diff options
author | VirtualTam <virtualtam@flibidi.net> | 2017-01-07 22:23:47 +0100 |
---|---|---|
committer | VirtualTam <virtualtam+github@flibidi.net> | 2017-01-15 13:41:04 +0100 |
commit | 63ef549749fac9d0e302842f06e7794d1daabc13 (patch) | |
tree | 0ff9dc942d61ca50a251a900f1b923ac8ff39cda /application/api | |
parent | 37ab940599d40472c5b4a3bbe5a10515046c64ee (diff) | |
download | Shaarli-63ef549749fac9d0e302842f06e7794d1daabc13.tar.gz Shaarli-63ef549749fac9d0e302842f06e7794d1daabc13.tar.zst Shaarli-63ef549749fac9d0e302842f06e7794d1daabc13.zip |
API: expect JWT in the Authorization header
Relates to https://github.com/shaarli/Shaarli/pull/731
Added:
- require the presence of the 'Authorization' header
Changed:
- use the HTTP Bearer Token authorization schema
See:
- https://jwt.io/introduction/#how-do-json-web-tokens-work-
- https://tools.ietf.org/html/rfc6750
- http://security.stackexchange.com/q/108662
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'application/api')
-rw-r--r-- | application/api/ApiMiddleware.php | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/application/api/ApiMiddleware.php b/application/api/ApiMiddleware.php index 162e88e0..522091ca 100644 --- a/application/api/ApiMiddleware.php +++ b/application/api/ApiMiddleware.php | |||
@@ -98,8 +98,7 @@ class ApiMiddleware | |||
98 | * @throws ApiAuthorizationException The token couldn't be validated. | 98 | * @throws ApiAuthorizationException The token couldn't be validated. |
99 | */ | 99 | */ |
100 | protected function checkToken($request) { | 100 | protected function checkToken($request) { |
101 | $jwt = $request->getHeaderLine('jwt'); | 101 | if (! $request->hasHeader('Authorization')) { |
102 | if (empty($jwt)) { | ||
103 | throw new ApiAuthorizationException('JWT token not provided'); | 102 | throw new ApiAuthorizationException('JWT token not provided'); |
104 | } | 103 | } |
105 | 104 | ||
@@ -107,7 +106,13 @@ class ApiMiddleware | |||
107 | throw new ApiAuthorizationException('Token secret must be set in Shaarli\'s administration'); | 106 | throw new ApiAuthorizationException('Token secret must be set in Shaarli\'s administration'); |
108 | } | 107 | } |
109 | 108 | ||
110 | ApiUtils::validateJwtToken($jwt, $this->conf->get('api.secret')); | 109 | $authorization = $request->getHeaderLine('Authorization'); |
110 | |||
111 | if (! preg_match('/^Bearer (.*)/i', $authorization, $matches)) { | ||
112 | throw new ApiAuthorizationException('Invalid JWT header'); | ||
113 | } | ||
114 | |||
115 | ApiUtils::validateJwtToken($matches[1], $this->conf->get('api.secret')); | ||
111 | } | 116 | } |
112 | 117 | ||
113 | /** | 118 | /** |