...
|
...
|
@@ -2,6 +2,7 @@ package paramtoken
|
2
|
2
|
|
3
|
3
|
import (
|
4
|
4
|
"net/http"
|
|
5
|
+ "regexp"
|
5
|
6
|
"strings"
|
6
|
7
|
|
7
|
8
|
"github.com/openshift/origin/pkg/auth/authenticator"
|
...
|
...
|
@@ -26,6 +27,11 @@ func New(param string, auth authenticator.Token, removeParam bool) *Authenticato
|
26
|
26
|
}
|
27
|
27
|
|
28
|
28
|
func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
|
|
29
|
+ // Only accept query param auth for websocket connections
|
|
30
|
+ if !isWebSocketRequest(req) {
|
|
31
|
+ return nil, false, nil
|
|
32
|
+ }
|
|
33
|
+
|
29
|
34
|
q := req.URL.Query()
|
30
|
35
|
token := strings.TrimSpace(q.Get(a.param))
|
31
|
36
|
if token == "" {
|
...
|
...
|
@@ -38,3 +44,13 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool,
|
38
|
38
|
}
|
39
|
39
|
return user, ok, err
|
40
|
40
|
}
|
|
41
|
+
|
|
42
|
+var (
|
|
43
|
+ // connectionUpgradeRegex matches any Connection header value that includes upgrade
|
|
44
|
+ connectionUpgradeRegex = regexp.MustCompile("(^|.*,\\s*)upgrade($|\\s*,)")
|
|
45
|
+)
|
|
46
|
+
|
|
47
|
+// isWebSocketRequest returns true if the incoming request contains connection upgrade headers for WebSockets.
|
|
48
|
+func isWebSocketRequest(req *http.Request) bool {
|
|
49
|
+ return connectionUpgradeRegex.MatchString(strings.ToLower(req.Header.Get("Connection"))) && strings.ToLower(req.Header.Get("Upgrade")) == "websocket"
|
|
50
|
+}
|
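Review bot: isWebSocketRequest trusts only the client-supplied `Connection` and `Upgrade` headers, so the new guard at the top of AuthenticateRequest narrows where a query-parameter token is honoured but does not establish that a WebSocket handshake is actually taking place; the doc comment should say so. I would extend it with something like `// The headers are client-controlled: this keeps ordinary browser requests from authenticating via the URL; it is not proof of a handshake.` If a stricter gate is wanted, `req.Method == "GET"` and a non-empty `Sec-WebSocket-Key` could be required as well. `req.Header.Get` reads only the first `Connection` line and `Upgrade` is compared for exact equality, so a request that splits `Connection` across header lines or lists several protocols is declined; that fails closed, but a small table-driven test for the helper would pin the accepted forms. The token still travels in the URL on accepted requests, so request-log redaction stays relevant (presumably what `removeParam` in New is for; its use lies outside these hunks).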