diff --git a/common/seaf-utils.c b/common/seaf-utils.c
index 8310da2..ed1c99d 100644
--- a/common/seaf-utils.c
+++ b/common/seaf-utils.c
@@ -494,3 +494,29 @@ out:
 return jwt_token;
 }
 #endif
+
+char *
+seaf_parse_auth_token (const char *auth_token)
+{
+ char *token = NULL;
+ char **parts = NULL;
+
+ if (!auth_token) {
+ return NULL;
+ }
+
+ parts = g_strsplit (auth_token, " ", 2);
+ if (!parts) {
+ return NULL;
+ }
+
+ if (g_strv_length (parts) < 2) {
+ g_strfreev (parts);
+ return NULL;
+ }
+
+ token = g_strdup(parts[1]);
+
+ g_strfreev (parts);
+ return token;
+}
diff --git a/common/seaf-utils.h b/common/seaf-utils.h
index 6aecc61..7c9349d 100644
--- a/common/seaf-utils.h
+++ b/common/seaf-utils.h
@@ -24,4 +24,7 @@ load_seahub_private_key (SeafileSession *session, const char *conf_dir);
 char *
 seaf_gen_notif_server_jwt (const char *repo_id, const char *username);
+char *
+seaf_parse_auth_token (const char *auth_token);
+
 #endif
diff --git a/fileserver/sync_api.go b/fileserver/sync_api.go
index bccb6d2..54b36ad 100644
--- a/fileserver/sync_api.go
+++ b/fileserver/sync_api.go
@@ -1166,8 +1166,11 @@ func checkPermission(repoID, user, op string, skipCache bool) *appError {
 func validateToken(r *http.Request, repoID string, skipCache bool) (string, *appError) {
 token := r.Header.Get("Seafile-Repo-Token")
 if token == "" {
- msg := "token is null"
- return "", &appError{nil, msg, http.StatusBadRequest}
+ token = utils.GetAuthorizationToken(r.Header)
+ if token == "" {
+ msg := "token is null"
+ return "", &appError{nil, msg, http.StatusBadRequest}
+ }
 }
 if value, ok := tokenCache.Load(token); ok {
diff --git a/fileserver/utils/http.go b/fileserver/utils/http.go
index d0c8935..b1fe79c 100644
--- a/fileserver/utils/http.go
+++ b/fileserver/utils/http.go
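Review bot: seaf_parse_auth_token accepts any Authorization scheme and an empty credential: `g_strsplit (auth_token, " ", 2)` never looks at parts[0], and for a header value such as `Token ` (trailing space) parts[1] is "", so a non-NULL empty string is returned and validate_token proceeds to a lookup instead of answering 400, whereas the Go side in sync_api.go rejects `token == ""` after its helper. I would check the scheme (presumably `Token`; confirm against the clients) and reject an empty credential in the same guard, e.g. `if (g_strv_length (parts) < 2 || parts[1][0] == '\0' || g_ascii_strcasecmp (parts[0], "Token") != 0) {`. The function also needs a header comment stating that the returned string is newly allocated and the caller must g_free it, since every exit of validate_token now depends on that.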
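Review bot: The fallback to the Authorization header is invisible at this call site, and since validateToken's body continues outside the hunk a reader cannot tell which header the cached token came from. A one-line comment above the new assignment would help: `// Fall back to the Authorization header when Seafile-Repo-Token is absent; utils.GetAuthorizationToken returns "" if it is missing or malformed.` Note that the helper does not validate the scheme, so any Authorization value is now looked up in tokenCache before the 400 path is reached.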
@@ -5,10 +5,20 @@ import (
 "fmt"
 "io"
 "net/http"
+ "strings"
 )
 var HttpReqContext, HttpReqCancel = context.WithCancel(context.Background())
+func GetAuthorizationToken(h http.Header) string {
+ auth := h.Get("Authorization")
+ splitResult := strings.Split(auth, " ")
+ if len(splitResult) > 1 {
+ return splitResult[1]
+ }
+ return ""
+}
+
 func HttpCommon(method, url string, header map[string][]string, reader io.Reader) (int, []byte, error) {
 req, err := http.NewRequestWithContext(HttpReqContext, method, url, reader)
 if err != nil {
diff --git a/server/http-server.c b/server/http-server.c
index 1cba4ea..8839c21 100644
--- a/server/http-server.c
+++ b/server/http-server.c
@@ -235,11 +235,17 @@ validate_token (HttpServer *htp_server, evhtp_request_t *req,
 {
 char *email = NULL;
 TokenInfo *token_info;
+ char *tmp_token = NULL;
 const char *token = evhtp_kv_find (req->headers_in, "Seafile-Repo-Token");
 if (token == NULL) {
- evhtp_send_reply (req, EVHTP_RES_BADREQ);
- return EVHTP_RES_BADREQ;
+ const char *auth_token = evhtp_kv_find (req->headers_in, "Authorization");
+ tmp_token = seaf_parse_auth_token (auth_token);
+ if (tmp_token == NULL) {
+ evhtp_send_reply (req, EVHTP_RES_BADREQ);
+ return EVHTP_RES_BADREQ;
+ }
+ token = tmp_token;
 }
 if (!skip_cache) {
@@ -249,12 +255,14 @@ validate_token (HttpServer *htp_server, evhtp_request_t *req,
 if (token_info) {
 if (strcmp (token_info->repo_id, repo_id) != 0) {
 pthread_mutex_unlock (&htp_server->token_cache_lock);
+ g_free (tmp_token);
 return EVHTP_RES_FORBIDDEN;
 }
 if (username) *username = g_strdup(token_info->email);
 pthread_mutex_unlock (&htp_server->token_cache_lock);
+ g_free (tmp_token);
 return EVHTP_RES_OK;
 }
@@ -267,6 +275,7 @@ validate_token (HttpServer *htp_server, evhtp_request_t *req,
 pthread_mutex_lock (&htp_server->token_cache_lock);
 g_hash_table_remove (htp_server->token_cache, token);
 pthread_mutex_unlock (&htp_server->token_cache_lock);
+ g_free (tmp_token);
 return EVHTP_RES_FORBIDDEN;
 }
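Review bot: GetAuthorizationToken returns whatever follows the first space of the Authorization header without checking the scheme, so a `Bearer <jwt>` or `Basic <creds>` sent for some other purpose is handed to validateToken as if it were a repo token, and `strings.Split` silently discards anything after a second space. I would use `strings.Cut` and compare the scheme (presumably `Token`; confirm with the clients): `scheme, token, ok := strings.Cut(h.Get("Authorization"), " ")` / `if !ok || !strings.EqualFold(scheme, "Token") { return "" }` / `return token`. The exported function also has no doc comment; `// GetAuthorizationToken returns the credential part of the Authorization header, or "" when the header is absent or malformed.` would do. seaf_parse_auth_token in common/seaf-utils.c has the same gap, and the two parsers should agree on the accepted scheme.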
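Review bot: From `token = tmp_token;` onward the two pointers alias one heap string, and correctness now depends on a `g_free (tmp_token)` preceding every return; the hunks at -249, -267 and -281 add them (unconditionally, which is fine since g_free accepts NULL), but the lines between -267 and -281 are not in the diff, so any return there, or any code that stores `token` itself rather than a copy (for instance as the token_cache key), would leak or leave a dangling pointer — worth confirming. A single cleanup exit, e.g. an `out:` label with one `g_free (tmp_token);` that every path jumps to, would make the next return added to this function safe by default. validate_token starts before this hunk and its remaining exits are spread over the later hunks.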
@@ -281,6 +290,7 @@ validate_token (HttpServer *htp_server, evhtp_request_t *req,
 if (username) *username = g_strdup(email);
+ g_free (tmp_token);
 return EVHTP_RES_OK;
 }