mirror of
https://github.com/mattermost/mattermost.git
synced 2026-02-03 20:40:00 -05:00
c28d13cbc9
* Add parser and hasher packages The new `password` module includes two packages: - `hashers` provides a structure allowing for seamless migrations between password hashing methods. It also implements two password hashers: bcrypt, which was the current hashing method, and PBKDF2, which is the one we are migrating to. - `parser` provides types and primitives to parse PHC[0] strings, serving as the foundation of the `PasswordHasher` interface and implementations, which are all PHC-based. [0] https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md * Use latest hasher to hash new passwords The previous commit added a LatestHasher variable, that contains the `PasswordHasher` currently in use. Here, we make sure we use it for hashing new passwords, instead of the currently hardcoded bcrypt. * Use errors from hashers' package Some chore work to unify errors defined in `hashers`, not from external packages like `bcrypt`. * Implement password migration logic This commit implements the actual logic to migrate passwords, which can be summarized as: 0. When the user enters their password (either for login in `App.CheckPasswordAndAllCriteria` or for double-checking the password when the app needs additional confirmation for anything in `App.DoubleCheckPassword`), this process is started. 1. The new `App.checkUserPassword` is called. In `users.CheckUserPassword`, we parse the stored hashed password with the new PHC parser and identify whether it was generated with the current hashing method (PBKDF2). If it is, just verify the password as usual and continue normally. 2. If not, start the migration calling `App.migratePassword`: a. First, we call `Users.MigratePassword`, which validates that the stored hash and the provided password match, using the hasher that generated the old hash. b. If the user-provided password matches the old hash, then we simply re-hash that password with our current hasher, the one in `hashers.LatestHasher`. If not, we fail. c. Back in `App.migratePassword`, if the migration was successful, then we update the user in the database with the newly generated hash. * make i18n-extract * Rename getDefaultHasher to getOriginalHasher * Refactor App checkUserPsasword and migratePassword Simplify the flow in these two methods, removing the similarly named users.CheckUserPassword and users.MigratePassword, inlining the logic needed in the App layer and at the same time removing the need to parse the stored hash twice. This implements a package-level function, CompareHashAndPassword: the first step to unexport LatestHasher. * Add a package level Hash method This completely removes the need to expose LatestHasher, and lets us also remove model.HashPassword, in favour of the new hashers.Hash * Unexport LatestHasher * Remove tests for removed functions * Make the linter happy * Remove error no longer used * Allow for parameter migrations on the same hasher Before this, we were only checking that the function ID of the stored hash was the ID of the latest hashing method. Here, we no longer ignore the parameters, so that if in the future we need to migrate to the same hashing method with a different parameter (let's say PBKDF2 with work factor 120,000 instead of work factor 60,000), we can do it by updating the latestHasher variable. IsPHCValid will detect this change and force a migration if needed. * Document new functions * make i18n-extract * Fix typo in comment Co-authored-by: Ben Cooke <benkcooke@gmail.com> * Rename parser package to phcparser * Simplify phcparser.New documentation * Rename scanSymbol to scanSeparator Redefine the list of separator tokens, including EOF as one. * Document undocumented functions that are unexported * Reorder error block in checkUserPassword * Add unit tests for IsLatestHasher * Reorder code in parser.go * Enforce SHA256 as internal function for PBKDF2 * Fix typo in comment Co-authored-by: Eva Sarafianou <eva.sarafianou@gmail.com> --------- Co-authored-by: Ben Cooke <benkcooke@gmail.com> Co-authored-by: Eva Sarafianou <eva.sarafianou@gmail.com> Co-authored-by: Mattermost Build <build@mattermost.com>
483 lines
17 KiB
Go
483 lines
17 KiB
Go
// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
|
|
// See LICENSE.txt for license information.
