It shows warnings although the setting is not set, this will surely be
fixed later but there is no sense in spaming the users right now. This
revert can be discarded when another fix lands in v1.21.
su -c "forgejo admin user generate-access-token -u root --raw --scopes 'all,sudo'" git
2023/12/12 15:54:45 .../setting/security.go:166:loadSecurityFrom() [W] Enabling Query API Auth tokens is not recommended. DISABLE_QUERY_AUTH_TOKEN will default to true in gitea 1.23 and will be removed in gitea 1.24.
This reverts commit 0e3a5abb69
.
Conflicts:
routers/api/v1/api.go
This commit is contained in:
parent
bd264e6aed
commit
c477780163
5 changed files with 7 additions and 39 deletions
|
@ -495,11 +495,6 @@ INTERNAL_TOKEN=
|
||||||
;; Cache successful token hashes. API tokens are stored in the DB as pbkdf2 hashes however, this means that there is a potentially significant hashing load when there are multiple API operations.
|
;; Cache successful token hashes. API tokens are stored in the DB as pbkdf2 hashes however, this means that there is a potentially significant hashing load when there are multiple API operations.
|
||||||
;; This cache will store the successfully hashed tokens in a LRU cache as a balance between performance and security.
|
;; This cache will store the successfully hashed tokens in a LRU cache as a balance between performance and security.
|
||||||
;SUCCESSFUL_TOKENS_CACHE_SIZE = 20
|
;SUCCESSFUL_TOKENS_CACHE_SIZE = 20
|
||||||
;;
|
|
||||||
;; Reject API tokens sent in URL query string (Accept Header-based API tokens only). This avoids security vulnerabilities
|
|
||||||
;; stemming from cached/logged plain-text API tokens.
|
|
||||||
;; In future releases, this will become the default behavior
|
|
||||||
;DISABLE_QUERY_AUTH_TOKEN = false
|
|
||||||
|
|
||||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
|
|
@ -34,7 +34,6 @@ var (
|
||||||
PasswordHashAlgo string
|
PasswordHashAlgo string
|
||||||
PasswordCheckPwn bool
|
PasswordCheckPwn bool
|
||||||
SuccessfulTokensCacheSize int
|
SuccessfulTokensCacheSize int
|
||||||
DisableQueryAuthToken bool
|
|
||||||
CSRFCookieName = "_csrf"
|
CSRFCookieName = "_csrf"
|
||||||
CSRFCookieHTTPOnly = true
|
CSRFCookieHTTPOnly = true
|
||||||
)
|
)
|
||||||
|
@ -158,11 +157,4 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
|
||||||
PasswordComplexity = append(PasswordComplexity, name)
|
PasswordComplexity = append(PasswordComplexity, name)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: default value should be true in future releases
|
|
||||||
DisableQueryAuthToken = sec.Key("DISABLE_QUERY_AUTH_TOKEN").MustBool(false)
|
|
||||||
|
|
||||||
if !DisableQueryAuthToken {
|
|
||||||
log.Warn("Enabling Query API Auth tokens is not recommended. DISABLE_QUERY_AUTH_TOKEN will default to true in gitea 1.23 and will be removed in gitea 1.24.")
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -35,12 +35,10 @@
|
||||||
// type: apiKey
|
// type: apiKey
|
||||||
// name: token
|
// name: token
|
||||||
// in: query
|
// in: query
|
||||||
// description: This authentication option is deprecated for removal in Gitea 1.23. Please use AuthorizationHeaderToken instead.
|
|
||||||
// AccessToken:
|
// AccessToken:
|
||||||
// type: apiKey
|
// type: apiKey
|
||||||
// name: access_token
|
// name: access_token
|
||||||
// in: query
|
// in: query
|
||||||
// description: This authentication option is deprecated for removal in Gitea 1.23. Please use AuthorizationHeaderToken instead.
|
|
||||||
// AuthorizationHeaderToken:
|
// AuthorizationHeaderToken:
|
||||||
// type: apiKey
|
// type: apiKey
|
||||||
// name: Authorization
|
// name: Authorization
|
||||||
|
@ -807,13 +805,6 @@ func individualPermsChecker(ctx *context.APIContext) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// check for and warn against deprecated authentication options
|
|
||||||
func checkDeprecatedAuthMethods(ctx *context.APIContext) {
|
|
||||||
if ctx.FormString("token") != "" || ctx.FormString("access_token") != "" {
|
|
||||||
ctx.Resp.Header().Set("Warning", "token and access_token API authentication is deprecated and will be removed in gitea 1.23. Please use AuthorizationHeaderToken instead. Existing queries will continue to work but without authorization.")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Routes registers all v1 APIs routes to web application.
