mirrors/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-08-25 19:53:49 +00:00
Code Issues Projects Releases Packages Wiki Activity

Revert "feat: remove API authentication methods that uses the URL query (#7924)" (#8633)

Browse source 
This reverts commit b2a3966e64.

weblate etc. are using this method and need to be updated before the change is enforced.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8633
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
This commit is contained in:
Earl Warren 2025-07-24 17:19:24 +02:00 committed by Earl Warren
commit bfa9c89e6f
8 changed files with 64 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

12
services/auth/oauth2.go
View file

@ -122,6 +122,18 @@ func (o *OAuth2) Name() string {
// representing whether the token exists or not
func parseToken(req *http.Request) (string, bool) {
_ = req.ParseForm()
if !setting.DisableQueryAuthToken {
// Check token.
if token := req.Form.Get("token"); token != "" {
return token, true
}
// Check access token.
if token := req.Form.Get("access_token"); token != "" {
return token, true
}
} else if req.Form.Get("token") != "" || req.Form.Get("access_token") != "" {
log.Warn("API token sent in query string but DISABLE_QUERY_AUTH_TOKEN=true")
}
// check header token
if auHead := req.Header.Get("Authorization"); auHead != "" {