diff --git a/project_amber/const.py b/project_amber/const.py
index bffbadb..cbe1f6d 100644
--- a/project_amber/const.py
+++ b/project_amber/const.py
@@ -2,7 +2,8 @@ EMPTY_RESP = dumps({}) # Empty response, to be used in requests.
-AUTH_TOKEN_HEADER = "X-Auth-Token"
+AUTH_TOKEN_HEADER = "Authorization"
+AUTH_TOKEN_SCHEME = "Bearer"
 DAY_SECONDS = 60 * 60 * 24
 MATURE_SESSION = DAY_SECONDS * 2 # The difference in times between the login
@@ -11,7 +12,7 @@ MSG_INVALID_JSON = "Payload needs to contain valid JSON"
 MSG_MISSING_AUTH_INFO = "Missing 'username' or 'password'"
-MSG_NO_TOKEN = f"No {AUTH_TOKEN_HEADER} present"
+MSG_NO_TOKEN = f"No {AUTH_TOKEN_HEADER} header present"
 MSG_INVALID_TOKEN = "Invalid token"
 MSG_USER_NOT_FOUND = "This user does not exist"
 MSG_USER_EXISTS = "The user with this name already exists"
diff --git a/project_amber/handlers/__init__.py b/project_amber/handlers/__init__.py
index 372228d..358433d 100644
--- a/project_amber/handlers/__init__.py
+++ b/project_amber/handlers/__init__.py
@@ -5,7 +5,7 @@ from project_amber.db import db
 from project_amber.const import MSG_NO_TOKEN, MSG_INVALID_TOKEN, MSG_USER_NOT_FOUND, \
-    MSG_USER_EXISTS, MSG_INVALID_JSON, AUTH_TOKEN_HEADER
+    MSG_USER_EXISTS, MSG_INVALID_JSON, AUTH_TOKEN_HEADER, AUTH_TOKEN_SCHEME
 from project_amber.errors import Unauthorized, BadRequest, InternalServerError
 from project_amber.models.auth import User, Session
@@ -46,9 +46,15 @@ def login_required(f):
     """
     @wraps(f)
     def decorated_login_function(*args, **kwargs):
-        token = request.headers.get(AUTH_TOKEN_HEADER)
-        if token is None:
+        token_header = request.headers.get(AUTH_TOKEN_HEADER)
+        if token_header is None:
             raise Unauthorized(MSG_NO_TOKEN)
+        token_data = token_header.split(" ")
+        if len(token_data) < 2:
+            raise Unauthorized(MSG_INVALID_TOKEN)
+        if token_data[0] != AUTH_TOKEN_SCHEME:
+            raise Unauthorized(MSG_INVALID_TOKEN)
+        token = token_data[1]
         user_s = db.session.query(Session).filter_by(token=token).one_or_none()
         if user_s is None:
             raise Unauthorized(MSG_INVALID_TOKEN)
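Review bot: The new header parsing in `decorated_login_function` accepts malformed `Authorization` values: `token_header.split(" ")` followed by `token = token_data[1]` silently ignores any trailing fields (`Bearer abc def` authenticates as `abc`), and `Bearer ` (trailing space) passes the `len(token_data) < 2` check with `token == ""`, which is then sent to the session query instead of being rejected up front. I would parse strictly and reject anything that is not exactly one scheme and one non-empty token: `scheme, _, token = token_header.partition(" ")` and `if scheme != AUTH_TOKEN_SCHEME or not token or " " in token: raise Unauthorized(MSG_INVALID_TOKEN)`. Separately, RFC 7235 defines the scheme name as case-insensitive, so the strict `!= AUTH_TOKEN_SCHEME` comparison rejects a client sending `bearer`; that is an interoperability choice rather than a security issue, but it deserves a comment either way. The enclosing `login_required` decorator begins before this hunk and `decorated_login_function` presumably continues past its last line.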