Internal token for CLI / API administration

[lonix1]

Component

server, cli

Describe the bug

This is not strictly a bug, but a design flaw. I first asked on the discord server.

Suppose I want to lock down my woodpecker server - I don't want random users from my gitea server to be able to log in. So I set WOODPECKER_OPEN=false. The docs state that in that case I need to create users manually, using the CLI.

The problem is the CLI needs an auth token, to be able to communicate with the server. But to generate such a token I must log in to the server, which I can't do. A chicken and egg problem! 🐤 🥚

System Info

I am using 'next'

Additional context

Idea: have the CLI inside the server container, and allow it to communicate without an auth token.

Idea: proposed by @6543:

gitea use an "internal token" for this tasks... we could do similar

Validations

• Read the Contributing Guidelines.
• Read the docs.
• Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
• Checked that the bug isn't fixed in the next version already [https://woodpecker-ci.org/faq#which-version-of-woodpecker-should-i-use]
• Check that this is a concrete bug. For Q&A join our Discord Chat Server or the Matrix room.

[6543]

tldr: add an internal token for cli/api administration tasks ...

... in this regards woodpecker does not have a own user-registry - we exclusively use Oauth2

[lonix1]

So you would set the token as a environment variable in the server container and also the cli container?

(Similar to what we have now with WOODPECKER_AGENT_SECRET.)

[anbraten]

In this PR someone wrote down a smart way to login to Woodpecker: https://github.com/earl-warren/woodpecker/blob/6d1dc73418c4c6054a200c73098aaec81f9c0d1f/.woodpecker/forgejo.yml#L35