  • Add support for authenticating to the API via an Authorization Bearer token.

  • Jordan Wright committed 6 years ago
    5f3c94d0
    1 parent e1d5c809
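--- a/controllers/api_test.go
+++ b/controllers/api_test.go
@@ -109,6 +109,23 @@
  s.Equal(resp.StatusCode, http.StatusBadRequest)
 }
 
+func (s *ControllersSuite) TestInvalidAPIKey() {
+ resp, err := http.Get(fmt.Sprintf("%s/api/groups/?api_key=%s", as.URL, "bogus-api-key"))
+ s.Nil(err)
+ defer resp.Body.Close()
+ s.Equal(resp.StatusCode, http.StatusBadRequest)
+}
+
+func (s *ControllersSuite) TestBearerToken() {
+ req, err := http.NewRequest("GET", fmt.Sprintf("%s/api/groups/", as.URL), nil)
+ s.Nil(err)
+ req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", s.ApiKey))
+ resp, err := http.DefaultClient.Do(req)
+ s.Nil(err)
+ defer resp.Body.Close()
+ s.Equal(resp.StatusCode, http.StatusOK)
+}
+
 func (s *ControllersSuite) TestSiteImportBaseHref() {
  h := "<html><head></head><body><img src=\"/test.png\"/></body></html>"
  ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {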
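Review bot: TestBearerToken exercises only the success path; rejection of a wrong value delivered through the header is left untested, unlike the query-string path that TestInvalidAPIKey covers in the same hunk. A parallel case would send `req.Header.Add("Authorization", "Bearer bogus-api-key")` and assert `s.Equal(resp.StatusCode, http.StatusBadRequest)`. A further case with a non-Bearer scheme, e.g. `req.Header.Add("Authorization", "Basic bogus")`, would pin down whether the middleware is meant to reject such headers rather than treat the whole value as an API key. `as` and `s.ApiKey` appear to be fixtures set up outside this hunk.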
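--- a/middleware/middleware.go
+++ b/middleware/middleware.go
@@ -62,8 +62,6 @@
 
 func RequireAPIKey(handler http.Handler) http.HandlerFunc {
  return func(w http.ResponseWriter, r *http.Request) {
- r.ParseForm()
- ak := r.Form.Get("api_key")
  w.Header().Set("Access-Control-Allow-Origin", "*")
  if r.Method == "OPTIONS" {
  w.Header().Set("Access-Control-Allow-Methods", "POST, GET, OPTIONS")
@@ -71,19 +69,29 @@
  w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept")
  return
  }
+ r.ParseForm()
+ ak := r.Form.Get("api_key")
+ // If we can't get the API key, we'll also check for the
+ // Authorization Bearer token
+ if ak == "" {
+ tokens, ok := r.Header["Authorization"]
+ if ok && len(tokens) >= 1 {
+ ak = tokens[0]
+ ak = strings.TrimPrefix(ak, "Bearer ")
+ }
+ }
  if ak == "" {
  JSONError(w, 400, "API Key not set")
  return
- } else {
- u, err := models.GetUserByAPIKey(ak)
- if err != nil {
- JSONError(w, 400, "Invalid API Key")
- return
- }
- r = ctx.Set(r, "user_id", u.Id)
- r = ctx.Set(r, "api_key", ak)
- handler.ServeHTTP(w, r)
+ }
+ u, err := models.GetUserByAPIKey(ak)
+ if err != nil {
+ JSONError(w, 400, "Invalid API Key")
+ return
  }
+ r = ctx.Set(r, "user_id", u.Id)
+ r = ctx.Set(r, "api_key", ak)
+ handler.ServeHTTP(w, r)
  }
 }
 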
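Review bot: The new Bearer branch (new lines 77-80) accepts any Authorization header, not just the Bearer scheme: `strings.TrimPrefix` leaves a value that lacks the prefix untouched, so a Basic or other credential string is passed whole to `models.GetUserByAPIKey` as if it were an API key. Check the scheme before trimming, e.g. `if auth := r.Header.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") { ak = strings.TrimPrefix(auth, "Bearer ") }` (the scheme name is case-insensitive in HTTP, so comparing the first token with `strings.EqualFold` would be stricter still). The relocated `r.ParseForm()` on new line 72 still discards its error, so a request whose form fails to parse falls through to the misleading "API Key not set" response rather than a parse error. The precedence between the two sources is also worth stating in the comment, e.g. `// A query-string api_key takes precedence; the Authorization header is only consulted when it is absent.`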