Infrastructure/forgejo
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-02-21 13:26:24 -05:00
Code Issues Activity
forgejo/modules/setting
History
Giteabot f144521aea
Deprecate query string auth tokens (#28390) (#28430) 
Backport #28390 by @jackHay22

## Changes
- Add deprecation warning to `Token` and `AccessToken` authentication
methods in swagger.
- Add deprecation warning header to API response. Example: 
  ```
  HTTP/1.1 200 OK
  ...
  Warning: token and access_token API authentication is deprecated
  ...
  ```
- Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth
tokens entirely. Default is `false`

## Next steps
- `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and
the methods should be removed in swagger
- `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of
the auth methods in question should be removed

## Open questions
- Should there be further changes to the swagger documentation?
Deprecation is not yet supported for security definitions (coming in
[OpenAPI Spec version
3.2.0](https://github.com/OAI/OpenAPI-Specification/issues/2506))
- Should the API router logger sanitize urls that use `token` or
`access_token`? (This is obviously an insufficient solution on its own)

Co-authored-by: Jack Hay <jack@allspice.io>
Co-authored-by: delvh <dev.lh@web.de>
2023-12-12 13:45:00 +08:00
..
config Refactor system setting (#27000) (#27452) 2023-10-05 10:37:59 +00:00
actions.go Make Actions tasks/jobs timeouts configurable by the user (#27400) (#27402) 2023-10-03 10:26:35 +08:00
actions_test.go
admin.go
api.go
asset_dynamic.go
asset_static.go
attachment.go Fix incorrect default value of [attachment].MAX_SIZE (#28373) (#28376) 2023-12-06 19:32:23 +00:00
attachment_test.go
cache.go
camo.go
config.go Refactor system setting (#27000) (#27452) 2023-10-05 10:37:59 +00:00
config_env.go Fix environment-to-ini inherited key bug (#27543) (#27546) 2023-10-09 17:46:58 +00:00
config_env_test.go Fix environment-to-ini inherited key bug (#27543) (#27546) 2023-10-09 17:46:58 +00:00
config_provider.go Fix INI parsing for value with trailing slash (#26995) 2023-09-10 16:15:51 +00:00
config_provider_test.go Fix INI parsing for value with trailing slash (#26995) 2023-09-10 16:15:51 +00:00
cors.go
cron.go
cron_test.go
database.go Use filepath instead of path to create SQLite3 database file (#28374) (#28378) 2023-12-06 11:22:18 -06:00
database_sqlite.go
database_test.go Fix incorrect pgsql conn builder behavior (#28085) (#28098) 2023-11-17 10:45:04 +00:00
federation.go
git.go
git_test.go
highlight.go
i18n.go
incoming_email.go
indexer.go
indexer_test.go
lfs.go
lfs_test.go
log.go
log_test.go
mailer.go
mailer_test.go
markup.go
metrics.go
migrations.go
mime_type_map.go
mirror.go
oauth2.go
other.go
packages.go
packages_test.go
path.go
path_test.go
picture.go
project.go
proxy.go
queue.go Increase queue length (#27555) (#27562) 2023-10-10 20:22:26 +08:00
repository.go Change default size of attachments and repo files (#28100) (#28106) 2023-11-17 13:30:42 +01:00
repository_archive.go
repository_archive_test.go
security.go Deprecate query string auth tokens (#28390) (#28430) 2023-12-12 13:45:00 +08:00
server.go
service.go Add reverseproxy auth for API back with default disabled (#26703) 2023-09-07 08:31:46 +00:00
service_test.go
session.go Use secure cookie for HTTPS sites (#26999) 2023-09-11 17:03:51 +08:00
setting.go
setting_test.go
ssh.go Expanded minimum RSA Keylength to 3072 (#26604) 2023-08-28 00:53:16 +00:00
storage.go
storage_test.go
task.go
time.go
ui.go
webhook.go