aboutsummaryrefslogtreecommitdiffhomepage
path: root/application/api
diff options
context:
space:
mode:
authorVirtualTam <virtualtam@flibidi.net>2017-01-07 22:23:47 +0100
committerVirtualTam <virtualtam+github@flibidi.net>2017-01-15 13:41:04 +0100
commit63ef549749fac9d0e302842f06e7794d1daabc13 (patch)
tree0ff9dc942d61ca50a251a900f1b923ac8ff39cda /application/api
parent37ab940599d40472c5b4a3bbe5a10515046c64ee (diff)
downloadShaarli-63ef549749fac9d0e302842f06e7794d1daabc13.tar.gz
Shaarli-63ef549749fac9d0e302842f06e7794d1daabc13.tar.zst
Shaarli-63ef549749fac9d0e302842f06e7794d1daabc13.zip
API: expect JWT in the Authorization header
Relates to https://github.com/shaarli/Shaarli/pull/731 Added: - require the presence of the 'Authorization' header Changed: - use the HTTP Bearer Token authorization schema See: - https://jwt.io/introduction/#how-do-json-web-tokens-work- - https://tools.ietf.org/html/rfc6750 - http://security.stackexchange.com/q/108662 Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'application/api')
-rw-r--r--application/api/ApiMiddleware.php11
1 files changed, 8 insertions, 3 deletions
diff --git a/application/api/ApiMiddleware.php b/application/api/ApiMiddleware.php
index 162e88e0..522091ca 100644
--- a/application/api/ApiMiddleware.php
+++ b/application/api/ApiMiddleware.php
@@ -98,8 +98,7 @@ class ApiMiddleware
98 * @throws ApiAuthorizationException The token couldn't be validated. 98 * @throws ApiAuthorizationException The token couldn't be validated.
99 */ 99 */
100 protected function checkToken($request) { 100 protected function checkToken($request) {
101 $jwt = $request->getHeaderLine('jwt'); 101 if (! $request->hasHeader('Authorization')) {
102 if (empty($jwt)) {
103 throw new ApiAuthorizationException('JWT token not provided'); 102 throw new ApiAuthorizationException('JWT token not provided');
104 } 103 }
105 104
@@ -107,7 +106,13 @@ class ApiMiddleware
107 throw new ApiAuthorizationException('Token secret must be set in Shaarli\'s administration'); 106 throw new ApiAuthorizationException('Token secret must be set in Shaarli\'s administration');
108 } 107 }
109 108
110 ApiUtils::validateJwtToken($jwt, $this->conf->get('api.secret')); 109 $authorization = $request->getHeaderLine('Authorization');
110
111 if (! preg_match('/^Bearer (.*)/i', $authorization, $matches)) {
112 throw new ApiAuthorizationException('Invalid JWT header');
113 }
114
115 ApiUtils::validateJwtToken($matches[1], $this->conf->get('api.secret'));
111 } 116 }
112 117
113 /** 118 /**