|
|
|
|
package app
|
|
|
|
import (
|
|
"errors"
|
|
"net/http"
|
|
"path"
|
|
"strings"
|
|
|
|
"github.com/mattermost/mattermost/server/public/model"
|
|
"github.com/mattermost/mattermost/server/public/shared/mlog"
|
|
"github.com/mattermost/mattermost/server/public/shared/request"
|
|
"github.com/mattermost/mattermost/server/v8/channels/app/password/hashers"
|
|
"github.com/mattermost/mattermost/server/v8/channels/app/users"
|
|
"github.com/mattermost/mattermost/server/v8/channels/utils"
|
|
"github.com/mattermost/mattermost/server/v8/platform/shared/mfa"
|
|
)
|
|
|
|
type TokenLocation int
|
|
|
|
const (
|
|
TokenLocationNotFound TokenLocation = iota
|
|
TokenLocationHeader
|
|
TokenLocationCookie
|
|
TokenLocationQueryString
|
|
TokenLocationCloudHeader
|
|
TokenLocationRemoteClusterHeader
|
|
)
|
|
|
|
func (tl TokenLocation) String() string {
|
|
switch tl {
|
|
case TokenLocationNotFound:
|
|
return "Not Found"
|
|
case TokenLocationHeader:
|
|
return "Header"
|
|
case TokenLocationCookie:
|
|
return "Cookie"
|
|
case TokenLocationQueryString:
|
|
return "QueryString"
|
|
case TokenLocationCloudHeader:
|
|
return "CloudHeader"
|
|
case TokenLocationRemoteClusterHeader:
|
|
return "RemoteClusterHeader"
|
|
default:
|
|
return "Unknown"
|
|
}
|
|
}
|
|
|
|
func (a *App) IsPasswordValid(rctx request.CTX, password string) *model.AppError {
|
|
if err := users.IsPasswordValidWithSettings(password, &a.Config().PasswordSettings); err != nil {
|
|
var invErr *users.ErrInvalidPassword
|
|
switch {
|
|
case errors.As(err, &invErr):
|
|
return model.NewAppError("User.IsValid", invErr.Id(), map[string]any{"Min": *a.Config().PasswordSettings.MinimumLength}, "", http.StatusBadRequest).Wrap(err)
|
|
default:
|
|
return model.NewAppError("User.IsValid", "app.valid_password_generic.app_error", nil, "", http.StatusInternalServerError).Wrap(err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (a *App) checkUserPassword(user *model.User, password string, invalidateCache bool) *model.AppError {
|
|
if user.Password == "" || password == "" {
|
|
return model.NewAppError("checkUserPassword", "api.user.check_user_password.invalid.app_error", nil, "user_id="+user.Id, http.StatusUnauthorized)
|
|
}
|
|
|
|
// Get the hasher and parsed PHC
|
|
hasher, phc, err := hashers.GetHasherFromPHCString(user.Password)
|
|
if err != nil {
|
|
return model.NewAppError("checkUserPassword", "api.user.check_user_password.invalid_hash.app_error", nil, "user_id="+user.Id, http.StatusUnauthorized)
|
|
}
|
|
|
|
// Compare the password using the hasher that generated it
|
|
err = hasher.CompareHashAndPassword(phc, password)
|
|
if err != nil && errors.Is(err, hashers.ErrMismatchedHashAndPassword) {
|
|
// Increment the number of failed password attempts in case of
|
|
// mismatched hash and password
|
|
if passErr := a.Srv().Store().User().UpdateFailedPasswordAttempts(user.Id, user.FailedAttempts+1); passErr != nil {
|
|
return model.NewAppError("CheckPasswordAndAllCriteria", "app.user.update_failed_pwd_attempts.app_error", nil, "", http.StatusInternalServerError).Wrap(passErr)
|
|
}
|
|
|
|
if invalidateCache {
|
|
a.InvalidateCacheForUser(user.Id)
|
|
}
|
|
|
|
return model.NewAppError("checkUserPassword", "api.user.check_user_password.invalid.app_error", nil, "user_id="+user.Id, http.StatusUnauthorized).Wrap(err)
|
|
} else if err != nil {
|
|
return model.NewAppError("checkUserPassword", "app.valid_password_generic.app_error", nil, "", http.StatusInternalServerError).Wrap(err)
|
|
}
|
|
|
|
// Migrate the password if needed
|
|
if !hashers.IsLatestHasher(hasher) {
|
|
return a.migratePassword(user, password)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// migratePassword updates the database with the user's password hashed with the
|
|
// latest hashing method. It assumes that the password has been already validated.
