don't reject multiple acces tokens

2022-11-19 14:08:16 +01:00 · 2022-11-19 14:08:16 +01:00 · abc11e112f
parent 1039a905bc
commit abc11e112f
2 changed files with 41 additions and 27 deletions
--- a/cmd/owl/web/handler.go
+++ b/cmd/owl/web/handler.go
@ -267,29 +267,11 @@ func userMicropubHandler(repo *owl.Repository) func(http.ResponseWriter, *http.R
 		}
 		// verify access token
-		header_token := r.Header.Get("Authorization")
+		token := r.Header.Get("Authorization")
-		form_token := r.Form.Get("access_token")
+		if token == "" {
-		if header_token != "" {
+			token = r.Form.Get("access_token")
 			header_token = strings.TrimPrefix(header_token, "Bearer ")
 		}
 		if header_token == "" && form_token == "" {
 			w.WriteHeader(http.StatusUnauthorized)
 			w.Write([]byte("Unauthorized"))
 			return
 		}
 		if header_token != "" && form_token != "" {
 			w.WriteHeader(http.StatusBadRequest)
 			w.Write([]byte("Multiple access tokens provided"))
 			return
 		}
 		var token string
 		if header_token != "" {
 			token = header_token
 		} else {
-			token = form_token
+			token = strings.TrimPrefix(token, "Bearer ")
 		}
 		valid, _ := user.ValidateAccessToken(token)
--- a/cmd/owl/web/micropub_test.go
+++ b/cmd/owl/web/micropub_test.go
@ -116,14 +116,48 @@ func TestMicropubAccessTokenInBody(t *testing.T) {
 	assertions.Assert(t, loc_header != "", "Location header should be set")
 }
-func TestMicropubAccessTokenInBoth(t *testing.T) {
+// func TestMicropubAccessTokenInBoth(t *testing.T) {
 // 	repo, user := getSingleUserTestRepo()
 // 	user.ResetPassword("testpassword")
 // 	code, _ := user.GenerateAuthCode(
 // 		"test", "test", "test", "test", "test",
 // 	)
 // 	token, _, _ := user.GenerateAccessToken(owl.AuthCode{
 // 		Code:                code,
 // 		ClientId:            "test",
 // 		RedirectUri:         "test",
 // 		CodeChallenge:       "test",
 // 		CodeChallengeMethod: "test",
 // 		Scope:               "test",
 // 	})
 // 	// Create Request and Response
 // 	form := url.Values{}
 // 	form.Add("h", "entry")
 // 	form.Add("content", "Test Content")
 // 	form.Add("access_token", token)
 // 	req, err := http.NewRequest("POST", user.MicropubUrl(), strings.NewReader(form.Encode()))
 // 	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
 // 	req.Header.Add("Content-Length", strconv.Itoa(len(form.Encode())))
 // 	req.Header.Add("Authorization", "Bearer "+token)
 // 	assertions.AssertNoError(t, err, "Error creating request")
 // 	rr := httptest.NewRecorder()
 // 	router := main.SingleUserRouter(&repo)
 // 	router.ServeHTTP(rr, req)
 // 	assertions.AssertStatus(t, rr, http.StatusBadRequest)
 // }
 func TestMicropubNoAccessToken(t *testing.T) {
 	repo, user := getSingleUserTestRepo()
 	user.ResetPassword("testpassword")
 	code, _ := user.GenerateAuthCode(
 		"test", "test", "test", "test", "test",
 	)
-	token, _, _ := user.GenerateAccessToken(owl.AuthCode{
+	user.GenerateAccessToken(owl.AuthCode{
 		Code:                code,
 		ClientId:            "test",
 		RedirectUri:         "test",
@ -136,16 +170,14 @@ func TestMicropubAccessTokenInBoth(t *testing.T) {
 	form := url.Values{}
 	form.Add("h", "entry")
 	form.Add("content", "Test Content")
 	form.Add("access_token", token)
 	req, err := http.NewRequest("POST", user.MicropubUrl(), strings.NewReader(form.Encode()))
 	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
 	req.Header.Add("Content-Length", strconv.Itoa(len(form.Encode())))
 	req.Header.Add("Authorization", "Bearer "+token)
 	assertions.AssertNoError(t, err, "Error creating request")
 	rr := httptest.NewRecorder()
 	router := main.SingleUserRouter(&repo)
 	router.ServeHTTP(rr, req)
-	assertions.AssertStatus(t, rr, http.StatusBadRequest)
+	assertions.AssertStatus(t, rr, http.StatusUnauthorized)
 }