Creating Token via API with Token authentication is not possible #9577

Closed
opened 2025-11-02 08:43:27 -06:00 by GiteaMirror · 13 comments
Owner

Originally created by @davidhiendl on GitHub (Sep 16, 2022).

Description

In trying to write a Drone Secrets Extension to allow Drone pipelines to obtain a per-pipeline Gitea API Token automatically I ran into 2 problems:

  1. Trying to create a token for a user does not work when using a token for authorization:
curl -X 'POST' \
  'https://gitea.test/api/v1/users/test123/tokens' \
  -H 'accept: application/json' \
  -H 'Authorization: token xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'Content-Type: application/json' \
  -d '{
  "name": "drone_123123_2022-09-16-14-00"
}'

Response: {"message":"auth required","url":"https://gitea.test/api/swagger"}
Note: The token was created for an admin user account.

Edit: Forgot to mention the same problem seems to be present for listing and deleting tokens as well.

  1. Trying to create API tokens for different users via the API is not possible. In the following example I'm trying to create a token for the user "test123" (the user has been created already). However the token is created for my primary user (the one specified via basic auth credentials). This requires the sudo get param, the URL is however confusing because it also contains a username path param.
curl -X 'POST' \
  'https://gitea.test/api/v1/users/test123/tokens' \
  -H 'accept: application/json' \
  -u "admin:xxxxxxxx" \
  -H 'Content-Type: application/json' \
  -d '{
  "name": "drone_123123_2022-09-16-14-00"
}'

The reason appears to be that the controller uses the request context user instead of the one specified in the path parameter:
548387b2be/routers/api/v1/user/app.go (L101)

Gitea Version

1.17.2

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

  • official docker image
  • deployed via helm chart

Database

PostgreSQL

Originally created by @davidhiendl on GitHub (Sep 16, 2022). ### Description In trying to write a Drone Secrets Extension to allow Drone pipelines to obtain a per-pipeline Gitea API Token automatically I ran into 2 problems: 1. Trying to create a token for a user does not work when using a token for authorization: ```bash curl -X 'POST' \ 'https://gitea.test/api/v1/users/test123/tokens' \ -H 'accept: application/json' \ -H 'Authorization: token xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \ -H 'Content-Type: application/json' \ -d '{ "name": "drone_123123_2022-09-16-14-00" }' ``` Response: `{"message":"auth required","url":"https://gitea.test/api/swagger"}` Note: The token was created for an admin user account. **Edit**: Forgot to mention the same problem seems to be present for listing and deleting tokens as well. 2. ~~Trying to create API tokens for different users via the API is not possible. In the following example I'm trying to create a token for the user "test123" (the user has been created already). However the token is created for my primary user (the one specified via basic auth credentials).~~ This requires the `sudo` get param, the URL is however confusing because it also contains a `username` path param. ```bash curl -X 'POST' \ 'https://gitea.test/api/v1/users/test123/tokens' \ -H 'accept: application/json' \ -u "admin:xxxxxxxx" \ -H 'Content-Type: application/json' \ -d '{ "name": "drone_123123_2022-09-16-14-00" }' ``` The reason appears to be that the controller uses the request context user instead of the one specified in the path parameter: https://github.com/go-gitea/gitea/blob/548387b2beaaaeb6b1c32c3c6f226b8f53aafecb/routers/api/v1/user/app.go#L101 ### Gitea Version 1.17.2 ### Can you reproduce the bug on the Gitea demo site? Yes ### Log Gist _No response_ ### Screenshots _No response_ ### Git Version _No response_ ### Operating System _No response_ ### How are you running Gitea? - official docker image - deployed via helm chart ### Database PostgreSQL
GiteaMirror added the type/question label 2025-11-02 08:43:27 -06:00
Author
Owner

@lunny commented on GitHub (Sep 19, 2022):

You can use ?sudo=my_user with an admin token.

