[FR] Allow authenticating via session cookie + csrf key & csrf token #1098

Open
kiprasmel opened this issue Aug 22, 2020 · 2 comments
Labels
type:feature Changes add a new feature


@kiprasmel
Contributor

kiprasmel commented Aug 22, 2020

Description

There's a _gitlab_session cookie present once you log in to GitLab, whose access is restricted, but through a browser extension with some permissions (cookies, hosts & something else - I forget) you're able to get the cookie.

And with it - you can authenticate. Well, almost - AFAIK the docs don't specify that, but you need to also add the csrf-param & csrf-token to the request to be able to fully authenticate.

Here's the request in its simplest form, allowing you to perform authenticated actions - just as if you were authenticated with an API token (I assume, there're probably some differences):

# Plain assignments (no trailing backslashes), so the shell expands them in the curl command below.
SAMPLE_PROJECT_ID="20434942"
SAMPLE_ACTION="issues?title=test+issue&labels=fake"
GITLAB_SESSION_KEY="_gitlab_session"
GITLAB_SESSION_TOKEN="<the value of _gitlab_session cookie>"
GITLAB_CSRF_KEY="authenticity_token"
GITLAB_CSRF_TOKEN="<the value of the authenticity_token>"
# Double quotes, so the variables are expanded instead of being sent literally.
curl -L \
  "https://gitlab.com/api/v4/projects/$SAMPLE_PROJECT_ID/$SAMPLE_ACTION" \
  -H "cookie: $GITLAB_SESSION_KEY=$GITLAB_SESSION_TOKEN" \
  --data-raw "$GITLAB_CSRF_KEY=$GITLAB_CSRF_TOKEN"

Proposal

I'd like to be able to specify, as shown in the example above, the values of GITLAB_SESSION_KEY, GITLAB_SESSION_TOKEN, GITLAB_CSRF_KEY and GITLAB_CSRF_TOKEN to gitbeaker, thus being able to make authenticated requests this way (instead of specifying the API key).

How hard and time consuming would this be? I need to ship some stuff to the refined-gitlab extension ASAP and it'll be better to just use the basic fetch API without the gitbeaker wrapper, but I'd hope to some day be able to refactor this:D
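
The request from the curl sample above, built for a Node-style `fetch` call, as an added example that is not part of the original post or of gitbeaker. `buildSessionAuthRequest` and its option names are hypothetical and the token values are constructed; the function form-encodes the CSRF pair and rejects cookie parts or actions that would alter the request's headers or path.

```javascript
// Added example, not gitbeaker code; all names here are hypothetical.
function assertCookiePart(name, value) {
  // CR/LF would inject extra headers; ';' would start a second cookie.
  if (typeof value !== 'string' || value === '' || /[\r\n;]/.test(value)) {
    throw new TypeError(`${name} is empty or contains CR, LF or ';'`);
  }
}

function buildSessionAuthRequest(opts) {
  const { host, projectId, action, sessionKey, sessionToken, csrfKey, csrfToken } = opts;
  const base = new URL(host);
  if (base.protocol !== 'https:') throw new Error('session cookie requires https');
  assertCookiePart('sessionKey', sessionKey);
  assertCookiePart('sessionToken', sessionToken);

  // Keep the request inside the project: "../" in action must not leave the prefix.
  const prefix = `/api/v4/projects/${encodeURIComponent(projectId)}/`;
  const url = new URL(prefix + action, base);
  if (!url.pathname.startsWith(prefix)) throw new Error('action escapes the project path');

  // Form-encode the CSRF pair: a base64 token contains '+', '/' and '=',
  // and an unencoded '+' is decoded as a space by a form parser.
  const body = new URLSearchParams({ [csrfKey]: csrfToken }).toString();

  return {
    url: url.toString(),
    init: {
      method: 'POST', // what curl --data-raw sends
      redirect: 'follow', // curl -L
      // Node-style client: browsers treat "cookie" as a forbidden header name.
      headers: {
        cookie: `${sessionKey}=${sessionToken}`,
        'content-type': 'application/x-www-form-urlencoded',
      },
      body,
    },
  };
}

// Constructed sample values, not real credentials.
const sample = buildSessionAuthRequest({
  host: 'https://gitlab.com', projectId: '20434942',
  action: 'issues?title=test+issue&labels=fake',
  sessionKey: '_gitlab_session', sessionToken: 'constructed-session-value',
  csrfKey: 'authenticity_token', csrfToken: 'ab+c/d==',
});
console.log(sample.url, sample.init.body);
```

The returned pair is passed as `fetch(sample.url, sample.init)`.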

@kiprasmel kiprasmel changed the title [FR] Allow authenticating via session cookie + `csrf [FR] Allow authenticating via session cookie + csrf key & csrf token Aug 22, 2020
@jdalrymple
Owner

Definitely doable! The cookie should be easily added, the data part would require a little deeper of a change, but nothing more than maybe 20 min of work max

@kiprasmel
Contributor Author

kiprasmel commented Aug 23, 2020

Awesome! Do you think you can do it, or should I attempt it myself? Would rather prefer the former, but am okay with the latter:D

Edit: I'm on it!

kiprasmel pushed a commit to kiprasmel/gitbeaker that referenced this issue Aug 23, 2020
Fixes jdalrymple#1098

These are the issues I encountered - please help:

- [ ] fix TODOs
- [ ] lint & fix (for me, there were a lot of unrelated changes after
running lint:fix, so I didn't.)
- [ ] verify this works because I couldn't test it because of jdalrymple#1105
kiprasmel pushed a commit to kiprasmel/gitbeaker that referenced this issue Sep 30, 2020
kiprasmel pushed a commit to kiprasmel/gitbeaker that referenced this issue Sep 30, 2020
kiprasmel pushed a commit to kiprasmel/gitbeaker that referenced this issue Nov 12, 2020
kiprasmel pushed a commit to kiprasmel/gitbeaker that referenced this issue Feb 5, 2021
kiprasmel pushed a commit to kiprasmel/gitbeaker that referenced this issue Feb 5, 2021
kiprasmel pushed a commit to kiprasmel/gitbeaker that referenced this issue Feb 5, 2021
Fixes jdalrymple#1098

These are the issues I encountered - please help:

- [ ] fix TODOs
- [ ] lint & fix (for me, there were a lot of unrelated changes after
running lint:fix, so I didn't.)
- [ ] verify this works because I couldn't test it because of jdalrymple#1105

Signed-off-by: Kipras Melnikovas <[email protected]>
toniopelo pushed a commit to toniopelo/gitbeaker that referenced this issue Sep 15, 2021
@jdalrymple jdalrymple added the type:feature Changes add a new feature label Apr 26, 2023