|
|
func (a *App) migratePassword(user *model.User, password string) *model.AppError {
|
|
// Compute the new hash with the latest hashing method
|
|
newHash, err := hashers.Hash(password)
|
|
if err != nil {
|
|
return model.NewAppError("migratePassword", "app.user.check_user_password.failed_migration", nil, "", http.StatusInternalServerError).Wrap(err)
|
|
}
|
|
|
|
// Update the password
|
|
if err := a.Srv().Store().User().UpdatePassword(user.Id, newHash); err != nil {
|
|
return model.NewAppError("migratePassword", "app.user.check_user_password.failed_update", nil, "", http.StatusInternalServerError).Wrap(err)
|
|
}
|
|
a.InvalidateCacheForUser(user.Id)
|
|
|
|
return nil
|
|
}
|
|
|
|
func (a *App) CheckPasswordAndAllCriteria(rctx request.CTX, userID string, password string, mfaToken string) *model.AppError {
|
|
// MM-37585
|
|
// Use locks to avoid concurrently checking AND updating the failed login attempts.
|
|
a.ch.emailLoginAttemptsMut.Lock()
|
|
defer a.ch.emailLoginAttemptsMut.Unlock()
|
|
|
|
user, err := a.GetUser(userID)
|
|
if err != nil {
|
|
if err.Id != MissingAccountError {
|
|
err.StatusCode = http.StatusInternalServerError
|
|
return err
|
|
}
|
|
err.StatusCode = http.StatusBadRequest
|
|
return err
|
|
}
|
|
|
|
if err := a.CheckUserPreflightAuthenticationCriteria(rctx, user, mfaToken); err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := a.checkUserPassword(user, password, false); err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := a.CheckUserMfa(rctx, user, mfaToken); err != nil {
|
|
// If the mfaToken is not set, we assume the client used this as a pre-flight request to query the server
|
|
// about the MFA state of the user in question
|
|
if mfaToken != "" {
|
|
if passErr := a.Srv().Store().User().UpdateFailedPasswordAttempts(user.Id, user.FailedAttempts+1); passErr != nil {
|
|
return model.NewAppError("CheckPasswordAndAllCriteria", "app.user.update_failed_pwd_attempts.app_error", nil, "", http.StatusInternalServerError).Wrap(passErr)
|
|
}
|
|
}
|
|
|
|
return err
|
|
}
|
|
|
|
if passErr := a.Srv().Store().User().UpdateFailedPasswordAttempts(user.Id, 0); passErr != nil {
|
|
return model.NewAppError("CheckPasswordAndAllCriteria", "app.user.update_failed_pwd_attempts.app_error", nil, "", http.StatusInternalServerError).Wrap(passErr)
|
|
}
|
|
|
|
if err := a.CheckUserPostflightAuthenticationCriteria(rctx, user); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// This to be used for places we check the users password when they are already logged in
|
|
func (a *App) DoubleCheckPassword(rctx request.CTX, user *model.User, password string) *model.AppError {
|
|
if err := checkUserLoginAttempts(user, *a.Config().ServiceSettings.MaximumLoginAttempts); err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := a.checkUserPassword(user, password, true); err != nil {
|
|
return err
|
|
}
|
|
|
|
if passErr := a.Srv().Store().User().UpdateFailedPasswordAttempts(user.Id, 0); passErr != nil {
|
|
return model.NewAppError("DoubleCheckPassword", "app.user.update_failed_pwd_attempts.app_error", nil, "", http.StatusInternalServerError).Wrap(passErr)
|
|
}
|
|
|
|
a.InvalidateCacheForUser(user.Id)
|
|
|
|
return nil
|
|
}
|
|
|
|
func (a *App) checkLdapUserPasswordAndAllCriteria(rctx request.CTX, user *model.User, password, mfaToken string) (*model.User, *model.AppError) {
|
|
// MM-37585: Use locks to avoid concurrently checking AND updating the failed login attempts.
|
|
a.ch.ldapLoginAttemptsMut.Lock()
|
|
defer a.ch.ldapLoginAttemptsMut.Unlock()
|
|
|
|
// We need to get the latest value of the user from the database after we acquire the lock. user is nil for first-time LDAP users.
