API: expect JWT in the Authorization header
index 162e88e0bc06ea50a43e6cc1cc289212962b1edf..522091cac39328222d790b441f29195e2d64fe78 100644 (file)
@@ -98,8 +98,7 @@ class ApiMiddleware
      * @throws ApiAuthorizationException The token couldn't be validated.
      */
     protected function checkToken($request) {
-        $jwt = $request->getHeaderLine('jwt');
-        if (empty($jwt)) {
+        if (! $request->hasHeader('Authorization')) {
             throw new ApiAuthorizationException('JWT token not provided');
         }
 
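Review bot: The docblock above checkToken still only documents the exception, not the new transport of the token, so a caller reading it cannot tell which header is expected; add a line such as `* Expects the token in the Authorization header as "Bearer <token>".` to the description. The start of the docblock and the rest of checkToken lie outside this hunk.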
@@ -107,7 +106,13 @@ class ApiMiddleware
             throw new ApiAuthorizationException('Token secret must be set in Shaarli\'s administration');
         }
 
-        ApiUtils::validateJwtToken($jwt, $this->conf->get('api.secret'));
+        $authorization = $request->getHeaderLine('Authorization');
+
+        if (! preg_match('/^Bearer (.*)/i', $authorization, $matches)) {
+            throw new ApiAuthorizationException('Invalid JWT header');
+        }
+
+        ApiUtils::validateJwtToken($matches[1], $this->conf->get('api.secret'));
     }
 
     /**
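Review bot: The pattern `/^Bearer (.*)/i` in the added preg_match accepts an empty token (`Authorization: Bearer ` with nothing after it) and forwards any trailing whitespace or extra text to validateJwtToken, so a malformed header is only rejected later and with a less specific error. A stricter pattern such as `if (! preg_match('/^Bearer\s+(\S+)\s*$/i', $authorization, $matches)) {` rejects those cases at the header check while still accepting a well-formed bearer token. Whether validateJwtToken trims or re-validates its input cannot be seen from this hunk.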