Fix bug where auth token is not set from cookie when excluded endpoint (#1360)

Co-authored-by: Ben Toogood <ben@micro.mu>
This commit is contained in:
ben-toogood 2020-03-17 19:24:10 +00:00 committed by GitHub
parent 8a41d369f2
commit 00cd2448a4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -31,11 +31,26 @@ const (
)
func (h authHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
loginURL := h.auth.Options().LoginURL
// Extract the token from the request
var token string
if header := req.Header.Get("Authorization"); len(header) > 0 {
// Extract the auth token from the request
if strings.HasPrefix(header, BearerScheme) {
token = header[len(BearerScheme):]
}
} else {
// Get the token out the cookies if not provided in headers
if c, err := req.Cookie("micro-token"); err == nil && c != nil {
token = strings.TrimPrefix(c.Value, auth.CookieName+"=")
req.Header.Set("Authorization", BearerScheme+token)
}
}
// Return if the user disabled auth on this endpoint
excludes := h.auth.Options().Exclude
excludes = append(excludes, DefaultExcludes...)
loginURL := h.auth.Options().LoginURL
if len(loginURL) > 0 {
excludes = append(excludes, loginURL)
}
@ -55,20 +70,6 @@ func (h authHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
}
}
var token string
if header := req.Header.Get("Authorization"); len(header) > 0 {
// Extract the auth token from the request
if strings.HasPrefix(header, BearerScheme) {
token = header[len(BearerScheme):]
}
} else {
// Get the token out the cookies if not provided in headers
if c, err := req.Cookie("micro-token"); err == nil && c != nil {
token = strings.TrimPrefix(c.Value, auth.CookieName+"=")
req.Header.Set("Authorization", BearerScheme+token)
}
}
// If the token is valid, allow the request
if _, err := h.auth.Verify(token); err == nil {
h.handler.ServeHTTP(w, req)