diff options
| author | Jack Hay <jack@allspice.io> | 2023-12-11 22:48:53 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-12-12 03:48:53 +0000 |
| commit | 4e879fed90665331d2a57e5abee9e0f02372c470 (patch) | |
| tree | 844835c8e5e09f330ffda9c7be09eb9c5ccd10e0 /modules/setting/security.go | |
| parent | baea205675e6bdd058ada1e7ff148582cabeb6dc (diff) | |
| download | gitea-4e879fed90665331d2a57e5abee9e0f02372c470.tar.gz gitea-4e879fed90665331d2a57e5abee9e0f02372c470.zip | |
Deprecate query string auth tokens (#28390)
## Changes
- Add deprecation warning to `Token` and `AccessToken` authentication
methods in swagger.
- Add deprecation warning header to API response. Example:
```
HTTP/1.1 200 OK
...
Warning: token and access_token API authentication is deprecated
...
```
- Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth
tokens entirely. Default is `false`
## Next steps
- `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and
the methods should be removed in swagger
- `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of
the auth methods in question should be removed
## Open questions
- Should there be further changes to the swagger documentation?
Deprecation is not yet supported for security definitions (coming in
[OpenAPI Spec version
3.2.0](https://github.com/OAI/OpenAPI-Specification/issues/2506))
- Should the API router logger sanitize urls that use `token` or
`access_token`? (This is obviously an insufficient solution on its own)
---------
Co-authored-by: delvh <dev.lh@web.de>
Diffstat (limited to 'modules/setting/security.go')
| -rw-r--r-- | modules/setting/security.go | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/modules/setting/security.go b/modules/setting/security.go index 92caa05fad..4adfe20635 100644 --- a/modules/setting/security.go +++ b/modules/setting/security.go @@ -34,6 +34,7 @@ var ( PasswordHashAlgo string PasswordCheckPwn bool SuccessfulTokensCacheSize int + DisableQueryAuthToken bool CSRFCookieName = "_csrf" CSRFCookieHTTPOnly = true ) @@ -157,4 +158,11 @@ func loadSecurityFrom(rootCfg ConfigProvider) { PasswordComplexity = append(PasswordComplexity, name) } } + + // TODO: default value should be true in future releases + DisableQueryAuthToken = sec.Key("DISABLE_QUERY_AUTH_TOKEN").MustBool(false) + + if !DisableQueryAuthToken { + log.Warn("Enabling Query API Auth tokens is not recommended. DISABLE_QUERY_AUTH_TOKEN will default to true in gitea 1.23 and will be removed in gitea 1.24.") + } } |