@lunny commented on GitHub (Sep 19, 2022): You can use `?sudo=my_user` with an admin token.
Author
Owner

@davidhiendl commented on GitHub (Sep 19, 2022):

@lunny Thanks for the info. Adding GET parameter with the target username works. It is however confusing, that the URL has a .../{username}/... path param.
But the first problem remains: It appears those endpoints don't work with a token.

@davidhiendl commented on GitHub (Sep 19, 2022): @lunny Thanks for the info. Adding GET parameter with the target username works. It is however confusing, that the URL has a `.../{username}/...` path param. But the first problem remains: It appears those endpoints don't work with a token.
Author
Owner

@abdennour commented on GitHub (Sep 19, 2022):

actually i am using the admin user which is bootstrapped with helm..

base_url=http://$USERNAME:$PASSWORD@gitea:3000/api/v1
curl -u $USERNAME:$PASSWORD -X POST ${base_url}/users/$USERNAME/tokens 

tried many times, but always getting

{"message":"auth required","url":"http://gitea:3000"}

My requirements is to bootstrap many things (organizations, repos,...etc) just after having the Gitea up & running... while doing ZERO manual administration

@abdennour commented on GitHub (Sep 19, 2022): actually i am using the admin user which is bootstrapped with helm.. ```sh base_url=http://$USERNAME:$PASSWORD@gitea:3000/api/v1 curl -u $USERNAME:$PASSWORD -X POST ${base_url}/users/$USERNAME/tokens ``` tried many times, but always getting ``` {"message":"auth required","url":"http://gitea:3000"} ``` My requirements is to bootstrap many things (organizations, repos,...etc) just after having the Gitea up & running... while doing ZERO manual administration
Author
Owner

@davidhiendl commented on GitHub (Sep 19, 2022):

@abdennour Your API URL is wrong, there is an additional "v" in it: .../apiv/v1/... -> .../api/v1/...
Also you need to use the sudo-param as @lunny pointed out.

@davidhiendl commented on GitHub (Sep 19, 2022): @abdennour Your API URL is wrong, there is an additional "v" in it: `.../apiv/v1/...` -> `.../api/v1/...` Also you need to use the sudo-param as @lunny pointed out.
Author
Owner

@abdennour commented on GitHub (Sep 19, 2022):

It's typo while copy paste here , not in the source code . Could you confirm if we remove that typo, everything else should work ? I am using the official helm chart to install it BTW

@davidhiendl alsi I already tried with ?sudo=$USERNAME .. but it does not work : (

@abdennour commented on GitHub (Sep 19, 2022): It's typo while copy paste here , not in the source code . Could you confirm if we remove that typo, everything else should work ? I am using the official helm chart to install it BTW @davidhiendl alsi I already tried with ?sudo=$USERNAME .. but it does not work : (
Author
Owner

@davidhiendl commented on GitHub (Sep 19, 2022):

@abdennour I'm using Golang to create users using the api/v1/admin/users endpoints and tokens using the api/v1/users/{user}/tokens?sudo={user}. Works fine.

@davidhiendl commented on GitHub (Sep 19, 2022): @abdennour I'm using Golang to create users using the `api/v1/admin/users` endpoints and tokens using the `api/v1/users/{user}/tokens?sudo={user}`. Works fine.
Author
Owner

@abdennour commented on GitHub (Sep 19, 2022):

If you could share snippet of code, I would appreciate that. I am familiar with Go and I can proceed with that @davidhiendl

@abdennour commented on GitHub (Sep 19, 2022): If you could share snippet of code, I would appreciate that. I am familiar with Go and I can proceed with that @davidhiendl
Author
Owner

@davidhiendl commented on GitHub (Sep 21, 2022):

@abdennour I've tried to use the API with curl via Ansible for automation and it works just fine. If the following does not work I suspect there is something else wrong on your end.

