Remove Session API

doc/api/README.md

@@ -50,7 +50,6 @@ following locations:
 - [Repository Files](repository_files.md)
 - [Runners](runners.md)
 - [Services](services.md)
-- [Session](session.md)
 - [Settings](settings.md)
 - [Sidekiq metrics](sidekiq_metrics.md)
 - [System Hooks](system_hooks.md)

doc/api/session.md

-# Session API
-
->**Deprecation notice:**
-Starting in GitLab 8.11, this feature has been **disabled** for users with
-[two-factor authentication][2fa] turned on. These users can access the API
-using [personal access tokens] instead.
-
-You can login with both GitLab and LDAP credentials in order to obtain the
-private token.
-
-```
-POST /session
-```
-
-| Attribute  | Type    | Required | Description |
-| ---------- | ------- | -------- | -------- |
-| `login`    | string  | yes      | The username of the user|
-| `email`    | string  | yes if login is not provided | The email of the user |
-| `password` | string  | yes     | The password of the user |
-
-```bash
-curl --request POST "https://gitlab.example.com/api/v4/session?login=john_smith&password=strongpassw0rd"
-```
-
-Example response:
-
-```json
-{
-  "name": "John Smith",
-  "username": "john_smith",
-  "id": 32,
-  "state": "active",
-  "avatar_url": null,
-  "created_at": "2015-01-29T21:07:19.440Z",
-  "is_admin": true,
-  "bio": null,
-  "skype": "",
-  "linkedin": "",
-  "twitter": "",
-  "website_url": "",
-  "email": "john@example.com",
-  "theme_id": 1,
-  "color_scheme_id": 1,
-  "projects_limit": 10,
-  "current_sign_in_at": "2015-07-07T07:10:58.392Z",
-  "identities": [],
-  "can_create_group": true,
-  "can_create_project": true,
-  "two_factor_enabled": false,
-  "private_token": "9koXpg98eAheJpvBs5tK"
-}
-```
-
-[2fa]: ../user/profile/account/two_factor_authentication.md
-[personal access tokens]: ../user/profile/personal_access_tokens.md

lib/api/api.rb

@@ -142,7 +142,6 @@ module API
     mount ::API::Runner
     mount ::API::Runners
     mount ::API::Services
-    mount ::API::Session
     mount ::API::Settings
     mount ::API::SidekiqMetrics
     mount ::API::Snippets

lib/api/session.rb

-module API
-  class Session < Grape::API
-    desc 'Login to get token' do
-      success Entities::UserWithPrivateDetails
-    end
-    params do
-      optional :login, type: String, desc: 'The username'
-      optional :email, type: String, desc: 'The email of the user'
-      requires :password, type: String, desc: 'The password of the user'
-      at_least_one_of :login, :email
-    end
-    post "/session" do
-      user = Gitlab::Auth.find_with_user_password(params[:email] || params[:login], params[:password])
-
-      return unauthorized! unless user
-      return render_api_error!('401 Unauthorized. You have 2FA enabled. Please use a personal access token to access the API', 401) if user.two_factor_enabled?
-      present user, with: Entities::UserWithPrivateDetails
-    end
-  end
-end

spec/requests/api/session_spec.rb

-require 'spec_helper'
-
-describe API::Session do
-  let(:user) { create(:user) }
-
-  describe "POST /session" do
-    context "when valid password" do
-      it "returns private token" do
-        post api("/session"), email: user.email, password: '12345678'
-        expect(response).to have_gitlab_http_status(201)
-
-        expect(json_response['email']).to eq(user.email)
-        expect(json_response['private_token']).to eq(user.private_token)
-        expect(json_response['is_admin']).to eq(user.admin?)
-        expect(json_response['can_create_project']).to eq(user.can_create_project?)
-        expect(json_response['can_create_group']).to eq(user.can_create_group?)
-      end
-
-      context 'with 2FA enabled' do
-        it 'rejects sign in attempts' do
-          user = create(:user, :two_factor)
-
-          post api('/session'), email: user.email, password: user.password
-
-          expect(response).to have_gitlab_http_status(401)
-          expect(response.body).to include('You have 2FA enabled.')
-        end
-      end
-    end
-
-    context 'when email has case-typo and password is valid' do
-      it 'returns private token' do
-        post api('/session'), email: user.email.upcase, password: '12345678'
-        expect(response.status).to eq 201
-
-        expect(json_response['email']).to eq user.email
-        expect(json_response['private_token']).to eq user.private_token
-        expect(json_response['is_admin']).to eq user.admin?
-        expect(json_response['can_create_project']).to eq user.can_create_project?
-        expect(json_response['can_create_group']).to eq user.can_create_group?
-      end
-    end
-
-    context 'when login has case-typo and password is valid' do
-      it 'returns private token' do
-        post api('/session'), login: user.username.upcase, password: '12345678'
-        expect(response.status).to eq 201
-
-        expect(json_response['email']).to eq user.email
-        expect(json_response['private_token']).to eq user.private_token
-        expect(json_response['is_admin']).to eq user.admin?
-        expect(json_response['can_create_project']).to eq user.can_create_project?
-        expect(json_response['can_create_group']).to eq user.can_create_group?
-      end
-    end
-
-    context "when invalid password" do
-      it "returns authentication error" do
-        post api("/session"), email: user.email, password: '123'
-        expect(response).to have_gitlab_http_status(401)
-
-        expect(json_response['email']).to be_nil
-        expect(json_response['private_token']).to be_nil
-      end
-    end
-
-    context "when empty password" do
-      it "returns authentication error with email" do
-        post api("/session"), email: user.email
-
-        expect(response).to have_gitlab_http_status(400)
-      end
-
-      it "returns authentication error with username" do
-        post api("/session"), email: user.username
-
-        expect(response).to have_gitlab_http_status(400)
-      end
-    end
-
-    context "when empty name" do
-      it "returns authentication error" do
-        post api("/session"), password: user.password
-
-        expect(response).to have_gitlab_http_status(400)
-      end
-    end
-
-    context "when user is blocked" do
-      it "returns authentication error" do
-        user.block
-        post api("/session"), email: user.username, password: user.password
-
-        expect(response).to have_gitlab_http_status(401)
-      end
-    end
-
-    context "when user is ldap_blocked" do
-      it "returns authentication error" do
-        user.ldap_block
-        post api("/session"), email: user.username, password: user.password
-
-        expect(response).to have_gitlab_http_status(401)
-      end
-    end
-  end
-end