From 295bfba72993c372e7b338438947d8e1a6bed8fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E1=B4=8A=E1=B4=8F=E1=B4=87=20=E1=B4=84=CA=9C=E1=B4=87?= =?UTF-8?q?=C9=B4?=
Date: Fri, 13 Feb 2026 15:27:48 -0500
Subject: [PATCH] context: reject access tokens passed via URL query parameters (#8177)
---
 .claude/commands/ghsa.md | 6 ++++--
 CHANGELOG.md | 1 +
 docs/api-reference/introduction.mdx | 14 +-------------
 docs/api-reference/openapi.json | 6 ------
 internal/context/auth.go | 18 ++++++------------
 5 files changed, 12 insertions(+), 33 deletions(-)
diff --git a/.claude/commands/ghsa.md b/.claude/commands/ghsa.md
index 71b848c60..2c5756283 100644
--- a/.claude/commands/ghsa.md
+++ b/.claude/commands/ghsa.md
@@ -7,5 +7,7 @@ Steps:
 4. Propose a fix with a clear explanation of the root cause and how the fix addresses it. Check for prior art in the codebase to stay consistent with existing patterns.
 5. Implement the fix. Only add tests when there is something meaningful to test at our layer.
 6. Run all the usual build and test commands.
-7. Create a branch named after the GHSA ID, commit, and push.
-8. Create a pull request with a proper title and description, do not reveal too much detail and link the GHSA.
+7. If a changelog entry is warranted (user will specify), add it to CHANGELOG.md with a placeholder for the PR link.
+8. Create a branch named after the GHSA ID, commit, and push.
+9. Create a pull request with a proper title and description, do not reveal too much detail and link the GHSA.
+10. If a changelog entry was added, update it with the PR link, then commit and push again.
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9e28789d5..5fab41eff 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ All notable changes to Gogs are documented in this file. ### Removed +- Support for passing API access tokens via URL query parameters (`token`, `access_token`). Use the `Authorization` header instead. [#8177](https://github.com/gogs/gogs/pull/8177) - [GHSA-x9p5-w45c-7ffc](https://github.com/gogs/gogs/security/advisories/GHSA-x9p5-w45c-7ffc) - The `gogs cert` subcommand. [#8153](https://github.com/gogs/gogs/pull/8153) - The `[email] DISABLE_HELO` configuration option. HELO/EHLO is now always sent during SMTP handshake. [#8164](https://github.com/gogs/gogs/pull/8164) - Support for MSSQL as a database backend. Stay on 0.14 for continued usage. [#8173](https://github.com/gogs/gogs/pull/8173) diff --git a/docs/api-reference/introduction.mdx b/docs/api-reference/introduction.mdx index 3e0f32604..7a17718ee 100644 --- a/docs/api-reference/introduction.mdx +++ b/docs/api-reference/introduction.mdx @@ -55,23 +55,11 @@ There are two ways to authenticate through the Gogs API. Requests that require a - Personal access tokens are the recommended way to authenticate. They can be sent via a request **header** or a **URL query parameter**. - - **Using a header:** + Personal access tokens must be sent via the `Authorization` request header. ```bash curl -H "Authorization: token {YOUR_ACCESS_TOKEN}" https://gogs.example.com/api/v1/user/repos ``` - - **Using a query parameter:** - - ```bash - curl https://gogs.example.com/api/v1/user/repos?token={YOUR_ACCESS_TOKEN} - ``` - - - Using the `Authorization` header is preferred over the query parameter, as URLs may be logged by proxies and servers. - diff --git a/docs/api-reference/openapi.json b/docs/api-reference/openapi.json index f4eaad7b3..3219124ad 100644 --- a/docs/api-reference/openapi.json +++ b/docs/api-reference/openapi.json 
@@ -5449,12 +5449,6 @@
 "in": "header",
 "name": "Authorization",
 "description": "Personal access token. Use format: token {YOUR_ACCESS_TOKEN}"
- },
- "TokenQuery": {
- "type": "apiKey",
- "in": "query",
- "name": "token",
- "description": "Access token as query parameter"
 }
 },
 "schemas": {
diff --git a/internal/context/auth.go b/internal/context/auth.go
index 487c8cfbb..97fa4dff9 100644
--- a/internal/context/auth.go
+++ b/internal/context/auth.go
@@ -146,18 +146,12 @@ func authenticatedUserID(store AuthStore, c *macaron.Context, sess session.Store
 // Check access token.
 if isAPIPath(c.Req.URL.Path) {
- tokenSHA := c.Query("token")
- if len(tokenSHA) <= 0 {
- tokenSHA = c.Query("access_token")
- }
- if tokenSHA == "" {
- // Well, check with header again.
- auHead := c.Req.Header.Get("Authorization")
- if len(auHead) > 0 {
- auths := strings.Fields(auHead)
- if len(auths) == 2 && auths[0] == "token" {
- tokenSHA = auths[1]
- }
+ var tokenSHA string
+ auHead := c.Req.Header.Get("Authorization")
+ if auHead != "" {
+ auths := strings.Fields(auHead)
+ if len(auths) == 2 && auths[0] == "token" {
+ tokenSHA = auths[1]
 }
 }