Try http_key auth method before authorization based auth method in RPC functions. (#772)

1c48dfdc · Jason Knight · GitHub · cc5ba4d9 · 1c48dfdc
Unverified Commit 1c48dfdc authored 3 years ago by Jason Knight Committed by GitHub 3 years ago
--- a/server/api_rpc.go
+++ b/server/api_rpc.go
@@ -51,25 +51,25 @@ func (s *ApiServer) RpcFuncHttp(w http.ResponseWriter, r *http.Request) {
 	var username string
 	var vars map[string]string
 	var expiry int64
-	if auth := r.Header["Authorization"]; len(auth) >= 1 {
+	if httpKey := queryParams.Get("http_key"); httpKey != "" {
-		var token string
+		if httpKey != s.config.GetRuntime().HTTPKey {
-		userID, username, vars, expiry, token, isTokenAuth = parseBearerAuth([]byte(s.config.GetSession().EncryptionKey), auth[0])
+			// HTTP key did not match.
-		if !isTokenAuth || !s.sessionCache.IsValidSession(userID, expiry, token) {
-			// Auth token not valid or expired.
 			w.Header().Set("content-type", "application/json")
 			w.WriteHeader(http.StatusUnauthorized)
-			_, err := w.Write(authTokenInvalidBytes)
+			_, err := w.Write(httpKeyInvalidBytes)
 			if err != nil {
 				s.logger.Debug("Error writing response to client", zap.Error(err))
 			}
 			return
 		}
-	} else if httpKey := queryParams.Get("http_key"); httpKey != "" {
+	} else if auth := r.Header["Authorization"]; len(auth) >= 1 {
-		if httpKey != s.config.GetRuntime().HTTPKey {
+		var token string
-			// HTTP key did not match.
+		userID, username, vars, expiry, token, isTokenAuth = parseBearerAuth([]byte(s.config.GetSession().EncryptionKey), auth[0])
+		if !isTokenAuth || !s.sessionCache.IsValidSession(userID, expiry, token) {
+			// Auth token not valid or expired.
 			w.Header().Set("content-type", "application/json")
 			w.WriteHeader(http.StatusUnauthorized)
-			_, err := w.Write(httpKeyInvalidBytes)
+			_, err := w.Write(authTokenInvalidBytes)
 			if err != nil {
 				s.logger.Debug("Error writing response to client", zap.Error(err))
 			}