From abc11e112fdd9ca69cd8d6df6ff2c4b1c620a853 Mon Sep 17 00:00:00 2001
From: Niko Abeler
Date: Sat, 19 Nov 2022 14:08:16 +0100
Subject: [PATCH] don't reject multiple acces tokens

---
 cmd/owl/web/handler.go       | 26 ++++------------------
 cmd/owl/web/micropub_test.go | 42 +++++++++++++++++++++++++++++++-----
 2 files changed, 41 insertions(+), 27 deletions(-)

diff --git a/cmd/owl/web/handler.go b/cmd/owl/web/handler.go
index eaed8f4..84ddd6e 100644
--- a/cmd/owl/web/handler.go
+++ b/cmd/owl/web/handler.go
@@ -267,29 +267,11 @@ func userMicropubHandler(repo *owl.Repository) func(http.ResponseWriter, *http.R
 	}
 
 	// verify access token
-	header_token := r.Header.Get("Authorization")
-	form_token := r.Form.Get("access_token")
-	if header_token != "" {
-		header_token = strings.TrimPrefix(header_token, "Bearer ")
-	}
-
-	if header_token == "" && form_token == "" {
-		w.WriteHeader(http.StatusUnauthorized)
-		w.Write([]byte("Unauthorized"))
-		return
-	}
-
-	if header_token != "" && form_token != "" {
-		w.WriteHeader(http.StatusBadRequest)
-		w.Write([]byte("Multiple access tokens provided"))
-		return
-	}
-
-	var token string
-	if header_token != "" {
-		token = header_token
+	token := r.Header.Get("Authorization")
+	if token == "" {
+		token = r.Form.Get("access_token")
 	} else {
-		token = form_token
+		token = strings.TrimPrefix(token, "Bearer ")
 	}
 
 	valid, _ := user.ValidateAccessToken(token)
diff --git a/cmd/owl/web/micropub_test.go b/cmd/owl/web/micropub_test.go
index 7947a13..d9574ff 100644
--- a/cmd/owl/web/micropub_test.go
+++ b/cmd/owl/web/micropub_test.go
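Review bot: The new `token := r.Header.Get("Authorization")` path only strips a literal `Bearer ` prefix, so any other Authorization value — `Basic …`, a lowercase `bearer …` (RFC 7235 makes the scheme case-insensitive), or a bare string — is handed whole to `user.ValidateAccessToken` instead of being rejected as a malformed credential, and the fallback `r.Form.Get("access_token")` reads the URL query string as well as the body, which RFC 6750 §2.3 discourages because tokens then land in access logs and Referer headers. Parse the scheme explicitly, read the body token from `r.PostForm` (safe assuming `ParseForm` already ran above the hunk, as the existing `r.Form` use implies), and send `WWW-Authenticate: Bearer` with the 401 as RFC 6750 §3 requires. Dropping the header-and-body conflict check also means the header silently wins when both are sent; RFC 6750 §2 says clients MUST NOT do that, and I believe the Micropub spec asks servers to answer 400, so if the new leniency is deliberate the `if token == ""` line deserves a comment such as `// header token takes precedence; a body token is ignored when both are present`. `userMicropubHandler` starts and ends outside this hunk, and the `valid, _ :=` context line still discards the validation error.
```go
	// verify access token: RFC 6750 Bearer header first, else the form body.
	var token string
	if hdr := r.Header.Get("Authorization"); hdr != "" {
		parts := strings.SplitN(hdr, " ", 2)
		if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") || strings.TrimSpace(parts[1]) == "" {
			w.Header().Set("WWW-Authenticate", "Bearer")
			w.WriteHeader(http.StatusUnauthorized)
			w.Write([]byte("Unauthorized"))
			return
		}
		token = strings.TrimSpace(parts[1])
	} else {
		token = r.PostForm.Get("access_token") // body only, never the query string
	}
	// … unchanged: valid, _ := user.ValidateAccessToken(token) …
```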
@@ -116,14 +116,48 @@ func TestMicropubAccessTokenInBody(t *testing.T) {
 	assertions.Assert(t, loc_header != "", "Location header should be set")
 }
 
-func TestMicropubAccessTokenInBoth(t *testing.T) {
+// func TestMicropubAccessTokenInBoth(t *testing.T) {
+// repo, user := getSingleUserTestRepo()
+// user.ResetPassword("testpassword")
+
+// code, _ := user.GenerateAuthCode(
+// "test", "test", "test", "test", "test",
+// )
+// token, _, _ := user.GenerateAccessToken(owl.AuthCode{
+// Code: code,
+// ClientId: "test",
+// RedirectUri: "test",
+// CodeChallenge: "test",
+// CodeChallengeMethod: "test",
+// Scope: "test",
+// })
+
+// // Create Request and Response
+// form := url.Values{}
+// form.Add("h", "entry")
+// form.Add("content", "Test Content")
+// form.Add("access_token", token)
+
+// req, err := http.NewRequest("POST", user.MicropubUrl(), strings.NewReader(form.Encode()))
+// req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+// req.Header.Add("Content-Length", strconv.Itoa(len(form.Encode())))
+// req.Header.Add("Authorization", "Bearer "+token)
+// assertions.AssertNoError(t, err, "Error creating request")
+// rr := httptest.NewRecorder()
+// router := main.SingleUserRouter(&repo)
+// router.ServeHTTP(rr, req)
+
+// assertions.AssertStatus(t, rr, http.StatusBadRequest)
+// }
+
+func TestMicropubNoAccessToken(t *testing.T) {
 	repo, user := getSingleUserTestRepo()
 	user.ResetPassword("testpassword")
 
 	code, _ := user.GenerateAuthCode(
 		"test", "test", "test", "test", "test",
 	)
-	token, _, _ := user.GenerateAccessToken(owl.AuthCode{
+	user.GenerateAccessToken(owl.AuthCode{
 		Code: code,
 		ClientId: "test",
 		RedirectUri: "test",
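Review bot: The thirty-odd commented-out lines of `TestMicropubAccessTokenInBoth` are dead code that will drift from the real API; git history already preserves the old test, so delete the block outright. What the handler change actually needs is a live test of the precedence it now applies: send a valid token in `Authorization: Bearer` together with a bogus `access_token` form field and expect success with a `Location` header, then send a bogus header with the valid token in the body and expect `http.StatusUnauthorized`, assuming the invalid-token branch after the handler hunk still answers 401 — a non-empty header makes the handler ignore the body entirely, which is worth stating in a comment like `// header token takes precedence; the body token is ignored when both are present`. In the new `TestMicropubNoAccessToken` the bare `user.GenerateAccessToken(owl.AuthCode{...})` call discards every result, which reads like leftover setup; it is still useful because it proves the 401 is about the request and not about the user owning no tokens, so keep it but say so: `// a valid token exists; the request simply does not carry it`. The new test's body continues past the end of this hunk.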
@@ -136,16 +170,14 @@ func TestMicropubAccessTokenInBoth(t *testing.T) {
 	form := url.Values{}
 	form.Add("h", "entry")
 	form.Add("content", "Test Content")
-	form.Add("access_token", token)
 
 	req, err := http.NewRequest("POST", user.MicropubUrl(), strings.NewReader(form.Encode()))
 	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
 	req.Header.Add("Content-Length", strconv.Itoa(len(form.Encode())))
-	req.Header.Add("Authorization", "Bearer "+token)
 	assertions.AssertNoError(t, err, "Error creating request")
 	rr := httptest.NewRecorder()
 	router := main.SingleUserRouter(&repo)
 	router.ServeHTTP(rr, req)
 
-	assertions.AssertStatus(t, rr, http.StatusBadRequest)
+	assertions.AssertStatus(t, rr, http.StatusUnauthorized)
 }
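Review bot: The negative test at the end of the hunk asserts only `http.StatusUnauthorized`, which cannot tell the missing-token check apart from any other 401 and says nothing about whether an entry was still created. Also check the body the handler writes and the absence of the success header, e.g. `assertions.Assert(t, rr.Body.String() == "Unauthorized", "unexpected response body")` and `assertions.Assert(t, rr.Header().Get("Location") == "", "no entry must be created without a token")`, mirroring the `Location` assertion the positive test in this file already makes. If the handler is later changed to emit `WWW-Authenticate: Bearer` on 401, this is the place to pin it. The function's start lies outside this hunk.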