Removed checking of bearer token in favor of the login cookie for authorizing web interface requests

pull/2864/head
Eicke Hauck 2021-05-05 12:24:47 +02:00
parent d2efb18ef1
commit 8c122e1ff7
1 changed files with 5 additions and 8 deletions


@ -71,8 +71,7 @@ func GetContext(handler http.Handler) http.HandlerFunc {
} }
} }
// RequireAPIKey ensures that a valid API key is set as either the api_key GET // RequireAPIKey ensures that a valid API key or login cookie is set
// parameter, or a Bearer token.
func RequireAPIKey(handler http.Handler) http.Handler { func RequireAPIKey(handler http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Access-Control-Allow-Origin", "*") w.Header().Set("Access-Control-Allow-Origin", "*")
@ -84,13 +83,11 @@ func RequireAPIKey(handler http.Handler) http.Handler {
} }
r.ParseForm() r.ParseForm()
ak := r.Form.Get("api_key") ak := r.Form.Get("api_key")
// If we can't get the API key, we'll also check for the // If we can't get the API key, we'll also check if user is logged in
// Authorization Bearer token // via the web interface
if ak == "" { if ak == "" {
tokens, ok := r.Header["Authorization"] if u := ctx.Get(r, "user"); u != nil {
if ok && len(tokens) >= 1 { ak = u.(models.User).ApiKey
ak = tokens[0]
ak = strings.TrimPrefix(ak, "Bearer ")
} }
} }
if ak == "" { if ak == "" {
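Review bot: Falling back to the logged-in user's key when `api_key` is empty (the `if u := ctx.Get(r, "user"); u != nil` branch in the second hunk) makes every route behind RequireAPIKey authenticate on an ambient session cookie, so those routes now need the same CSRF protection as the web interface; an explicit key or Bearer token never had that exposure. Whether the API routes are covered by the CSRF middleware or exempt from it is not visible on this page, so confirm that before merging, or limit the cookie fallback to requests that have already passed the CSRF check. The wildcard `Access-Control-Allow-Origin` set at the top of the handler does not mitigate this, because a cross-site state-changing request does not need to read the response. Separately, the unchecked assertion `u.(models.User)` panics if the context ever holds a different type; `if u, ok := ctx.Get(r, "user").(models.User); ok { ak = u.ApiKey }` avoids that. The body of RequireAPIKey continues past the end of the hunk.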