Issue with CSRF being required on api token auth
Description
When trying to interact with the APIs from an external system for some automation and integration, some requests using a bearer token would be rejected due to a missing CSRF token. API requests where the Authorization: Bearer header is present should not care about CSRF tokens being present, as they are designed to be cross-site and the header should be a sufficient means of authentication.
Example:
curl -X 'PUT' 'https://kr.test/api/0/organizations/test/issues/1/' \
-H 'accept: application/json' \
-H 'Authorization: Bearer TOKEN' \
-H 'Content-Type: application/json' \
-d '{ "status": "unresolved" }'
Returns
{"detail": "CSRF check Failed"}
Proposed Solution(s)
Having had a quick look at the code and experimented a bit, it looks like swapping the authentication methods in https://gitlab.com/glitchtip/glitchtip-backend/-/blob/master/glitchtip/api/api.py?ref_type=heads#L37 fixes the problem.
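A constructed Python model of the ordering problem described above, added here as an example; it is not GlitchTip's or django-ninja's code. It assumes that the cookie-session authenticator performs its CSRF check, and raises on failure, before the next authenticator in the list is consulted, so a session-first list rejects bearer requests while a token-first list lets them through yet still enforces CSRF for cookie-based requests; the token and session values are made up.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample credentials for the model (not real GlitchTip values).
API_TOKENS = {"glitchtip-api-token": "integration-user"}
SESSIONS = {"sess-abc": "browser-user"}

@dataclass
class Request:
    method: str = "PUT"
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

class CSRFFailed(Exception):
    pass

def bearer_auth(req: Request) -> Optional[str]:
    # Stateless token auth: the Authorization header is the whole credential and a
    # browser never attaches it on its own, so no CSRF token is needed.
    value = req.headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return None
    return API_TOKENS.get(value[len("Bearer "):])

def session_auth(req: Request) -> Optional[str]:
    # Cookie-session auth: cookies ride along on cross-site requests, so unsafe
    # methods must echo the CSRF cookie in a header. Assumption of this model: the
    # check runs before the session cookie is looked at and raises on failure.
    if req.method not in ("GET", "HEAD", "OPTIONS") and (
        "csrftoken" not in req.cookies
        or req.headers.get("X-CSRFToken") != req.cookies["csrftoken"]
    ):
        raise CSRFFailed("CSRF check Failed")
    return SESSIONS.get(req.cookies.get("sessionid", ""))

def authenticate(req: Request, chain: list[Callable[[Request], Optional[str]]]) -> dict:
    # Try each authenticator in order; the first user wins. A CSRF failure aborts
    # the chain and becomes the 403 body quoted in the report.
    for auth in chain:
        try:
            user = auth(req)
        except CSRFFailed as exc:
            return {"detail": str(exc)}
        if user is not None:
            return {"user": user}
    return {"detail": "Unauthorized"}

BUGGY_ORDER = [session_auth, bearer_auth]  # CSRF check fires before bearer auth is tried
FIXED_ORDER = [bearer_auth, session_auth]  # bearer requests never reach the CSRF check
BEARER_REQUEST = Request(headers={"Authorization": "Bearer glitchtip-api-token"})
```

Running `authenticate(BEARER_REQUEST, BUGGY_ORDER)` reproduces the report's response, while the fixed order authenticates the bearer request and still rejects a cookie-session PUT that lacks a matching X-CSRFToken header.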