diff --git a/CHANGELOG.md b/CHANGELOG.md
index ee04c11b35c89018d8f6c0df760081bd3c411b6f..ef709603373e63560aa9ecf93c7ff1f3c57f2dd9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,9 @@ All notable changes to this project are documented below.
 The format is based on [keep a changelog](http://keepachangelog.com) and this project uses [semantic versioning](http://semver.org).
 ## [Unreleased]
+### Added
+- Allow the socket acceptor to read session tokens from request headers.
+
 ### Changed
 - Stricter validation of limit in runtime storage list operations.
 - Allow subdomain variance in Facebook Limited Login token issuer field.
diff --git a/server/matchmaker.go b/server/matchmaker.go
index f86d6cd042b54bc2f7ac0247423d3a4001979e47..cef50ed22b7746415f230e7843b054778e3df2dd 100644
--- a/server/matchmaker.go
+++ b/server/matchmaker.go
@@ -550,7 +550,7 @@ func (m *LocalMatchmaker) Process() {
 // We've removed something, update the known size of the currently considered combo.
 l = len(foundCombo) + index.Count
- if (len(foundCombo)+index.Count)%index.CountMultiple != 0 {
+ if l%index.CountMultiple != 0 {
 // Removal was insufficient, the combo is still not valid for the required multiple.
 continue
 }
diff --git a/server/socket_ws.go b/server/socket_ws.go
index 2a2396e1b229ad752370a8e33b23e6f5a9fff3e2..40ed50eab7dbbed30958daf6b2310fc1ac94137c 100644
--- a/server/socket_ws.go
+++ b/server/socket_ws.go
@@ -18,6 +18,7 @@ import (
 "net"
 "net/http"
 "strconv"
+ "strings"
 "github.com/gofrs/uuid"
 "github.com/gorilla/websocket"
@@ -55,7 +56,19 @@ func NewSocketWsAcceptor(logger *zap.Logger, config Config, sessionRegistry Sess
 }
 // Check authentication.
- token := r.URL.Query().Get("token")
+ var token string
+ if auth := r.Header["Authorization"]; len(auth) >= 1 {
+ // Attempt header based authentication.
+ const prefix = "Bearer "
+ if !strings.HasPrefix(auth[0], prefix) {
+ http.Error(w, "Missing or invalid token", 401)
+ return
+ }
+ token = auth[0][len(prefix):]
+ } else {
+ // Attempt query parameter based authentication.
+ token = r.URL.Query().Get("token")
+ }
 if token == "" {
 http.Error(w, "Missing or invalid token", 401)
 return
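Review bot: The scheme check `strings.HasPrefix(auth[0], prefix)` is case-sensitive, but HTTP authentication scheme names are case-insensitive, so a client that sends `bearer <token>` is rejected with a 401 even when the token is valid; `if len(auth[0]) < len(prefix) || !strings.EqualFold(auth[0][:len(prefix)], prefix) {` would accept any casing while still failing closed. The query-parameter path in the `else` branch is kept, and a session token carried in the URL can end up in proxy and access logs, so that branch deserves a comment such as `// Fallback for clients that cannot set headers; a token in the URL may be recorded by intermediaries.`. The 401 responses could also use `http.StatusUnauthorized` instead of the literal. The handler closure starts and ends outside the hunk, so how the token is validated afterwards is not visible here.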