gitbeaker
[FR] Allow authenticating via `session cookie` + `csrf key` & `csrf token`
Description
There's a `_gitlab_session` cookie present once you log in to gitlab, whose access is restricted, but through a browser extension with some permissions (cookies, hosts & something else - I forget) you're able to get the cookie.
And with it - you can authenticate. Well, almost - AFAIK the docs don't specify that, but you need to also add the `csrf-param` & `csrf-token` to the request to be able to fully authenticate.
Here's the request in its simplest form, allowing you to perform authenticated actions - just as if you were authenticated with an API token (I assume, there're probably some differences):
```sh
# Set the variables first: a VAR=value prefix on the curl line would not be
# visible when the shell expands "$VAR" in curl's own arguments.
SAMPLE_PROJECT_ID="20434942"
SAMPLE_ACTION="issues?title=test+issue&labels=fake"
GITLAB_SESSION_KEY="_gitlab_session"
GITLAB_SESSION_TOKEN="<the value of _gitlab_session cookie>"
GITLAB_CSRF_KEY="authenticity_token"
GITLAB_CSRF_TOKEN="<the value of the authenticity_token>"

# Double quotes so the variables are expanded; --data-raw makes this a POST.
curl -L \
  "https://gitlab.com/api/v4/projects/$SAMPLE_PROJECT_ID/$SAMPLE_ACTION" \
  -H "cookie: $GITLAB_SESSION_KEY=$GITLAB_SESSION_TOKEN" \
  --data-raw "$GITLAB_CSRF_KEY=$GITLAB_CSRF_TOKEN"
```
Proposal
I'd like to be able to specify, as shown in the example above, the values of `GITLAB_SESSION_KEY`, `GITLAB_SESSION_TOKEN`, `GITLAB_CSRF_KEY` and `GITLAB_CSRF_TOKEN` to gitbeaker, thus being able to make authenticated requests this way (instead of specifying the API key).
How hard and time-consuming would this be? I need to ship some stuff to the refined-gitlab extension ASAP and it'll be better to just use the basic `fetch` API without the gitbeaker wrapper, but I'd hope to some day be able to refactor this :D
Definitely doable! The cookie should be easily added, the data part would require a little deeper of a change, but nothing more than maybe 20 min of work max
Awesome! Do you think you can do it, or should I attempt it myself? Would rather prefer the former, but am okay with the latter :D
Edit: I'm on it!
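The request from the issue's curl command, built as `fetch` arguments with the cookie value validated and the CSRF pair form-encoded. This is an added example, not code from the thread or from gitbeaker; `buildSessionRequest`, its parameter names and the sample values are hypothetical.

```javascript
// Hypothetical helper (not part of gitbeaker): builds the request the curl
// command sends, as { url, init } suitable for fetch(url, init).

// cookie-octet set from RFC 6265: no CTLs, whitespace, '"', ',', ';' or '\'.
const COOKIE_VALUE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]+$/;
const PARAM_NAME = /^[A-Za-z0-9_-]+$/;

function buildSessionRequest({ host, projectId, action, query = {},
                               sessionKey, sessionToken, csrfKey, csrfToken }) {
  if (!PARAM_NAME.test(sessionKey) || !PARAM_NAME.test(csrfKey)) {
    throw new Error('invalid cookie or CSRF parameter name');
  }
  // Reject values that could smuggle a second cookie or an extra header line.
  if (!COOKIE_VALUE.test(sessionToken)) {
    throw new Error('session token is not a valid cookie value');
  }
  const url = new URL(`/api/v4/projects/${encodeURIComponent(projectId)}/${action}`, host);
  for (const [k, v] of Object.entries(query)) url.searchParams.set(k, v);

  // Form-encode the CSRF pair. Assumption: the token may be base64, and a raw
  // '+' in a form body would be decoded as a space on the server side.
  const body = new URLSearchParams({ [csrfKey]: csrfToken }).toString();

  return {
    url: url.toString(),
    init: {
      method: 'POST',
      headers: {
        cookie: `${sessionKey}=${sessionToken}`,
        'content-type': 'application/x-www-form-urlencoded',
      },
      body,
    },
  };
}

// Constructed sample values, not real credentials.
const sampleArgs = {
  host: 'https://gitlab.com', projectId: '20434942', action: 'issues',
  query: { title: 'test issue', labels: 'fake' },
  sessionKey: '_gitlab_session', sessionToken: 'abc123def456',
  csrfKey: 'authenticity_token', csrfToken: 'q1+Zx/9k==',
};
const sample = buildSessionRequest(sampleArgs);
console.log(sample.url);
```

In a browser `fetch`, `cookie` is a forbidden header name, so the explicit header only applies to non-browser runtimes such as Node; in a browser the session cookie is sent by the browser itself according to the request's `credentials` mode.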