From 63ef549749fac9d0e302842f06e7794d1daabc13 Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Sat, 7 Jan 2017 22:23:47 +0100 Subject: API: expect JWT in the Authorization header Relates to https://github.com/shaarli/Shaarli/pull/731 Added: - require the presence of the 'Authorization' header Changed: - use the HTTP Bearer Token authorization schema See: - https://jwt.io/introduction/#how-do-json-web-tokens-work- - https://tools.ietf.org/html/rfc6750 - http://security.stackexchange.com/q/108662 Signed-off-by: VirtualTam --- application/api/ApiMiddleware.php | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'application/api/ApiMiddleware.php') diff --git a/application/api/ApiMiddleware.php b/application/api/ApiMiddleware.php index 162e88e0..522091ca 100644 --- a/application/api/ApiMiddleware.php +++ b/application/api/ApiMiddleware.php @@ -98,8 +98,7 @@ class ApiMiddleware * @throws ApiAuthorizationException The token couldn't be validated. */ protected function checkToken($request) { - $jwt = $request->getHeaderLine('jwt'); - if (empty($jwt)) { + if (! $request->hasHeader('Authorization')) { throw new ApiAuthorizationException('JWT token not provided'); } @@ -107,7 +106,13 @@ class ApiMiddleware throw new ApiAuthorizationException('Token secret must be set in Shaarli\'s administration'); } - ApiUtils::validateJwtToken($jwt, $this->conf->get('api.secret')); + $authorization = $request->getHeaderLine('Authorization'); + + if (! preg_match('/^Bearer (.*)/i', $authorization, $matches)) { + throw new ApiAuthorizationException('Invalid JWT header'); + } + + ApiUtils::validateJwtToken($matches[1], $this->conf->get('api.secret')); } /** -- cgit v1.2.3