| ... | ... |
@@ -2,6 +2,7 @@ package paramtoken |
| 2 | 2 |
|
| 3 | 3 |
import ( |
| 4 | 4 |
"net/http" |
| 5 |
+ "regexp" |
|
| 5 | 6 |
"strings" |
| 6 | 7 |
|
| 7 | 8 |
"github.com/openshift/origin/pkg/auth/authenticator" |
| ... | ... |
@@ -26,6 +27,11 @@ func New(param string, auth authenticator.Token, removeParam bool) *Authenticato |
| 26 | 26 |
} |
| 27 | 27 |
|
| 28 | 28 |
func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
|
| 29 |
+ // Only accept query param auth for websocket connections |
|
| 30 |
+ if !isWebSocketRequest(req) {
|
|
| 31 |
+ return nil, false, nil |
|
| 32 |
+ } |
|
| 33 |
+ |
|
| 29 | 34 |
q := req.URL.Query() |
| 30 | 35 |
token := strings.TrimSpace(q.Get(a.param)) |
| 31 | 36 |
if token == "" {
|
| ... | ... |
@@ -38,3 +44,13 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool, |
| 38 | 38 |
} |
| 39 | 39 |
return user, ok, err |
| 40 | 40 |
} |
| 41 |
+ |
|
| 42 |
+var ( |
|
| 43 |
+ // connectionUpgradeRegex matches any Connection header value that includes upgrade |
|
| 44 |
+ connectionUpgradeRegex = regexp.MustCompile("(^|.*,\\s*)upgrade($|\\s*,)")
|
|
| 45 |
+) |
|
| 46 |
+ |
|
| 47 |
+// isWebSocketRequest returns true if the incoming request contains connection upgrade headers for WebSockets. |
|
| 48 |
+func isWebSocketRequest(req *http.Request) bool {
|
|
| 49 |
+ return connectionUpgradeRegex.MatchString(strings.ToLower(req.Header.Get("Connection"))) && strings.ToLower(req.Header.Get("Upgrade")) == "websocket"
|
|
| 50 |
+} |
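Review bot: `isWebSocketRequest` reads the `Connection` header with `req.Header.Get`, which returns only the first header line, so a handshake whose `upgrade` token arrives on a second `Connection` line is treated as a non-WebSocket request and its query token is ignored. That fails closed, but it can reject legitimate clients, presumably those behind an intermediary that emits the header on several lines; matching against `strings.ToLower(strings.Join(req.Header["Connection"], ","))` covers every line with the same regex. Both headers are supplied by the client, so the doc comment on `isWebSocketRequest` should say that the check only narrows where URL tokens are accepted and does not prove a WebSocket handshake follows, e.g. `// Connection and Upgrade are client-controlled; this limits query-param tokens to upgrade requests and is not a trust boundary.` As a style point, the `Upgrade` comparison reads more directly as `strings.EqualFold(req.Header.Get("Upgrade"), "websocket")`.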