The semantics of the Authorization header are defined by RFC 9110, which says:

> It uses a case-insensitive token to identify the authentication scheme:

Therefore, "bearer", "Bearer", and "bEARER" are equivalent. This patch fixes
the parsing of the Authorization header to check for the Bearer authentication
scheme case insensitively.

I've modified one of the test cases to use lowercase "bearer", so there's test
coverage for this.

* chore: replace nanmu/gzip by CAFxX/httpcompression for compression
Instead of using nanmu42/gzip which imports the whole gin framework,
we replace it with CAFxX/httpcompression which is more lightweight.
Fixes #2697
* Run go mod tidy
---------
Co-authored-by: Gabe Kangas <gabek@real-ity.com>
* Custom emoji editor: implement backend
This reuses the logo upload code
* Implement emoji edit admin interface
Again reuse base64 logic from the logo upload
* Allow toggling between uploaded and default emojis
* Add route that always serves uploaded emojis
This is needed for the admin emoji interface,
as otherwise the emojis will 404 if custom emojis are disabled
* Fix linter warnings
* Remove custom/uploaded emoji logic
* Reset timer after emoji deletion
* Setup: copy built-in emojis to emoji directory
* Able to authenticate user against IndieAuth. For #1273
* WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272
* Add migration to remove access tokens from user
* Add authenticated bool to user for display purposes
* Add indieauth modal and auth flair to display names. For #1273
* Validate URLs and display errors
* Renames, cleanups
* Handle relative auth endpoint paths. Add error handling for missing redirects.
* Disallow using display names in use by registered users. Closes #1810
* Verify code verifier via code challenge on callback
* Use relative path to authorization_endpoint
* Post-rebase fixes
* Use a timestamp instead of a bool for authenticated
* Properly handle and display error in modal
* Use auth'ed timestamp to derive authenticated flag to display in chat
* Fediverse chat auth via OTP
* Increase validity time just in case
* Add fediverse auth into auth modal
* Text, validation, cleanup updates for fedi auth
* Fix typo
* Remove unused images
* Remove unused file
* Add chat display name to auth modal text
* Able to authenticate user against IndieAuth. For #1273
* WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272
* Add migration to remove access tokens from user
* Add authenticated bool to user for display purposes
* Add indieauth modal and auth flair to display names. For #1273
* Validate URLs and display errors
* Renames, cleanups
* Handle relative auth endpoint paths. Add error handling for missing redirects.
* Disallow using display names in use by registered users. Closes #1810
* Verify code verifier via code challenge on callback
* Use relative path to authorization_endpoint
* Post-rebase fixes
* Use a timestamp instead of a bool for authenticated
* Properly handle and display error in modal
* Use auth'ed timestamp to derive authenticated flag to display in chat
* don't redirect unless a URL is present
avoids redirecting to `undefined` if there was an error
* improve error message if owncast server URL isn't set
* fix IndieAuth PKCE implementation
use SHA256 instead of SHA1, generates a longer code verifier (must be 43-128 chars long), fixes URL-safe SHA256 encoding
* return real profile data for IndieAuth response
* check the code verifier in the IndieAuth server
* Linting
* Add new chat settings modal and split up indieauth ui
* Remove logging error
* Update the IndieAuth modal UI. For #1273
* Add IndieAuth response error checking
* Disable IndieAuth client if server URL is not set.
* Add explicit error messages for specific error types
* Fix bad logic
* Return OAuth-keyed error responses for indieauth server
* Display IndieAuth error in plain text with link to return to main page
* Remove redundant check
* Add additional detail to error
* Hide IndieAuth details behind disclosure details
* Break out migration into two steps because some people have been running dev in production
* Add auth option to user dropdown
Co-authored-by: Aaron Parecki <aaron@parecki.com>
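
The PKCE items in the commit message above (SHA256 instead of SHA1, a 43-128 character code verifier, URL-safe encoding, and checking the verifier on the server) can be illustrated with the following added example, which is not code from the Owncast repository. The names `NewVerifier`, `Challenge` and `VerifyPKCE` are hypothetical, and the sketch assumes the S256 method of RFC 7636.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// unreserved is the character set permitted in a PKCE code verifier.
const unreserved = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"

// NewVerifier (hypothetical name) encodes 32 random bytes as unpadded
// base64url, which yields exactly 43 characters, the minimum length.
func NewVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Challenge derives the S256 challenge: unpadded base64url of SHA-256(verifier).
func Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyPKCE (hypothetical name) is the server-side check: validate the
// verifier's shape, then compare its challenge in constant time.
func VerifyPKCE(verifier, storedChallenge string) error {
	if n := len(verifier); n < 43 || n > 128 {
		return errors.New("code_verifier must be 43-128 characters")
	}
	if strings.Trim(verifier, unreserved) != "" {
		return errors.New("code_verifier contains a disallowed character")
	}
	if subtle.ConstantTimeCompare([]byte(Challenge(verifier)), []byte(storedChallenge)) != 1 {
		return errors.New("code_verifier does not match code_challenge")
	}
	return nil
}

func main() {
	v, _ := NewVerifier()
	fmt.Println(len(v), VerifyPKCE(v, Challenge(v)))
}
```

Using `base64.StdEncoding` or leaving the `=` padding in place produces a challenge that will not match a compliant peer, which is the kind of encoding mismatch the commit message describes fixing.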