Commit f10f00ad authored by Douwe Maan's avatar Douwe Maan

Remove Session API

parent b66c2e9a
......@@ -51,7 +51,6 @@ following locations:
- [Repository Files](repository_files.md)
- [Runners](runners.md)
- [Services](services.md)
- [Session](session.md)
- [Settings](settings.md)
- [Sidekiq metrics](sidekiq_metrics.md)
- [System Hooks](system_hooks.md)
......
# Session API
>**Deprecation notice:**
Starting in GitLab 8.11, this feature has been **disabled** for users with
[two-factor authentication][2fa] turned on. These users can access the API
using [personal access tokens] instead.
You can login with both GitLab and LDAP credentials in order to obtain the
private token.
```
POST /session
```
| Attribute | Type | Required | Description |
| ---------- | ------- | -------- | -------- |
| `login` | string | yes | The username of the user|
| `email` | string | yes if login is not provided | The email of the user |
| `password` | string | yes | The password of the user |
```bash
curl --request POST "https://gitlab.example.com/api/v4/session?login=john_smith&password=strongpassw0rd"
```
Example response:
```json
{
"name": "John Smith",
"username": "john_smith",
"id": 32,
"state": "active",
"avatar_url": null,
"created_at": "2015-01-29T21:07:19.440Z",
"is_admin": true,
"bio": null,
"skype": "",
"linkedin": "",
"twitter": "",
"website_url": "",
"email": "john@example.com",
"theme_id": 1,
"color_scheme_id": 1,
"projects_limit": 10,
"current_sign_in_at": "2015-07-07T07:10:58.392Z",
"identities": [],
"can_create_group": true,
"can_create_project": true,
"two_factor_enabled": false,
"private_token": "9koXpg98eAheJpvBs5tK"
}
```
[2fa]: ../user/profile/account/two_factor_authentication.md
[personal access tokens]: ../user/profile/personal_access_tokens.md
......@@ -157,7 +157,6 @@ module API
mount ::API::Runner
mount ::API::Runners
mount ::API::Services
mount ::API::Session
mount ::API::Settings
mount ::API::SidekiqMetrics
mount ::API::Snippets
......
module API
class Session < Grape::API
desc 'Login to get token' do
success Entities::UserWithPrivateDetails
end
params do
optional :login, type: String, desc: 'The username'
optional :email, type: String, desc: 'The email of the user'
requires :password, type: String, desc: 'The password of the user'
at_least_one_of :login, :email
end
post "/session" do
user = Gitlab::Auth.find_with_user_password(params[:email] || params[:login], params[:password])
return unauthorized! unless user
return render_api_error!('401 Unauthorized. You have 2FA enabled. Please use a personal access token to access the API', 401) if user.two_factor_enabled?
present user, with: Entities::UserWithPrivateDetails
end
end
end
require 'spec_helper'
describe API::Session do
let(:user) { create(:user) }
describe "POST /session" do
context "when valid password" do
it "returns private token" do
post api("/session"), email: user.email, password: '12345678'
expect(response).to have_gitlab_http_status(201)
expect(json_response['email']).to eq(user.email)
expect(json_response['private_token']).to eq(user.private_token)
expect(json_response['is_admin']).to eq(user.admin?)
expect(json_response['can_create_project']).to eq(user.can_create_project?)
expect(json_response['can_create_group']).to eq(user.can_create_group?)
end
context 'with 2FA enabled' do
it 'rejects sign in attempts' do
user = create(:user, :two_factor)
post api('/session'), email: user.email, password: user.password
expect(response).to have_gitlab_http_status(401)
expect(response.body).to include('You have 2FA enabled.')
end
end
end
context 'when email has case-typo and password is valid' do
it 'returns private token' do
post api('/session'), email: user.email.upcase, password: '12345678'
expect(response.status).to eq 201
expect(json_response['email']).to eq user.email
expect(json_response['private_token']).to eq user.private_token
expect(json_response['is_admin']).to eq user.admin?
expect(json_response['can_create_project']).to eq user.can_create_project?
expect(json_response['can_create_group']).to eq user.can_create_group?
end
end
context 'when login has case-typo and password is valid' do
it 'returns private token' do
post api('/session'), login: user.username.upcase, password: '12345678'
expect(response.status).to eq 201
expect(json_response['email']).to eq user.email
expect(json_response['private_token']).to eq user.private_token
expect(json_response['is_admin']).to eq user.admin?
expect(json_response['can_create_project']).to eq user.can_create_project?
expect(json_response['can_create_group']).to eq user.can_create_group?
end
end
context "when invalid password" do
it "returns authentication error" do
post api("/session"), email: user.email, password: '123'
expect(response).to have_gitlab_http_status(401)
expect(json_response['email']).to be_nil
expect(json_response['private_token']).to be_nil
end
end
context "when empty password" do
it "returns authentication error with email" do
post api("/session"), email: user.email
expect(response).to have_gitlab_http_status(400)
end
it "returns authentication error with username" do
post api("/session"), email: user.username
expect(response).to have_gitlab_http_status(400)
end
end
context "when empty name" do
it "returns authentication error" do
post api("/session"), password: user.password
expect(response).to have_gitlab_http_status(400)
end
end
context "when user is blocked" do
it "returns authentication error" do
user.block
post api("/session"), email: user.username, password: user.password
expect(response).to have_gitlab_http_status(401)
end
end
context "when user is ldap_blocked" do
it "returns authentication error" do
user.ldap_block
post api("/session"), email: user.username, password: user.password
expect(response).to have_gitlab_http_status(401)
end
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment