cristiancmoises
/
gophish
mirror of https://github.com/gophish/gophish
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add support for authenticating to the API via an Authorization Bearer token.

pull/504/merge
Jordan Wright 2018-04-21 12:19:58 -05:00
parent e1d5c809b2
commit 5f3c94d0cf
No known key found for this signature in database
GPG Key ID: 138D5AD2331B3C11
2 changed files with 36 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
controllers/api_test.go
View File

@ -109,6 +109,23 @@ func (s *ControllersSuite) TestRequireAPIKey() {
s.Equal(resp.StatusCode, http.StatusBadRequest) s.Equal(resp.StatusCode, http.StatusBadRequest)
} }
func (s *ControllersSuite) TestInvalidAPIKey() {
resp, err := http.Get(fmt.Sprintf("%s/api/groups/?api_key=%s", as.URL, "bogus-api-key"))
s.Nil(err)
defer resp.Body.Close()
s.Equal(resp.StatusCode, http.StatusBadRequest)
}
func (s *ControllersSuite) TestBearerToken() {
req, err := http.NewRequest("GET", fmt.Sprintf("%s/api/groups/", as.URL), nil)
s.Nil(err)
req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", s.ApiKey))
resp, err := http.DefaultClient.Do(req)
s.Nil(err)
defer resp.Body.Close()
s.Equal(resp.StatusCode, http.StatusOK)
}
func (s *ControllersSuite) TestSiteImportBaseHref() { func (s *ControllersSuite) TestSiteImportBaseHref() {
h := "<html><head></head><body><img src=\"/test.png\"/></body></html>" h := "<html><head></head><body><img src=\"/test.png\"/></body></html>"
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

16
middleware/middleware.go
View File

@ -62,8 +62,6 @@ func GetContext(handler http.Handler) http.HandlerFunc {
func RequireAPIKey(handler http.Handler) http.HandlerFunc { func RequireAPIKey(handler http.Handler) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) { return func(w http.ResponseWriter, r *http.Request) {
r.ParseForm()
ak := r.Form.Get("api_key")
w.Header().Set("Access-Control-Allow-Origin", "*") w.Header().Set("Access-Control-Allow-Origin", "*")
if r.Method == "OPTIONS" { if r.Method == "OPTIONS" {
w.Header().Set("Access-Control-Allow-Methods", "POST, GET, OPTIONS") w.Header().Set("Access-Control-Allow-Methods", "POST, GET, OPTIONS")
@ -71,10 +69,21 @@ func RequireAPIKey(handler http.Handler) http.HandlerFunc {
w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept") w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept")
return return
} }
r.ParseForm()
ak := r.Form.Get("api_key")
// If we can't get the API key, we'll also check for the
// Authorization Bearer token
if ak == "" {
tokens, ok := r.Header["Authorization"]
if ok && len(tokens) >= 1 {
ak = tokens[0]
ak = strings.TrimPrefix(ak, "Bearer ")
}
}
if ak == "" { if ak == "" {
JSONError(w, 400, "API Key not set") JSONError(w, 400, "API Key not set")
return return
} else { }
u, err := models.GetUserByAPIKey(ak) u, err := models.GetUserByAPIKey(ak)
if err != nil { if err != nil {
JSONError(w, 400, "Invalid API Key") JSONError(w, 400, "Invalid API Key")
@ -85,7 +94,6 @@ func RequireAPIKey(handler http.Handler) http.HandlerFunc {
handler.ServeHTTP(w, r) handler.ServeHTTP(w, r)
} }
} }
}
// RequireLogin is a simple middleware which checks to see if the user is currently logged in. // RequireLogin is a simple middleware which checks to see if the user is currently logged in.
// If not, the function returns a 302 redirect to the login page. // If not, the function returns a 302 redirect to the login page.