|
|
if user.Id != "" {
|
|
var err *model.AppError
|
|
user, err = a.GetUser(user.Id)
|
|
if err != nil {
|
|
if err.Id != MissingAccountError {
|
|
err.StatusCode = http.StatusInternalServerError
|
|
return nil, err
|
|
}
|
|
err.StatusCode = http.StatusBadRequest
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
ldapID := user.AuthData
|
|
|
|
if a.Ldap() == nil || ldapID == nil {
|
|
err := model.NewAppError("doLdapAuthentication", "api.user.login_ldap.not_available.app_error", nil, "", http.StatusNotImplemented)
|
|
return nil, err
|
|
}
|
|
|
|
// First time LDAP users will not have a userID
|
|
if user.Id != "" {
|
|
if err := checkUserLoginAttempts(user, *a.Config().LdapSettings.MaximumLoginAttempts); err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
ldapUser, err := a.Ldap().DoLogin(rctx, *ldapID, password)
|
|
if err != nil {
|
|
// If this is a new LDAP user, we need to get the user from the database because DoLogin will have created the user.
|
|
if user.Id == "" {
|
|
var getUserByAuthErr *model.AppError
|
|
ldapUser, getUserByAuthErr = a.GetUserByAuth(ldapID, model.UserAuthServiceLdap)
|
|
if getUserByAuthErr != nil {
|
|
return nil, getUserByAuthErr
|
|
}
|
|
} else {
|
|
ldapUser = user
|
|
}
|
|
|
|
// Log a info to make it easier to admin to spot that a user tried to log in with a legitimate user name.
|
|
if err.Id == "ent.ldap.do_login.invalid_password.app_error" {
|
|
rctx.Logger().LogM(mlog.MlvlLDAPInfo, "A user tried to sign in, which matched an LDAP account, but the password was incorrect.", mlog.String("ldap_id", *ldapID))
|
|
|
|
if passErr := a.Srv().Store().User().UpdateFailedPasswordAttempts(ldapUser.Id, ldapUser.FailedAttempts+1); passErr != nil {
|
|
return nil, model.NewAppError("CheckPasswordAndAllCriteria", "app.user.update_failed_pwd_attempts.app_error", nil, "", http.StatusInternalServerError).Wrap(passErr)
|
|
}
|
|
}
|
|
|
|
err.StatusCode = http.StatusUnauthorized
|
|
return nil, err
|
|
}
|
|
|
|
if err = a.CheckUserMfa(rctx, ldapUser, mfaToken); err != nil {
|
|
// If the mfaToken is not set, we assume the client used this as a pre-flight request to query the server
|
|
// about the MFA state of the user in question
|
|
if mfaToken != "" && ldapUser.Id != "" {
|
|
if passErr := a.Srv().Store().User().UpdateFailedPasswordAttempts(ldapUser.Id, ldapUser.FailedAttempts+1); passErr != nil {
|
|
return nil, model.NewAppError("CheckPasswordAndAllCriteria", "app.user.update_failed_pwd_attempts.app_error", nil, "", http.StatusInternalServerError).Wrap(passErr)
|
|
}
|
|
}
|
|
return nil, err
|
|
}
|
|
|
|
if err = checkUserNotDisabled(ldapUser); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if ldapUser.FailedAttempts > 0 {
|
|
if passErr := a.Srv().Store().User().UpdateFailedPasswordAttempts(ldapUser.Id, 0); passErr != nil {
|
|
return nil, model.NewAppError("CheckPasswordAndAllCriteria", "app.user.update_failed_pwd_attempts.app_error", nil, "", http.StatusInternalServerError).Wrap(passErr)
|
|
}
|
|
}
|
|
|
|
// user successfully authenticated
|
|
return ldapUser, nil
|
|
}
|
|
|
|
func (a *App) CheckUserAllAuthenticationCriteria(rctx request.CTX, user *model.User, mfaToken string) *model.AppError {
|
|
if err := a.CheckUserPreflightAuthenticationCriteria(rctx, user, mfaToken); err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := a.CheckUserPostflightAuthenticationCriteria(rctx, user); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (a *App) CheckUserPreflightAuthenticationCriteria(rctx request.CTX, user *model.User, mfaToken string) *model.AppError {
|
|
if err := checkUserNotDisabled(user); err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := checkUserNotBot(user); err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := checkUserLoginAttempts(user, *a.Config().ServiceSettings.MaximumLoginAttempts); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (a *App) CheckUserPostflightAuthenticationCriteria(rctx request.CTX, user *model.User) *model.AppError {
|
|
if !user.EmailVerified && *a.Config().EmailSettings.RequireEmailVerification {
|
|
return model.NewAppError("Login", "api.user.login.not_verified.app_error", nil, "user_id="+user.Id, http.StatusUnauthorized)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (a *App) CheckUserMfa(rctx request.CTX, user *model.User, token string) *model.AppError {
|
|
if !user.MfaActive || !*a.Config().ServiceSettings.EnableMultifactorAuthentication {
|
|
return nil
|
|
}
|
|
|
|
if !*a.Config().ServiceSettings.EnableMultifactorAuthentication {
|
|
return model.NewAppError("CheckUserMfa", "mfa.mfa_disabled.app_error", nil, "", http.StatusNotImplemented)
|
|
}
|
|
|
|
ok, err := mfa.New(a.Srv().Store().User()).ValidateToken(user, token)
|
|
if err != nil {
|
|
return model.NewAppError("CheckUserMfa", "mfa.validate_token.authenticate.app_error", nil, "", http.StatusBadRequest).Wrap(err)
|
|
}
|
|
|
|
if !ok {
|
|
return model.NewAppError("checkUserMfa", "api.user.check_user_mfa.bad_code.app_error", nil, "", http.StatusUnauthorized)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (a *App) MFARequired(rctx request.CTX) *model.AppError {
|
|
if license := a.Channels().License(); license == nil || !*license.Features.MFA || !*a.Config().ServiceSettings.EnableMultifactorAuthentication || !*a.Config().ServiceSettings.EnforceMultifactorAuthentication {
|
|
return nil
|
|
}
|
|
|
|
session := rctx.Session()
|
|
// Session cannot be nil or empty if MFA is to be enforced.
|
|
if session == nil || session.Id == "" {
|
|
return model.NewAppError("MfaRequired", "api.context.get_session.app_error", nil, "", http.StatusUnauthorized)
|
|
}
|
|
|
|
// OAuth integrations are excepted
|
|
if session.IsOAuth {
|
|
return nil
|
|
}
|
|
|
|
user, err := a.GetUser(session.UserId)
|
|
if err != nil {
|
|
return model.NewAppError("MfaRequired", "api.context.get_user.app_error", nil, "", http.StatusInternalServerError).Wrap(err)
|
|
}
|
|
|
|
if user.IsGuest() && !*a.Config().GuestAccountsSettings.EnforceMultifactorAuthentication {
|
|
return nil
|
|
}
|
|
// Only required for email and ldap accounts
|
|
if user.AuthService != "" &&
|
|
user.AuthService != model.UserAuthServiceEmail &&
|
|
user.AuthService != model.UserAuthServiceLdap {
|
|
return nil
|
|
}
|
|
|
|
// Special case to let user get themself
|
|
subpath, _ := utils.GetSubpathFromConfig(a.Config())
|
|
if rctx.Path() == path.Join(subpath, "/api/v4/users/me") {
|
|
return nil
|
|
}
|
|
|
|
// Bots are exempt
|
|
if user.IsBot {
|
|
return nil
|
|
}
|
|
|
|
if !user.MfaActive {
|
|
return model.NewAppError("MfaRequired", "api.context.mfa_required.app_error", nil, "", http.StatusForbidden)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func checkUserLoginAttempts(user *model.User, maxAttempts int) *model.AppError {
|
|
if user.FailedAttempts >= maxAttempts {
|
|
if user.AuthService == model.UserAuthServiceLdap {
|
|
return model.NewAppError("checkUserLoginAttempts", "api.user.check_user_login_attempts.too_many_ldap.app_error", nil, "user_id="+user.Id, http.StatusUnauthorized)
|
|
}
|
|
