kevadesu/forgejo
1
0
Fork 1
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-08-20 18:17:03 +02:00
Code Issues Projects Releases Packages Wiki Activity

Revert "feat: remove API authentication methods that uses the URL query (#7924)" (#8633)

Browse source 
This reverts commit b2a3966e64.

weblate etc. are using this method and need to be updated before the change is enforced.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8633
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
This commit is contained in:
Earl Warren 2025-07-24 17:19:24 +02:00 committed by Earl Warren
parent 87a7bf2436
commit bfa9c89e6f
8 changed files with 64 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

8
routers/api/shared/middleware.go
View file

@ -30,6 +30,7 @@ func Middlewares() (stack []any) {
return append(stack,
context.APIContexter(),
checkDeprecatedAuthMethods,
// Get user from session if logged in.
apiAuth(buildAuthGroup()),
verifyAuthWithOptions(&common.VerifyOptions{
@ -126,6 +127,13 @@ func verifyAuthWithOptions(options *common.VerifyOptions) func(ctx *context.APIC
}
}
// check for and warn against deprecated authentication options
func checkDeprecatedAuthMethods(ctx *context.APIContext) {
if ctx.FormString("token") != "" || ctx.FormString("access_token") != "" {
ctx.Resp.Header().Set("Warning", "token and access_token API authentication is deprecated and will be removed in gitea 1.23. Please use AuthorizationHeaderToken instead. Existing queries will continue to work but without authorization.")
}
}
func securityHeaders() func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {