Revert "feat: remove API authentication methods that uses the URL query (#7924)" (#8633)

This reverts commit b2a3966e64. weblate etc. are using this method and need to be updated before the change is enforced. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8633 Reviewed-by: Michael Kriese <michael.kriese@gmx.de> Co-authored-by: Earl Warren <contact@earl-warren.org> Co-committed-by: Earl Warren <contact@earl-warren.org>
2025-08-17 00:26:48 +02:00 · 2025-07-24 17:19:24 +02:00 · 2025-07-24 17:19:24 +02:00 · bfa9c89e6f
commit bfa9c89e6f
parent 87a7bf2436
8 changed files with 64 additions and 0 deletions
--- a/modules/setting/security.go
+++ b/modules/setting/security.go
@ -35,6 +35,7 @@ var (
 	PasswordHashAlgo                   string
 	PasswordCheckPwn                   bool
 	SuccessfulTokensCacheSize          int
+	DisableQueryAuthToken              bool
 	CSRFCookieName                     = "_csrf"
 	CSRFCookieHTTPOnly                 = true
 )
@ -159,4 +160,14 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
 			PasswordComplexity = append(PasswordComplexity, name)
 		}
 	}
+
+	sectionHasDisableQueryAuthToken := sec.HasKey("DISABLE_QUERY_AUTH_TOKEN")
+
+	// TODO: default value should be true in future releases
+	DisableQueryAuthToken = sec.Key("DISABLE_QUERY_AUTH_TOKEN").MustBool(false)
+
+	// warn if the setting is set to false explicitly
+	if sectionHasDisableQueryAuthToken && !DisableQueryAuthToken {
+		log.Warn("Enabling Query API Auth tokens is not recommended. DISABLE_QUERY_AUTH_TOKEN will default to true in gitea 1.23 and will be removed in gitea 1.24.")
+	}
 }