Correctly detect Authorization header from appservice API requests (#309

) * Correctly detect Authorization header from appservice API requests * remove spaces * Stop the appservice at the end of the test
turt2live · Mar 24, 2023 · 34ee889 · 34ee889
1 parent fb121c2
commit 34ee889
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 2 deletions.
diff --git a/src/appservice/Appservice.ts b/src/appservice/Appservice.ts
@@ -639,8 +639,8 @@ export class Appservice extends EventEmitter {
 
  private isAuthed(req: any): boolean {
  let providedToken = req.query ? req.query["access_token"] : null;
- if (req.headers && req.headers["Authorization"]) {
- const authHeader = req.headers["Authorization"];
+ if (req.headers && req.headers["authorization"]) {
+ const authHeader = req.headers["authorization"];
  if (!authHeader.startsWith("Bearer ")) providedToken = null;
  else providedToken = authHeader.substring("Bearer ".length);
  }

diff --git a/test/appservice/AppserviceTest.ts b/test/appservice/AppserviceTest.ts
@@ -809,6 +809,67 @@ describe('Appservice', () => {
  }
  });
 
+ it('should support using the Authorization header for auth', async () => {
+ const port = await getPort();
+ const hsToken = "s3cret_token";
+ const appservice = new Appservice({
+ port: port,
+ bindAddress: '',
+ homeserverName: 'example.org',
+ homeserverUrl: 'https://localhost',
+ registration: {
+ as_token: "",
+ hs_token: hsToken,
+ sender_localpart: "_bot_",
+ namespaces: {
+ users: [{ exclusive: true, regex: "@_prefix_.*:.+" }],
+ rooms: [],
+ aliases: [],
+ },
+ },
+ });
+ appservice.botIntent.ensureRegistered = () => {
+ return null;
+ };
+
+ await appservice.begin();
+
+ try {
+ // Should return 200 OK
+ await requestPromise({
+ uri: `http://localhost:${port}/_matrix/app/v1/transactions/1`,
+ method: "PUT",
+ json: { events: [] },
+ headers: {
+ Authorization: `Bearer ${hsToken}`,
+ },
+ });
+
+ try {
+ // Should not be 200 OK
+ await requestPromise({
+ uri: `http://localhost:${port}/_matrix/app/v1/transactions/1`,
+ method: "PUT",
+ json: { events: [] },
+ headers: {
+ Authorization: `IMPROPER_AUTH ${hsToken}`,
+ },
+ });
+
+ // noinspection ExceptionCaughtLocallyJS
+ throw new Error("Authentication passed when it shouldn't have");
+ } catch (e) {
+ expect(e.error).toMatchObject({
+ errcode: "AUTH_FAILED",
+ error: "Authentication failed",
+ });
+ expect(e.statusCode).toBe(401);
+ }
+ } finally {
+ appservice.stop();
+ }
+ });
+
  it('should validate inputs for transactions', async () => {
  const port = await getPort();
  const hsToken = "s3cret_token";