Deprecate query string auth tokens (#28390) #28430

Merged (1 commit) Dec 12, 2023

Conversation

GiteaBot (Collaborator)

Backport #28390 by @jackHay22

## Changes
- Add deprecation warning to `Token` and `AccessToken` authentication methods in swagger.
- Add deprecation warning header to API response. Example:
  ```
  HTTP/1.1 200 OK
  ...
  Warning: token and access_token API authentication is deprecated
  ...
  ```
- Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth tokens entirely. Default is `false`

## Next steps
- `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and the methods should be removed in swagger
- `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of the auth methods in question should be removed

## Open questions
- Should there be further changes to the swagger documentation? Deprecation is not yet supported for security definitions (coming in [OpenAPI Spec version 3.2.0](OAI/OpenAPI-Specification#2506))
- Should the API router logger sanitize URLs that use `token` or `access_token`? (This is obviously an insufficient solution on its own)

---------

Co-authored-by: delvh <[email protected]>
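As an added example in Go (not Gitea's code; written here to illustrate the change), a minimal middleware with the two behaviours the PR describes, the Warning header on the soft-deprecation path and outright rejection once the setting is on, plus the request-log sanitizer raised in the open questions. Assumed: a plain bool standing in for the `DISABLE_QUERY_AUTH_TOKEN` setting, HTTP 401 for the rejection (the PR names no status code), and the function names.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// QueryTokenGate wraps an API handler: a request carrying ?token= or ?access_token= is rejected
// when disable is true (DISABLE_QUERY_AUTH_TOKEN; 401 assumed) or else gets the PR's Warning header.
func QueryTokenGate(disable bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if q := r.URL.Query(); q.Has("token") || q.Has("access_token") {
			if disable {
				http.Error(w, "query string auth tokens are disabled", http.StatusUnauthorized)
				return
			}
			w.Header().Set("Warning", "token and access_token API authentication is deprecated")
		}
		next.ServeHTTP(w, r)
	})
}

// RedactTokenQuery masks token values before a URL reaches the request log (the PR's open question).
func RedactTokenQuery(u *url.URL) string {
	q := u.Query()
	for _, k := range []string{"token", "access_token"} {
		if q.Has(k) {
			q.Set(k, "REDACTED")
		}
	}
	c := *u // copy so the request's own URL is left untouched
	c.RawQuery = q.Encode()
	return c.String()
}

// handle runs one request through the gate; the recorder defaults to 200 when nothing is written.
func handle(disable bool, target string) (int, string) {
	rec := httptest.NewRecorder()
	next := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})
	QueryTokenGate(disable, next).ServeHTTP(rec, httptest.NewRequest("GET", target, nil))
	return rec.Code, rec.Header().Get("Warning")
}

func main() {
	fmt.Println(handle(false, "/api/v1/user?token=abc123")) // 200 plus the Warning header
	fmt.Println(handle(true, "/api/v1/user?token=abc123"))  // 401
	fmt.Println(RedactTokenQuery(httptest.NewRequest("GET", "/api/v1/user?access_token=abc123&page=2", nil).URL))
}
```

Requests that send the token in a header never enter the gated branch, so the Warning header is only emitted where the PR intends it.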
@GiteaBot GiteaBot added modifies/api This PR adds API routes or modifies them topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/changelog Adds the changelog for a new Gitea version labels Dec 12, 2023
@GiteaBot GiteaBot added this to the 1.21.2 milestone Dec 12, 2023
@lunny lunny merged commit f144521 into go-gitea:release/v1.21 Dec 12, 2023