1
0
Fork 0
forgejo/modules/setting
Jack Hay 4e879fed90
Deprecate query string auth tokens (#28390)
## Changes
- Add deprecation warning to `Token` and `AccessToken` authentication
methods in swagger.
- Add deprecation warning header to API response. Example: 
  ```
  HTTP/1.1 200 OK
  ...
  Warning: token and access_token API authentication is deprecated
  ...
  ```
- Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth
tokens entirely. Default is `false`

## Next steps
- `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and
the methods should be removed in swagger
- `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of
the auth methods in question should be removed

## Open questions
- Should there be further changes to the swagger documentation?
Deprecation is not yet supported for security definitions (coming in
[OpenAPI Spec version
3.2.0](https://github.com/OAI/OpenAPI-Specification/issues/2506))
- Should the API router logger sanitize urls that use `token` or
`access_token`? (This is obviously an insufficient solution on its own)

---------

Co-authored-by: delvh <dev.lh@web.de>
2023-12-12 03:48:53 +00:00
..
config Refactor system setting (#27000) 2023-10-05 09:08:19 +08:00
actions.go add skip ci functionality (#28075) 2023-11-18 13:37:08 +02:00
actions_test.go
admin.go
api.go
asset_dynamic.go
asset_static.go
attachment.go Fix incorrect default value of [attachment].MAX_SIZE (#28373) 2023-12-06 10:59:56 -05:00
attachment_test.go
cache.go
camo.go
config.go Refactor system setting (#27000) 2023-10-05 09:08:19 +08:00
config_env.go Fix environment-to-ini inherited key bug (#27543) 2023-10-10 01:10:37 +08:00
config_env_test.go Fix environment-to-ini inherited key bug (#27543) 2023-10-10 01:10:37 +08:00
config_provider.go Remove redundant len check around loop (#27464) 2023-10-06 14:49:37 +08:00
config_provider_test.go Fix INI parsing for value with trailing slash (#26995) 2023-09-10 16:15:51 +00:00
cors.go
cron.go Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
cron_test.go
database.go Use filepath instead of path to create SQLite3 database file (#28374) 2023-12-06 16:57:52 +00:00
database_sqlite.go
database_test.go Fix incorrect pgsql conn builder behavior (#28085) 2023-11-17 02:30:57 +00:00
federation.go
git.go
git_test.go
highlight.go
i18n.go
incoming_email.go
indexer.go
indexer_test.go
lfs.go Handle base64 decoding correctly to avoid panic (#26483) 2023-08-14 10:30:16 +00:00
lfs_test.go Display deprecated warning in admin panel pages as well as in the log file (#26094) 2023-07-26 03:53:37 +00:00
log.go Clarify the logger's MODE config option (#26267) 2023-08-01 18:28:23 +00:00
log_test.go Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
mailer.go
mailer_test.go
markup.go
metrics.go
migrations.go
mime_type_map.go
mirror.go
oauth2.go Pre-register OAuth application for tea (#27509) 2023-10-08 03:51:08 +00:00
other.go
packages.go Avoid creating directories when loading config (#25944) 2023-07-18 07:32:36 -05:00
packages_test.go
path.go Update path related documents (#25417) 2023-07-19 11:22:57 +02:00
path_test.go
picture.go
project.go
proxy.go
queue.go Increase queue length (#27555) 2023-10-10 18:47:49 +08:00
repository.go Change default size of attachments and repo files (#28100) 2023-11-17 11:42:00 +00:00
repository_archive.go
repository_archive_test.go
security.go Deprecate query string auth tokens (#28390) 2023-12-12 03:48:53 +00:00
server.go Remove some dead code (#27196) 2023-09-22 23:30:31 +08:00
service.go Add reverseproxy auth for API back with default disabled (#26703) 2023-09-07 08:31:46 +00:00
service_test.go Fix allowed user types setting problem (#26200) 2023-07-28 12:15:39 -04:00
session.go Use secure cookie for HTTPS sites (#26999) 2023-09-11 17:03:51 +08:00
setting.go Make "install page" respect environment config (#25648) 2023-07-09 22:43:37 +00:00
setting_test.go
ssh.go Expanded minimum RSA Keylength to 3072 (#26604) 2023-08-28 00:53:16 +00:00
storage.go Support storage base path as prefix (#27827) 2023-11-01 19:17:18 +08:00
storage_test.go Support storage base path as prefix (#27827) 2023-11-01 19:17:18 +08:00
task.go
time.go
ui.go Allow to set explore page default sort (#27951) 2023-11-09 10:11:45 +00:00
webhook.go