From 63b9ebb4304b92ca98561c9016c590fb68ec1de9 Mon Sep 17 00:00:00 2001
From: Earl Warren
Date: Mon, 18 Dec 2023 19:30:08 +0100
Subject: [PATCH] [GITEA] Revert "Deprecate query string auth tokens (#28390)"

It shows warnings although the setting is not set, this will surely be fixed later but there is no sense in spaming the users right now. This revert can be discarded when another fix lands in v1.21.

su -c "forgejo admin user generate-access-token -u root --raw --scopes 'all,sudo'" git
2023/12/12 15:54:45 .../setting/security.go:166:loadSecurityFrom() [W] Enabling Query API Auth tokens is not recommended. DISABLE_QUERY_AUTH_TOKEN will default to true in gitea 1.23 and will be removed in gitea 1.24.

This reverts commit 4e879fed90665331d2a57e5abee9e0f02372c470.

Conflicts:
routers/api/v1/api.go
trivial context conflict

(cherry picked from commit dec6f8055907c39450ae62d34fc5f1a98082fc85)
(cherry picked from commit 807b6d9066cb04d9c70e471dec8ceb7be4016ac7)
(cherry picked from commit 37e21a0c174bd9a040d31170abf0ac9249f54c5b)
---
custom/conf/app.example.ini | 5 -----
modules/setting/security.go | 8 --------
routers/api/v1/api.go | 11 -----------
services/auth/oauth2.go | 20 +++++++------------
templates/swagger/v1_json.tmpl | 2 --
5 files changed, 7 insertions(+), 39 deletions(-)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index ab670220d9..8f93e9354a 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -496,11 +496,6 @@ INTERNAL_TOKEN=
 ;; Cache successful token hashes. API tokens are stored in the DB as pbkdf2 hashes however, this means that there is a potentially significant hashing load when there are multiple API operations.
 ;; This cache will store the successfully hashed tokens in a LRU cache as a balance between performance and security.
 ;SUCCESSFUL_TOKENS_CACHE_SIZE = 20
-;;
-;; Reject API tokens sent in URL query string (Accept Header-based API tokens only). This avoids security vulnerabilities
-;; stemming from cached/logged plain-text API tokens.
-;; In future releases, this will become the default behavior
-;DISABLE_QUERY_AUTH_TOKEN = false
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
diff --git a/modules/setting/security.go b/modules/setting/security.go
index 4adfe20635..92caa05fad 100644
--- a/modules/setting/security.go
+++ b/modules/setting/security.go
@@ -34,7 +34,6 @@ var (
 PasswordHashAlgo string
 PasswordCheckPwn bool
 SuccessfulTokensCacheSize int
- DisableQueryAuthToken bool
 CSRFCookieName = "_csrf"
 CSRFCookieHTTPOnly = true
 )
@@ -158,11 +157,4 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
 PasswordComplexity = append(PasswordComplexity, name)
 }
 }
-
- // TODO: default value should be true in future releases
- DisableQueryAuthToken = sec.Key("DISABLE_QUERY_AUTH_TOKEN").MustBool(false)
-
- if !DisableQueryAuthToken {
- log.Warn("Enabling Query API Auth tokens is not recommended. DISABLE_QUERY_AUTH_TOKEN will default to true in gitea 1.23 and will be removed in gitea 1.24.")
- }
 }
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 7ec74ab70e..c182a474c5 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
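Review bot: The second security.go hunk removes the `DisableQueryAuthToken` opt-out together with the warning, although the description says the problem is only the `log.Warn` firing when `DISABLE_QUERY_AUTH_TOKEN` is not set. A narrower change would delete just the `if !DisableQueryAuthToken { log.Warn(...) }` block in `loadSecurityFrom` and keep `DisableQueryAuthToken = sec.Key("DISABLE_QUERY_AUTH_TOKEN").MustBool(false)`, so operators who already rely on rejecting query-string tokens (which the removed app.example.ini text notes can end up cached or logged in plain text) keep that control. The same applies to the `parseToken` hunk in services/auth/oauth2.go, whose new side accepts `token`/`access_token` from the form unconditionally. Since the description calls this revert temporary, a `// TODO: re-apply #28390 once the spurious warning is fixed` next to the restored lookup would help whoever reapplies it.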
@@ -35,12 +35,10 @@
 // type: apiKey
 // name: token
 // in: query
-// description: This authentication option is deprecated for removal in Gitea 1.23. Please use AuthorizationHeaderToken instead.
 // AccessToken:
 // type: apiKey
 // name: access_token
 // in: query
-// description: This authentication option is deprecated for removal in Gitea 1.23. Please use AuthorizationHeaderToken instead.
 // AuthorizationHeaderToken:
 // type: apiKey
 // name: Authorization
@@ -808,13 +806,6 @@ func individualPermsChecker(ctx *context.APIContext) {
 }
 }
-// check for and warn against deprecated authentication options
-func checkDeprecatedAuthMethods(ctx *context.APIContext) {
- if ctx.FormString("token") != "" || ctx.FormString("access_token") != "" {
- ctx.Resp.Header().Set("Warning", "token and access_token API authentication is deprecated and will be removed in gitea 1.23. Please use AuthorizationHeaderToken instead. Existing queries will continue to work but without authorization.")
- }
-}
-
 // Routes registers all v1 APIs routes to web application.
 func Routes() *web.Route {
 m := web.NewRoute()
@@ -831,8 +822,6 @@ func Routes() *web.Route {
 }
 m.Use(context.APIContexter())
- m.Use(checkDeprecatedAuthMethods)
-
 // Get user from session if logged in.
 m.Use(apiAuth(buildAuthGroup()))
diff --git a/services/auth/oauth2.go b/services/auth/oauth2.go
index f2f7858a85..08a2a05539 100644
--- a/services/auth/oauth2.go
+++ b/services/auth/oauth2.go
@@ -14,7 +14,6 @@ import (
 auth_model "code.gitea.io/gitea/models/auth"
 user_model "code.gitea.io/gitea/models/user"
 "code.gitea.io/gitea/modules/log"
- "code.gitea.io/gitea/modules/setting"
 "code.gitea.io/gitea/modules/timeutil"
 "code.gitea.io/gitea/modules/web/middleware"
 "code.gitea.io/gitea/services/auth/source/oauth2"
@@ -63,19 +62,14 @@ func (o *OAuth2) Name() string {
 // representing whether the token exists or not
 func parseToken(req *http.Request) (string, bool) {
 _ = req.ParseForm()
- if !setting.DisableQueryAuthToken {
- // Check token.
- if token := req.Form.Get("token"); token != "" {
- return token, true
- }
- // Check access token.
- if token := req.Form.Get("access_token"); token != "" {
- return token, true
- }
- } else if req.Form.Get("token") != "" || req.Form.Get("access_token") != "" {
- log.Warn("API token sent in query string but DISABLE_QUERY_AUTH_TOKEN=true")
+ // Check token.
+ if token := req.Form.Get("token"); token != "" {
+ return token, true
+ }
+ // Check access token.
+ if token := req.Form.Get("access_token"); token != "" {
+ return token, true
 }
- // check header token
 if auHead := req.Header.Get("Authorization"); auHead != "" {
 auths := strings.Fields(auHead)
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index 4d7bf00549..d7332d195d 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -24206,7 +24206,6 @@
 },
 "securityDefinitions": {
 "AccessToken": {
- "description": "This authentication option is deprecated for removal in Gitea 1.23. Please use AuthorizationHeaderToken instead.",
 "type": "apiKey",
 "name": "access_token",
 "in": "query"
@@ -24239,7 +24238,6 @@
 "in": "header"
 },
 "Token": {
- "description": "This authentication option is deprecated for removal in Gitea 1.23. Please use AuthorizationHeaderToken instead.",
 "type": "apiKey",
 "name": "token",
 "in": "query"
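Review bot: The visible tail of the doc comment above `parseToken` describes only the boolean result, while the restored lookup on the new side reads `token`/`access_token` from `req.Form`, which the unchanged `_ = req.ParseForm()` fills from the URL query and, for a form-encoded body, from the request body, before the Authorization header is consulted. Extending that comment to state the lookup order and its consequence would make the exposure explicit for operators, e.g. `// The token is taken from the "token" or "access_token" form value (URL query or form body) first and from the Authorization header second; tokens sent in the query string may be recorded by access logs and intermediaries.` The start of the doc comment and the remainder of parseToken's body lie outside the hunk.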