mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-17 15:14:17 -05:00
Creating Token via API with Token authentication is not possible #9577
Closed
opened 2025-11-02 08:43:27 -06:00 by GiteaMirror
·
13 comments
No Branch/Tag Specified
main
release/v1.25
release/v1.24
release/v1.23
release/v1.22
release/v1.21
release/v1.20
release/v1.19
release/v1.18
release/v1.17
release/v1.16
release/v1.15
release/v1.14
release/v1.13
release/v1.12
release/v1.11
release/v1.10
release/v1.9
release/v1.8
v1.25.3
v1.25.2
v1.25.1
v1.25.0
v1.24.7
v1.25.0-rc0
v1.26.0-dev
v1.24.6
v1.24.5
v1.24.4
v1.24.3
v1.24.2
v1.24.1
v1.24.0
v1.23.8
v1.24.0-rc0
v1.25.0-dev
v1.23.7
v1.23.6
v1.23.5
v1.23.4
v1.23.3
v1.23.2
v1.23.1
v1.23.0
v1.23.0-rc0
v1.24.0-dev
v1.22.6
v1.22.5
v1.22.4
v1.22.3
v1.22.2
v1.22.1
v1.22.0
v1.23.0-dev
v1.22.0-rc1
v1.21.11
v1.22.0-rc0
v1.21.10
v1.21.9
v1.21.8
v1.21.7
v1.21.6
v1.21.5
v1.21.4
v1.21.3
v1.21.2
v1.20.6
v1.21.1
v1.21.0
v1.21.0-rc2
v1.21.0-rc1
v1.20.5
v1.22.0-dev
v1.21.0-rc0
v1.20.4
v1.20.3
v1.20.2
v1.20.1
v1.20.0
v1.19.4
v1.21.0-dev
v1.20.0-rc2
v1.20.0-rc1
v1.20.0-rc0
v1.19.3
v1.19.2
v1.19.1
v1.19.0
v1.19.0-rc1
v1.20.0-dev
v1.19.0-rc0
v1.18.5
v1.18.4
v1.18.3
v1.18.2
v1.18.1
v1.18.0
v1.17.4
v1.18.0-rc1
v1.19.0-dev
v1.18.0-rc0
v1.17.3
v1.17.2
v1.17.1
v1.17.0
v1.17.0-rc2
v1.16.9
v1.17.0-rc1
v1.18.0-dev
v1.16.8
v1.16.7
v1.16.6
v1.16.5
v1.16.4
v1.16.3
v1.16.2
v1.16.1
v1.16.0
v1.15.11
v1.17.0-dev
v1.16.0-rc1
v1.15.10
v1.15.9
v1.15.8
v1.15.7
v1.15.6
v1.15.5
v1.15.4
v1.15.3
v1.15.2
v1.15.1
v1.14.7
v1.15.0
v1.15.0-rc3
v1.14.6
v1.15.0-rc2
v1.14.5
v1.16.0-dev
v1.15.0-rc1
v1.14.4
v1.14.3
v1.14.2
v1.14.1
v1.14.0
v1.13.7
v1.14.0-rc2
v1.13.6
v1.13.5
v1.14.0-rc1
v1.15.0-dev
v1.13.4
v1.13.3
v1.13.2
v1.13.1
v1.13.0
v1.12.6
v1.13.0-rc2
v1.14.0-dev
v1.13.0-rc1
v1.12.5
v1.12.4
v1.12.3
v1.12.2
v1.12.1
v1.11.8
v1.12.0
v1.11.7
v1.12.0-rc2
v1.11.6
v1.12.0-rc1
v1.13.0-dev
v1.11.5
v1.11.4
v1.11.3
v1.10.6
v1.12.0-dev
v1.11.2
v1.10.5
v1.11.1
v1.10.4
v1.11.0
v1.11.0-rc2
v1.10.3
v1.11.0-rc1
v1.10.2
v1.10.1
v1.10.0
v1.9.6
v1.9.5
v1.10.0-rc2
v1.11.0-dev
v1.10.0-rc1
v1.9.4
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.9.0-rc2
v1.10.0-dev
v1.9.0-rc1
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.8.0-rc3
v1.7.6
v1.8.0-rc2
v1.7.5
v1.8.0-rc1
v1.9.0-dev
v1.7.4
v1.7.3
v1.7.2
v1.7.1
v1.7.0
v1.7.0-rc3
v1.6.4
v1.7.0-rc2
v1.6.3
v1.7.0-rc1
v1.7.0-dev
v1.6.2
v1.6.1
v1.6.0
v1.6.0-rc2
v1.5.3
v1.6.0-rc1
v1.6.0-dev
v1.5.2
v1.5.1
v1.5.0
v1.5.0-rc2
v1.5.0-rc1
v1.5.0-dev
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.4.0-rc3
v1.4.0-rc2
v1.3.3
v1.4.0-rc1
v1.3.2
v1.3.1
v1.3.0
v1.3.0-rc2
v1.3.0-rc1
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.2.0-rc3
v1.2.0-rc2
v1.1.4
v1.2.0-rc1
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.2
v1.0.1
v1.0.0
v0.9.99
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
Mirrored from GitHub Pull Request
No Label
type/question
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/gitea#9577
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @davidhiendl on GitHub (Sep 16, 2022).
