gitea/modules/setting
Giteabot f144521aea
Deprecate query string auth tokens (#28390) (#28430)
Backport #28390 by @jackHay22

## Changes
- Add deprecation warning to `Token` and `AccessToken` authentication
methods in swagger.
- Add deprecation warning header to API response. Example: 
  ```
  HTTP/1.1 200 OK
  ...
  Warning: token and access_token API authentication is deprecated
  ...
  ```
- Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth
tokens entirely. Default is `false`

## Next steps
- `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and
the methods should be removed in swagger
- `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of
the auth methods in question should be removed

## Open questions
- Should there be further changes to the swagger documentation?
Deprecation is not yet supported for security definitions (coming in
[OpenAPI Spec version
3.2.0](https://github.com/OAI/OpenAPI-Specification/issues/2506))
- Should the API router logger sanitize urls that use `token` or
`access_token`? (This is obviously an insufficient solution on its own)

Co-authored-by: Jack Hay <jack@allspice.io>
Co-authored-by: delvh <dev.lh@web.de>
2023-12-12 13:45:00 +08:00
..
config Refactor system setting (#27000) (#27452) 2023-10-05 10:37:59 +00:00
actions_test.go Restrict [actions].DEFAULT_ACTIONS_URL to only github or self (#25581) 2023-06-30 07:26:36 +00:00
actions.go Make Actions tasks/jobs timeouts configurable by the user (#27400) (#27402) 2023-10-03 10:26:35 +08:00
admin.go Refactor the setting to make unit test easier (#22405) 2023-02-20 00:12:01 +08:00
api.go Refactor the setting to make unit test easier (#22405) 2023-02-20 00:12:01 +08:00
asset_dynamic.go Use a general approach to access custom/static/builtin assets (#24022) 2023-04-12 18:16:45 +08:00
asset_static.go Use a general approach to access custom/static/builtin assets (#24022) 2023-04-12 18:16:45 +08:00
attachment_test.go Fix all possible setting error related storages and added some tests (#23911) 2023-06-14 11:42:38 +08:00
attachment.go Fix incorrect default value of [attachment].MAX_SIZE (#28373) (#28376) 2023-12-06 19:32:23 +00:00
cache.go Refactor the setting to make unit test easier (#22405) 2023-02-20 00:12:01 +08:00
camo.go Refactor the setting to make unit test easier (#22405) 2023-02-20 00:12:01 +08:00
config_env_test.go Fix environment-to-ini inherited key bug (#27543) (#27546) 2023-10-09 17:46:58 +00:00
config_env.go Fix environment-to-ini inherited key bug (#27543) (#27546) 2023-10-09 17:46:58 +00:00
config_provider_test.go Fix INI parsing for value with trailing slash (#26995) 2023-09-10 16:15:51 +00:00
config_provider.go Fix INI parsing for value with trailing slash (#26995) 2023-09-10 16:15:51 +00:00
config.go Refactor system setting (#27000) (#27452) 2023-10-05 10:37:59 +00:00
cors.go Fix incorrect CORS default values (#24206) 2023-04-19 15:30:10 -04:00
cron_test.go Rewrite queue (#24505) 2023-05-08 19:49:59 +08:00
cron.go Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
database_sqlite.go Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
database_test.go Fix incorrect pgsql conn builder behavior (#28085) (#28098) 2023-11-17 10:45:04 +00:00
database.go Use filepath instead of path to create SQLite3 database file (#28374) (#28378) 2023-12-06 11:22:18 -06:00
federation.go Refactor the setting to make unit test easier (#22405) 2023-02-20 00:12:01 +08:00
git_test.go Use [git.config] for reflog cleaning up (#24958) 2023-05-28 01:07:14 +00:00
git.go Use [git.config] for reflog cleaning up (#24958) 2023-05-28 01:07:14 +00:00
highlight.go Refactor the setting to make unit test easier (#22405) 2023-02-20 00:12:01 +08:00
i18n.go Refactor the setting to make unit test easier (#22405) 2023-02-20 00:12:01 +08:00
