author | Tuomo Ala-Vannesluoma <tuomoav@gmail.com> | 2018-06-18 19:43:44 +0300 |
---|---|---|
committer | Tuomo Ala-Vannesluoma <tuomoav@gmail.com> | 2018-06-30 22:51:43 +0300 |
commit | 1b2c9bec53272e1f757015dcb28c835492b25ad0 (patch) | |
tree | 1865707567487d4eb716128c2010a0be83d0a03e /internal | |
parent | 5828ffbece3a751198a2f9a0c7c8b144d13179c4 (diff) |
Use header authentication instead of query parameter
Diffstat (limited to 'internal')
-rw-r--r-- | internal/auth/auth.go | 14 | ||||
-rw-r--r-- | internal/auth/auth_test.go | 8 |
2 files changed, 15 insertions, 7 deletions
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index a3d44dc6..407de0c3 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -16,7 +16,7 @@ import (
 )
 
 const (
-	apiURLTemplate       = "%s/api/v4/projects/%d?access_token=%s"
+	apiURLTemplate       = "%s/api/v4/projects/%d"
 	authorizeURLTemplate = "%s/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code&state=%s"
 	tokenURLTemplate     = "%s/oauth/token"
 	tokenContentTemplate = "client_id=%s&client_secret=%s&code=%s&grant_type=authorization_code&redirect_uri=%s"
@@ -214,8 +214,16 @@ func (a *Auth) CheckAuthentication(w http.ResponseWriter, r *http.Request, proje
 	}
 
 	// Access token exists, authorize request
-	url := fmt.Sprintf(apiURLTemplate, a.gitLabServer, projectID, session.Values["access_token"].(string))
-	resp, err := a.apiClient.Get(url)
+	url := fmt.Sprintf(apiURLTemplate, a.gitLabServer, projectID)
+	req, err := http.NewRequest("GET", url, nil)
+
+	if err != nil {
+		httperrors.Serve500(w)
+		return true
+	}
+
+	req.Header.Add("Authorization", "Bearer "+session.Values["access_token"].(string))
+	resp, err := a.apiClient.Do(req)
 
 	if checkResponseForInvalidToken(resp, err) {
diff --git a/internal/auth/auth_test.go b/internal/auth/auth_test.go
index e8a95662..60ff6223 100644
--- a/internal/auth/auth_test.go
+++ b/internal/auth/auth_test.go
@@ -76,7 +76,7 @@ func TestTryAuthenticateWithCodeAndState(t *testing.T) {
 			w.WriteHeader(http.StatusOK)
 			fmt.Fprint(w, "{\"access_token\":\"abc\"}")
 		case "/api/v4/projects/1000":
-			assert.Equal(t, "abc", r.URL.Query().Get("access_token"))
+			assert.Equal(t, "Bearer abc", r.Header.Get("Authorization"))
 			w.WriteHeader(http.StatusOK)
 		default:
 			t.Logf("Unexpected r.URL.RawPath: %q", r.URL.Path)
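Review bot: The unchecked type assertion `session.Values["access_token"].(string)` on the new `req.Header.Add` line panics if the stored value is absent or not a string, and this hunk adds a second place where that assertion is evaluated after a fallible call; unless the existence check above this hunk (the `// Access token exists` comment suggests one) also pins the type, extract it once with a checked assertion: `token, ok := session.Values["access_token"].(string)` / `if !ok { httperrors.Serve500(w); return true }` / `req.Header.Set("Authorization", "Bearer "+token)`. `Header.Set` rather than `Add` keeps the Authorization header single-valued, and `http.MethodGet` reads better than the bare `"GET"` literal in `http.NewRequest`. As a point of style, the blank line between `http.NewRequest` and its `err` check departs from the usual Go layout of keeping the check adjacent to the call. CheckAuthentication's body starts and ends outside the hunk.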
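Review bot: The updated `assert.Equal` verifies that the bearer header arrives, but nothing now asserts that the token has left the URL, which is the property this commit exists to establish; add `assert.Empty(t, r.URL.Query().Get("access_token"))` next to the new assertion so a regression back to the query-string form (where the token would land in server access logs and Referer headers) fails the test. The same addition applies to the three `assert.Equal` lines in the auth_test.go hunks at -115, -152 and -189. The handler closures start and end outside the hunk.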
@@ -115,7 +115,7 @@ func TestCheckAuthenticationWhenAccess(t *testing.T) {
 	apiServer := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch r.URL.Path {
 		case "/api/v4/projects/1000":
-			assert.Equal(t, "abc", r.URL.Query().Get("access_token"))
+			assert.Equal(t, "Bearer abc", r.Header.Get("Authorization"))
 			w.WriteHeader(http.StatusOK)
 		default:
 			t.Logf("Unexpected r.URL.RawPath: %q", r.URL.Path)
@@ -152,7 +152,7 @@ func TestCheckAuthenticationWhenNoAccess(t *testing.T) {
 	apiServer := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch r.URL.Path {
 		case "/api/v4/projects/1000":
-			assert.Equal(t, "abc", r.URL.Query().Get("access_token"))
+			assert.Equal(t, "Bearer abc", r.Header.Get("Authorization"))
 			w.WriteHeader(http.StatusUnauthorized)
 		default:
 			t.Logf("Unexpected r.URL.RawPath: %q", r.URL.Path)
@@ -189,7 +189,7 @@ func TestCheckAuthenticationWhenInvalidToken(t *testing.T) {
 	apiServer := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch r.URL.Path {
 		case "/api/v4/projects/1000":
-			assert.Equal(t, "abc", r.URL.Query().Get("access_token"))
+			assert.Equal(t, "Bearer abc", r.Header.Get("Authorization"))
 			w.WriteHeader(http.StatusUnauthorized)
 			fmt.Fprint(w, "{\"error\":\"invalid_token\"}")
 		default: