diff options
| author | Jack Hay <jack@allspice.io> | 2023-12-12 04:48:53 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-12-12 04:48:53 +0100 |
| commit | 4e879fed90665331d2a57e5abee9e0f02372c470 (patch) | |
| tree | 844835c8e5e09f330ffda9c7be09eb9c5ccd10e0 /custom/conf | |
| parent | [skip ci] Updated translations via Crowdin (diff) | |
| download | forgejo-4e879fed90665331d2a57e5abee9e0f02372c470.tar.xz forgejo-4e879fed90665331d2a57e5abee9e0f02372c470.zip | |
Deprecate query string auth tokens (#28390)
## Changes
- Add deprecation warning to `Token` and `AccessToken` authentication
methods in swagger.
- Add deprecation warning header to API response. Example:
```
HTTP/1.1 200 OK
...
Warning: token and access_token API authentication is deprecated
...
```
- Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth
tokens entirely. Default is `false`
## Next steps
- `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and
the methods should be removed in swagger
- `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of
the auth methods in question should be removed
## Open questions
- Should there be further changes to the swagger documentation?
Deprecation is not yet supported for security definitions (coming in
[OpenAPI Spec version
3.2.0](https://github.com/OAI/OpenAPI-Specification/issues/2506))
- Should the API router logger sanitize urls that use `token` or
`access_token`? (This is obviously an insufficient solution on its own)
---------
Co-authored-by: delvh <dev.lh@web.de>
Diffstat (limited to 'custom/conf')
| -rw-r--r-- | custom/conf/app.example.ini | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini index 18d6fe37a8..e10c4f7582 100644 --- a/custom/conf/app.example.ini +++ b/custom/conf/app.example.ini @@ -492,6 +492,11 @@ INTERNAL_TOKEN= ;; Cache successful token hashes. API tokens are stored in the DB as pbkdf2 hashes however, this means that there is a potentially significant hashing load when there are multiple API operations. ;; This cache will store the successfully hashed tokens in a LRU cache as a balance between performance and security. ;SUCCESSFUL_TOKENS_CACHE_SIZE = 20 +;; +;; Reject API tokens sent in URL query string (Accept Header-based API tokens only). This avoids security vulnerabilities +;; stemming from cached/logged plain-text API tokens. +;; In future releases, this will become the default behavior +;DISABLE_QUERY_AUTH_TOKEN = false ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; |