From 1c48dfdc9cf53e9f8d24fba90617c0d795de58de Mon Sep 17 00:00:00 2001
From: Jason Knight <78934401+jasonwinterpixel@users.noreply.github.com>
Date: Sat, 23 Apr 2022 07:06:38 -0600
Subject: [PATCH] Try http_key auth method before authorization based auth method in RPC functions. (#772)
---
 server/api_rpc.go | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/server/api_rpc.go b/server/api_rpc.go
index 37c98b0d9..c54dcc010 100644
--- a/server/api_rpc.go
+++ b/server/api_rpc.go
@@ -51,25 +51,25 @@ func (s *ApiServer) RpcFuncHttp(w http.ResponseWriter, r *http.Request) {
 var username string
 var vars map[string]string
 var expiry int64
- if auth := r.Header["Authorization"]; len(auth) >= 1 {
- var token string
- userID, username, vars, expiry, token, isTokenAuth = parseBearerAuth([]byte(s.config.GetSession().EncryptionKey), auth[0])
- if !isTokenAuth || !s.sessionCache.IsValidSession(userID, expiry, token) {
- // Auth token not valid or expired.
+ if httpKey := queryParams.Get("http_key"); httpKey != "" {
+ if httpKey != s.config.GetRuntime().HTTPKey {
+ // HTTP key did not match.
 w.Header().Set("content-type", "application/json")
 w.WriteHeader(http.StatusUnauthorized)
- _, err := w.Write(authTokenInvalidBytes)
+ _, err := w.Write(httpKeyInvalidBytes)
 if err != nil {
 s.logger.Debug("Error writing response to client", zap.Error(err))
 }
 return
 }
- } else if httpKey := queryParams.Get("http_key"); httpKey != "" {
- if httpKey != s.config.GetRuntime().HTTPKey {
- // HTTP key did not match.
+ } else if auth := r.Header["Authorization"]; len(auth) >= 1 {
+ var token string
+ userID, username, vars, expiry, token, isTokenAuth = parseBearerAuth([]byte(s.config.GetSession().EncryptionKey), auth[0])
+ if !isTokenAuth || !s.sessionCache.IsValidSession(userID, expiry, token) {
+ // Auth token not valid or expired.
 w.Header().Set("content-type", "application/json")
 w.WriteHeader(http.StatusUnauthorized)
- _, err := w.Write(httpKeyInvalidBytes)
+ _, err := w.Write(authTokenInvalidBytes)
 if err != nil {
 s.logger.Debug("Error writing response to client", zap.Error(err))
 }
-- GitLab
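Review bot: The `http_key` check in the new first branch compares the shared secret with `!=`, which is not constant-time, and this commit makes it the first check run for any request carrying the query parameter; prefer `if subtle.ConstantTimeCompare([]byte(httpKey), []byte(s.config.GetRuntime().HTTPKey)) != 1 {` (needs `crypto/subtle`). With the new order a request that sends both credentials is decided on `http_key` alone, so a matching key skips `parseBearerAuth` and `IsValidSession` entirely and a wrong key returns 401 even when the bearer token is good; a comment such as `// http_key takes precedence: when present, the Authorization header is ignored.` would make that explicit. Because the key travels in the query string it is likely to end up in access and proxy logs, so those logs should be treated as sensitive or the parameter redacted. RpcFuncHttp starts above and continues below this hunk, so how `userID` is used afterwards is not visible here.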