X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=application%2Fapi%2FApiMiddleware.php;h=66eac133649cf8c020c64164f7864b43ddf33a40;hb=f211e417bf637b8a83988175c29ee072c69f7642;hp=162e88e0bc06ea50a43e6cc1cc289212962b1edf;hpb=80677a23e2e10d78bc527e9754286787b453ce61;p=github%2Fshaarli%2FShaarli.git

diff --git a/application/api/ApiMiddleware.php b/application/api/ApiMiddleware.php
index 162e88e0..66eac133 100644
--- a/application/api/ApiMiddleware.php
+++ b/application/api/ApiMiddleware.php
@@ -1,9 +1,10 @@
 <?php
-
 namespace Shaarli\Api;
 
 use Shaarli\Api\Exceptions\ApiException;
 use Shaarli\Api\Exceptions\ApiAuthorizationException;
+
+use Shaarli\Config\ConfigManager;
 use Slim\Container;
 use Slim\Http\Request;
 use Slim\Http\Response;
@@ -31,7 +32,7 @@ class ApiMiddleware
     protected $container;
 
     /**
-     * @var \ConfigManager instance.
+     * @var ConfigManager instance.
      */
     protected $conf;
 
@@ -64,7 +65,7 @@ class ApiMiddleware
         try {
             $this->checkRequest($request);
             $response = $next($request, $response);
-        } catch(ApiException $e) {
+        } catch (ApiException $e) {
             $e->setResponse($response);
             $e->setDebug($this->conf->get('dev.debug', false));
             $response = $e->getApiResponse();
@@ -97,9 +98,9 @@ class ApiMiddleware
      *
      * @throws ApiAuthorizationException The token couldn't be validated.
      */
-    protected function checkToken($request) {
-        $jwt = $request->getHeaderLine('jwt');
-        if (empty($jwt)) {
+    protected function checkToken($request)
+    {
+        if (! $request->hasHeader('Authorization')) {
             throw new ApiAuthorizationException('JWT token not provided');
         }
 
@@ -107,7 +108,13 @@ class ApiMiddleware
             throw new ApiAuthorizationException('Token secret must be set in Shaarli\'s administration');
         }
 
-        ApiUtils::validateJwtToken($jwt, $this->conf->get('api.secret'));
+        $authorization = $request->getHeaderLine('Authorization');
+
+        if (! preg_match('/^Bearer (.*)/i', $authorization, $matches)) {
+            throw new ApiAuthorizationException('Invalid JWT header');
+        }
+
+        ApiUtils::validateJwtToken($matches[1], $this->conf->get('api.secret'));
     }
 
     /**
@@ -116,7 +123,7 @@ class ApiMiddleware
      *
      * FIXME! LinkDB could use a refactoring to avoid this trick.
      *
-     * @param \ConfigManager $conf instance.
+     * @param ConfigManager $conf instance.
      */
     protected function setLinkDb($conf)
     {