You've already forked agentic-coding-workflow
feat(middleware): support ?token= query param fallback for browser WebSocket auth
This commit is contained in:
@@ -99,11 +99,19 @@ func UserIDFromContext(ctx context.Context) (uuid.UUID, bool) {
|
|||||||
// prefix; case-insensitive matching is intentionally NOT performed
|
// prefix; case-insensitive matching is intentionally NOT performed
|
||||||
// because RFC 6750 specifies the literal "Bearer" scheme name and being
|
// because RFC 6750 specifies the literal "Bearer" scheme name and being
|
||||||
// strict here keeps the parsing surface small.
|
// strict here keeps the parsing surface small.
|
||||||
|
//
|
||||||
|
// As a fallback, ?token= query parameter is accepted for endpoints that
|
||||||
|
// cannot send custom headers (notably browser-native WebSocket connections).
|
||||||
|
// Callers must keep token lifetimes short so the URL-borne token is not a
|
||||||
|
// long-lived secret should it be logged by intermediaries.
|
||||||
func extractBearer(r *http.Request) string {
|
func extractBearer(r *http.Request) string {
|
||||||
h := r.Header.Get("Authorization")
|
h := r.Header.Get("Authorization")
|
||||||
const prefix = "Bearer "
|
const prefix = "Bearer "
|
||||||
if !strings.HasPrefix(h, prefix) {
|
if strings.HasPrefix(h, prefix) {
|
||||||
return ""
|
|
||||||
}
|
|
||||||
return strings.TrimSpace(h[len(prefix):])
|
return strings.TrimSpace(h[len(prefix):])
|
||||||
}
|
}
|
||||||
|
if q := r.URL.Query().Get("token"); q != "" {
|
||||||
|
return q
|
||||||
|
}
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user