From 38a0a5e92a99d8c0d1da45c1767857b0a239f59c Mon Sep 17 00:00:00 2001
From: Eicke Hauck
Date: Tue, 16 May 2023 22:09:25 +0200
Subject: [PATCH] Reintroduced checking of bearer token to keep api intact

---
 middleware/middleware.go | 14 ++++++++++++--
 package.json | 2 +-
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/middleware/middleware.go b/middleware/middleware.go
index 37484a29..12052ef8 100644
--- a/middleware/middleware.go
+++ b/middleware/middleware.go
@@ -71,7 +71,8 @@ func GetContext(handler http.Handler) http.HandlerFunc {
 	}
 }
 
-// RequireAPIKey ensures that a valid API key or login cookie is set
+// RequireAPIKey ensures that a valid login cookie or API key is set (either
+// the api_key GET parameter, or a Bearer token)
 func RequireAPIKey(handler http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Access-Control-Allow-Origin", "*")
@@ -83,6 +84,15 @@ func RequireAPIKey(handler http.Handler) http.Handler {
 		}
 		r.ParseForm()
 		ak := r.Form.Get("api_key")
+		// If we can't get the API key, we'll also check for the
+		// Authorization Bearer token
+		if ak == "" {
+			tokens, ok := r.Header["Authorization"]
+			if ok && len(tokens) >= 1 {
+				ak = tokens[0]
+				ak = strings.TrimPrefix(ak, "Bearer ")
+			}
+		}
 		// If we can't get the API key, we'll also check if user is logged in
 		// via the web interface
 		if ak == "" {
@@ -91,7 +101,7 @@ func RequireAPIKey(handler http.Handler) http.Handler {
 			}
 		}
 		if ak == "" {
-			JSONError(w, http.StatusUnauthorized, "Logged out") //API Key not set
+			JSONError(w, http.StatusUnauthorized, "Not logged in") //API Key not set
 			return
 		}
 		u, err := models.GetUserByAPIKey(ak)
diff --git a/package.json b/package.json
index ef574c9f..4f5ac766 100644
--- a/package.json
+++ b/package.json
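Review bot: The new Authorization branch in the second middleware.go hunk accepts any auth scheme, not only Bearer: `strings.TrimPrefix` leaves a `Basic …` or other header value untouched, so the whole header is handed to `models.GetUserByAPIKey` as if it were an API key. Check the scheme before stripping it, e.g. `if auth := r.Header.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") { ak = strings.TrimPrefix(auth, "Bearer ") }`, which also replaces the raw `r.Header["Authorization"]` map lookup with the canonical-key `Get` and makes the `ok && len(tokens) >= 1` guard unnecessary. The hunk introduces a use of `strings` without adding an import; if middleware.go does not already import it, this will not compile. The handler closure inside RequireAPIKey starts in the first hunk and ends outside the view.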
@@ -16,7 +16,7 @@
   "@babel/preset-env": "^7.4.5",
   "babel-loader": "^8.0.6",
   "clean-css": "^4.2.1",
-  "gulp": "^4.0.2",
+  "gulp": "^4.0.0",
   "gulp-babel": "^8.0.0",
   "gulp-clean-css": "^4.0.0",
   "gulp-cli": "^2.2.0",