incoming_email.go Refactor the setting to make unit test easier (#22405) 2023-02-20 00:12:01 +08:00
indexer_test.go Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
indexer.go Allow skipping forks and mirrors from being indexed (#23187) 2023-05-25 16:13:47 +08:00
lfs_test.go Display deprecated warning in admin panel pages as well as in the log file (#26094) 2023-07-26 03:53:37 +00:00
lfs.go Handle base64 decoding correctly to avoid panic (#26483) 2023-08-14 10:30:16 +00:00
log_test.go Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
log.go Clarify the logger's MODE config option (#26267) 2023-08-01 18:28:23 +00:00
mailer_test.go Remove unnecessary code (#24610) 2023-05-10 04:57:06 +00:00
mailer.go Make mailer SMTP check have timed context (#24751) 2023-05-16 22:55:51 +02:00
markup.go Add .livemd as a markdown extension (#22730) 2023-04-26 11:22:54 -04:00
metrics.go Refactor the setting to make unit test easier (#22405) 2023-02-20 00:12:01 +08:00
migrations.go Refactor the setting to make unit test easier (#22405) 2023-02-20 00:12:01 +08:00
mime_type_map.go Refactor the setting to make unit test easier (#22405) 2023-02-20 00:12:01 +08:00
mirror.go Avoid polluting the config (#25345) 2023-06-18 16:10:44 +00:00
oauth2.go Handle base64 decoding correctly to avoid panic (#26483) 2023-08-14 10:30:16 +00:00
other.go Refactor setting.Other and remove unused SHOW_FOOTER_BRANDING (#24270) 2023-04-22 19:38:25 -04:00
packages_test.go Fix all possible setting error related storages and added some tests (#23911) 2023-06-14 11:42:38 +08:00
packages.go Avoid creating directories when loading config (#25944) 2023-07-18 07:32:36 -05:00
path_test.go Refactor path & config system (#25330) 2023-06-21 13:50:26 +08:00
path.go Update path related documents (#25417) 2023-07-19 11:22:57 +02:00
picture.go Fix all possible setting error related storages and added some tests (#23911) 2023-06-14 11:42:38 +08:00
project.go Refactor the setting to make unit test easier (#22405) 2023-02-20 00:12:01 +08:00
proxy.go Refactor the setting to make unit test easier (#22405) 2023-02-20 00:12:01 +08:00
queue.go Increase queue length (#27555) (#27562) 2023-10-10 20:22:26 +08:00
repository_archive_test.go Fix all possible setting error related storages and added some tests (#23911) 2023-06-14 11:42:38 +08:00
repository_archive.go Fix all possible setting error related storages and added some tests (#23911) 2023-06-14 11:42:38 +08:00
repository.go Change default size of attachments and repo files (#28100) (#28106) 2023-11-17 13:30:42 +01:00
security.go Deprecate query string auth tokens (#28390) (#28430) 2023-12-12 13:45:00 +08:00
server.go Serve pre-defined files in "public", add "security.txt", add CORS header for ".well-known" (#25974) 2023-07-21 12:14:20 +00:00
service_test.go Fix allowed user types setting problem (#26200) 2023-07-28 12:15:39 -04:00
service.go Add reverseproxy auth for API back with default disabled (#26703) 2023-09-07 08:31:46 +00:00
session.go Use secure cookie for HTTPS sites (#26999) 2023-09-11 17:03:51 +08:00
setting_test.go Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
setting.go Make "install page" respect environment config (#25648) 2023-07-09 22:43:37 +00:00
ssh.go Expanded minimum RSA Keylength to 3072 (#26604) 2023-08-28 00:53:16 +00:00
storage_test.go Fix storage path logic especially for relative paths (#26441) 2023-08-13 22:09:25 +02:00
storage.go Fix storage path logic especially for relative paths (#26441) 2023-08-13 22:09:25 +02:00
task.go handle deprecated settings (#22992) 2023-02-20 16:18:26 -06:00
time.go Remove unused setting time.FORMAT (#24430) 2023-04-29 22:51:43 +02:00
ui.go Remove the service worker (#25010) 2023-05-31 02:07:04 +00:00
webhook.go Refactor the setting to make unit test easier (#22405) 2023-02-20 00:12:01 +08:00