feat: remove API authentication methods that uses the URL query (#7924)

- They have been marked as deprecated since 2023 and adequate warnings have been given about this method being deprecated, remove it for Forgejo v12. - For clarity: the reason they are deprecated is that these methods allow authentication material to be given via a URL query. This results in the authentication material being logged, which is undesired behavior. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7924 Reviewed-by: Beowulf <beowulf@beocode.eu> Reviewed-by: Michael Kriese <michael.kriese@gmx.de> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-committed-by: Gusted <postmaster@gusted.xyz>
2025-06-20 16:10:50 +00:00 · 2025-05-23 22:47:43 +02:00 · 2025-05-23 22:47:43 +02:00 · b2a3966e64
commit b2a3966e64
parent a5260b7f08
8 changed files with 0 additions and 64 deletions
--- a/services/auth/oauth2.go
+++ b/services/auth/oauth2.go
@ -121,18 +121,6 @@ func (o *OAuth2) Name() string {
 // representing whether the token exists or not
 func parseToken(req *http.Request) (string, bool) {
 	_ = req.ParseForm()
-	if !setting.DisableQueryAuthToken {
-		// Check token.
-		if token := req.Form.Get("token"); token != "" {
-			return token, true
-		}
-		// Check access token.
-		if token := req.Form.Get("access_token"); token != "" {
-			return token, true
-		}
-	} else if req.Form.Get("token") != "" || req.Form.Get("access_token") != "" {
-		log.Warn("API token sent in query string but DISABLE_QUERY_AUTH_TOKEN=true")
-	}

 	// check header token
 	if auHead := req.Header.Get("Authorization"); auHead != "" {