Merge branch '1940-admin-token-oauthless-auth' into 'develop'

[#1940] Reinstated OAuth-less `admin_token` authentication Closes #1940 See merge request pleroma/pleroma!2760
author: feld <feld@feld.me> 2020-07-14 16:48:26 +0000
committer: feld <feld@feld.me> 2020-07-14 16:48:26 +0000
commit: 2909dc873b1cf4b2fdfd310d2bb61104d31cea17 (patch)
tree: df0f854766448cb0e286a2024f9a8ea90f33f7c3 /docs/configuration/cheatsheet.md
parent: 246f49d6858973fbb8fd4d4d9c2e5be7f9ccb283 (diff)
parent: 124b4709dcf12a417f5164e53ef3ba67e538d4c7 (diff)
download: pleroma-2909dc873b1cf4b2fdfd310d2bb61104d31cea17.tar.gz
pleroma-2909dc873b1cf4b2fdfd310d2bb61104d31cea17.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/docs/configuration/cheatsheet.md b/docs/configuration/cheatsheet.md
index 7b1fd92f3..92299b990 100644
--- a/docs/configuration/cheatsheet.md
+++ b/docs/configuration/cheatsheet.md
@@ -814,6 +814,8 @@ or
 curl -H "X-Admin-Token: somerandomtoken" "http://localhost:4000/api/pleroma/admin/users/invites"
 ```
 
+Warning: it's discouraged to use this feature because of the associated security risk: static / rarely changed instance-wide token is much weaker compared to email-password pair of a real admin user; consider using HTTP Basic Auth or OAuth-based authentication instead.
+
 ### :auth
 
 * `Pleroma.Web.Auth.PleromaAuthenticator`: default database authenticator.
author	feld <feld@feld.me>	2020-07-14 16:48:26 +0000
committer	feld <feld@feld.me>	2020-07-14 16:48:26 +0000
commit	2909dc873b1cf4b2fdfd310d2bb61104d31cea17 (patch)
tree	df0f854766448cb0e286a2024f9a8ea90f33f7c3 /docs/configuration/cheatsheet.md
parent	246f49d6858973fbb8fd4d4d9c2e5be7f9ccb283 (diff)
parent	124b4709dcf12a417f5164e53ef3ba67e538d4c7 (diff)
download	pleroma-2909dc873b1cf4b2fdfd310d2bb61104d31cea17.tar.gz pleroma-2909dc873b1cf4b2fdfd310d2bb61104d31cea17.zip