root/golib
1
0
Fork 0
mirror of https://github.com/therootcompany/golib.git synced 2026-03-02 23:57:59 +00:00
Code Issues Projects Releases Wiki Activity

fix: nil AuthorizationSchemes skips Authorization header (not any-scheme wildcard)

Browse Source 
Co-authored-by: coolaj86 <122831+coolaj86@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot] 2026-03-02 07:35:22 +00:00
parent c8eabab03d
commit 886888d6bb
3 changed files with 9 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
auth/request.go
View File

@ -16,8 +16,8 @@ var ErrNoCredentials = errors.New("no credentials provided")
// header tokens, custom token headers, and query-parameter tokens. // header tokens, custom token headers, and query-parameter tokens.
type RequestAuthenticator struct { type RequestAuthenticator struct {
// AuthorizationSchemes lists accepted schemes for "Authorization: <scheme> <token>". // AuthorizationSchemes lists accepted schemes for "Authorization: <scheme> <token>".
// nil accepts any scheme; a non-nil empty slice skips the Authorization header // nil or an empty slice skips the Authorization header entirely;
// entirely; ["*"] also accepts any scheme; ["Bearer", "Token"] restricts to those. // ["*"] accepts any scheme; ["Bearer", "Token"] restricts to those schemes.
AuthorizationSchemes []string AuthorizationSchemes []string
// TokenHeaders lists header names checked for bearer tokens, // TokenHeaders lists header names checked for bearer tokens,
@ -43,14 +43,14 @@ func (ra *RequestAuthenticator) Authenticate(r *http.Request, a BasicAuthenticat
} }
// 2. Authorization: <scheme> <token> // 2. Authorization: <scheme> <token>
// nil AuthorizationSchemes accepts any scheme; a non-nil empty slice skips. // AuthorizationSchemes must be non-empty to check the Authorization header;
if ra.AuthorizationSchemes == nil || len(ra.AuthorizationSchemes) > 0 { // nil or empty skips it entirely.
if len(ra.AuthorizationSchemes) > 0 {
if authHeader := r.Header.Get("Authorization"); authHeader != "" { if authHeader := r.Header.Get("Authorization"); authHeader != "" {
parts := strings.SplitN(authHeader, " ", 2) parts := strings.SplitN(authHeader, " ", 2)
if len(parts) == 2 { if len(parts) == 2 {
scheme, token := parts[0], strings.TrimSpace(parts[1]) scheme, token := parts[0], strings.TrimSpace(parts[1])
if ra.AuthorizationSchemes == nil || if ra.AuthorizationSchemes[0] == "*" ||
ra.AuthorizationSchemes[0] == "*" ||
slices.Contains(ra.AuthorizationSchemes, scheme) { slices.Contains(ra.AuthorizationSchemes, scheme) {
return a.Authenticate("", token) return a.Authenticate("", token)
} }

7
cmd/auth-proxy/main.go
View File

@ -593,13 +593,8 @@ func matchPattern(grant, rMethod, rHost, rPath string) bool {
} }
func (cli *MainConfig) authenticate(r *http.Request) (auth.BasicPrinciple, error) { func (cli *MainConfig) authenticate(r *http.Request) (auth.BasicPrinciple, error) {
// nil AuthorizationHeaderSchemes means "not configured" → skip Authorization header.
schemes := cli.AuthorizationHeaderSchemes
if schemes == nil {
schemes = []string{} // non-nil empty slice → skip Authorization header
}
ra := auth.RequestAuthenticator{ ra := auth.RequestAuthenticator{
AuthorizationSchemes: schemes, AuthorizationSchemes: cli.AuthorizationHeaderSchemes,
TokenHeaders: cli.TokenHeaderNames, TokenHeaders: cli.TokenHeaderNames,
TokenQueryParams: cli.QueryParamNames, TokenQueryParams: cli.QueryParamNames,
} }

1
cmd/smsapid/main.go
View File

@ -36,6 +36,7 @@ var pingWriter jsonl.Writer
var smsAuth *csvauth.Auth var smsAuth *csvauth.Auth
var smsRequestAuth = &auth.RequestAuthenticator{ var smsRequestAuth = &auth.RequestAuthenticator{
AuthorizationSchemes: []string{"*"},
TokenHeaders: []string{"API-Key", "X-API-Key"}, TokenHeaders: []string{"API-Key", "X-API-Key"},
} }