feat: remove API authentication methods that uses the URL query (#7924)

- They have been marked as deprecated since 2023 and adequate warnings have been given about this method being deprecated, remove it for Forgejo v12.
- For clarity: the reason they are deprecated is that these methods allow authentication material to be given via a URL query. This results in the authentication material being logged, which is undesired behavior.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7924
Reviewed-by: Beowulf <beowulf@beocode.eu>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>

routers/api/shared/middleware.go

@@ -30,7 +30,6 @@ func Middlewares() (stack []any) {
 	return append(stack,
 		context.APIContexter(),
 
-		checkDeprecatedAuthMethods,
 		// Get user from session if logged in.
 		apiAuth(buildAuthGroup()),
 		verifyAuthWithOptions(&common.VerifyOptions{
@@ -127,13 +126,6 @@ func verifyAuthWithOptions(options *common.VerifyOptions) func(ctx *context.APIC
 	}
 }
 
-// check for and warn against deprecated authentication options
-func checkDeprecatedAuthMethods(ctx *context.APIContext) {
-	if ctx.FormString("token") != "" || ctx.FormString("access_token") != "" {
-		ctx.Resp.Header().Set("Warning", "token and access_token API authentication is deprecated and will be removed in gitea 1.23. Please use AuthorizationHeaderToken instead. Existing queries will continue to work but without authorization.")
-	}
-}
-
 func securityHeaders() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {