diff options
| author | Mark Haines <mjark@negativecurvature.net> | 2016-10-25 17:33:15 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2016-10-25 17:33:15 +0100 |
| commit | 177f104432b3ab124bb0ae0b7e0e1c2eeae2f492 (patch) | |
| tree | 0118fd2870598a004d7439f67e21c8651f425643 /synapse/api | |
| parent | Merge branch 'release-v0.18.2' of github.com:matrix-org/synapse into develop (diff) | |
| parent | Merge branch 'develop' into markjh/bearer_token (diff) | |
| download | synapse-177f104432b3ab124bb0ae0b7e0e1c2eeae2f492.tar.xz | |
Merge pull request #1098 from matrix-org/markjh/bearer_token
Allow clients to supply access_tokens as headers
Diffstat (limited to 'synapse/api')
| -rw-r--r-- | synapse/api/auth.py | 46 |
1 files changed, 37 insertions, 9 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py index b6a151a7ec..69b3392735 100644 --- a/synapse/api/auth.py +++ b/synapse/api/auth.py @@ -1170,7 +1170,8 @@ def has_access_token(request): bool: False if no access_token was given, True otherwise. """ query_params = request.args.get("access_token") - return bool(query_params) + auth_headers = request.requestHeaders.getRawHeaders("Authorization") + return bool(query_params) or bool(auth_headers) def get_access_token_from_request(request, token_not_found_http_status=401): @@ -1188,13 +1189,40 @@ def get_access_token_from_request(request, token_not_found_http_status=401): Raises: AuthError: If there isn't an access_token in the request. """ + + auth_headers = request.requestHeaders.getRawHeaders("Authorization") query_params = request.args.get("access_token") - # Try to get the access_token from the query params. - if not query_params: - raise AuthError( - token_not_found_http_status, - "Missing access token.", - errcode=Codes.MISSING_TOKEN - ) + if auth_headers: + # Try the get the access_token from a "Authorization: Bearer" + # header + if query_params is not None: + raise AuthError( + token_not_found_http_status, + "Mixing Authorization headers and access_token query parameters.", + errcode=Codes.MISSING_TOKEN, + ) + if len(auth_headers) > 1: + raise AuthError( + token_not_found_http_status, + "Too many Authorization headers.", + errcode=Codes.MISSING_TOKEN, + ) + parts = auth_headers[0].split(" ") + if parts[0] == "Bearer" and len(parts) == 2: + return parts[1] + else: + raise AuthError( + token_not_found_http_status, + "Invalid Authorization header.", + errcode=Codes.MISSING_TOKEN, + ) + else: + # Try to get the access_token from the query params. + if not query_params: + raise AuthError( + token_not_found_http_status, + "Missing access token.", + errcode=Codes.MISSING_TOKEN + ) - return query_params[0] + return query_params[0] |