core/api: normalize bearer authorization

This commit is contained in:
jj 2024-10-20 10:00:00 +00:00
parent 0e52e1f8b0
commit d55dddea2e
No known key found for this signature in database


@ -158,19 +158,20 @@ export const runAPI = (express, app, __dirname) => {
return fail(res, "error.api.auth.jwt.missing"); return fail(res, "error.api.auth.jwt.missing");
} }
if (!authorization.startsWith("Bearer ") || authorization.length > 256) { if (authorization.length >= 256) {
return fail(res, "error.api.auth.jwt.invalid"); return fail(res, "error.api.auth.jwt.invalid");
} }
const verifyJwt = jwt.verify( const [ type, token, ...rest ] = authorization.split(" ");
authorization.split("Bearer ", 2)[1] if (!token || type.toLowerCase() !== 'bearer' || rest.length) {
);
if (!verifyJwt) {
return fail(res, "error.api.auth.jwt.invalid"); return fail(res, "error.api.auth.jwt.invalid");
} }
req.rateLimitKey = generateHmac(req.header("Authorization"), ipSalt); if (!jwt.verify(token)) {
return fail(res, "error.api.auth.jwt.invalid");
}
req.rateLimitKey = generateHmac(token, ipSalt);
} catch { } catch {
return fail(res, "error.api.generic"); return fail(res, "error.api.generic");
} }