Jack Hay 4e879fed90 Deprecate query string auth tokens (#28390) ... ## Changes - Add deprecation warning to `Token` and `AccessToken` authentication methods in swagger. - Add deprecation warning header to API response. Example: ``` HTTP/1.1 200 OK ... Warning: token and access_token API authentication is deprecated ... ``` - Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth tokens entirely. Default is `false` ## Next steps - `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and the methods should be removed in swagger - `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of the auth methods in question should be removed ## Open questions - Should there be further changes to the swagger documentation? Deprecation is not yet supported for security definitions (coming in [OpenAPI Spec version 3.2.0](https://github.com/OAI/OpenAPI-Specification/issues/2506)) - Should the API router logger sanitize urls that use `token` or `access_token`? (This is obviously an insufficient solution on its own) --------- Co-authored-by: delvh <dev.lh@web.de>		2023-12-12 03:48:53 +00:00
..
api	Deprecate query string auth tokens (#28390)	2023-12-12 03:48:53 +00:00
common	Clean up template locale usage (#27856)	2023-10-31 22:11:48 +08:00
install	Enhanced auth token / remember me (#27606)	2023-10-14 00:56:41 +00:00
private	Fix typo "GetLatestRunnerToken" (#27680)	2023-10-18 15:52:44 +00:00
utils	Implement FSFE REUSE for golang files (#21840)	2022-11-27 18:20:29 +00:00
web	Second part of refactor db.Find (#28194)	2023-12-11 16:56:48 +08:00
init.go	Replace more db.DefaultContext (#27628)	2023-10-15 17:46:06 +02:00