summary refs log tree commit diff
path: root/synapse/api/auth.py
diff options
context:
space:
mode:
authorMark Haines <mjark@negativecurvature.net>2016-10-25 17:33:15 +0100
committerGitHub <noreply@github.com>2016-10-25 17:33:15 +0100
commit177f104432b3ab124bb0ae0b7e0e1c2eeae2f492 (patch)
tree0118fd2870598a004d7439f67e21c8651f425643 /synapse/api/auth.py
parentMerge branch 'release-v0.18.2' of github.com:matrix-org/synapse into develop (diff)
parentMerge branch 'develop' into markjh/bearer_token (diff)
downloadsynapse-177f104432b3ab124bb0ae0b7e0e1c2eeae2f492.tar.xz
Merge pull request #1098 from matrix-org/markjh/bearer_token
Allow clients to supply access_tokens as headers
Diffstat (limited to 'synapse/api/auth.py')
-rw-r--r--synapse/api/auth.py46
1 files changed, 37 insertions, 9 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index b6a151a7ec..69b3392735 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -1170,7 +1170,8 @@ def has_access_token(request):
         bool: False if no access_token was given, True otherwise.
     """
     query_params = request.args.get("access_token")
-    return bool(query_params)
+    auth_headers = request.requestHeaders.getRawHeaders("Authorization")
+    return bool(query_params) or bool(auth_headers)
 
 
 def get_access_token_from_request(request, token_not_found_http_status=401):
@@ -1188,13 +1189,40 @@ def get_access_token_from_request(request, token_not_found_http_status=401):
     Raises:
         AuthError: If there isn't an access_token in the request.
     """
+
+    auth_headers = request.requestHeaders.getRawHeaders("Authorization")
     query_params = request.args.get("access_token")
-    # Try to get the access_token from the query params.
-    if not query_params:
-        raise AuthError(
-            token_not_found_http_status,
-            "Missing access token.",
-            errcode=Codes.MISSING_TOKEN
-        )
+    if auth_headers:
+        # Try the get the access_token from a "Authorization: Bearer"
+        # header
+        if query_params is not None:
+            raise AuthError(
+                token_not_found_http_status,
+                "Mixing Authorization headers and access_token query parameters.",
+                errcode=Codes.MISSING_TOKEN,
+            )
+        if len(auth_headers) > 1:
+            raise AuthError(
+                token_not_found_http_status,
+                "Too many Authorization headers.",
+                errcode=Codes.MISSING_TOKEN,
+            )
+        parts = auth_headers[0].split(" ")
+        if parts[0] == "Bearer" and len(parts) == 2:
+            return parts[1]
+        else:
+            raise AuthError(
+                token_not_found_http_status,
+                "Invalid Authorization header.",
+                errcode=Codes.MISSING_TOKEN,
+            )
+    else:
+        # Try to get the access_token from the query params.
+        if not query_params:
+            raise AuthError(
+                token_not_found_http_status,
+                "Missing access token.",
+                errcode=Codes.MISSING_TOKEN
+            )
 
-    return query_params[0]
+        return query_params[0]