feat: remove API authentication methods that uses the URL query (#7924)

- They have been marked as deprecated since 2023 and adequate warnings have been given about this method being deprecated, remove it for Forgejo v12. - For clarity: the reason they are deprecated is that these methods allow authentication material to be given via a URL query. This results in the authentication material being logged, which is undesired behavior. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7924 Reviewed-by: Beowulf <beowulf@beocode.eu> Reviewed-by: Michael Kriese <michael.kriese@gmx.de> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-committed-by: Gusted <postmaster@gusted.xyz>
2025-06-19 15:40:50 +00:00 · 2025-05-23 22:47:43 +02:00 · 2025-05-23 22:47:43 +02:00 · b2a3966e64
commit b2a3966e64
parent a5260b7f08
8 changed files with 0 additions and 64 deletions
--- a/modules/setting/security.go
+++ b/modules/setting/security.go
@ -35,7 +35,6 @@ var (
 	PasswordHashAlgo                   string
 	PasswordCheckPwn                   bool
 	SuccessfulTokensCacheSize          int
-	DisableQueryAuthToken              bool
 	CSRFCookieName                     = "_csrf"
 	CSRFCookieHTTPOnly                 = true
 )
@ -160,14 +159,4 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
 			PasswordComplexity = append(PasswordComplexity, name)
 		}
 	}
-
-	sectionHasDisableQueryAuthToken := sec.HasKey("DISABLE_QUERY_AUTH_TOKEN")
-
-	// TODO: default value should be true in future releases
-	DisableQueryAuthToken = sec.Key("DISABLE_QUERY_AUTH_TOKEN").MustBool(false)
-
-	// warn if the setting is set to false explicitly
-	if sectionHasDisableQueryAuthToken && !DisableQueryAuthToken {
-		log.Warn("Enabling Query API Auth tokens is not recommended. DISABLE_QUERY_AUTH_TOKEN will default to true in gitea 1.23 and will be removed in gitea 1.24.")
-	}
 }