yel/gitea
1
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2025-12-15 21:45:35 +08:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
73047854c0
gitea/modules
History
Jack Hay 4e879fed90
Deprecate query string auth tokens (#28390) 
## Changes
- Add deprecation warning to `Token` and `AccessToken` authentication
methods in swagger.
- Add deprecation warning header to API response. Example: 
  ```
  HTTP/1.1 200 OK
  ...
  Warning: token and access_token API authentication is deprecated
  ...
  ```
- Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth
tokens entirely. Default is `false`

## Next steps
- `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and
the methods should be removed in swagger
- `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of
the auth methods in question should be removed

## Open questions
- Should there be further changes to the swagger documentation?
Deprecation is not yet supported for security definitions (coming in
[OpenAPI Spec version
3.2.0](https://github.com/OAI/OpenAPI-Specification/issues/2506))
- Should the API router logger sanitize urls that use `token` or
`access_token`? (This is obviously an insufficient solution on its own)

---------

Co-authored-by: delvh <dev.lh@web.de>
2023-12-12 03:48:53 +00:00
..
actions chore(actions): support cron schedule task (#26655) 2023-08-24 03:06:51 +00:00
activitypub Upgrade to golangci-lint@v1.55.0 (#27756) 2023-10-24 02:54:59 +00:00
analyze
assetfs Use Set[Type] instead of map[Type]bool/struct{}. (#26804) 2023-08-30 06:55:25 +00:00
auth Next round of db.DefaultContext refactor (#27089) 2023-09-16 14:39:12 +00:00
avatar
base
cache
charset
container
context Second part of refactor db.Find (#28194) 2023-12-11 16:56:48 +08:00
contexttest Replace assert.Fail with assert.FailNow (#27578) 2023-10-11 11:02:24 +00:00
csv
doctor Improve doctor cli behavior (#28422) 2023-12-11 15:55:10 +00:00
emoji
eventsource Final round of db.DefaultContext refactor (#27587) 2023-10-14 08:37:24 +00:00
generate Handle base64 decoding correctly to avoid panic (#26483) 2023-08-14 10:30:16 +00:00
git Make gogit Repository.GetBranchNames consistent (#28348) 2023-12-07 12:08:17 -05:00
gitgraph More db.DefaultContext refactor (#27265) 2023-09-29 12:12:54 +00:00
graceful Refactor graceful manager to use shared code (#28073) 2023-11-24 14:21:46 +00:00
hcaptcha
highlight
hostmatcher Support allowed hosts for webhook to work with proxy (#27655) 2023-10-18 09:44:36 +00:00
html
httpcache
httplib
indexer Include public repos in doer's dashboard for issue search (#28304) 2023-12-07 13:26:18 +08:00
issue/template
json
label
lfs Upgrade to golangci-lint@v1.55.0 (#27756) 2023-10-24 02:54:59 +00:00
log Reduce some allocations in type conversion (#26772) 2023-08-29 00:43:16 +08:00
markup Use restricted sanitizer for repository description (#28141) 2023-11-23 16:34:25 +00:00
mcaptcha
metrics Reduce usage of db.DefaultContext (#27073) 2023-09-14 17:09:32 +00:00
migration
nosql
options
packages Close all hashed buffers (#27787) 2023-10-25 21:24:24 +02:00
paginator
pprof
private
process Replace assert.Fail with assert.FailNow (#27578) 2023-10-11 11:02:24 +00:00
proxy
proxyprotocol
public
queue Increase queue length (#27555) 2023-10-10 18:47:49 +08:00
recaptcha
references Replace 'userxx' with 'orgxx' in all test files when the user type is org (#27052) 2023-09-14 02:59:53 +00:00
regexplru
repository Second part of refactor db.Find (#28194) 2023-12-11 16:56:48 +08:00
secret
session Next round of db.DefaultContext refactor (#27089) 2023-09-16 14:39:12 +00:00
setting Deprecate query string auth tokens (#28390) 2023-12-12 03:48:53 +00:00
sitemap
ssh Remove SSH workaround (#27893) 2023-11-03 15:21:05 +00:00
storage Fix object storage path handling (#27024) 2023-09-13 01:18:52 +00:00
structs Fix package webhook (#27839) 2023-10-31 04:43:38 +00:00
svg
sync
system Replace more db.DefaultContext (#27628) 2023-10-15 17:46:06 +02:00
templates Render PyPi long description as document (#28272) 2023-12-05 15:02:01 +00:00
test Move web/api context related testing function into a separate package (#26859) 2023-09-01 11:26:07 +00:00
testlogger
timeutil
translation
turnstile
typesniffer Detect ogg mime-type as audio or video (#26494) 2023-08-15 10:31:25 +08:00
updatechecker Replace more db.DefaultContext (#27628) 2023-10-15 17:46:06 +02:00
upload
uri
user
util Upgrade to golangci-lint@v1.55.0 (#27756) 2023-10-24 02:54:59 +00:00
validation Check blocklist for emails when adding them to account (#26812) 2023-08-30 10:46:49 -05:00
web Make CORS work for oauth2 handlers (#28184) 2023-11-23 21:19:26 +08:00
webhook