return model.NewAppError("checkUserLoginAttempts", "api.user.check_user_login_attempts.too_many.app_error", nil, "user_id="+user.Id, http.StatusUnauthorized)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func checkUserNotDisabled(user *model.User) *model.AppError {
|
|
if user.DeleteAt > 0 {
|
|
return model.NewAppError("Login", "api.user.login.inactive.app_error", nil, "user_id="+user.Id, http.StatusUnauthorized)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func checkUserNotBot(user *model.User) *model.AppError {
|
|
if user.IsBot {
|
|
return model.NewAppError("Login", "api.user.login.bot_login_forbidden.app_error", nil, "user_id="+user.Id, http.StatusUnauthorized)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (a *App) authenticateUser(rctx request.CTX, user *model.User, password, mfaToken string) (*model.User, *model.AppError) {
|
|
license := a.Srv().License()
|
|
ldapAvailable := *a.Config().LdapSettings.Enable && a.Ldap() != nil && license != nil && *license.Features.LDAP
|
|
|
|
if user.AuthService == model.UserAuthServiceLdap {
|
|
if !ldapAvailable {
|
|
err := model.NewAppError("login", "api.user.login_ldap.not_available.app_error", nil, "", http.StatusNotImplemented)
|
|
return user, err
|
|
}
|
|
|
|
ldapUser, err := a.checkLdapUserPasswordAndAllCriteria(rctx, user, password, mfaToken)
|
|
if err != nil {
|
|
err.StatusCode = http.StatusUnauthorized
|
|
return user, err
|
|
}
|
|
|
|
// slightly redundant to get the user again, but we need to get it from the LDAP server
|
|
return ldapUser, nil
|
|
}
|
|
|
|
if user.AuthService != "" {
|
|
authService := user.AuthService
|
|
if authService == model.UserAuthServiceSaml {
|
|
authService = strings.ToUpper(authService)
|
|
}
|
|
err := model.NewAppError("login", "api.user.login.use_auth_service.app_error", map[string]any{"AuthService": authService}, "", http.StatusBadRequest)
|
|
return user, err
|
|
}
|
|
|
|
if err := a.CheckPasswordAndAllCriteria(rctx, user.Id, password, mfaToken); err != nil {
|
|
if err.Id == "api.user.check_user_password.invalid.app_error" {
|
|
rctx.Logger().LogM(mlog.MlvlLDAPInfo, "A user tried to sign in, which matched a Mattermost account, but the password was incorrect.", mlog.String("username", user.Username))
|
|
}
|
|
|
|
err.StatusCode = http.StatusUnauthorized
|
|
return user, err
|
|
}
|
|
|
|
return user, nil
|
|
}
|
|
|
|
func ParseAuthTokenFromRequest(r *http.Request) (token string, loc TokenLocation) {
|
|
defer func() {
|
|
// Stripping off tokens of large sizes
|
|
// to prevent logging a large string.
|
|
if len(token) > 50 {
|
|
token = token[:50]
|
|
}
|
|
}()
|
|
|
|
authHeader := r.Header.Get(model.HeaderAuth)
|
|
|
|
// Attempt to parse the token from the cookie
|
|
if cookie, err := r.Cookie(model.SessionCookieToken); err == nil {
|
|
return cookie.Value, TokenLocationCookie
|
|
}
|
|
|
|
// Parse the token from the header
|
|
if len(authHeader) > 6 && strings.ToUpper(authHeader[0:6]) == model.HeaderBearer {
|
|
// Default session token
|
|
return authHeader[7:], TokenLocationHeader
|
|
}
|
|
|
|
if len(authHeader) > 5 && strings.ToLower(authHeader[0:5]) == model.HeaderToken {
|
|
// OAuth token
|
|
return authHeader[6:], TokenLocationHeader
|
|
}
|
|
|
|
// Attempt to parse token out of the query string
|
|
if token := r.URL.Query().Get("access_token"); token != "" {
|
|
return token, TokenLocationQueryString
|
|
}
|
|
|
|
if token := r.Header.Get(model.HeaderCloudToken); token != "" {
|
|
return token, TokenLocationCloudHeader
|
|
}
|
|
|
|
if token := r.Header.Get(model.HeaderRemoteclusterToken); token != "" {
|
|
return token, TokenLocationRemoteClusterHeader
|
|
}
|
|
|
|
return "", TokenLocationNotFound
|
|
}
|