	Deprecate query string auth tokens (#28390)
## Changes - Add deprecation warning to `Token` and `AccessToken` authentication methods in swagger. - Add deprecation warning header to API response. Example: ``` HTTP/1.1 200 OK ... Warning: token and access_token API authentication is deprecated ... ``` - Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth tokens entirely. Default is `false` ## Next steps - `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and the methods should be removed in swagger - `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of the auth methods in question should be removed ## Open questions - Should there be further changes to the swagger documentation? Deprecation is not yet supported for security definitions (coming in [OpenAPI Spec version 3.2.0](https://github.com/OAI/OpenAPI-Specification/issues/2506)) - Should the API router logger sanitize urls that use `token` or `access_token`? (This is obviously an insufficient solution on its own) --------- Co-authored-by: delvh <dev.lh@web.de>
		| @@ -35,10 +35,12 @@ | ||||
| //	     type: apiKey | ||||
| //	     name: token | ||||
| //	     in: query | ||||
| //	     description: This authentication option is deprecated for removal in Gitea 1.23. Please use AuthorizationHeaderToken instead. | ||||
| //	AccessToken: | ||||
| //	     type: apiKey | ||||
| //	     name: access_token | ||||
| //	     in: query | ||||
| //	     description: This authentication option is deprecated for removal in Gitea 1.23. Please use AuthorizationHeaderToken instead. | ||||
| //	AuthorizationHeaderToken: | ||||
| //	     type: apiKey | ||||
| //	     name: Authorization | ||||
| @@ -788,6 +790,13 @@ func verifyAuthWithOptions(options *common.VerifyOptions) func(ctx *context.APIC | ||||
| 	} | ||||
| } | ||||
|  | ||||
| // check for and warn against deprecated authentication options | ||||
| func checkDeprecatedAuthMethods(ctx *context.APIContext) { | ||||
| 	if ctx.FormString("token") != "" || ctx.FormString("access_token") != "" { | ||||
| 		ctx.Resp.Header().Set("Warning", "token and access_token API authentication is deprecated and will be removed in gitea 1.23. Please use AuthorizationHeaderToken instead. Existing queries will continue to work but without authorization.") | ||||
| 	} | ||||
| } | ||||
|  | ||||
| // Routes registers all v1 APIs routes to web application. | ||||
| func Routes() *web.Route { | ||||
| 	m := web.NewRoute() | ||||
| @@ -806,6 +815,8 @@ func Routes() *web.Route { | ||||
| 	} | ||||
| 	m.Use(context.APIContexter()) | ||||
|  | ||||
| 	m.Use(checkDeprecatedAuthMethods) | ||||
|  | ||||
| 	// Get user from session if logged in. | ||||
| 	m.Use(apiAuth(buildAuthGroup())) | ||||
|  | ||||
|   | ||||
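Review bot: The value written to the `Warning` response header in the new `checkDeprecatedAuthMethods` (second hunk) is a bare sentence, but RFC 7234 §5.5 defines the field as `warn-code SP warn-agent SP warn-text` with the text in a quoted-string, so strict clients and caching proxies may drop or mis-parse it; `ctx.Resp.Header().Set("Warning", "299 - \"token and access_token API authentication is deprecated and will be removed in gitea 1.23. Please use AuthorizationHeaderToken instead.\"")` would be well-formed (299 is the registered miscellaneous persistent warning code). `ctx.FormString` presumably reads both the URL query and a form-encoded body, in which case the warning also fires for body fields named `token` or `access_token` even though the commit message targets query-string tokens; reading from the request URL query alone would match the stated intent more precisely. The `DISABLE_QUERY_AUTH_TOKEN` rejection described in the commit message does not appear in these hunks, so whether the header is still emitted on a request rejected by that setting cannot be checked here.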