X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=lib%2Fauthenticator.js;h=1cff2108f309e2ac51245070281e0ec346f6168c;hb=eacffdc89c204c1764c6d5944e6a554c3be3c532;hp=efa3d844e7502cd024c6c99da830342dfe04954f;hpb=1e2d8a7bdb0df28d08258ee813ee6db77168d59e;p=squeep-authentication-module
diff --git a/lib/authenticator.js b/lib/authenticator.js
index efa3d84..1cff210 100644
--- a/lib/authenticator.js
+++ b/lib/authenticator.js
@@ -338,7 +338,8 @@ class Authenticator {
 /**
 * Require auth for an API endpoint.
- * Check for valid local identifier in session, or Authentication header.
+ * Check for valid local identifier in Authorization header; optionally
+ * fall back to session cookie if no header provided.
 * Prompts for Basic auth if not valid.
 * @param {http.ClientRequest} req
 * @param {http.ServerResponse} res 
@@ -346,12 +347,25 @@ class Authenticator {
 * @param {Boolean} sessionAlsoValid
 */
 async apiRequiredLocal(req, res, ctx, sessionAlsoValid = true) {
- const validSession = sessionAlsoValid && this.sessionCheck(req, res, ctx, undefined, false, false);
+ const _scope = _fileScope('apiRequiredLocal');
+ this.logger.debug(_scope, 'called', { ctx, sessionAlsoValid });
+
+ // If a Authorization header was provided, never consider session as a fallback.
 const authorizationHeader = req.getHeader(Enum.Header.Authorization);
- const validAuthorization = authorizationHeader && this.isValidAuthorization(authorizationHeader, ctx);
- if (validSession || validAuthorization) {
- return true;
+ if (authorizationHeader) {
+ if (await this.isValidAuthorization(authorizationHeader, ctx)) {
+ this.logger.debug(_scope, 'valid authorization', { ctx, sessionAlsoValid });
+ return true;
+ }
+ } else {
+ if (sessionAlsoValid
+ && await this.sessionCheck(req, res, ctx, undefined, false, false)) {
+ this.logger.debug(_scope, 'valid session', { ctx, sessionAlsoValid });
+ return true;
+ }
 }
+
+ this.logger.debug(_scope, 'invalid authorization', { ctx, sessionAlsoValid });
 this.requestBasic(res);
 }
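Review bot: The three new `this.logger.debug(_scope, …, { ctx, sessionAlsoValid })` calls hand the whole `ctx` object to the logger on every request, including the failure path; if `isValidAuthorization` or `sessionCheck` populates `ctx` with parsed credentials, a session identifier or other account data (not visible in this hunk), that material lands in the debug log. Log only what the decision needs, e.g. `{ sessionAlsoValid, hasAuthorizationHeader: Boolean(authorizationHeader) }`, and keep `ctx` out of it unless the logger is known to redact. The fall-through after `this.requestBasic(res)` still leaves the method resolving to `undefined`, so callers depend on truthiness; an explicit `return false;` after that call, plus a `@returns {Promise<Boolean>}` tag in the JSDoc (the docblock starts outside this hunk), would make the contract explicit. Minor: the added comment reads "If a Authorization header" and should be "If an Authorization header".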