don't reject multiple acces tokens

cmd/owl/web/handler.go

@@ -267,29 +267,11 @@ func userMicropubHandler(repo *owl.Repository) func(http.ResponseWriter, *http.R
 		}
 
 		// verify access token
-		header_token := r.Header.Get("Authorization")
-		form_token := r.Form.Get("access_token")
-		if header_token != "" {
-			header_token = strings.TrimPrefix(header_token, "Bearer ")
-		}
-
-		if header_token == "" && form_token == "" {
-			w.WriteHeader(http.StatusUnauthorized)
-			w.Write([]byte("Unauthorized"))
-			return
-		}
-
-		if header_token != "" && form_token != "" {
-			w.WriteHeader(http.StatusBadRequest)
-			w.Write([]byte("Multiple access tokens provided"))
-			return
-		}
-
-		var token string
-		if header_token != "" {
-			token = header_token
+		token := r.Header.Get("Authorization")
+		if token == "" {
+			token = r.Form.Get("access_token")
 		} else {
-			token = form_token
+			token = strings.TrimPrefix(token, "Bearer ")
 		}
 
 		valid, _ := user.ValidateAccessToken(token)

cmd/owl/web/micropub_test.go

@@ -116,14 +116,48 @@ func TestMicropubAccessTokenInBody(t *testing.T) {
 	assertions.Assert(t, loc_header != "", "Location header should be set")
 }
 
-func TestMicropubAccessTokenInBoth(t *testing.T) {
+// func TestMicropubAccessTokenInBoth(t *testing.T) {
+// 	repo, user := getSingleUserTestRepo()
+// 	user.ResetPassword("testpassword")
+
+// 	code, _ := user.GenerateAuthCode(
+// 		"test", "test", "test", "test", "test",
+// 	)
+// 	token, _, _ := user.GenerateAccessToken(owl.AuthCode{
+// 		Code:                code,
+// 		ClientId:            "test",
+// 		RedirectUri:         "test",
+// 		CodeChallenge:       "test",
+// 		CodeChallengeMethod: "test",
+// 		Scope:               "test",
+// 	})
+
+// 	// Create Request and Response
+// 	form := url.Values{}
+// 	form.Add("h", "entry")
+// 	form.Add("content", "Test Content")
+// 	form.Add("access_token", token)
+
+// 	req, err := http.NewRequest("POST", user.MicropubUrl(), strings.NewReader(form.Encode()))
+// 	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+// 	req.Header.Add("Content-Length", strconv.Itoa(len(form.Encode())))
+// 	req.Header.Add("Authorization", "Bearer "+token)
+// 	assertions.AssertNoError(t, err, "Error creating request")
+// 	rr := httptest.NewRecorder()
+// 	router := main.SingleUserRouter(&repo)
+// 	router.ServeHTTP(rr, req)
+
+// 	assertions.AssertStatus(t, rr, http.StatusBadRequest)
+// }
+
+func TestMicropubNoAccessToken(t *testing.T) {
 	repo, user := getSingleUserTestRepo()
 	user.ResetPassword("testpassword")
 
 	code, _ := user.GenerateAuthCode(
 		"test", "test", "test", "test", "test",
 	)
-	token, _, _ := user.GenerateAccessToken(owl.AuthCode{
+	user.GenerateAccessToken(owl.AuthCode{
 		Code:                code,
 		ClientId:            "test",
 		RedirectUri:         "test",
@@ -136,16 +170,14 @@ func TestMicropubAccessTokenInBoth(t *testing.T) {
 	form := url.Values{}
 	form.Add("h", "entry")
 	form.Add("content", "Test Content")
-	form.Add("access_token", token)
 
 	req, err := http.NewRequest("POST", user.MicropubUrl(), strings.NewReader(form.Encode()))
 	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
 	req.Header.Add("Content-Length", strconv.Itoa(len(form.Encode())))
-	req.Header.Add("Authorization", "Bearer "+token)
 	assertions.AssertNoError(t, err, "Error creating request")
 	rr := httptest.NewRecorder()
 	router := main.SingleUserRouter(&repo)
 	router.ServeHTTP(rr, req)
 
-	assertions.AssertStatus(t, rr, http.StatusBadRequest)
+	assertions.AssertStatus(t, rr, http.StatusUnauthorized)
 }