From 63ef549749fac9d0e302842f06e7794d1daabc13 Mon Sep 17 00:00:00 2001
From: VirtualTam <virtualtam@flibidi.net>
Date: Sat, 7 Jan 2017 22:23:47 +0100
Subject: API: expect JWT in the Authorization header

Relates to https://github.com/shaarli/Shaarli/pull/731

Added:
- require the presence of the 'Authorization' header

Changed:
- use the HTTP Bearer Token authorization schema

See:
- https://jwt.io/introduction/#how-do-json-web-tokens-work-
- https://tools.ietf.org/html/rfc6750
- http://security.stackexchange.com/q/108662

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
---
 application/api/ApiMiddleware.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

(limited to 'application/api/ApiMiddleware.php')

diff --git a/application/api/ApiMiddleware.php b/application/api/ApiMiddleware.php
index 162e88e0..522091ca 100644
--- a/application/api/ApiMiddleware.php
+++ b/application/api/ApiMiddleware.php
@@ -98,8 +98,7 @@ class ApiMiddleware
      * @throws ApiAuthorizationException The token couldn't be validated.
      */
     protected function checkToken($request) {
-        $jwt = $request->getHeaderLine('jwt');
-        if (empty($jwt)) {
+        if (! $request->hasHeader('Authorization')) {
             throw new ApiAuthorizationException('JWT token not provided');
         }
 
@@ -107,7 +106,13 @@ class ApiMiddleware
             throw new ApiAuthorizationException('Token secret must be set in Shaarli\'s administration');
         }
 
-        ApiUtils::validateJwtToken($jwt, $this->conf->get('api.secret'));
+        $authorization = $request->getHeaderLine('Authorization');
+
+        if (! preg_match('/^Bearer (.*)/i', $authorization, $matches)) {
+            throw new ApiAuthorizationException('Invalid JWT header');
+        }
+
+        ApiUtils::validateJwtToken($matches[1], $this->conf->get('api.secret'));
     }
 
     /**
-- 
cgit v1.2.3