Removed checking of bearer token in favor of the login cookie for authorizing web interface requests

pull/2864/head
Eicke Hauck 2021-05-05 12:24:47 +02:00
parent d2efb18ef1
commit 8c122e1ff7
1 changed files with 5 additions and 8 deletions


@ -71,8 +71,7 @@ func GetContext(handler http.Handler) http.HandlerFunc {
}
}
// RequireAPIKey ensures that a valid API key is set as either the api_key GET
// parameter, or a Bearer token.
// RequireAPIKey ensures that a valid API key or login cookie is set
func RequireAPIKey(handler http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Access-Control-Allow-Origin", "*")
@ -84,13 +83,11 @@ func RequireAPIKey(handler http.Handler) http.Handler {
}
r.ParseForm()
ak := r.Form.Get("api_key")
// If we can't get the API key, we'll also check for the
// Authorization Bearer token
// If we can't get the API key, we'll also check if user is logged in
// via the web interface
if ak == "" {
tokens, ok := r.Header["Authorization"]
if ok && len(tokens) >= 1 {
ak = tokens[0]
ak = strings.TrimPrefix(ak, "Bearer ")
if u := ctx.Get(r, "user"); u != nil {
ak = u.(models.User).ApiKey
}
}
if ak == "" {
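Review bot: The cookie fallback in the `if ak == ""` branch lets a browser session alone authorize every route wrapped by RequireAPIKey, so these endpoints now need CSRF protection, which nothing in this hunk provides; the wildcard `Access-Control-Allow-Origin` header set at the top of the handler does not stop a cross-site request from being sent with the login cookie. Please confirm that the CSRF middleware (or a SameSite cookie policy) covers the API routes, or limit the fallback to requests that also carry the CSRF token. Separately, `u.(models.User)` panics if the context ever holds a different type, such as a pointer; a checked assertion is safer: `if u, ok := ctx.Get(r, "user").(models.User); ok { ak = u.ApiKey }`. The body of RequireAPIKey continues past the end of the hunk, so how `ak` is validated afterwards is not visible here.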