Prioritize auth header compared to auth cookie

2025-05-24 02:02:36 -04:00 · 2024-03-09 15:40:55 +01:00 · 2024-03-09 15:40:55 +01:00 · 8f7320c298
commit 8f7320c298
parent 92bfbf662b
3 changed files with 18 additions and 10 deletions
--- a/back/src/Kyoo.Authentication/AuthenticationModule.cs
+++ b/back/src/Kyoo.Authentication/AuthenticationModule.cs
@ -29,6 +29,7 @@ using Microsoft.AspNetCore.Builder;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Primitives;
 using Microsoft.IdentityModel.Tokens;

 namespace Kyoo.Authentication
@ -69,12 +70,8 @@ namespace Kyoo.Authentication
 			PermissionOption options =
 				new()
 				{
-					Default = _configuration
-						.GetValue("UNLOGGED_PERMISSIONS", "overall.read,overall.play")!
-						.Split(','),
-					NewUser = _configuration
-						.GetValue("DEFAULT_PERMISSIONS", "overall.read,overall.play")!
-						.Split(','),
+					Default = _configuration.GetValue("UNLOGGED_PERMISSIONS", "")!.Split(',').Where(x => x.Length > 0).ToArray(),
+					NewUser = _configuration.GetValue("DEFAULT_PERMISSIONS", "overall.read,overall.play")!.Split(','),
 					RequireVerification = _configuration.GetValue(
 						"REQUIRE_ACCOUNT_VERIFICATION",
 						true
@ -141,7 +138,6 @@ namespace Kyoo.Authentication
 				new AuthenticationOption() { Secret = secret, Permissions = options, }
 			);

-			// TODO handle direct-videos with bearers (probably add a cookie and a app.Use to translate that for videos)
 			services
 				.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
 				.AddJwtBearer(options =>
@ -150,6 +146,18 @@ namespace Kyoo.Authentication
 					{
 						OnMessageReceived = (ctx) =>
 						{
+							string prefix = "Bearer ";
+							if (
+								ctx.Request.Headers.TryGetValue(
+									"Authorization",
+									out StringValues val
+								)
+								&& val.ToString() is string auth
+								&& auth.StartsWith(prefix)
+							)
+							{
+								ctx.Token ??= auth[prefix.Length..];
+							}
 							ctx.Token ??= ctx.Request.Cookies["X-Bearer"];
 							return Task.CompletedTask;
 						}
--- a/front/packages/models/src/login.ts
+++ b/front/packages/models/src/login.ts
@ -33,7 +33,7 @@ export const login = async (
 	action: "register" | "login",
 	{ apiUrl, ...body }: { username: string; password: string; email?: string; apiUrl?: string },
 ): Promise<Result<Account, string>> => {
-	apiUrl ??= getCurrentApiUrl()!;
+	if (!apiUrl || apiUrl.length === 0) apiUrl = getCurrentApiUrl()!;
 	try {
 		const controller = new AbortController();
 		setTimeout(() => controller.abort(), 5_000);
@ -63,7 +63,7 @@ export const login = async (
 };

 export const oidcLogin = async (provider: string, code: string, apiUrl?: string) => {
-	apiUrl ??= getCurrentApiUrl()!;
+	if (!apiUrl || apiUrl.length === 0) apiUrl = getCurrentApiUrl()!;
 	try {
 		const token = await queryFn(
 			{
--- a/front/packages/models/src/query.tsx
+++ b/front/packages/models/src/query.tsx
@ -50,7 +50,7 @@ export const queryFn = async <Parser extends z.ZodTypeAny>(
 	type?: Parser,
 	token?: string | null,
 ): Promise<z.infer<Parser>> => {
-	const url = context.apiUrl ?? getCurrentApiUrl();
+	const url = context.apiUrl && context.apiUrl.length > 0 ? context.apiUrl : getCurrentApiUrl();
 	lastUsedUrl = url!;

 	if (token === undefined && context.authenticated !== false) token = await getToken();