curl -X 'POST' \
  'https://gitea.example.com/api/v1/admin/users' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -u "adminuser:adminpassword" \
  -d '{
  "email": "user@example.com",
  "full_name": "Example User",
  "login_name": "example",
  "must_change_password": true,
  "password": "example123",
  "restricted": true,
  "send_notify": true,
  "username": "example"
}'
@davidhiendl commented on GitHub (Sep 21, 2022): @abdennour I've tried to use the API with curl via Ansible for automation and it works just fine. If the following does not work I suspect there is something else wrong on your end. ```bash curl -X 'POST' \ 'https://gitea.example.com/api/v1/admin/users' \ -H 'accept: application/json' \ -H 'Content-Type: application/json' \ -u "adminuser:adminpassword" \ -d '{ "email": "user@example.com", "full_name": "Example User", "login_name": "example", "must_change_password": true, "password": "example123", "restricted": true, "send_notify": true, "username": "example" }' ```
Author
Owner

@davidhiendl commented on GitHub (Sep 21, 2022):

I updated the ticket name and description to better reflect the problem besides the sudo param.

@davidhiendl commented on GitHub (Sep 21, 2022): I updated the ticket name and description to better reflect the problem besides the `sudo` param.
Author
Owner

@abdennour commented on GitHub (Sep 21, 2022):

Thank you @davidhiendl ! Actually, I switched to the CLI and it works like a charm :

tea login add --name admin
tea org list

docker run -it --rm \
  -e GITEA_SERVER_URL=http://gitea:3000 \
  -e GITEA_SERVER_USER=gitea_admin \
  -e GITEA_SERVER_PASSWORD=**** \
  abdennour/gitea-cli:0.9.0-alpine \
    organizations list
@abdennour commented on GitHub (Sep 21, 2022): Thank you @davidhiendl ! Actually, I switched to the CLI and it works like a charm : tea login add --name admin tea org list ```sh docker run -it --rm \ -e GITEA_SERVER_URL=http://gitea:3000 \ -e GITEA_SERVER_USER=gitea_admin \ -e GITEA_SERVER_PASSWORD=**** \ abdennour/gitea-cli:0.9.0-alpine \ organizations list ```
Author
Owner

@abdennour commented on GitHub (Sep 26, 2022):

FYI guys,, you need to generate a token before... then use that token for subsequent calls.
And to generate the token, you need to use this syntax:

curl -X POST -u ${GITEA_SERVER_USER}:${GITEA_SERVER_PASSWORD} "${GITEA_SERVER_URL}/api/v1/users/${GITEA_SERVER_USER}/tokens" -H  "accept: application/json" -H "Content-Type: application/json" -d "{  
	\"name\": \"${TOKENNAME}\"
}"

Note that body which requires name param
Then pipe response with grep -o -P '(?<=sha1":").*(?=","token)' & your token is parsed. Good luck!

@abdennour commented on GitHub (Sep 26, 2022): FYI guys,, you need to generate a token before... then use that token for subsequent calls. And to generate the token, you need to use this syntax: ```sh curl -X POST -u ${GITEA_SERVER_USER}:${GITEA_SERVER_PASSWORD} "${GITEA_SERVER_URL}/api/v1/users/${GITEA_SERVER_USER}/tokens" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"name\": \"${TOKENNAME}\" }" ``` Note that body which requires `name` param Then pipe response with `grep -o -P '(?<=sha1":").*(?=","token)'` & your token is parsed. Good luck!
Author
Owner

@davidhiendl commented on GitHub (Sep 26, 2022):

@abdennour Please read the issue again. The issue is not creating a token using basic auth on the API, but rather creating additional tokens using an already existing token.

@davidhiendl commented on GitHub (Sep 26, 2022): @abdennour Please read the issue again. The issue is not creating a token using basic auth on the API, but rather creating **additional** tokens using an already existing token.
Author
Owner

@techknowlogick commented on GitHub (Sep 26, 2022):

using an already existing token.

This is intentionally not possible, and related basic auth will be deprecated in the future (no date set yet). Creating app tokens with existing app tokens may be revisited when scoped tokens are introduced.

@techknowlogick commented on GitHub (Sep 26, 2022): > using an already existing token. This is intentionally not possible, and related basic auth will be deprecated in the future (no date set yet). Creating app tokens with existing app tokens may be revisited when scoped tokens are introduced.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#9577