diff options
author | Jack Hay <jack@allspice.io> | 2023-12-12 04:48:53 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-12-12 04:48:53 +0100 |
commit | 4e879fed90665331d2a57e5abee9e0f02372c470 (patch) | |
tree | 844835c8e5e09f330ffda9c7be09eb9c5ccd10e0 /modules/setting/security.go | |
parent | [skip ci] Updated translations via Crowdin (diff) | |
download | forgejo-4e879fed90665331d2a57e5abee9e0f02372c470.tar.xz forgejo-4e879fed90665331d2a57e5abee9e0f02372c470.zip |
Deprecate query string auth tokens (#28390)
## Changes
- Add deprecation warning to `Token` and `AccessToken` authentication
methods in swagger.
- Add deprecation warning header to API response. Example:
```
HTTP/1.1 200 OK
...
Warning: token and access_token API authentication is deprecated
...
```
- Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth
tokens entirely. Default is `false`
## Next steps
- `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and
the methods should be removed in swagger
- `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of
the auth methods in question should be removed
## Open questions
- Should there be further changes to the swagger documentation?
Deprecation is not yet supported for security definitions (coming in
[OpenAPI Spec version
3.2.0](https://github.com/OAI/OpenAPI-Specification/issues/2506))
- Should the API router logger sanitize urls that use `token` or
`access_token`? (This is obviously an insufficient solution on its own)
---------
Co-authored-by: delvh <dev.lh@web.de>
Diffstat (limited to 'modules/setting/security.go')
-rw-r--r-- | modules/setting/security.go | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/modules/setting/security.go b/modules/setting/security.go index 92caa05fad..4adfe20635 100644 --- a/modules/setting/security.go +++ b/modules/setting/security.go @@ -34,6 +34,7 @@ var ( PasswordHashAlgo string PasswordCheckPwn bool SuccessfulTokensCacheSize int + DisableQueryAuthToken bool CSRFCookieName = "_csrf" CSRFCookieHTTPOnly = true ) @@ -157,4 +158,11 @@ func loadSecurityFrom(rootCfg ConfigProvider) { PasswordComplexity = append(PasswordComplexity, name) } } + + // TODO: default value should be true in future releases + DisableQueryAuthToken = sec.Key("DISABLE_QUERY_AUTH_TOKEN").MustBool(false) + + if !DisableQueryAuthToken { + log.Warn("Enabling Query API Auth tokens is not recommended. DISABLE_QUERY_AUTH_TOKEN will default to true in gitea 1.23 and will be removed in gitea 1.24.") + } } |