[v12.0/forgejo] Revert "feat: remove API authentication methods that uses the URL query (#7924)" (#8653)

**Backport:** https://codeberg.org/forgejo/forgejo/pulls/8633 This reverts commit b2a3966e64. weblate etc. are using this method and need to be updated before the change is enforced. Co-authored-by: Earl Warren <contact@earl-warren.org> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8653 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org> Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
2025-10-15 19:42:04 +00:00 · 2025-07-24 17:53:11 +02:00 · 2025-07-24 17:53:11 +02:00 · bcd0821f3e
commit bcd0821f3e
parent 8b06eb1bea
8 changed files with 64 additions and 0 deletions
--- a/routers/api/shared/middleware.go
+++ b/routers/api/shared/middleware.go
@ -30,6 +30,7 @@ func Middlewares() (stack []any) {
 	return append(stack,
 		context.APIContexter(),

+		checkDeprecatedAuthMethods,
 		// Get user from session if logged in.
 		apiAuth(buildAuthGroup()),
 		verifyAuthWithOptions(&common.VerifyOptions{
@ -126,6 +127,13 @@ func verifyAuthWithOptions(options *common.VerifyOptions) func(ctx *context.APIC
 	}
 }

+// check for and warn against deprecated authentication options
+func checkDeprecatedAuthMethods(ctx *context.APIContext) {
+	if ctx.FormString("token") != "" || ctx.FormString("access_token") != "" {
+		ctx.Resp.Header().Set("Warning", "token and access_token API authentication is deprecated and will be removed in gitea 1.23. Please use AuthorizationHeaderToken instead. Existing queries will continue to work but without authorization.")
+	}
+}
+
 func securityHeaders() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@ -22,6 +22,8 @@
 //
 //	Security:
 //	- BasicAuth :
+//	- Token :
+//	- AccessToken :
 //	- AuthorizationHeaderToken :
 //	- SudoParam :
 //	- SudoHeader :
@ -30,6 +32,16 @@
 //	SecurityDefinitions:
 //	BasicAuth:
 //	     type: basic
+//	Token:
+//	     type: apiKey
+//	     name: token
+//	     in: query
+//	     description: This authentication option is deprecated for removal in Forgejo v13.0.0. Please use AuthorizationHeaderToken instead.
+//	AccessToken:
+//	     type: apiKey
+//	     name: access_token
+//	     in: query
+//	     description: This authentication option is deprecated for removal in Forgejo v13.0.0. Please use AuthorizationHeaderToken instead.
 //	AuthorizationHeaderToken:
 //	     type: apiKey
 //	     name: Authorization