12 files changed, 119 insertions, 39 deletions

diff --git a/.gitattributes b/.gitattributes
index d753b1db..059fbb18 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -19,6 +19,7 @@ Dockerfile      text
 
 # Exclude from Git archives
 .gitattributes  export-ignore
+.github         export-ignore
 .gitignore      export-ignore
 .travis.yml     export-ignore
 doc/**/*.json   export-ignore
diff --git a/.github/mailmap b/.github/mailmap
new file mode 100644
index 00000000..41d91e47
--- /dev/null
+++ b/.github/mailmap
@@ -0,0 +1,13 @@
+ArthurHoaro <arthur@hoa.ro>
+Florian Eula <eula.florian@gmail.com> feula
+Florian Eula <eula.florian@gmail.com> <mr.pikzen@gmail.com>
+Nicolas Danelon <hi@nicolasmd.com.ar> nicolasm
+Nicolas Danelon <hi@nicolasmd.com.ar> <nda@3818.com.ar>
+Nicolas Danelon <hi@nicolasmd.com.ar> <nicolasdanelon@gmail.com>
+Nicolas Danelon <hi@nicolasmd.com.ar> <nicolasdanelon@users.noreply.github.com>
+Sébastien Sauvage <sebsauvage@sebsauvage.net>
+Timo Van Neerden <fire@lehollandaisvolant.net>
+Timo Van Neerden <fire@lehollandaisvolant.net> lehollandaisvolant <levoltigeurhollandais@gmail.com>
+VirtualTam <virtualtam@flibidi.net> <tamisier.aurelien@gmail.com>
+VirtualTam <virtualtam@flibidi.net> <virtualtam+github@flibidi.net>
+VirtualTam <virtualtam@flibidi.net> <virtualtam@flibidi.org>
diff --git a/AUTHORS b/AUTHORS
new file mode 100644
index 00000000..aa041ae9
--- /dev/null
+++ b/AUTHORS
@@ -0,0 +1,40 @@
+   327  ArthurHoaro <arthur@hoa.ro>
+   188  VirtualTam <virtualtam@flibidi.net>
+   132  nodiscc <nodiscc@gmail.com>
+    56  Sébastien Sauvage <sebsauvage@sebsauvage.net>
+    15  Florian Eula <eula.florian@gmail.com>
+    13  Emilien Klein <emilien@klein.st>
+    12  Nicolas Danelon <hi@nicolasmd.com.ar>
+     7  Christophe HENRY <christophe.henry@sbgodin.fr>
+     4  Alexandre Alapetite <alexandre@alapetite.fr>
+     4  David Sferruzza <david.sferruzza@gmail.com>
+     3  Teromene <teromene@teromene.fr>
+     2  Chris Kuethe <chris.kuethe@gmail.com>
+     2  Knah Tsaeb <Knah-Tsaeb@knah-tsaeb.org>
+     2  Mathieu Chabanon <git@matchab.fr>
+     2  Miloš Jovanović <mjovanovic@gmail.com>
+     2  Qwerty <champlywood@free.fr>
+     2  Timo Van Neerden <fire@lehollandaisvolant.net>
+     2  julienCXX <software@chmodplusx.eu>
+     2  kalvn <kalvnthereal@gmail.com>
+     1  Adrien Oliva <adrien.oliva@yapbreak.fr>
+     1  Alexis J <alexis@effingo.be>
+     1  BoboTiG <bobotig@gmail.com>
+     1  Bronco <bronco@warriordudimanche.net>
+     1  D Low <daniellowtw@gmail.com>
+     1  Dimtion <zizou.xena@gmail.com>
+     1  Fanch <fanch-github@qth.fr>
+     1  Felix Bartels <felix@host-consultants.de>
+     1  Felix Kästner <github.com-fpunktk@fpunktk.de>
+     1  Florian Voigt <flvoigt@me.com>
+     1  Gary Marigliano <gmarigliano93@gmail.com>
+     1  Guillaume Virlet <github@virlet.org>
+     1  Jonathan Druart <jonathan.druart@gmail.com>
+     1  Julien Pivotto <roidelapluie@inuits.eu>
+     1  Kevin Canévet <kevin@streamroot.io>
+     1  Knah Tsaeb <knah-tsaeb@knah-tsaeb.org>
+     1  Lionel Martin <renarddesmers@gmail.com>
+     1  Marsup <marsup@gmail.com>
+     1  Sbgodin <Sbgodin@users.noreply.github.com>
+     1  TsT <tst2005@gmail.com>
+     1  dimtion <zizou.xena@gmail.com>
diff --git a/COPYING b/COPYING
index 547ea570..4bbdf2b3 100644
--- a/COPYING
+++ b/COPYING
@@ -1,33 +1,7 @@
 Files: *
 License: zlib/libpng
 Copyright: (c) 2011-2015 Sébastien SAUVAGE <sebsauvage@sebsauvage.net>
-           (c) 2011-2015 Alexandre Alapetite <alexandre@alapetite.fr>
-           (c) 2011-2015 David Sferruzza <david.sferruzza@gmail.com>
-           (c) 2011-2015 Christophe HENRY <christophe.henry@sbgodin.fr>
-           (c) 2011-2015 Mathieu Chabanon <git@matchab.fr>
-           (c) 2011-2015 BoboTiG <bobotig@gmail.com>
-           (c) 2011-2015 Bronco <bronco@warriordudimanche.net>
-           (c) 2011-2015 Emilien Klein <emilien@klein.st>
-           (c) 2011-2015 Knah Tsaeb <knah-tsaeb@knah-tsaeb.org>
-           (c) 2011-2015 Lionel Martin <renarddesmers@gmail.com>
-           (c) 2011-2015 lehollandaisvolant <levoltigeurhollandais@gmail.com>
-           (c) 2011-2015 timo van neerden <fire@lehollandaisvolant.net>
-           (c) 2011-2015 nodiscc <nodiscc@gmail.com>
-           (c) 2011-2015 Florian Eula <mr.pikzen@gmail.com>
-           (c) 2011-2015 Arthur Hoaro <arthur@hoa.ro>
-           (c) 2011-2015 Aurélien "VirtualTam" Tamisier <virtualtam@flibidi.net>
-           (c) 2011-2015 qwertygc <champlywood@free.fr>
-           (c) 2011-2015 idleman <idleman@idleman.fr>
-           (c) 2015 Alexis Ju <alexis@effingo.be>
-           (c) 2015 dimtion <zizou.xena@gmail.com>
-           (c) 2015 Fanch <fanch-github@qth.fr>
-           (c) 2015 Guillaume Virlet <github@virlet.org>
-           (c) 2015 Felix Bartels <felix@host-consultants.de>
-           (c) 2015 Marsup <marsup@gmail.com>
-           (c) 2015 Miloš Jovanović <mjovanovic@gmail.com>
-           (c) 2015 Nicolás Danelón <hola@nicolasdanelon.com.ar>
-           (c) 2015 TsT <tst2005@gmail.com>
-
+           (c) 2011-2017 The Shaarli Community, see AUTHORS
 
