Infrastructure/forgejo
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-27 18:04:04 -05:00
Code Issues Activity
forgejo/modules/setting
History
Giteabot f144521aea
Deprecate query string auth tokens (#28390) (#28430) 
Backport #28390 by @jackHay22

## Changes
- Add deprecation warning to `Token` and `AccessToken` authentication
methods in swagger.
- Add deprecation warning header to API response. Example: 
  ```
  HTTP/1.1 200 OK
  ...
  Warning: token and access_token API authentication is deprecated
  ...
  ```
- Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth
tokens entirely. Default is `false`

## Next steps
- `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and
the methods should be removed in swagger
- `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of
the auth methods in question should be removed

## Open questions
- Should there be further changes to the swagger documentation?
Deprecation is not yet supported for security definitions (coming in
[OpenAPI Spec version
3.2.0](https://github.com/OAI/OpenAPI-Specification/issues/2506))
- Should the API router logger sanitize urls that use `token` or
`access_token`? (This is obviously an insufficient solution on its own)

Co-authored-by: Jack Hay <jack@allspice.io>
Co-authored-by: delvh <dev.lh@web.de>
2023-12-12 13:45:00 +08:00
..
config Refactor system setting (#27000) (#27452) 2023-10-05 10:37:59 +00:00
actions.go Make Actions tasks/jobs timeouts configurable by the user (#27400) (#27402) 2023-10-03 10:26:35 +08:00
actions_test.go Restrict [actions].DEFAULT_ACTIONS_URL to only github or self (#25581) 2023-06-30 07:26:36 +00:00
admin.go
api.go
asset_dynamic.go
asset_static.go
attachment.go Fix incorrect default value of [attachment].MAX_SIZE (#28373) (#28376) 2023-12-06 19:32:23 +00:00
attachment_test.go
cache.go
camo.go
config.go Refactor system setting (#27000) (#27452) 2023-10-05 10:37:59 +00:00
config_env.go Fix environment-to-ini inherited key bug (#27543) (#27546) 2023-10-09 17:46:58 +00:00
config_env_test.go Fix environment-to-ini inherited key bug (#27543) (#27546) 2023-10-09 17:46:58 +00:00
config_provider.go Fix INI parsing for value with trailing slash (#26995) 2023-09-10 16:15:51 +00:00
config_provider_test.go Fix INI parsing for value with trailing slash (#26995) 2023-09-10 16:15:51 +00:00
cors.go
cron.go Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
cron_test.go
database.go Use filepath instead of path to create SQLite3 database file (#28374) (#28378) 2023-12-06 11:22:18 -06:00
database_sqlite.go
database_test.go Fix incorrect pgsql conn builder behavior (#28085) (#28098) 2023-11-17 10:45:04 +00:00
federation.go
git.go
git_test.go
highlight.go
i18n.go
incoming_email.go
indexer.go
indexer_test.go
lfs.go Handle base64 decoding correctly to avoid panic (#26483) 2023-08-14 10:30:16 +00:00
lfs_test.go Display deprecated warning in admin panel pages as well as in the log file (#26094) 2023-07-26 03:53:37 +00:00
log.go Clarify the logger's MODE config option (#26267) 2023-08-01 18:28:23 +00:00
log_test.go Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
mailer.go
mailer_test.go
markup.go
metrics.go
migrations.go
mime_type_map.go
mirror.go
oauth2.go Handle base64 decoding correctly to avoid panic (#26483) 2023-08-14 10:30:16 +00:00
other.go
packages.go Avoid creating directories when loading config (#25944) 2023-07-18 07:32:36 -05:00
packages_test.go
path.go Update path related documents (#25417) 2023-07-19 11:22:57 +02:00
path_test.go Refactor path & config system (#25330) 2023-06-21 13:50:26 +08:00
picture.go
project.go
proxy.go
queue.go Increase queue length (#27555) (#27562) 2023-10-10 20:22:26 +08:00
repository.go Change default size of attachments and repo files (#28100) (#28106) 2023-11-17 13:30:42 +01:00
repository_archive.go
repository_archive_test.go
security.go Deprecate query string auth tokens (#28390) (#28430) 2023-12-12 13:45:00 +08:00
server.go Serve pre-defined files in "public", add "security.txt", add CORS header for ".well-known" (#25974) 2023-07-21 12:14:20 +00:00
service.go Add reverseproxy auth for API back with default disabled (#26703) 2023-09-07 08:31:46 +00:00
service_test.go Fix allowed user types setting problem (#26200) 2023-07-28 12:15:39 -04:00
session.go Use secure cookie for HTTPS sites (#26999) 2023-09-11 17:03:51 +08:00
setting.go Make "install page" respect environment config (#25648) 2023-07-09 22:43:37 +00:00
setting_test.go
ssh.go Expanded minimum RSA Keylength to 3072 (#26604) 2023-08-28 00:53:16 +00:00
storage.go Fix storage path logic especially for relative paths (#26441) 2023-08-13 22:09:25 +02:00
storage_test.go Fix storage path logic especially for relative paths (#26441) 2023-08-13 22:09:25 +02:00
task.go
time.go
ui.go
webhook.go