|
// Routes registers all v1 APIs routes to web application.
|
||||||
func Routes() *web.Route {
|
func Routes() *web.Route {
|
||||||
m := web.NewRoute()
|
m := web.NewRoute()
|
||||||
|
@ -832,8 +823,6 @@ func Routes() *web.Route {
|
||||||
}
|
}
|
||||||
m.Use(context.APIContexter())
|
m.Use(context.APIContexter())
|
||||||
|
|
||||||
m.Use(checkDeprecatedAuthMethods)
|
|
||||||
|
|
||||||
// Get user from session if logged in.
|
// Get user from session if logged in.
|
||||||
m.Use(apiAuth(buildAuthGroup()))
|
m.Use(apiAuth(buildAuthGroup()))
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,6 @@ import (
|
||||||
auth_model "code.gitea.io/gitea/models/auth"
|
auth_model "code.gitea.io/gitea/models/auth"
|
||||||
user_model "code.gitea.io/gitea/models/user"
|
user_model "code.gitea.io/gitea/models/user"
|
||||||
"code.gitea.io/gitea/modules/log"
|
"code.gitea.io/gitea/modules/log"
|
||||||
"code.gitea.io/gitea/modules/setting"
|
|
||||||
"code.gitea.io/gitea/modules/timeutil"
|
"code.gitea.io/gitea/modules/timeutil"
|
||||||
"code.gitea.io/gitea/modules/web/middleware"
|
"code.gitea.io/gitea/modules/web/middleware"
|
||||||
"code.gitea.io/gitea/services/auth/source/oauth2"
|
"code.gitea.io/gitea/services/auth/source/oauth2"
|
||||||
|
@ -63,19 +62,14 @@ func (o *OAuth2) Name() string {
|
||||||
// representing whether the token exists or not
|
// representing whether the token exists or not
|
||||||
func parseToken(req *http.Request) (string, bool) {
|
func parseToken(req *http.Request) (string, bool) {
|
||||||
_ = req.ParseForm()
|
_ = req.ParseForm()
|
||||||
if !setting.DisableQueryAuthToken {
|
// Check token.
|
||||||
// Check token.
|
if token := req.Form.Get("token"); token != "" {
|
||||||
if token := req.Form.Get("token"); token != "" {
|
return token, true
|
||||||
return token, true
|
}
|
||||||
}
|
// Check access token.
|
||||||
// Check access token.
|
if token := req.Form.Get("access_token"); token != "" {
|
||||||
if token := req.Form.Get("access_token"); token != "" {
|
return token, true
|
||||||
return token, true
|
|
||||||
}
|
|
||||||
} else if req.Form.Get("token") != "" || req.Form.Get("access_token") != "" {
|
|
||||||
log.Warn("API token sent in query string but DISABLE_QUERY_AUTH_TOKEN=true")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// check header token
|
// check header token
|
||||||
if auHead := req.Header.Get("Authorization"); auHead != "" {
|
if auHead := req.Header.Get("Authorization"); auHead != "" {
|
||||||
auths := strings.Fields(auHead)
|
auths := strings.Fields(auHead)
|
||||||
|
|
2
templates/swagger/v1_json.tmpl
generated
2
templates/swagger/v1_json.tmpl
generated
|
@ -24259,7 +24259,6 @@
|
||||||
},
|
},
|
||||||
"securityDefinitions": {
|
"securityDefinitions": {
|
||||||
"AccessToken": {
|
"AccessToken": {
|
||||||
"description": "This authentication option is deprecated for removal in Gitea 1.23. Please use AuthorizationHeaderToken instead.",
|
|
||||||
"type": "apiKey",
|
"type": "apiKey",
|
||||||
"name": "access_token",
|
"name": "access_token",
|
||||||
"in": "query"
|
"in": "query"
|
||||||
|
@ -24292,7 +24291,6 @@
|
||||||
"in": "header"
|
"in": "header"
|
||||||
},
|
},
|
||||||
"Token": {
|
"Token": {
|
||||||
"description": "This authentication option is deprecated for removal in Gitea 1.23. Please use AuthorizationHeaderToken instead.",
|
|
||||||
"type": "apiKey",
|
"type": "apiKey",
|
||||||
"name": "token",
|
"name": "token",
|
||||||
"in": "query"
|
"in": "query"
|
||||||
|
|
Loading…
Add table
Reference in a new issue