 Files: inc/reset.css
 License: BSD (http://opensource.org/licenses/BSD-3-Clause)
diff --git a/Makefile b/Makefile
index 60aec9a0..f3065b77 100644
--- a/Makefile
+++ b/Makefile
@@ -169,6 +169,12 @@ clean:
         @git clean -df
         @rm -rf sandbox
 
+### generate the AUTHORS file from Git commit information
+authors:
+        @cp .github/mailmap .mailmap
+        @git shortlog -sne > AUTHORS
+        @rm .mailmap
+
 ### generate Doxygen documentation
 doxygen: clean
         @rm -rf doxygen
@@ -214,4 +220,4 @@ htmlpages:
                         -o doc/$$base.html $$file; \
         done;
 
-htmldoc: doc htmlsidebar htmlpages
+htmldoc: authors doc htmlsidebar htmlpages
diff --git a/application/HttpUtils.php b/application/HttpUtils.php
index e8fc1f5d..a81f9056 100644
--- a/application/HttpUtils.php
+++ b/application/HttpUtils.php
@@ -122,7 +122,7 @@ function get_http_response($url, $timeout = 30, $maxBytes = 4194304)
     $content = substr($response, $headSize);
     $headers = array();
     foreach (preg_split('~[\r\n]+~', $rawHeadersLastRedir) as $line) {
-        if (empty($line) or ctype_space($line)) {
+        if (empty($line) || ctype_space($line)) {
             continue;
         }
         $splitLine = explode(': ', $line, 2);
diff --git a/application/LinkUtils.php b/application/LinkUtils.php
index cf58f808..976474de 100644
--- a/application/LinkUtils.php
+++ b/application/LinkUtils.php
@@ -89,7 +89,9 @@ function count_private($links)
 {
     $cpt = 0;
     foreach ($links as $link) {
-        $cpt = $link['private'] == true ? $cpt + 1 : $cpt;
+        if ($link['private']) {
+            $cpt += 1;
+        }
     }
 
     return $cpt;
diff --git a/application/Updater.php b/application/Updater.php
index 621c7238..eb03c6d3 100644
--- a/application/Updater.php
+++ b/application/Updater.php
@@ -69,7 +69,7 @@ class Updater
             return $updatesRan;
         }
 
-        if ($this->methods == null) {
+        if ($this->methods === null) {
             throw new UpdaterException('Couldn\'t retrieve Updater class methods.');
         }
 
@@ -308,6 +308,22 @@ class Updater
 
         return true;
     }
+
+    /**
+     * Move the file to inc/user.css to data/user.css.
+     *
+     * Note: Due to hardcoded paths, it's not unit testable. But one line of code should be fine.
+     *
+     * @return bool true if the update is successful, false otherwise.
+     */
+    public function updateMethodMoveUserCss()
+    {
+        if (! is_file('inc/user.css')) {
+            return true;
+        }
+
+        return rename('inc/user.css', 'data/user.css');
+    }
 }
 
