Allow clients to supply access_tokens as headers

Clients can continue to supply access tokens as query parameters or can supply the token as a header: Authorization: Bearer <access_token_goes_here> This matches the ouath2 format of https://tools.ietf.org/html/rfc6750#section-2.1
2024-11-05 22:28:54 +01:00 · 2016-09-09 18:17:42 +01:00 · 2016-09-09 18:17:42 +01:00 · 8e01263587
commit 8e01263587
parent 8aee5aa068
1 changed files with 38 additions and 10 deletions
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@ -1158,7 +1158,8 @@ def has_access_token(request):
        bool: False if no access_token was given, True otherwise.
    """
    query_params = request.args.get("access_token")
-    return bool(query_params)
+    auth_headers = request.requestHeaders.getRawHeaders("Authorization")
+    return bool(query_params) or bool(auth_headers)


 def get_access_token_from_request(request, token_not_found_http_status=401):
@ -1176,7 +1177,34 @@ def get_access_token_from_request(request, token_not_found_http_status=401):
    Raises:
        AuthError: If there isn't an access_token in the request.
    """
+
+    auth_headers = request.requestHeaders.getRawHeaders("Authorization")
    query_params = request.args.get("access_token")
+    if auth_headers is not None:
+        # Try the get the access_token from a "Authorization: Bearer"
+        # header
+        if query_params is not None:
+            raise AuthError(
+                token_not_found_http_status,
+                "Mixing Authorization headers and access_token query parameters.",
+                errcode=Codes.MISSING_TOKEN,
+            )
+        if len(auth_headers) > 1:
+            raise AuthError(
+                token_not_found_http_status,
+                "Too many Authorization headers.",
+                errcode=Codes.MISSING_TOKEN,
+            )
+        parts = auth_headers[0].split(" ")
+        if parts[0] == "Bearer" and len(parts) == 2:
+            return parts[1]
+        else:
+            raise AuthError(
+                token_not_found_http_status,
+                "Invalid Authorization header.",
+                errcode=Codes.MISSING_TOKEN,
+            )
+    else:
        # Try to get the access_token from the query params.
        if not query_params:
            raise AuthError(