Description
In trying to write a Drone Secrets Extension to allow Drone pipelines to obtain a per-pipeline Gitea API Token automatically I ran into 2 problems:
Response:
{"message":"auth required","url":"https://gitea.test/api/swagger"}Note: The token was created for an admin user account.
Edit: Forgot to mention the same problem seems to be present for listing and deleting tokens as well.
Trying to create API tokens for different users via the API is not possible. In the following example I'm trying to create a token for the user "test123" (the user has been created already). However the token is created for my primary user (the one specified via basic auth credentials).This requires thesudoget param, the URL is however confusing because it also contains ausernamepath param.The reason appears to be that the controller uses the request context user instead of the one specified in the path parameter:
548387b2be/routers/api/v1/user/app.go (L101)Gitea Version
1.17.2
Can you reproduce the bug on the Gitea demo site?
Yes
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
No response
How are you running Gitea?
Database
PostgreSQL
@lunny commented on GitHub (Sep 19, 2022):
You can use
?sudo=my_userwith an admin token.@davidhiendl commented on GitHub (Sep 19, 2022):
@lunny Thanks for the info. Adding GET parameter with the target username works. It is however confusing, that the URL has a
.../{username}/...path param.But the first problem remains: It appears those endpoints don't work with a token.
@abdennour commented on GitHub (Sep 19, 2022):
actually i am using the admin user which is bootstrapped with helm..
tried many times, but always getting
My requirements is to bootstrap many things (organizations, repos,...etc) just after having the Gitea up & running... while doing ZERO manual administration
@davidhiendl commented on GitHub (Sep 19, 2022):
@abdennour Your API URL is wrong, there is an additional "v" in it:
.../apiv/v1/...->.../api/v1/...Also you need to use the sudo-param as @lunny pointed out.
@abdennour commented on GitHub (Sep 19, 2022):
It's typo while copy paste here , not in the source code . Could you confirm if we remove that typo, everything else should work ? I am using the official helm chart to install it BTW
@davidhiendl alsi I already tried with ?sudo=$USERNAME .. but it does not work : (
@davidhiendl commented on GitHub (Sep 19, 2022):
@abdennour I'm using Golang to create users using the
api/v1/admin/usersendpoints and tokens using theapi/v1/users/{user}/tokens?sudo={user}. Works fine.@abdennour commented on GitHub (Sep 19, 2022):
If you could share snippet of code, I would appreciate that. I am familiar with Go and I can proceed with that @davidhiendl
@davidhiendl commented on GitHub (Sep 21, 2022):
@abdennour I've tried to use the API with curl via Ansible for automation and it works just fine. If the following does not work I suspect there is something else wrong on your end.
@davidhiendl commented on GitHub (Sep 21, 2022):
I updated the ticket name and description to better reflect the problem besides the
sudoparam.@abdennour commented on GitHub (Sep 21, 2022):
Thank you @davidhiendl ! Actually, I switched to the CLI and it works like a charm :
tea login add --name admin
tea org list
@abdennour commented on GitHub (Sep 26, 2022):
FYI guys,, you need to generate a token before... then use that token for subsequent calls.
And to generate the token, you need to use this syntax:
Note that body which requires
nameparamThen pipe response with
grep -o -P '(?<=sha1":").*(?=","token)'& your token is parsed. Good luck!@davidhiendl commented on GitHub (Sep 26, 2022):
@abdennour Please read the issue again. The issue is not creating a token using basic auth on the API, but rather creating additional tokens using an already existing token.
@techknowlogick commented on GitHub (Sep 26, 2022):
This is intentionally not possible, and related basic auth will be deprecated in the future (no date set yet). Creating app tokens with existing app tokens may be revisited when scoped tokens are introduced.