cookies stored in your browser). - Create a new issue using the swagger web UI; this will fail with a `401 Unauthorized` error. - Now copy and execute the `curl` command given by the swagger web UI. It also fails. Adding a `-i` flag to curl shows that it is returning a `401 Unauthorized`: <pre> curl -X POST "http://localhost:4000/api/v1/repos/test1/test1/issues" -H "accept: application/json" -H "Authorization: 65eaa9c8ef52460d22a93307fe0aee76289dc675" -H "Content-Type: application/json" -d "{ \"body\": \"testing\", \"title\": \"test 17\"}" -i HTTP/1.1 401 Unauthorized Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647 Set-Cookie: i_like_gitea=7e17b9f254cd0cc4; Path=/; HttpOnly Set-Cookie: _csrf=vW3ET5wQ62_IHnj5j08A9KUfXQM6MTUyODkwODc5OTkyOTI5OTUxNw%3D%3D; Path=/; Expires=Thu, 14 Jun 2018 16:53:19 GMT X-Frame-Options: SAMEORIGIN Date: Wed, 13 Jun 2018 16:53:19 GMT Content-Length: 0 </pre> - Go back and hit the `Authorize` button again, log out of AuthorizationHeaderToken, and instead paste your token in the `Token` value field. - Try creating a new issue using the swagger web UI again; this will succeed.
GiteaMirror commented 2025-11-02 04:18:08 -06:00
Author
Owner
Copy Link

@stevegt commented on GitHub (Jun 14, 2018):

Closing for now because I'm probably an idiot -- the Authorization: header probably isn't supposed to work with the same token type that works in the query string, and I should probably know better.

@stevegt commented on GitHub (Jun 14, 2018): Closing for now because I'm probably an idiot -- the `Authorization:` header probably isn't supposed to work with the same token type that works in the query string, and I should probably know better.
GiteaMirror commented 2025-11-02 04:18:08 -06:00
Author
Owner
Copy Link

@stevegt commented on GitHub (Jun 14, 2018):

Okay, for anyone landing here from google -- the way to get the Authorization: header to work from gitea API clients is to use your normal API key token, the same one you would use in the token= string in a GET request, but with the word token prepended. Like this:

Authorization: token 65eaa9c8ef52460d22a93307fe0aee76289dc675

In a curl command, for instance, this would look like:

curl -X POST "http://localhost:4000/api/v1/repos/test1/test1/issues" -H "accept: application/json" -H "Authorization: token 65eaa9c8ef52460d22a93307fe0aee76289dc675" -H "Content-Type: application/json" -d "{ \"body\": \"testing\", \"title\": \"test 20\"}" -i

The code that parses this is at 6efdcaed86/modules/auth/auth.go (L47)

Some related points:

  • Gitea doesn't support the X-API-Key header described in https://swagger.io/docs/specification/authentication/api-keys/ -- this might mean we're non-compliant with the openapi standard.
  • I think we use Authorization: token ... just because github does.
  • I do know this issue cost me a day of confusion. After I knew what to look for, finding #3673 as a dup of #4243 was trivial. As #3673 says, we need some sort of client API docs or guide.
@stevegt commented on GitHub (Jun 14, 2018): Okay, for anyone landing here from google -- the way to get the `Authorization:` header to work from gitea API clients is to use your normal API key token, the same one you would use in the `token=` string in a GET request, but with the word `token` prepended. Like this: <pre> Authorization: token 65eaa9c8ef52460d22a93307fe0aee76289dc675 </pre> In a `curl` command, for instance, this would look like: <pre> curl -X POST "http://localhost:4000/api/v1/repos/test1/test1/issues" -H "accept: application/json" -H "Authorization: token 65eaa9c8ef52460d22a93307fe0aee76289dc675" -H "Content-Type: application/json" -d "{ \"body\": \"testing\", \"title\": \"test 20\"}" -i </pre> The code that parses this is at https://github.com/go-gitea/gitea/blob/6efdcaed86565c91a3dc77631372a9cc45a58e89/modules/auth/auth.go#L47 Some related points: - Gitea doesn't support the `X-API-Key` header described in https://swagger.io/docs/specification/authentication/api-keys/ -- this might mean we're non-compliant with the openapi standard. - I think we use `Authorization: token ...` just because github does. - I do know this issue cost me a day of confusion. After I knew what to look for, finding #3673 as a dup of #4243 was trivial. As #3673 says, we need some sort of client API docs or guide.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
Mirrored from GitHub Pull Request
 reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#1931
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?