Clarify authentication code and overwriting methods in API Controllers for token auth
The API must only require token authentication, and must not allow any cookie-based sessions. Why? Because APIs can't have CSRF protection, and without CSRF protection, a cookie-based API allows any other web page to access the API as the user.
I feel like this breaks this requirement:
    def current_user
      @current_user ||= token_authenticate || warden.user || anonymous
    end
It looks like it still falls back to cookies if there is no token. Won't warden.user go check the session?
It would be better for ApiController to not inherit from ApplicationController, and for ApiController to define its own current_user.
Even better would be to get rid of warden middleware, and to make the API a separate application, but that is a bigger change.
(from redmine: created on 2017-01-03)
Edited by azul
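The fallback described in this issue, as an added example that is not the project's code: plain-Ruby stand-ins (all names and sample values hypothetical) for the request, Warden and the token lookup, with the quoted current_user beside an ApiController that defines its own token-only version.

```ruby
# Added example, not the project's code: plain-Ruby stand-ins for the Rails
# request, Warden and the token lookup; all names and values are constructed.
User      = Struct.new(:id, :name)
Request   = Struct.new(:headers, :cookies)
ANONYMOUS = User.new(nil, 'anonymous').freeze

# Constructed sample credentials: one API token and one cookie session, both
# belonging to user 7.
TOKENS   = { 'tok-abc123' => User.new(7, 'alice') }.freeze
SESSIONS = { 'sess-xyz'   => User.new(7, 'alice') }.freeze

# Warden stand-in: warden.user resolves the user from the session cookie.
class Warden
  def initialize(request); @request = request; end
  def user; SESSIONS[@request.cookies['_session_id']]; end
end

module TokenAuth
  attr_reader :request
  def initialize(request); @request = request; end

  # Parses "Authorization: Token token=<value>" and looks the token up.
  def token_authenticate
    m = request.headers['Authorization'].to_s.match(/\AToken token=(\S+)\z/)
    m && TOKENS[m[1]]
  end
end

# Before: the current_user quoted in the issue. Without a token it falls
# through to warden.user, so a request carrying only the session cookie
# (which a browser attaches automatically) is authenticated as the user.
class LeakyApiController
  include TokenAuth
  def warden; Warden.new(request); end
  def current_user
    @current_user ||= token_authenticate || warden.user || ANONYMOUS
  end
end

# After: ApiController defines its own current_user with no warden fallback,
# so the same cookie-only request stays anonymous.
class ApiController
  include TokenAuth
  def current_user
    @current_user ||= token_authenticate || ANONYMOUS
  end
end
```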