diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 56bd26622a..a341b32693 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -496,11 +496,6 @@ INTERNAL_TOKEN=
 ;; Cache successful token hashes. API tokens are stored in the DB as pbkdf2 hashes however, this means that there is a potentially significant hashing load when there are multiple API operations.
 ;; This cache will store the successfully hashed tokens in a LRU cache as a balance between performance and security.
 ;SUCCESSFUL_TOKENS_CACHE_SIZE = 20
-;;
-;; Reject API tokens sent in URL query string (Accept Header-based API tokens only). This avoids security vulnerabilities
-;; stemming from cached/logged plain-text API tokens.
-;; In future releases, this will become the default behavior
-;DISABLE_QUERY_AUTH_TOKEN = false
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
diff --git a/modules/setting/security.go b/modules/setting/security.go
index 4adfe20635..92caa05fad 100644
--- a/modules/setting/security.go
+++ b/modules/setting/security.go
@@ -34,7 +34,6 @@ var (
 PasswordHashAlgo string
 PasswordCheckPwn bool
 SuccessfulTokensCacheSize int
- DisableQueryAuthToken bool
 CSRFCookieName = "_csrf"
 CSRFCookieHTTPOnly = true
 )
@@ -158,11 +157,4 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
 PasswordComplexity = append(PasswordComplexity, name)
 }
 }
-
- // TODO: default value should be true in future releases
- DisableQueryAuthToken = sec.Key("DISABLE_QUERY_AUTH_TOKEN").MustBool(false)
-
- if !DisableQueryAuthToken {
- log.Warn("Enabling Query API Auth tokens is not recommended. DISABLE_QUERY_AUTH_TOKEN will default to true in gitea 1.23 and will be removed in gitea 1.24.")
- }
 }
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index b1bc1a6308..768c0a36f8 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -35,12 +35,10 @@
 // type: apiKey
 // name: token
 // in: query
-// description: This authentication option is deprecated for removal in Gitea 1.23. Please use AuthorizationHeaderToken instead.
 // AccessToken:
 // type: apiKey
 // name: access_token
 // in: query
-// description: This authentication option is deprecated for removal in Gitea 1.23. Please use AuthorizationHeaderToken instead.
 // AuthorizationHeaderToken:
 // type: apiKey
 // name: Authorization
@@ -808,13 +806,6 @@ func individualPermsChecker(ctx *context.APIContext) {
 }
 }
-// check for and warn against deprecated authentication options
-func checkDeprecatedAuthMethods(ctx *context.APIContext) {
- if ctx.FormString("token") != "" || ctx.FormString("access_token") != "" {
- ctx.Resp.Header().Set("Warning", "token and access_token API authentication is deprecated and will be removed in gitea 1.23. Please use AuthorizationHeaderToken instead. Existing queries will continue to work but without authorization.")
- }
-}
-
 // Routes registers all v1 APIs routes to web application.
 func Routes() *web.Route {
 m := web.NewRoute()
@@ -833,8 +824,6 @@ func Routes() *web.Route {
 }
 m.Use(context.APIContexter())
- m.Use(checkDeprecatedAuthMethods)
-
 // Get user from session if logged in.
 m.Use(apiAuth(buildAuthGroup()))
diff --git a/services/auth/oauth2.go b/services/auth/oauth2.go
index f2f7858a85..08a2a05539 100644
--- a/services/auth/oauth2.go
+++ b/services/auth/oauth2.go
@@ -14,7 +14,6 @@ import (
 auth_model "code.gitea.io/gitea/models/auth"
 user_model "code.gitea.io/gitea/models/user"
 "code.gitea.io/gitea/modules/log"
- "code.gitea.io/gitea/modules/setting"
 "code.gitea.io/gitea/modules/timeutil"
 "code.gitea.io/gitea/modules/web/middleware"
 "code.gitea.io/gitea/services/auth/source/oauth2"
@@ -63,19 +62,14 @@ func (o *OAuth2) Name() string {
 // representing whether the token exists or not
 func parseToken(req *http.Request) (string, bool) {
 _ = req.ParseForm()
- if !setting.DisableQueryAuthToken {
- // Check token.
- if token := req.Form.Get("token"); token != "" {
- return token, true
- }
- // Check access token.
- if token := req.Form.Get("access_token"); token != "" {
- return token, true
- }
- } else if req.Form.Get("token") != "" || req.Form.Get("access_token") != "" {
- log.Warn("API token sent in query string but DISABLE_QUERY_AUTH_TOKEN=true")
+ // Check token.
+ if token := req.Form.Get("token"); token != "" {
+ return token, true
+ }
+ // Check access token.
+ if token := req.Form.Get("access_token"); token != "" {
+ return token, true
 }
-
 // check header token
 if auHead := req.Header.Get("Authorization"); auHead != "" {
 auths := strings.Fields(auHead)
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index 4ce7b5e974..14744aebc8 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -24106,7 +24106,6 @@
 },
 "securityDefinitions": {
 "AccessToken": {
- "description": "This authentication option is deprecated for removal in Gitea 1.23. Please use AuthorizationHeaderToken instead.",
 "type": "apiKey",
 "name": "access_token",
 "in": "query"
@@ -24139,7 +24138,6 @@
 "in": "header"
 },
 "Token": {
- "description": "This authentication option is deprecated for removal in Gitea 1.23. Please use AuthorizationHeaderToken instead.",
 "type": "apiKey",
 "name": "token",
 "in": "query"
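Review bot: The added `req.Form.Get("token")` / `req.Form.Get("access_token")` lookups in parseToken are not strictly query-string checks, because `ParseForm` also merges the body of form-encoded POST requests into `req.Form`; if the intent is URL-only tokens, `req.URL.Query().Get("token")` is the narrower read, otherwise the `// Check token.` comments should say the value may come from the body as well. The query lookups also run before the `Authorization` header is consulted, so a URL token silently wins when both are present, and with DISABLE_QUERY_AUTH_TOKEN removed an operator can no longer switch the URL form off, which deserves a comment here such as `// Query-string tokens take precedence over the Authorization header; they can be captured in access logs, proxies and Referer headers, so header tokens are the recommended form.` The `_ = req.ParseForm()` discard is inherited, but a short `// ignore parse errors: a malformed form simply yields no token` would make the deliberate best-effort explicit. parseToken's body continues past the end of the hunk.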