API: expect JWT in the Authorization header
Relates to https://github.com/shaarli/Shaarli/pull/731 Added: - require the presence of the 'Authorization' header Changed: - use the HTTP Bearer Token authorization schema See: - https://jwt.io/introduction/#how-do-json-web-tokens-work- - https://tools.ietf.org/html/rfc6750 - http://security.stackexchange.com/q/108662 Signed-off-by: VirtualTam <virtualtam@flibidi.net>
This commit is contained in:
VirtualTam
VirtualTam
parent
37ab940599
commit
63ef549749
2 changed files with 34 additions and 6 deletions
application/api
|
|
@ -98,8 +98,7 @@ class ApiMiddleware
|
|||
* @throws ApiAuthorizationException The token couldn't be validated.
|
||||
*/
|
||||
protected function checkToken($request) {
|
||||
$jwt = $request->getHeaderLine('jwt');
|
||||
if (empty($jwt)) {
|
||||
if (! $request->hasHeader('Authorization')) {
|
||||
throw new ApiAuthorizationException('JWT token not provided');
|
||||
}
|
||||
|
||||
|
|
@ -107,7 +106,13 @@ class ApiMiddleware
|
|||
throw new ApiAuthorizationException('Token secret must be set in Shaarli\'s administration');
|
||||
}
|
||||
|
||||
ApiUtils::validateJwtToken($jwt, $this->conf->get('api.secret'));
|
||||
$authorization = $request->getHeaderLine('Authorization');
|
||||
|
||||
if (! preg_match('/^Bearer (.*)/i', $authorization, $matches)) {
|
||||
throw new ApiAuthorizationException('Invalid JWT header');
|
||||
}
|
||||
|
||||
ApiUtils::validateJwtToken($matches[1], $this->conf->get('api.secret'));
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue