diff --git a/modules/setting/security.go b/modules/setting/security.go
index f3480d1056..c38d8dae79 100644
--- a/modules/setting/security.go
+++ b/modules/setting/security.go
@@ -35,7 +35,6 @@ var (
 PasswordHashAlgo string
 PasswordCheckPwn bool
 SuccessfulTokensCacheSize int
- DisableQueryAuthToken bool
 CSRFCookieName = "_csrf"
 CSRFCookieHTTPOnly = true
 )
@@ -160,14 +159,4 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
 PasswordComplexity = append(PasswordComplexity, name)
 }
 }
-
- sectionHasDisableQueryAuthToken := sec.HasKey("DISABLE_QUERY_AUTH_TOKEN")
-
- // TODO: default value should be true in future releases
- DisableQueryAuthToken = sec.Key("DISABLE_QUERY_AUTH_TOKEN").MustBool(false)
-
- // warn if the setting is set to false explicitly
- if sectionHasDisableQueryAuthToken && !DisableQueryAuthToken {
- log.Warn("Enabling Query API Auth tokens is not recommended. DISABLE_QUERY_AUTH_TOKEN will default to true in gitea 1.23 and will be removed in gitea 1.24.")
- }
 }
diff --git a/routers/api/shared/middleware.go b/routers/api/shared/middleware.go
index f56acbe1bf..7d537f1ef9 100644
--- a/routers/api/shared/middleware.go
+++ b/routers/api/shared/middleware.go
@@ -30,7 +30,6 @@ func Middlewares() (stack []any) {
 return append(stack,
 context.APIContexter(),
- checkDeprecatedAuthMethods,
 // Get user from session if logged in.
 apiAuth(buildAuthGroup()),
 verifyAuthWithOptions(&common.VerifyOptions{
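Review bot: In the loadSecurityFrom hunk of modules/setting/security.go the `sec.HasKey("DISABLE_QUERY_AUTH_TOKEN")` probe disappears together with the setting, so an app.ini that still carries the key — in particular `DISABLE_QUERY_AUTH_TOKEN = false`, set by operators who deliberately kept query-string tokens — is now ignored with no startup notice, and their API clients presumably stop authenticating with nothing in the log to explain why. Keeping a one-line notice for the orphaned key would make the behaviour change visible, e.g. `if sec.HasKey("DISABLE_QUERY_AUTH_TOKEN") { log.Warn("DISABLE_QUERY_AUTH_TOKEN is no longer supported; API tokens passed in the query string are always ignored") }`. If the settings package already has a helper for reporting removed keys it would be the better fit, but none is visible from this hunk. The var block hunk above and the test ini templates later in the diff are consistent with the removal and need no change.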
@@ -127,13 +126,6 @@ func verifyAuthWithOptions(options *common.VerifyOptions) func(ctx *context.APIC
 }
 }
-// check for and warn against deprecated authentication options
-func checkDeprecatedAuthMethods(ctx *context.APIContext) {
- if ctx.FormString("token") != "" || ctx.FormString("access_token") != "" {
- ctx.Resp.Header().Set("Warning", "token and access_token API authentication is deprecated and will be removed in gitea 1.23. Please use AuthorizationHeaderToken instead. Existing queries will continue to work but without authorization.")
- }
-}
-
 func securityHeaders() func(http.Handler) http.Handler {
 return func(next http.Handler) http.Handler {
 return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 1919664cce..18624df246 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -22,8 +22,6 @@
 //
 // Security:
 // - BasicAuth :
-// - Token :
-// - AccessToken :
 // - AuthorizationHeaderToken :
 // - SudoParam :
 // - SudoHeader :
@@ -32,16 +30,6 @@
 // SecurityDefinitions:
 // BasicAuth:
 // type: basic
-// Token:
-// type: apiKey
-// name: token
-// in: query
-// description: This authentication option is deprecated for removal in Gitea 1.23. Please use AuthorizationHeaderToken instead.
-// AccessToken:
-// type: apiKey
-// name: access_token
-// in: query
-// description: This authentication option is deprecated for removal in Gitea 1.23. Please use AuthorizationHeaderToken instead.
 // AuthorizationHeaderToken:
 // type: apiKey
 // name: Authorization
diff --git a/services/auth/oauth2.go b/services/auth/oauth2.go
index e6d556d10b..093940aa18 100644
--- a/services/auth/oauth2.go
+++ b/services/auth/oauth2.go
@@ -121,18 +121,6 @@ func (o *OAuth2) Name() string {
 // representing whether the token exists or not
 func parseToken(req *http.Request) (string, bool) {
 _ = req.ParseForm()
- if !setting.DisableQueryAuthToken {
- // Check token.
- if token := req.Form.Get("token"); token != "" {
- return token, true
- }
- // Check access token.
- if token := req.Form.Get("access_token"); token != "" {
- return token, true
- }
- } else if req.Form.Get("token") != "" || req.Form.Get("access_token") != "" {
- log.Warn("API token sent in query string but DISABLE_QUERY_AUTH_TOKEN=true")
- }
 // check header token
 if auHead := req.Header.Get("Authorization"); auHead != "" {
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index 0284b95359..888b39ec82 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -29698,12 +29698,6 @@
 }
 },
 "securityDefinitions": {
- "AccessToken": {
- "description": "This authentication option is deprecated for removal in Gitea 1.23. Please use AuthorizationHeaderToken instead.",
- "type": "apiKey",
- "name": "access_token",
- "in": "query"
- },
 "AuthorizationHeaderToken": {
 "description": "API tokens must be prepended with \"token\" followed by a space.",
 "type": "apiKey",
@@ -29730,24 +29724,12 @@
 "type": "apiKey",
 "name": "X-FORGEJO-OTP",
 "in": "header"
- },
- "Token": {
- "description": "This authentication option is deprecated for removal in Gitea 1.23. Please use AuthorizationHeaderToken instead.",
- "type": "apiKey",
- "name": "token",
- "in": "query"
 }
 },
 "security": [
 {
 "BasicAuth": []
 },
- {
- "Token": []
- },
- {
- "AccessToken": []
- },
 {
 "AuthorizationHeaderToken": []
 },
diff --git a/tests/mysql.ini.tmpl b/tests/mysql.ini.tmpl
index 3315d85a3f..f44aff7594 100644
--- a/tests/mysql.ini.tmpl
+++ b/tests/mysql.ini.tmpl
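Review bot: After this hunk parseToken in services/auth/oauth2.go silently falls through when a request still carries `token` or `access_token` in the query string; the removed branch at least logged a warning for that case, and the `Warning` response header set by checkDeprecatedAuthMethods is removed in the same commit, so neither the operator nor the client gets any signal that the credential was ignored. Because a token in a URL also tends to land in access and reverse-proxy logs, a log line that reports the condition without echoing the value helps operators find clients still to migrate, e.g. `if req.Form.Get("token") != "" || req.Form.Get("access_token") != "" { log.Warn("API token passed in query string is ignored; use the Authorization header") }` placed right after `_ = req.ParseForm()`. The body of parseToken continues past the end of the hunk. The swagger and api.go documentation removals in this diff match the code change.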
@@ -92,7 +92,6 @@ DISABLE_GIT_HOOKS = false
 INSTALL_LOCK = true
 SECRET_KEY = 9pCviYTWSb
 INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE0OTU1NTE2MTh9.hhSVGOANkaKk3vfCd2jDOIww4pUk0xtg9JRde5UogyQ
-DISABLE_QUERY_AUTH_TOKEN = true
 [lfs]
 PATH = tests/{{TEST_TYPE}}/gitea-{{TEST_TYPE}}-mysql/data/lfs
diff --git a/tests/pgsql.ini.tmpl b/tests/pgsql.ini.tmpl
index 1e9b981800..829fdc5b75 100644
--- a/tests/pgsql.ini.tmpl
+++ b/tests/pgsql.ini.tmpl
@@ -97,7 +97,6 @@ DISABLE_GIT_HOOKS = false
 INSTALL_LOCK = true
 SECRET_KEY = 9pCviYTWSb
 INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE0OTU1NTE2MTh9.hhSVGOANkaKk3vfCd2jDOIww4pUk0xtg9JRde5UogyQ
-DISABLE_QUERY_AUTH_TOKEN = true
 [lfs]
 MINIO_BASE_PATH = lfs/
diff --git a/tests/sqlite.ini.tmpl b/tests/sqlite.ini.tmpl
index df6cea44ca..d36388405b 100644
--- a/tests/sqlite.ini.tmpl
+++ b/tests/sqlite.ini.tmpl
@@ -94,7 +94,6 @@ DISABLE_GIT_HOOKS = false
 INSTALL_LOCK = true
 SECRET_KEY = 9pCviYTWSb
 INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE0OTI3OTU5ODN9.OQkH5UmzID2XBdwQ9TAI6Jj2t1X-wElVTjbE7aoN4I8
-DISABLE_QUERY_AUTH_TOKEN = true
 [oauth2]
 JWT_SECRET = KZb_QLUd4fYVyxetjxC4eZkrBgWM2SndOOWDNtgUUko