gitlab-org--gitlab-foss/lib/api/session.rb

module API
  class Session < Grape::API
    desc 'Login to get token' do
      success Entities::UserWithPrivateDetails
    end
    params do
      optional :login, type: String, desc: 'The username'
      optional :email, type: String, desc: 'The email of the user'
      requires :password, type: String, desc: 'The password of the user'
      at_least_one_of :login, :email
    end
    post "/session" do
      user = Gitlab::Auth.find_with_user_password(params[:email] || params[:login], params[:password])

      return unauthorized! unless user
      return render_api_error!('401 Unauthorized. You have 2FA enabled. Please use a personal access token to access the API', 401) if user.two_factor_enabled?
      present user, with: Entities::UserWithPrivateDetails
    end
  end
end
Refactor API classes. So api classes like Gitlab::Issues become API::Issues 2013-05-14 08:33:31 -04:00			`module API`
I want be able to get token via api. Used for mobile applications 2012-09-20 10:44:44 -04:00			`class Session < Grape::API`
Grapify the session API 2016-11-09 11:36:35 -05:00			`desc 'Login to get token' do`
Don't display the `is_admin?` flag for user API responses. - To prevent an attacker from enumerating the `/users` API to get a list of all the admins. - Display the `is_admin?` flag wherever we display the `private_token` - at the moment, there are two instances: - When an admin uses `sudo` to view the `/user` endpoint - When logging in using the `/session` endpoint 2017-04-21 05:47:58 -04:00			`success Entities::UserWithPrivateDetails`
Grapify the session API 2016-11-09 11:36:35 -05:00			`end`
			`params do`
			`optional :login, type: String, desc: 'The username'`
			`optional :email, type: String, desc: 'The email of the user'`
			`requires :password, type: String, desc: 'The password of the user'`
			`at_least_one_of :login, :email`
			`end`
I want be able to get token via api. Used for mobile applications 2012-09-20 10:44:44 -04:00			`post "/session" do`
Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos. 2016-06-10 08:51:16 -04:00			`user = Gitlab::Auth.find_with_user_password(params[:email] \|\| params[:login], params[:password])`
I want be able to get token via api. Used for mobile applications 2012-09-20 10:44:44 -04:00
Add LDAP support to /api/session 2013-07-16 04:28:19 -04:00			`return unauthorized! unless user`
Small refactor and syntax fixes. 2016-08-17 18:39:20 -04:00			`return render_api_error!('401 Unauthorized. You have 2FA enabled. Please use a personal access token to access the API', 401) if user.two_factor_enabled?`
Don't display the `is_admin?` flag for user API responses. - To prevent an attacker from enumerating the `/users` API to get a list of all the admins. - Display the `is_admin?` flag wherever we display the `private_token` - at the moment, there are two instances: - When an admin uses `sudo` to view the `/user` endpoint - When logging in using the `/session` endpoint 2017-04-21 05:47:58 -04:00			`present user, with: Entities::UserWithPrivateDetails`
I want be able to get token via api. Used for mobile applications 2012-09-20 10:44:44 -04:00			`end`
			`end`
			`end`