Recognize authenticated Gitea browser sessions without weakening per-user prompt isolation
Hop-State: A_06FNB6HTKZAXH2SX1G8AB0R Hop-Proposal: R_06FNB6HA40Y1E1T39G6YJHG Hop-Task: T_06FNB5TE4DHAVABVH82WBN8 Hop-Attempt: AT_06FNB5TE4FW7MD6KTFYP3EG
This commit is contained in:
@@ -32,6 +32,11 @@ plane, preserving the browser's Gitea session cookie. This lets the Prompts
|
||||
view check the viewer's repository access before returning potentially
|
||||
sensitive prompt text.
|
||||
|
||||
The control plane verifies the browser session through Gitea's protected web
|
||||
settings route, then uses `GITEA_API_TOKEN` to resolve the server-rendered login
|
||||
to Gitea's immutable user ID. Gitea's `/api/v1/user` endpoint is token-only and
|
||||
must not be used to validate browser sessions.
|
||||
|
||||
For nginx, the control-plane location should precede the Gitea catch-all:
|
||||
|
||||
```nginx
|
||||
|
||||
Reference in New Issue
Block a user