mirrors/owncast
1
0
Fork 0
mirror of https://github.com/owncast/owncast.git synced 2024-11-21 12:18:02 +03:00
Code Issues Projects Releases Packages Wiki Activity

Fix parsing of Authorization Bearer header (#3376)

Browse source 
The semantics of the Authorization header are defined by RFC 9110, which says:

> It uses a case-insensitive token to identify the authentication scheme:

Therefore, "bearer", "Bearer", and "bEARER" are equivalent.  This patch fixes
the parsing of the Authorization header to check for the Bearer authentication
scheme case insensitively.

I've modified one of the test cases to use lowercase "bearer", so there's test
coverage for this.
This commit is contained in:
Alyssa Ross 2023-10-21 17:00:50 +00:00 committed by GitHub
parent 6fc3fa37da
commit 092134f3f3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 7 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
router/middleware/auth.go
View file

@ -69,10 +69,13 @@ func RequireExternalAPIAccessToken(scope string, handler ExternalAccessTokenHand
return
}
authHeader := strings.Split(r.Header.Get("Authorization"), "Bearer ")
token := strings.Join(authHeader, "")
authHeader := r.Header.Get("Authorization")
token := ""
if strings.HasPrefix(strings.ToLower(authHeader), "bearer ") {
token = authHeader[len("bearer "):]
}
if len(authHeader) == 0 || token == "" {
if token == "" {
log.Warnln("invalid access token")
accessDenied(w)
return

2
test/automated/api/integrations.test.js
View file

@ -83,7 +83,7 @@ test('send a system message using access token', async (done) => {
};
const res = await request
.post('/api/integrations/chat/system')
.set('Authorization', 'Bearer ' + accessToken)
.set('Authorization', 'bearer ' + accessToken)
.send(payload)
.expect(200);
done();