forgejo/modules
Jack Hay 4e879fed90
Deprecate query string auth tokens (#28390)
## Changes
- Add deprecation warning to `Token` and `AccessToken` authentication
methods in swagger.
- Add deprecation warning header to API response. Example:
  ```
  HTTP/1.1 200 OK
  ...
  Warning: token and access_token API authentication is deprecated
  ...
  ```
- Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth
tokens entirely. Default is `false`.

## Next steps
- `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and
the methods should be removed in swagger
- `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of
the auth methods in question should be removed

## Open questions
- Should there be further changes to the swagger documentation?
Deprecation is not yet supported for security definitions (coming in
[OpenAPI Spec version
3.2.0](https://github.com/OAI/OpenAPI-Specification/issues/2506))
- Should the API router logger sanitize URLs that use `token` or
`access_token`? (This is obviously an insufficient solution on its own.)

---------

Co-authored-by: delvh <dev.lh@web.de>
2023-12-12 03:48:53 +00:00
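The two behaviours the commit describes (a `Warning` header while query string tokens are still accepted, outright rejection once `DISABLE_QUERY_AUTH_TOKEN` is on) and the log-sanitizing idea from the open questions, as an added Go example. This is illustrative code written for this page, not Forgejo's implementation: the `QueryAuthSettings` struct, `QueryTokenMiddleware`, `RedactQueryTokens` and `ProbeQueryToken` are hypothetical names, and the 401 status chosen for the rejection case is an assumption rather than something the commit states.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// QueryAuthSettings is a hypothetical stand-in for the single option the
// commit adds; it is not Forgejo's settings type.
type QueryAuthSettings struct {
	DisableQueryAuthToken bool // mirrors DISABLE_QUERY_AUTH_TOKEN (default false)
}

// Warning header text quoted from the commit message.
const queryAuthWarning = "token and access_token API authentication is deprecated"

// deprecatedParams are the query string parameters being phased out.
var deprecatedParams = []string{"token", "access_token"}

// hasDeprecatedToken reports whether the request carries a token in the query string.
func hasDeprecatedToken(q url.Values) bool {
	for _, k := range deprecatedParams {
		if q.Has(k) {
			return true
		}
	}
	return false
}

// QueryTokenMiddleware wraps an API handler. When the query string carries a
// deprecated token it either rejects the request (setting on, status assumed
// to be 401) or attaches the Warning header and lets the request through.
func QueryTokenMiddleware(cfg QueryAuthSettings, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if hasDeprecatedToken(r.URL.Query()) {
			if cfg.DisableQueryAuthToken {
				http.Error(w, "query string authentication tokens are disabled", http.StatusUnauthorized)
				return
			}
			// Header must be set before the wrapped handler writes the status line.
			w.Header().Set("Warning", queryAuthWarning)
		}
		next.ServeHTTP(w, r)
	})
}

// RedactQueryTokens returns a copy of the URL suitable for an access log,
// with the values of token/access_token replaced so secrets never reach logs.
// As the commit notes, this is only a partial measure (the secret still
// travels in the URL, e.g. through proxies and browser history).
func RedactQueryTokens(u *url.URL) string {
	q := u.Query()
	for _, k := range deprecatedParams {
		if q.Has(k) {
			q.Set(k, "REDACTED")
		}
	}
	redacted := *u
	redacted.RawQuery = q.Encode()
	return redacted.String()
}

// ProbeQueryToken runs one request through the middleware in-process and
// returns the status code and Warning header the client would observe.
func ProbeQueryToken(cfg QueryAuthSettings, target string) (int, string) {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	QueryTokenMiddleware(cfg, ok).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code, rec.Header().Get("Warning")
}

func main() {
	// Constructed sample request path; the token value is made up.
	const sample = "/api/v1/user?access_token=EXAMPLE-TOKEN"
	code, warn := ProbeQueryToken(QueryAuthSettings{}, sample)
	fmt.Printf("default setting:  status=%d warning=%q\n", code, warn)
	code, warn = ProbeQueryToken(QueryAuthSettings{DisableQueryAuthToken: true}, sample)
	fmt.Printf("tokens disabled:  status=%d warning=%q\n", code, warn)
	u, _ := url.Parse(sample)
	fmt.Println("log-safe URL:    ", RedactQueryTokens(u))
}
```

Running `go run` on the file prints a 200 with the Warning header for the default configuration, a 401 once the setting is on, and a log line in which the token value is replaced. A deployment that keeps the default during the deprecation window can watch for the Warning header in client responses to find integrations still relying on query string tokens before flipping the setting.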
actions
activitypub Upgrade to golangci-lint@v1.55.0 (#27756) 2023-10-24 02:54:59 +00:00
analyze
assetfs
auth
avatar
base
cache
charset
container
context Second part of refactor db.Find (#28194) 2023-12-11 16:56:48 +08:00
contexttest
csv
doctor Improve doctor cli behavior (#28422) 2023-12-11 15:55:10 +00:00
emoji
eventsource Final round of db.DefaultContext refactor (#27587) 2023-10-14 08:37:24 +00:00
generate
git Make gogit Repository.GetBranchNames consistent (#28348) 2023-12-07 12:08:17 -05:00
gitgraph
graceful Refactor graceful manager to use shared code (#28073) 2023-11-24 14:21:46 +00:00
hcaptcha
highlight
hostmatcher Support allowed hosts for webhook to work with proxy (#27655) 2023-10-18 09:44:36 +00:00
html
httpcache
httplib
indexer Include public repos in doer's dashboard for issue search (#28304) 2023-12-07 13:26:18 +08:00
issue/template
json
label
lfs Upgrade to golangci-lint@v1.55.0 (#27756) 2023-10-24 02:54:59 +00:00
log
markup Use restricted sanitizer for repository description (#28141) 2023-11-23 16:34:25 +00:00
mcaptcha
metrics
migration
nosql Update tool dependencies, lock govulncheck and actionlint (#25655) 2023-07-09 11:58:06 +00:00
options
packages Close all hashed buffers (#27787) 2023-10-25 21:24:24 +02:00
paginator
pprof
private
process
proxy
proxyprotocol
public
queue
recaptcha
references
regexplru
repository Second part of refactor db.Find (#28194) 2023-12-11 16:56:48 +08:00
secret
session
setting Deprecate query string auth tokens (#28390) 2023-12-12 03:48:53 +00:00
sitemap
ssh Remove SSH workaround (#27893) 2023-11-03 15:21:05 +00:00
storage
structs Fix package webhook (#27839) 2023-10-31 04:43:38 +00:00
svg
sync
system Replace more db.DefaultContext (#27628) 2023-10-15 17:46:06 +02:00
templates Render PyPi long description as document (#28272) 2023-12-05 15:02:01 +00:00
test
testlogger
timeutil
translation
turnstile
typesniffer
updatechecker Replace more db.DefaultContext (#27628) 2023-10-15 17:46:06 +02:00
upload
uri
user
util Upgrade to golangci-lint@v1.55.0 (#27756) 2023-10-24 02:54:59 +00:00
validation
web Make CORS work for oauth2 handlers (#28184) 2023-11-23 21:19:26 +08:00
webhook