From 2bd08a7b3f6523e41e60204e08fced22b3d9af84 Mon Sep 17 00:00:00 2001 From: Nathan Sobo Date: Mon, 25 Apr 2022 20:10:14 -0600 Subject: [PATCH] Validate API token for all API routes --- crates/collab/src/api.rs | 40 +++++++++++++++++----------------------- 1 file changed, 17 insertions(+), 23 deletions(-) diff --git a/crates/collab/src/api.rs b/crates/collab/src/api.rs index 180066907e..6cdd28044c 100644 --- a/crates/collab/src/api.rs +++ b/crates/collab/src/api.rs @@ -31,7 +31,7 @@ pub fn routes(state: Arc) -> Router { } pub async fn validate_api_token(req: Request, next: Next) -> impl IntoResponse { - let mut auth_header = req + let token = req .headers() .get(http::header::AUTHORIZATION) .and_then(|header| header.to_str().ok()) @@ -40,8 +40,24 @@ pub async fn validate_api_token(req: Request, next: Next) -> impl IntoR StatusCode::BAD_REQUEST, "missing authorization header".to_string(), ) + })? + .strip_prefix("token ") + .ok_or_else(|| { + Error::Http( + StatusCode::BAD_REQUEST, + "invalid authorization header".to_string(), + ) })?; + let state = req.extensions().get::>().unwrap(); + + if token != state.api_token { + Err(Error::Http( + StatusCode::UNAUTHORIZED, + "invalid authorization token".to_string(), + ))? + } + Ok::<_, Error>(next.run(req).await) } @@ -163,25 +179,3 @@ async fn create_access_token( encrypted_access_token, })) } - -// #[async_trait] -// pub trait RequestExt { -// async fn require_token(&self) -> tide::Result<()>; -// } - -// #[async_trait] -// impl RequestExt for Request { -// async fn require_token(&self) -> tide::Result<()> { -// let token = self -// .header("Authorization") -// .and_then(|header| header.get(0)) -// .and_then(|header| header.as_str().strip_prefix("token ")) -// .ok_or_else(|| surf::Error::from_str(403, "invalid authorization header"))?; - -// if token == self.state().config.api_token { -// Ok(()) -// } else { -// Err(tide::Error::from_str(403, "invalid authorization token")) -// } -// } -// }