bearer

2024-10-01 02:59:02 +00:00 · 2023-06-29 14:36:55 +02:00 · 2023-06-29 14:36:55 +02:00 · dca496cd7d
commit dca496cd7d
parent 04b121b5f4
2 changed files with 10 additions and 2 deletions
--- a/lib/api/api_auth.go
+++ b/lib/api/api_auth.go
@ -39,7 +39,7 @@ func emitLoginAttempt(success bool, username, address string, evLogger events.Lo

 func basicAuthAndSessionMiddleware(cookieName string, guiCfg config.GUIConfiguration, ldapCfg config.LDAPConfiguration, next http.Handler, evLogger events.Logger) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if guiCfg.IsValidAPIKey(r.Header.Get("X-API-Key")) {
+		if hasValidAPIKeyHeader(r, guiCfg) {
 			next.ServeHTTP(w, r)
 			return
 		}
--- a/lib/api/api_csrf.go
+++ b/lib/api/api_csrf.go
@ -59,7 +59,7 @@ func newCsrfManager(unique string, prefix string, apiKeyValidator apiKeyValidato

 func (m *csrfManager) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	// Allow requests carrying a valid API key
-	if m.apiKeyValidator.IsValidAPIKey(r.Header.Get("X-API-Key")) {
+	if hasValidAPIKeyHeader(r, m.apiKeyValidator) {
 		// Set the access-control-allow-origin header for CORS requests
 		// since a valid API key has been provided
 		w.Header().Add("Access-Control-Allow-Origin", "*")
@ -178,3 +178,11 @@ func (m *csrfManager) load() {
 		m.tokens = append(m.tokens, s.Text())
 	}
 }
+
+func hasValidAPIKeyHeader(r *http.Request, validator apiKeyValidator) bool {
+	if auth := r.Header.Get("Authorization"); strings.HasPrefix(strings.ToLower(auth), "bearer ") {
+		bearerToken := auth[len("bearer "):]
+		return validator.IsValidAPIKey(bearerToken)
+	}
+	return validator.IsValidAPIKey(r.Header.Get("X-API-Key"))
+}