don't reject multiple acces tokens

This commit is contained in:
Niko Abeler 2022-11-19 14:08:16 +01:00
parent 1039a905bc
commit abc11e112f
2 changed files with 41 additions and 27 deletions

View File

@ -267,29 +267,11 @@ func userMicropubHandler(repo *owl.Repository) func(http.ResponseWriter, *http.R
} }
// verify access token // verify access token
header_token := r.Header.Get("Authorization") token := r.Header.Get("Authorization")
form_token := r.Form.Get("access_token") if token == "" {
if header_token != "" { token = r.Form.Get("access_token")
header_token = strings.TrimPrefix(header_token, "Bearer ")
}
if header_token == "" && form_token == "" {
w.WriteHeader(http.StatusUnauthorized)
w.Write([]byte("Unauthorized"))
return
}
if header_token != "" && form_token != "" {
w.WriteHeader(http.StatusBadRequest)
w.Write([]byte("Multiple access tokens provided"))
return
}
var token string
if header_token != "" {
token = header_token
} else { } else {
token = form_token token = strings.TrimPrefix(token, "Bearer ")
} }
valid, _ := user.ValidateAccessToken(token) valid, _ := user.ValidateAccessToken(token)

View File

@ -116,14 +116,48 @@ func TestMicropubAccessTokenInBody(t *testing.T) {
assertions.Assert(t, loc_header != "", "Location header should be set") assertions.Assert(t, loc_header != "", "Location header should be set")
} }
func TestMicropubAccessTokenInBoth(t *testing.T) { // func TestMicropubAccessTokenInBoth(t *testing.T) {
// repo, user := getSingleUserTestRepo()
// user.ResetPassword("testpassword")
// code, _ := user.GenerateAuthCode(
// "test", "test", "test", "test", "test",
// )
// token, _, _ := user.GenerateAccessToken(owl.AuthCode{
// Code: code,
// ClientId: "test",
// RedirectUri: "test",
// CodeChallenge: "test",
// CodeChallengeMethod: "test",
// Scope: "test",
// })
// // Create Request and Response
// form := url.Values{}
// form.Add("h", "entry")
// form.Add("content", "Test Content")
// form.Add("access_token", token)
// req, err := http.NewRequest("POST", user.MicropubUrl(), strings.NewReader(form.Encode()))
// req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
// req.Header.Add("Content-Length", strconv.Itoa(len(form.Encode())))
// req.Header.Add("Authorization", "Bearer "+token)
// assertions.AssertNoError(t, err, "Error creating request")
// rr := httptest.NewRecorder()
// router := main.SingleUserRouter(&repo)
// router.ServeHTTP(rr, req)
// assertions.AssertStatus(t, rr, http.StatusBadRequest)
// }
func TestMicropubNoAccessToken(t *testing.T) {
repo, user := getSingleUserTestRepo() repo, user := getSingleUserTestRepo()
user.ResetPassword("testpassword") user.ResetPassword("testpassword")
code, _ := user.GenerateAuthCode( code, _ := user.GenerateAuthCode(
"test", "test", "test", "test", "test", "test", "test", "test", "test", "test",
) )
token, _, _ := user.GenerateAccessToken(owl.AuthCode{ user.GenerateAccessToken(owl.AuthCode{
Code: code, Code: code,
ClientId: "test", ClientId: "test",
RedirectUri: "test", RedirectUri: "test",
@ -136,16 +170,14 @@ func TestMicropubAccessTokenInBoth(t *testing.T) {
form := url.Values{} form := url.Values{}
form.Add("h", "entry") form.Add("h", "entry")
form.Add("content", "Test Content") form.Add("content", "Test Content")
form.Add("access_token", token)
req, err := http.NewRequest("POST", user.MicropubUrl(), strings.NewReader(form.Encode())) req, err := http.NewRequest("POST", user.MicropubUrl(), strings.NewReader(form.Encode()))
req.Header.Add("Content-Type", "application/x-www-form-urlencoded") req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
req.Header.Add("Content-Length", strconv.Itoa(len(form.Encode()))) req.Header.Add("Content-Length", strconv.Itoa(len(form.Encode())))
req.Header.Add("Authorization", "Bearer "+token)
assertions.AssertNoError(t, err, "Error creating request") assertions.AssertNoError(t, err, "Error creating request")
rr := httptest.NewRecorder() rr := httptest.NewRecorder()
router := main.SingleUserRouter(&repo) router := main.SingleUserRouter(&repo)
router.ServeHTTP(rr, req) router.ServeHTTP(rr, req)
assertions.AssertStatus(t, rr, http.StatusBadRequest) assertions.AssertStatus(t, rr, http.StatusUnauthorized)
} }