security: escape the returned paths of files and directories. Nodes function is used for autocomplete in files view; it prevents XSS-type attacks in file search.

File last commit:

r1:854a839a default
r1827:9e60361c default
token-auth.rst
project: added all source files and assets

.. _config-token-ref:

Authentication Tokens
---------------------

|RCE| has 4 different kinds of authentication tokens.

* *API tokens*: API tokens can only be used to execute |RCE| API operations.
  You can store your API token and assign it to each instance in
  the :file:`/home/{user}/.rhoderc` file. See the
  example in the :ref:`indexing-ref` section for more details.

* *Feed tokens*: The feed token can only be used to access the RSS feed.
  These are usually safe to store inside your RSS feed reader.

* *VCS tokens*: You can use these to authenticate with |git|, |hg| and |svn|
  operations instead of a password. They are designed to be used with
  CI servers or other third-party tools that require |repo| access.
  They are also a good replacement for SSH-based access.
  To use these tokens, you need to enable a special authentication method on
  |RCE|, as they are disabled by default.
  See :ref:`enable-vcs-tokens`.

* *Web Interface tokens*: These tokens allow users to access the web
  interface of |RCE| without logging in.
  You can add these tokens to an |RCE| server URL to expose the page content
  based on the given token.
  This is useful for integrating third-party systems; a good example is exposing
  raw diffs to another code-review system without having to worry about
  authentication.
  These tokens only work if a certain view is whitelisted
  under ``api_access_controllers_whitelist`` inside
  the :file:`rhodecode.ini` file.

.. code-block:: bash

   # To download a repo without logging into Web UI
   https://rhodecode.com/repo/archive/tip.zip?auth_token=<web-api-token>

   # To show commit diff without logging into Web UI
   https://rhodecode.com/repo/changeset-diff/<sha>?auth_token=<web-api-token>
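
Because the URLs above carry the token in the query string, the token is typically recorded in web server access logs along with the rest of the request line. The following is an added example, not part of the RhodeCode documentation or code base: it redacts ``auth_token`` values from access-log lines and replaces each with a short SHA-256 fingerprint so that use of one token can still be correlated per view. The combined log format, the sample log lines, the token values and the function names are assumptions made for the example.

```python
import hashlib
import re
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Request line of a combined-format access log entry (the log format is an assumption).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def fingerprint(token):
    """Short one-way identifier, so one token can be tracked without storing it."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]


def redact_target(target):
    """Return (redacted_target, fingerprints) for a request path plus query string."""
    parts = urlsplit(target)
    seen, query = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == "auth_token" and value:  # parse_qsl also decodes keys like auth%5Ftoken
            seen.append(fingerprint(value))
            value = "REDACTED-" + seen[-1]
        query.append((key, value))
    if not seen:  # leave token-free requests byte-for-byte unchanged
        return target, seen
    return urlunsplit(parts._replace(query=urlencode(query))), seen


def scrub_log(lines):
    """Redact every auth_token and count token use per (fingerprint, path)."""
    usage, cleaned = Counter(), []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match:
            target, fps = redact_target(match.group("target"))
            usage.update((fp, urlsplit(target).path) for fp in fps)
            line = line[:match.start("target")] + target + line[match.end("target"):]
        cleaned.append(line)
    return cleaned, usage


# Constructed sample entries; tokens, addresses and the fmt parameter are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /repo/archive/tip.zip?auth_token=tok-ci-1111 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /repo/changeset-diff/abc123?auth_token=tok-ci-1111&fmt=raw HTTP/1.1" 200 812',
    '10.0.0.7 - - [01/Jan/2024:10:02:00 +0000] "GET /repo/summary HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print(*scrub_log(SAMPLE_LOG), sep="\n")
```
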

.. _enable-vcs-tokens:

Enabling VCS Tokens
^^^^^^^^^^^^^^^^^^^

To enable VCS Tokens, use the following steps:

1. Go to :menuselection:`Admin --> Authentication`.
2. Enable the ``rhodecode.lib.auth_modules.auth_token`` plugin.
3. Click :guilabel:`Save`.

Authentication Token Tips
^^^^^^^^^^^^^^^^^^^^^^^^^

* Use Authentication Tokens instead of your password with external services.
* Create multiple Authentication Tokens on your account to enable
  access to your |repos| with a different |authtoken| per method used.
* Set an expiry limit on certain tokens if you think it would be a good idea.

Creating Tokens
^^^^^^^^^^^^^^^

To create authentication tokens for a user, use the following steps:

1. From the |RCM| interface go to
   :menuselection:`Username --> My Account --> Auth tokens`.
2. Label and add the tokens you wish to use with |RCE|.

.. image:: ../images/tokens.png