empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-06 08:55:24 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

#7624 accept empty bearer authorization token. (#7685)

Browse Source 
* Fix #7624 accept empty bearer authorization token.

* add changes file
This commit is contained in:
Frank Sievertsen 2022-09-12 16:09:41 +02:00 committed by GitHub
parent a88984730f
commit dd8cf37a85
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 80 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
changes/bug-7624-sso-login-button-not-working Normal file
View File

@ -0,0 +1 @@
- Fix Single Sign On button not working after a failed authorization attempt.

15
server/contexts/token/token.go
View File

@ -20,14 +20,17 @@ type Token string
func FromHTTPRequest(r *http.Request) Token { func FromHTTPRequest(r *http.Request) Token {
headers := r.Header.Get("Authorization") headers := r.Header.Get("Authorization")
headerParts := strings.Split(headers, " ") headerParts := strings.Split(headers, " ")
if len(headerParts) != 2 || strings.ToUpper(headerParts[0]) != "BEARER" { if len(headerParts) > 0 && strings.ToUpper(headerParts[0]) == "BEARER" {
if err := r.ParseForm(); err != nil { if len(headerParts) == 2 {
return "" return Token(headerParts[1])
} }
// This indicates "no token". We don't want to read the request-body here.
return Token(r.FormValue("token")) return ""
} }
return Token(headerParts[1]) if err := r.ParseForm(); err != nil {
return ""
}
return Token(r.FormValue("token"))
} }
// NewContext returns a new context carrying the Authorization Bearer token. // NewContext returns a new context carrying the Authorization Bearer token.

70
server/contexts/token/token_test.go Normal file
View File

@ -0,0 +1,70 @@
package token
import (
"io"
"net/http"
"strings"
"testing"
)
func TestFromHTTPRequest(t *testing.T) {
tests := []struct {
name string
r *http.Request
want Token
}{
{
name: "no auth",
want: "",
r: &http.Request{},
}, {
name: "empty auth",
r: &http.Request{
Header: map[string][]string{
"Authorization": {""},
},
},
want: "",
}, {
name: "BEARER no data",
r: &http.Request{
Header: map[string][]string{
"Authorization": {"BEARER"},
"Content-Type": {"application/x-www-form-urlencoded"},
},
Method: http.MethodPost,
Body: io.NopCloser(strings.NewReader("token=bar")),
},
want: "",
}, {
name: "BEARER foobar",
r: &http.Request{
Header: map[string][]string{
"Authorization": {"BEARER foobar"},
"Content-Type": {"application/x-www-form-urlencoded"},
},
Method: http.MethodPost,
Body: io.NopCloser(strings.NewReader("token=bar")),
},
want: "foobar",
}, {
name: "from body",
r: &http.Request{
Header: map[string][]string{
"Authorization": {"FOOBAR foobar"},
"Content-Type": {"application/x-www-form-urlencoded"},
},
Method: http.MethodPost,
Body: io.NopCloser(strings.NewReader("token=bar")),
},
want: "bar",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := FromHTTPRequest(tt.r); got != tt.want {
t.Errorf("FromHTTPRequest() = %v, want %v", got, tt.want)
}
})
}
}