Avoid using `authenticate bearer` for the API
Closes #2346 (closed)
Background
See https://gitlab.com/gitlab-org/gitter/webapp/issues/2346#why-does-it-work-in-production
Testing strategy
Happy path:
- access a chat room as an anonymous user and scroll up. See the infinite scrolling request for more messages succeed.
Sad path (testing regression)
The most important thing to test is that unauthorized access to private rooms is still denied. Even though no middleware has been removed, the order was slightly changed for the web application.
- Try to access a private room using the website (with an authorized and an unauthorized user)
- Try to access a private room using the API (with an authorized and an unauthorized user)

```sh
curl 'http://localhost:5000/api/v1/rooms/:roomId/chatMessages?access_token=:accessToken'
```

Note: the easiest way to get the token is typing `troupeContext.accessToken` into the browser console.
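The sad-path checks above can be scripted so the regression is caught automatically rather than by hand. The script below is an added example, not code from the MR or the Gitter project: the base URL and endpoint come from the curl command above, while the room ids, tokens and the set of status codes treated as "denied" (401/403/404) are assumptions to adjust for your instance.

```python
"""Regression check for the MR's sad path: the chatMessages endpoint must deny
unauthorized callers on private rooms while still serving public rooms anonymously.
Added example; BASE_URL/endpoint follow the MR's curl command, the rest is assumed."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

BASE_URL = "http://localhost:5000"  # from the MR's curl example
DENIED = {401, 403, 404}            # assumption: any of these counts as "access denied"

# Each case: (room_id, access_token or None for anonymous, must_be_allowed).
Case = Tuple[str, Optional[str], bool]


def http_status(room_id: str, token: Optional[str]) -> int:
    """Real fetcher: GET the chatMessages endpoint (token in the query string,
    exactly as in the MR's curl example) and return the HTTP status code."""
    url = f"{BASE_URL}/api/v1/rooms/{room_id}/chatMessages"
    if token:
        url += f"?access_token={token}"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # 4xx/5xx are the interesting answers here, not failures


def evaluate(cases: List[Case], fetch: Callable[[str, Optional[str]], int]) -> Dict[str, bool]:
    """Run every case through `fetch` and report whether each expectation held."""
    results: Dict[str, bool] = {}
    for room_id, token, must_allow in cases:
        status = fetch(room_id, token)
        ok = (status == 200) if must_allow else (status in DENIED)
        results[f"{room_id}:{token or 'anonymous'}"] = ok
    return results


def all_passed(results: Dict[str, bool]) -> bool:
    return all(results.values())


if __name__ == "__main__":
    # Placeholder ids/tokens (constructed); replace with values from your instance.
    cases: List[Case] = [
        ("PUBLIC_ROOM_ID", None, True),                # happy path: anonymous reads a public room
        ("PRIVATE_ROOM_ID", "MEMBER_TOKEN", True),     # authorized member may read
        ("PRIVATE_ROOM_ID", "OUTSIDER_TOKEN", False),  # non-member must be denied
        ("PRIVATE_ROOM_ID", None, False),              # anonymous must be denied
    ]
    res = evaluate(cases, http_status)
    print(json.dumps(res, indent=2))
    raise SystemExit(0 if all_passed(res) else 1)
```

Exit status 1 on any failed expectation makes this usable as a CI gate once the placeholders are filled in.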
Edited by Eric Eastwood