context: reject access tokens passed via URL query parameters (#8177)

.claude/commands/ghsa.md

@@ -7,5 +7,7 @@ Steps:
 4. Propose a fix with a clear explanation of the root cause and how the fix addresses it. Check for prior art in the codebase to stay consistent with existing patterns.
 5. Implement the fix. Only add tests when there is something meaningful to test at our layer.
 6. Run all the usual build and test commands.
-7. Create a branch named after the GHSA ID, commit, and push.
-8. Create a pull request with a proper title and description, do not reveal too much detail and link the GHSA.
+7. If a changelog entry is warranted (user will specify), add it to CHANGELOG.md with a placeholder for the PR link.
+8. Create a branch named after the GHSA ID, commit, and push.
+9. Create a pull request with a proper title and description, do not reveal too much detail and link the GHSA.
+10. If a changelog entry was added, update it with the PR link, then commit and push again.

CHANGELOG.md

@@ -10,6 +10,7 @@ All notable changes to Gogs are documented in this file.
 
 ### Removed
 
+- Support for passing API access tokens via URL query parameters (`token`, `access_token`). Use the `Authorization` header instead. [#8177](https://github.com/gogs/gogs/pull/8177) - [GHSA-x9p5-w45c-7ffc](https://github.com/gogs/gogs/security/advisories/GHSA-x9p5-w45c-7ffc)
 - The `gogs cert` subcommand. [#8153](https://github.com/gogs/gogs/pull/8153)
 - The `[email] DISABLE_HELO` configuration option. HELO/EHLO is now always sent during SMTP handshake. [#8164](https://github.com/gogs/gogs/pull/8164)
 - Support for MSSQL as a database backend. Stay on 0.14 for continued usage. [#8173](https://github.com/gogs/gogs/pull/8173)

docs/api-reference/introduction.mdx

@@ -55,23 +55,11 @@ There are two ways to authenticate through the Gogs API. Requests that require a
     </Warning>
   </Tab>
   <Tab title="Access token">
-    Personal access tokens are the recommended way to authenticate. They can be sent via a request **header** or a **URL query parameter**.
-
-    **Using a header:**
+    Personal access tokens must be sent via the `Authorization` request header.
 
     ```bash
     curl -H "Authorization: token {YOUR_ACCESS_TOKEN}" https://gogs.example.com/api/v1/user/repos
     ```
-
-    **Using a query parameter:**
-
-    ```bash
-    curl https://gogs.example.com/api/v1/user/repos?token={YOUR_ACCESS_TOKEN}
-    ```
-
-    <Tip>
-      Using the `Authorization` header is preferred over the query parameter, as URLs may be logged by proxies and servers.
-    </Tip>
   </Tab>
 </Tabs>
 

docs/api-reference/openapi.json

@@ -5449,12 +5449,6 @@
         "in": "header",
         "name": "Authorization",
         "description": "Personal access token. Use format: token {YOUR_ACCESS_TOKEN}"
-      },
-      "TokenQuery": {
-        "type": "apiKey",
-        "in": "query",
-        "name": "token",
-        "description": "Access token as query parameter"
       }
     },
     "schemas": {

internal/context/auth.go

@@ -146,18 +146,12 @@ func authenticatedUserID(store AuthStore, c *macaron.Context, sess session.Store
 
 	// Check access token.
 	if isAPIPath(c.Req.URL.Path) {
-		tokenSHA := c.Query("token")
-		if len(tokenSHA) <= 0 {
-			tokenSHA = c.Query("access_token")
-		}
-		if tokenSHA == "" {
-			// Well, check with header again.
-			auHead := c.Req.Header.Get("Authorization")
-			if len(auHead) > 0 {
-				auths := strings.Fields(auHead)
-				if len(auths) == 2 && auths[0] == "token" {
-					tokenSHA = auths[1]
-				}
+		var tokenSHA string
+		auHead := c.Req.Header.Get("Authorization")
+		if auHead != "" {
+			auths := strings.Fields(auHead)
+			if len(auths) == 2 && auths[0] == "token" {
+				tokenSHA = auths[1]
 			}
 		}