[core] Implement bearer token authentication (#3043)

2025-02-16 15:19:55 +03:00 · 2022-10-19 21:39:35 +05:00 · 2022-10-19 21:39:35 +05:00 · d483bf2b81
commit d483bf2b81
parent 5b53e76477
2 changed files with 56 additions and 1 deletions
--- a/config.default.ini.php
+++ b/config.default.ini.php
@ -57,7 +57,7 @@ by_bridge = false

 [authentication]

-; Enables authentication for all requests to this RSS-Bridge instance.
+; Enables basic authentication for all requests to this RSS-Bridge instance.
 ;
 ; Warning: You'll have to upgrade existing feeds after enabling this option!
 ;
@ -70,6 +70,9 @@ username = "admin"
 ; This default password is public knowledge. Replace it.
 password = "7afbf648a369b261"

+; This will be used only for actions that require privileged access
+access_token = ""
+
 [error]

 ; Defines how error messages are returned by RSS-Bridge
--- a/lib/ApiAuthenticationMiddleware.php
+++ b/lib/ApiAuthenticationMiddleware.php
@ -0,0 +1,52 @@
+<?php
+
+/**
+ * This file is part of RSS-Bridge, a PHP project capable of generating RSS and
+ * Atom feeds for websites that don't have one.
+ *
+ * For the full license information, please view the UNLICENSE file distributed
+ * with this source code.
+ *
+ * @package Core
+ * @license http://unlicense.org/ UNLICENSE
+ * @link    https://github.com/rss-bridge/rss-bridge
+ */
+
+final class ApiAuthenticationMiddleware
+{
+    public function __invoke($request): void
+    {
+        $accessTokenInConfig = Configuration::getConfig('authentication', 'access_token');
+        if (!$accessTokenInConfig) {
+            $this->exit('Access token is not set in this instance', 403);
+        }
+
+        if (isset($request['access_token'])) {
+            $accessTokenGiven = $request['access_token'];
+        } else {
+            $header = trim($_SERVER['HTTP_AUTHORIZATION'] ?? '');
+            $position = strrpos($header, 'Bearer ');
+
+            if ($position !== false) {
+                $accessTokenGiven = substr($header, $position + 7);
+            } else {
+                $accessTokenGiven = '';
+            }
+        }
+
+        if (!$accessTokenGiven) {
+            $this->exit('No access token given', 403);
+        }
+
+        if ($accessTokenGiven != $accessTokenInConfig) {
+            $this->exit('Incorrect access token', 403);
+        }
+    }
+
+    private function exit($message, $code)
+    {
+        http_response_code($code);
+        header('content-type: text/plain');
+        die($message);
+    }
+}