cyfronet-fid / marketplace

Marketplace is a place where you can find services you need for your research
https://marketplace.eosc-portal.eu
GNU General Public License v3.0

API shouldn't allow to authorize with session #1787

Closed roksanaer closed 7 months ago

roksanaer commented 3 years ago

Original below.

This is what Bartek mentioned below, our API controllers accept both token and session authorization strategy, which leads to the erroneous and misleading behaviour.

The API paths should be excluded from the omniauth (?).

Another way this manifests is that when a request is sent to an API endpoint without authorization and no "Accept" header, then you are redirected to the AAI, which is an undesired behaviour.

$ curl -X GET "https://marketplace.eosc-portal.eu/api/v1/resources"
<html><body>You are being <a href="https://marketplace.eosc-portal.eu/users/auth/checkin">redirected</a>.</body></html>

If you specify the header, then the response is correct:

$ curl -X GET "https://marketplace.eosc-portal.eu/api/v1/resources" -H "Accept: application/json"
{"error":"You need to sign in or sign up before continuing."}

The description is valid for v3.17.0.


After revoking the API token, it can still be used in the API when opened in the same browser window.

Needs investigation

Raised during release 3.6.0 retro
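
Added example, not the marketplace project's own code: a Rack-style middleware that models the fix argued for in this issue. For paths under /api/ it ignores the browser session cookie entirely, accepts only an API token (assumed here to be a Bearer token in the Authorization header, looked up in a hypothetical token_store that also records revocation), and answers failures with a 401 JSON body instead of a 302 redirect to the AAI, whatever the Accept header says. Only the Rack call(env) convention is used, so it runs without Rails.

```ruby
require 'json'

# Middleware that makes /api/ paths token-only. Everything outside the API
# prefix is passed through untouched, so the UI keeps its session login.
class ApiTokenOnlyAuth
  API_PREFIX = '/api/'.freeze

  # token_store is a hypothetical lookup: token string => { user:, revoked: }.
  # In a real app this would be backed by the token table.
  def initialize(app, token_store)
    @app = app
    @token_store = token_store
  end

  def call(env)
    return @app.call(env) unless env['PATH_INFO'].to_s.start_with?(API_PREFIX)

    token = bearer_token(env['HTTP_AUTHORIZATION'])
    record = token && @token_store[token]

    # HTTP_COOKIE is deliberately never consulted here: a logged-in browser
    # session must not authorize API calls, and a revoked token must not
    # be rescued by one either.
    if record.nil?
      return unauthorized('You need to sign in or sign up before continuing.')
    elsif record[:revoked]
      return unauthorized('API token has been revoked.')
    end

    env['api.current_user'] = record[:user]
    @app.call(env)
  end

  private

  # Extracts the token from "Authorization: Bearer <token>" (assumed scheme).
  def bearer_token(header)
    return nil unless header
    m = /\ABearer\s+(\S+)\z/i.match(header.strip)
    m && m[1]
  end

  # Always JSON and always 401 for API paths, regardless of the Accept header,
  # so a missing Accept header can no longer turn into an HTML redirect.
  def unauthorized(message)
    [401, { 'Content-Type' => 'application/json' }, [JSON.generate(error: message)]]
  end
end
```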

bwilk commented 3 years ago

I have a feeling that for the UI user session we have another Device authorization policy that is being used instead of the token verification (especially in Swagger)

jswk commented 3 years ago

I elaborated a little about the issue in the description: https://github.com/cyfronet-fid/marketplace/issues/1787#issue-799301669.

michal-szostak commented 2 years ago

I'm not entirely sure whether we should treat this behaviour as a bug - for API exploration being able to use browser's session to authorize is a pretty handy behaviour. We should fix the bugs / errors issue though.