From 48d7ec6919bc9f5b04fc1754e0bb40b20abcb128 Mon Sep 17 00:00:00 2001
From: Tulir Asokan <tulir@maunium.net>
Date: Tue, 24 Nov 2020 16:48:29 +0200
Subject: [PATCH] Allow browsers to authenticate in login websocket

---
 provisioning.go | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/provisioning.go b/provisioning.go
index 5b19ae6..c0048a7 100644
--- a/provisioning.go
+++ b/provisioning.go
@@ -53,7 +53,18 @@ func (prov *ProvisioningAPI) Init() {
 func (prov *ProvisioningAPI) AuthMiddleware(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		auth := r.Header.Get("Authorization")
-		auth = auth[len("Bearer "):]
+		if len(auth) == 0 && strings.HasSuffix(r.URL.Path, "/login") {
+			authParts := strings.Split(r.Header.Get("Sec-WebSocket-Protocol"), ",")
+			for _, part := range authParts {
+				part = strings.TrimSpace(part)
+				if strings.HasPrefix(part, "net.maunium.whatsapp.auth-") {
+					auth = part[len("net.maunium.whatsapp.auth-"):]
+					break
+				}
+			}
+		} else if strings.HasPrefix(auth, "Bearer ") {
+			auth = auth[len("Bearer "):]
+		}
 		if auth != prov.bridge.Config.AppService.Provisioning.SharedSecret {
 			jsonResponse(w, http.StatusForbidden, map[string]interface{}{
 				"error":   "Invalid auth token",
@@ -320,7 +331,12 @@ func (prov *ProvisioningAPI) Logout(w http.ResponseWriter, r *http.Request) {
 	jsonResponse(w, http.StatusOK, Response{true, "Logged out successfully."})
 }
 
-var upgrader = websocket.Upgrader{}
+var upgrader = websocket.Upgrader{
+	CheckOrigin: func(r *http.Request) bool {
+		return true
+	},
+	Subprotocols: []string{"net.maunium.whatsapp.login"},
+}
 
 func (prov *ProvisioningAPI) Login(w http.ResponseWriter, r *http.Request) {
 	userID := r.URL.Query().Get("user_id")