add release note and expand feature flag description IQSS#9063

GPortas · Mar 27, 2023 · 5eb13b0 · 5eb13b0
1 parent e728617
commit 5eb13b0
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/doc/release-notes/9063-session-api-auth.md b/doc/release-notes/9063-session-api-auth.md
@@ -0,0 +1 @@
+A feature flag called "api-session-auth" has been added temporarily to aid in the development of the new frontend (#9063) but will be removed once bearer tokens (#9229) have been implemented. There is a security risk (CSRF) in enabling this flag! Do not use it in production! For more information, see http://preview.guides.gdcc.io/en/develop/installation/config.html#feature-flags
diff --git a/doc/sphinx-guides/source/installation/config.rst b/doc/sphinx-guides/source/installation/config.rst
@@ -2191,7 +2191,7 @@ please find all known feature flags below. Any of these flags can be activated u
       - Description
       - Default status
     * - api-session-auth
-      - Enables API authentication via session cookie (JSESSIONID). Caution: Enabling this feature flag exposes the installation to CSRF risks.
+      - Enables API authentication via session cookie (JSESSIONID). **Caution: Enabling this feature flag exposes the installation to CSRF risks!** We expect this feature flag to be temporary (only used by frontend developers, see `#9063 <https://github.com/IQSS/dataverse/issues/9063>`_) and removed once support for bearer tokens has been implemented (see `#9229 <https://github.com/IQSS/dataverse/issues/9229>`_).
       - ``Off``
 
 **Note:** Can be set via any `supported MicroProfile Config API source`_, e.g. the environment variable