Deprecate query string auth tokens (#28390) #28430
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## Changes - Add deprecation warning to `Token` and `AccessToken` authentication methods in swagger. - Add deprecation warning header to API response. Example: ``` HTTP/1.1 200 OK ... Warning: token and access_token API authentication is deprecated ... ``` - Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth tokens entirely. Default is `false` ## Next steps - `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and the methods should be removed in swagger - `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of the auth methods in question should be removed ## Open questions - Should there be further changes to the swagger documentation? Deprecation is not yet supported for security definitions (coming in [OpenAPI Spec version 3.2.0](OAI/OpenAPI-Specification#2506)) - Should the API router logger sanitize urls that use `token` or `access_token`? (This is obviously an insufficient solution on its own) --------- Co-authored-by: delvh <dev.lh@web.de>
GiteaBot
added
modifies/api
GiteaBot
added
the
lgtm/need 2
pull-request-size
bot
added
the
size/M
lunny
approved these changes
Dec 12, 2023
GiteaBot
added
lgtm/need 1
wolfogre
approved these changes
Dec 12, 2023
GiteaBot
added
lgtm/done
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport #28390 by @jackHay22
Changes
TokenandAccessTokenauthentication methods in swagger.DISABLE_QUERY_AUTH_TOKENto reject query string auth tokens entirely. Default isfalseNext steps
DISABLE_QUERY_AUTH_TOKENshould be true in a subsequent release and the methods should be removed in swaggerDISABLE_QUERY_AUTH_TOKENshould be removed and the implementation of the auth methods in question should be removedOpen questions
tokenoraccess_token? (This is obviously an insufficient solution on its own)