From 29f7eb4482354d85656f3b5fc016f0a70486330e Mon Sep 17 00:00:00 2001
From: Johann150 <johann.galle@protonmail.com>
Date: Mon, 18 Jul 2022 17:41:08 +0200
Subject: [PATCH] add OAuth 2.0 Bearer Token authentication

---
 .../backend/src/server/api/api-handler.ts     |  3 ++-
 .../backend/src/server/api/authenticate.ts    | 21 +++++++++++++++++--
 packages/backend/src/server/api/streaming.ts  |  2 +-
 3 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/packages/backend/src/server/api/api-handler.ts b/packages/backend/src/server/api/api-handler.ts
index ec71ddd2c..3fecea3fd 100644
--- a/packages/backend/src/server/api/api-handler.ts
+++ b/packages/backend/src/server/api/api-handler.ts
@@ -43,7 +43,8 @@ export default (endpoint: IEndpoint, ctx: Koa.Context) => new Promise<void>((res
 	};
 
 	// Authentication
-	authenticate(body['i']).then(([user, app]) => {
+	// for GET requests, do not even pass on the body parameter as it is considered unsafe
+	authenticate(ctx.headers.authorization, ctx.method === 'GET' ? null : body['i']).then(([user, app]) => {
 		// API invoking
 		call(endpoint.name, user, app, body, ctx).then((res: any) => {
 			if (ctx.method === 'GET' && endpoint.meta.cacheSec && !body['i'] && !user) {
diff --git a/packages/backend/src/server/api/authenticate.ts b/packages/backend/src/server/api/authenticate.ts
index 65ccfcf55..192f20ebc 100644
--- a/packages/backend/src/server/api/authenticate.ts
+++ b/packages/backend/src/server/api/authenticate.ts
@@ -15,8 +15,25 @@ export class AuthenticationError extends Error {
 	}
 }
 
-export default async (token: string | null): Promise<[CacheableLocalUser | null | undefined, AccessToken | null | undefined]> => {
-	if (token == null) {
+export default async (authorization: string | null | undefined, bodyToken: string | null): Promise<[CacheableLocalUser | null | undefined, AccessToken | null | undefined]> => {
+	let token: string | null = null;
+
+	// check if there is an authorization header set
+	if (authorization != null) {
+		if (bodyToken != null) {
+			throw new AuthenticationError('using multiple authorization schemes');
+		}
+
+		// check if OAuth 2.0 Bearer tokens are being used
+		// Authorization schemes are case insensitive
+		if (authorization.substring(0, 7).toLowerCase() === 'bearer ') {
+			token = authorization.substring(7);
+		} else {
+			throw new AuthenticationError('unsupported authentication scheme');
+		}
+	} else if (bodyToken != null) {
+		token = bodyToken;
+	} else {
 		return [null, null];
 	}
 
diff --git a/packages/backend/src/server/api/streaming.ts b/packages/backend/src/server/api/streaming.ts
index f8e42d27f..35d0c0fc0 100644
--- a/packages/backend/src/server/api/streaming.ts
+++ b/packages/backend/src/server/api/streaming.ts
@@ -20,7 +20,7 @@ export const initializeStreamingServer = (server: http.Server) => {
 		// TODO: トークンが間違ってるなどしてauthenticateに失敗したら
 		// コネクション切断するなりエラーメッセージ返すなりする
 		// (現状はエラーがキャッチされておらずサーバーのログに流れて邪魔なので)
-		const [user, app] = await authenticate(q.i as string);
+		const [user, app] = await authenticate(request.httpRequest.headers.authorization, q.i);
 
 		if (user?.isSuspended) {
 			request.reject(400);