From 094b632182ec08e1e7ec5545ab4b95ac28bc0e95 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E1=B4=8A=E1=B4=8F=E1=B4=87=20=E1=B4=84=CA=9C=E1=B4=87?= =?UTF-8?q?=C9=B4?=
Date: Fri, 13 Feb 2026 15:27:48 -0500
Subject: [PATCH] context: reject access tokens passed via URL query parameters (#8177)
---
 .claude/commands/ghsa.md | 6 ++++--
 CHANGELOG.md | 2 ++
 internal/context/auth.go | 18 ++++++------------
 3 files changed, 12 insertions(+), 14 deletions(-)
diff --git a/.claude/commands/ghsa.md b/.claude/commands/ghsa.md
index 71b848c60..2c5756283 100644
--- a/.claude/commands/ghsa.md
+++ b/.claude/commands/ghsa.md
@@ -7,5 +7,7 @@ Steps:
 4. Propose a fix with a clear explanation of the root cause and how the fix addresses it. Check for prior art in the codebase to stay consistent with existing patterns.
 5. Implement the fix. Only add tests when there is something meaningful to test at our layer.
 6. Run all the usual build and test commands.
-7. Create a branch named after the GHSA ID, commit, and push.
-8. Create a pull request with a proper title and description, do not reveal too much detail and link the GHSA.
+7. If a changelog entry is warranted (user will specify), add it to CHANGELOG.md with a placeholder for the PR link.
+8. Create a branch named after the GHSA ID, commit, and push.
+9. Create a pull request with a proper title and description, do not reveal too much detail and link the GHSA.
+10. If a changelog entry was added, update it with the PR link, then commit and push again.
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 833160bea..af6f8013c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,8 @@ All notable changes to Gogs are documented in this file.
 ### Removed
+- Support for passing API access tokens via URL query parameters (`token`, `access_token`). Use the `Authorization` header instead. [#8177](https://github.com/gogs/gogs/pull/8177) - [GHSA-x9p5-w45c-7ffc](https://github.com/gogs/gogs/security/advisories/GHSA-x9p5-w45c-7ffc)
+
 - Git clone via the built-in SSH server hangs. [#8132](https://github.com/gogs/gogs/issues/8132)
 ## 0.14.0
diff --git a/internal/context/auth.go b/internal/context/auth.go
index a5c459d52..0d58f36c9 100644
--- a/internal/context/auth.go
+++ b/internal/context/auth.go
@@ -146,18 +146,12 @@ func authenticatedUserID(store AuthStore, c *macaron.Context, sess session.Store
 // Check access token.
 if isAPIPath(c.Req.URL.Path) {
- tokenSHA := c.Query("token")
- if len(tokenSHA) <= 0 {
- tokenSHA = c.Query("access_token")
- }
- if tokenSHA == "" {
- // Well, check with header again.
- auHead := c.Req.Header.Get("Authorization")
- if len(auHead) > 0 {
- auths := strings.Fields(auHead)
- if len(auths) == 2 && auths[0] == "token" {
- tokenSHA = auths[1]
- }
+ var tokenSHA string
+ auHead := c.Req.Header.Get("Authorization")
+ if auHead != "" {
+ auths := strings.Fields(auHead)
+ if len(auths) == 2 && auths[0] == "token" {
+ tokenSHA = auths[1]
+ }
 }