Jack Hay 4e879fed90 Deprecate query string auth tokens (#28390) ... ## Changes - Add deprecation warning to `Token` and `AccessToken` authentication methods in swagger. - Add deprecation warning header to API response. Example: ``` HTTP/1.1 200 OK ... Warning: token and access_token API authentication is deprecated ... ``` - Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth tokens entirely. Default is `false` ## Next steps - `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and the methods should be removed in swagger - `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of the auth methods in question should be removed ## Open questions - Should there be further changes to the swagger documentation? Deprecation is not yet supported for security definitions (coming in [OpenAPI Spec version 3.2.0](https://github.com/OAI/OpenAPI-Specification/issues/2506)) - Should the API router logger sanitize urls that use `token` or `access_token`? (This is obviously an insufficient solution on its own) --------- Co-authored-by: delvh <dev.lh@web.de>		2023-12-12 03:48:53 +00:00
..
actions
activitypub
analyze
assetfs
auth
avatar
base
cache
charset
container
context
contexttest
csv
doctor
emoji
eventsource
generate
git
gitgraph
graceful
hcaptcha
highlight
hostmatcher
html
httpcache
httplib
indexer
issue/template
json
label
lfs
log
markup
mcaptcha
metrics
migration
nosql
options
packages
paginator
pprof
private
process
proxy
proxyprotocol
public
queue
recaptcha
references
regexplru
repository
secret
session
setting
sitemap
ssh
storage
structs
svg
sync
system
templates
test
testlogger
timeutil
translation
turnstile
typesniffer
updatechecker
upload
uri
user
util
validation
web
webhook