From dca496cd7d66ba7cc4aacd6e7319e620a047a21e Mon Sep 17 00:00:00 2001
From: Jakob Borg
Date: Thu, 29 Jun 2023 14:36:55 +0200
Subject: [PATCH] bearer

---
 lib/api/api_auth.go | 2 +-
 lib/api/api_csrf.go | 10 +++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/lib/api/api_auth.go b/lib/api/api_auth.go
index ad3d86638..58a97e558 100644
--- a/lib/api/api_auth.go
+++ b/lib/api/api_auth.go
@@ -39,7 +39,7 @@ func emitLoginAttempt(success bool, username, address string, evLogger events.Lo
 func basicAuthAndSessionMiddleware(cookieName string, guiCfg config.GUIConfiguration, ldapCfg config.LDAPConfiguration, next http.Handler, evLogger events.Logger) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- if guiCfg.IsValidAPIKey(r.Header.Get("X-API-Key")) {
+ if hasValidAPIKeyHeader(r, guiCfg) {
 next.ServeHTTP(w, r)
 return
 }
diff --git a/lib/api/api_csrf.go b/lib/api/api_csrf.go
index b597c2e49..f2caffc90 100644
--- a/lib/api/api_csrf.go
+++ b/lib/api/api_csrf.go
@@ -59,7 +59,7 @@ func newCsrfManager(unique string, prefix string, apiKeyValidator apiKeyValidato
 func (m *csrfManager) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 // Allow requests carrying a valid API key
- if m.apiKeyValidator.IsValidAPIKey(r.Header.Get("X-API-Key")) {
+ if hasValidAPIKeyHeader(r, m.apiKeyValidator) {
 // Set the access-control-allow-origin header for CORS requests
 // since a valid API key has been provided
 w.Header().Add("Access-Control-Allow-Origin", "*")
@@ -178,3 +178,11 @@ func (m *csrfManager) load() {
 m.tokens = append(m.tokens, s.Text())
 }
 }
+
+func hasValidAPIKeyHeader(r *http.Request, validator apiKeyValidator) bool {
+ if auth := r.Header.Get("Authorization"); strings.HasPrefix(strings.ToLower(auth), "bearer ") {
+ bearerToken := auth[len("bearer "):]
+ return validator.IsValidAPIKey(bearerToken)
+ }
+ return validator.IsValidAPIKey(r.Header.Get("X-API-Key"))
+}
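Review bot: The helper this line now calls, hasValidAPIKeyHeader, is defined in api_csrf.go although it is the authentication middleware's credential check; a reader of api_auth.go has to look in the CSRF file to learn that an `Authorization: Bearer` header now bypasses session and basic auth here. Moving the helper into api_auth.go, or adding a one-line comment at the call site such as `// A valid API key (X-API-Key header or Authorization: Bearer token) bypasses session/basic auth.`, would make the new entry point visible where it matters. The middleware body continues outside the hunk, so whether a rejected bearer token later reaches the basic-auth parsing of the same Authorization header cannot be confirmed from here and is worth checking.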
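Review bot: The comment above the changed condition, `// Allow requests carrying a valid API key`, no longer describes the whole check, since hasValidAPIKeyHeader also accepts the key as a bearer token; a request with only an Authorization header now skips CSRF validation and receives the `Access-Control-Allow-Origin: *` header set on the following lines. Suggest `// Allow requests carrying a valid API key, either in X-API-Key or as an Authorization: Bearer token` so the CORS consequence of the new header is documented at the point where it is granted. The rest of ServeHTTP lies outside the hunk.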
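Review bot: hasValidAPIKeyHeader checks the prefix on `strings.ToLower(auth)` but then slices `auth` itself by the byte length of "bearer "; this works because ToLower is length-preserving for ASCII, but it lowercases and copies the entire header for every request and ties the slice to an assumption about the lowered string's length. The conventional form avoids both: `if auth := r.Header.Get("Authorization"); len(auth) >= 7 && strings.EqualFold(auth[:7], "bearer ") {` followed by `return validator.IsValidAPIKey(auth[7:])`. Note also that a present but invalid bearer token is rejected without consulting X-API-Key, which is a sensible choice but deserves a doc comment, e.g. `// hasValidAPIKeyHeader reports whether r carries a valid API key, as an Authorization: Bearer token or in X-API-Key. A bearer token that is present but invalid is rejected; X-API-Key is only consulted when no bearer token was sent.` If IsValidAPIKey compares the raw string, a header with more than one space after the scheme (allowed by RFC 6750) would be rejected, so trimming leading spaces from the token may be worth considering.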