Add check Authorization header (#686)

Co-authored-by: 杨赫然 <heran.yang@seafile.com>

common/seaf-utils.c

@@ -494,3 +494,29 @@ out:
     return jwt_token;
 }
 #endif
+
+char *
+seaf_parse_auth_token (const char *auth_token)
+{
+    char *token = NULL;
+    char **parts = NULL;
+
+    if (!auth_token) {
+        return NULL;
+    }
+
+    parts = g_strsplit (auth_token, " ", 2);
+    if (!parts) {
+        return NULL;
+    }
+
+    if (g_strv_length (parts) < 2) {
+        g_strfreev (parts);
+        return NULL;
+    }
+
+    token = g_strdup(parts[1]);
+
+    g_strfreev (parts);
+    return token;
+}

common/seaf-utils.h

@@ -24,4 +24,7 @@ load_seahub_private_key (SeafileSession *session, const char *conf_dir);
 char *
 seaf_gen_notif_server_jwt (const char *repo_id, const char *username);
 
+char *
+seaf_parse_auth_token (const char *auth_token);
+
 #endif

fileserver/sync_api.go

@@ -1166,8 +1166,11 @@ func checkPermission(repoID, user, op string, skipCache bool) *appError {
 func validateToken(r *http.Request, repoID string, skipCache bool) (string, *appError) {
 	token := r.Header.Get("Seafile-Repo-Token")
 	if token == "" {
-		msg := "token is null"
-		return "", &appError{nil, msg, http.StatusBadRequest}
+		token = utils.GetAuthorizationToken(r.Header)
+		if token == "" {
+			msg := "token is null"
+			return "", &appError{nil, msg, http.StatusBadRequest}
+		}
 	}
 
 	if value, ok := tokenCache.Load(token); ok {

fileserver/utils/http.go

@@ -5,10 +5,20 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"strings"
 )
 
 var HttpReqContext, HttpReqCancel = context.WithCancel(context.Background())
 
+func GetAuthorizationToken(h http.Header) string {
+	auth := h.Get("Authorization")
+	splitResult := strings.Split(auth, " ")
+	if len(splitResult) > 1 {
+		return splitResult[1]
+	}
+	return ""
+}
+
 func HttpCommon(method, url string, header map[string][]string, reader io.Reader) (int, []byte, error) {
 	req, err := http.NewRequestWithContext(HttpReqContext, method, url, reader)
 	if err != nil {

server/http-server.c

@@ -235,11 +235,17 @@ validate_token (HttpServer *htp_server, evhtp_request_t *req,
 {
     char *email = NULL;
     TokenInfo *token_info;
+    char *tmp_token = NULL;
 
     const char *token = evhtp_kv_find (req->headers_in, "Seafile-Repo-Token");
     if (token == NULL) {
-        evhtp_send_reply (req, EVHTP_RES_BADREQ);
-        return EVHTP_RES_BADREQ;
+        const char *auth_token = evhtp_kv_find (req->headers_in, "Authorization");
+        tmp_token = seaf_parse_auth_token (auth_token);
+        if (tmp_token == NULL) {
+            evhtp_send_reply (req, EVHTP_RES_BADREQ);
+            return EVHTP_RES_BADREQ;
+        }
+        token = tmp_token;
     }
 
     if (!skip_cache) {
@@ -249,12 +255,14 @@ validate_token (HttpServer *htp_server, evhtp_request_t *req,
         if (token_info) {
             if (strcmp (token_info->repo_id, repo_id) != 0) {
                 pthread_mutex_unlock (&htp_server->token_cache_lock);
+                g_free (tmp_token);
                 return EVHTP_RES_FORBIDDEN;
             }
 
             if (username)
                 *username = g_strdup(token_info->email);
             pthread_mutex_unlock (&htp_server->token_cache_lock);
+            g_free (tmp_token);
             return EVHTP_RES_OK;
         }
 
@@ -267,6 +275,7 @@ validate_token (HttpServer *htp_server, evhtp_request_t *req,
         pthread_mutex_lock (&htp_server->token_cache_lock);
         g_hash_table_remove (htp_server->token_cache, token);
         pthread_mutex_unlock (&htp_server->token_cache_lock);
+        g_free (tmp_token);
         return EVHTP_RES_FORBIDDEN;
     }
 
@@ -281,6 +290,7 @@ validate_token (HttpServer *htp_server, evhtp_request_t *req,
 
     if (username)
         *username = g_strdup(email);
+    g_free (tmp_token);
     return EVHTP_RES_OK;
 }