Bind prompt history to Gitea's server-rendered session identity without an API token
Hop-State: A_06FNB7D05ZQ3AHD1V0GY5P8 Hop-Proposal: R_06FNB7CDK6ZKM505CPR2DY8 Hop-Task: T_06FNB715NCG0M3SVDJAGHY8 Hop-Attempt: AT_06FNB715NCK5MKAVH59TE0G
This commit is contained in:
@@ -33,9 +33,9 @@ view check the viewer's repository access before returning potentially
|
||||
sensitive prompt text.
|
||||
|
||||
The control plane verifies the browser session through Gitea's protected web
|
||||
settings route, then uses `GITEA_API_TOKEN` to resolve the server-rendered login
|
||||
to Gitea's immutable user ID. Gitea's `/api/v1/user` endpoint is token-only and
|
||||
must not be used to validate browser sessions.
|
||||
settings route. Hop's custom Gitea header renders the active account's immutable
|
||||
user ID into that protected response, so browser-session verification does not
|
||||
depend on Gitea's token-only `/api/v1/user` endpoint or `GITEA_API_TOKEN`.
|
||||
|
||||
For nginx, the control-plane location should precede the Gitea catch-all:
|
||||
|
||||
|
||||
Reference in New Issue
Block a user