 /**
diff --git a/application/api/ApiMiddleware.php b/application/api/ApiMiddleware.php
index 162e88e0..522091ca 100644
--- a/application/api/ApiMiddleware.php
+++ b/application/api/ApiMiddleware.php
@@ -98,8 +98,7 @@ class ApiMiddleware
      * @throws ApiAuthorizationException The token couldn't be validated.
      */
     protected function checkToken($request) {
-        $jwt = $request->getHeaderLine('jwt');
-        if (empty($jwt)) {
+        if (! $request->hasHeader('Authorization')) {
             throw new ApiAuthorizationException('JWT token not provided');
         }
 
@@ -107,7 +106,13 @@ class ApiMiddleware
             throw new ApiAuthorizationException('Token secret must be set in Shaarli\'s administration');
         }
 
-        ApiUtils::validateJwtToken($jwt, $this->conf->get('api.secret'));
+        $authorization = $request->getHeaderLine('Authorization');
+
+        if (! preg_match('/^Bearer (.*)/i', $authorization, $matches)) {
+            throw new ApiAuthorizationException('Invalid JWT header');
+        }
+
+        ApiUtils::validateJwtToken($matches[1], $this->conf->get('api.secret'));
     }
 
     /**
diff --git a/index.php b/index.php
index e553d1dd..a54dfb1d 100644
--- a/index.php
+++ b/index.php
@@ -204,7 +204,7 @@ function setup_login_state($conf)
         }
         // If session does not exist on server side, or IP address has changed, or session has expired, logout.
         if (empty($_SESSION['uid'])
-        || ($conf->get('security.session_protection_disabled') == false && $_SESSION['ip'] != allIPs())
+        || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs())
         || time() >= $_SESSION['expires_on'])
         {
             logout();
diff --git a/tests/api/ApiMiddlewareTest.php b/tests/api/ApiMiddlewareTest.php
index 4d4dd9b9..d9753b1d 100644
--- a/tests/api/ApiMiddlewareTest.php
+++ b/tests/api/ApiMiddlewareTest.php
@@ -143,7 +143,7 @@ class ApiMiddlewareTest extends \PHPUnit_Framework_TestCase
         $env = Environment::mock([
             'REQUEST_METHOD' => 'GET',
             'REQUEST_URI' => '/echo',
-            'HTTP_JWT'=> 'jwt',
+            'HTTP_AUTHORIZATION'=> 'Bearer jwt',
         ]);
         $request = Request::createFromEnvironment($env);
         $response = new Response();
@@ -157,7 +157,30 @@ class ApiMiddlewareTest extends \PHPUnit_Framework_TestCase
     }
 
     /**
-     * Invoke the middleware without an invalid JWT token (debug):
+     * Invoke the middleware with an invalid JWT token header
+     */
+    public function testInvalidJwtAuthHeaderDebug()
+    {
+        $this->conf->set('dev.debug', true);
+        $mw = new ApiMiddleware($this->container);
+        $env = Environment::mock([
+            'REQUEST_METHOD' => 'GET',
+            'REQUEST_URI' => '/echo',
+            'HTTP_AUTHORIZATION'=> 'PolarBearer jwt',
+        ]);
+        $request = Request::createFromEnvironment($env);
+        $response = new Response();
+        /** @var Response $response */
+        $response = $mw($request, $response, null);
+
+        $this->assertEquals(401, $response->getStatusCode());
+        $body = json_decode((string) $response->getBody());
+        $this->assertEquals('Not authorized: Invalid JWT header', $body->message);
+        $this->assertContains('ApiAuthorizationException', $body->stacktrace);
+    }
+
+    /**
+     * Invoke the middleware with an invalid JWT token (debug):
      * should return a 401 error Unauthorized - with a specific message and a stacktrace.
      *
      * Note: specific JWT errors tests are handled in ApiUtilsTest.
@@ -169,7 +192,7 @@ class ApiMiddlewareTest extends \PHPUnit_Framework_TestCase
         $env = Environment::mock([
             'REQUEST_METHOD' => 'GET',
             'REQUEST_URI' => '/echo',
-            'HTTP_JWT'=> 'bad jwt',
+            'HTTP_AUTHORIZATION'=> 'Bearer jwt',
         ]);
         $request = Request::createFromEnvironment($env);
         $response = new Response();
diff --git a/tpl/default/includes.html b/tpl/default/includes.html
index c3b837f5..17b78b17 100644
--- a/tpl/default/includes.html
+++ b/tpl/default/includes.html
@@ -8,7 +8,7 @@
 <link href="images/favicon.ico#" rel="shortcut icon" type="image/x-icon" />
 <link type="text/css" rel="stylesheet" href="css/reset.css" />
 <link type="text/css" rel="stylesheet" href="css/shaarli.css" />
-{if="is_file('inc/user.css')"}<link type="text/css" rel="stylesheet" href="inc/user.css#" />{/if}
+{if="is_file('data/user.css')"}<link type="text/css" rel="stylesheet" href="data/user.css#" />{/if}
 {loop="$plugins_includes.css_files"}
 <link type="text/css" rel="stylesheet" href="{$value}#"/>
 {/loop}