[v12.0/forgejo] Revert "feat: remove API authentication methods that uses the URL query (#7924)" (#8653)

**Backport:** https://codeberg.org/forgejo/forgejo/pulls/8633 This reverts commit b2a3966e64. weblate etc. are using this method and need to be updated before the change is enforced. Co-authored-by: Earl Warren <contact@earl-warren.org> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8653 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org> Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
2025-10-05 19:30:58 +00:00 · 2025-07-24 17:53:11 +02:00 · 2025-07-24 17:53:11 +02:00 · bcd0821f3e
commit bcd0821f3e
parent 8b06eb1bea
8 changed files with 64 additions and 0 deletions
--- a/services/auth/oauth2.go
+++ b/services/auth/oauth2.go
@ -122,6 +122,18 @@ func (o *OAuth2) Name() string {
 // representing whether the token exists or not
 func parseToken(req *http.Request) (string, bool) {
 	_ = req.ParseForm()
+	if !setting.DisableQueryAuthToken {
+		// Check token.
+		if token := req.Form.Get("token"); token != "" {
+			return token, true
+		}
+		// Check access token.
+		if token := req.Form.Get("access_token"); token != "" {
+			return token, true
+		}
+	} else if req.Form.Get("token") != "" || req.Form.Get("access_token") != "" {
+		log.Warn("API token sent in query string but DISABLE_QUERY_AUTH_TOKEN=true")
+	}

 	// check header token
 	if auHead := req.Header.Get("Authorization"); auHead != "" {