/**
* Require auth for an API endpoint.
- * Check for valid local identifier in session, or Authentication header.
+ * Check for valid local identifier in Authorization header; optionally
+ * fall back to session cookie if no header provided.
* Prompts for Basic auth if not valid.
* @param {http.ClientRequest} req
* @param {http.ServerResponse} res
* @param {Boolean} sessionAlsoValid
*/
async apiRequiredLocal(req, res, ctx, sessionAlsoValid = true) {
- const validSession = sessionAlsoValid && this.sessionCheck(req, res, ctx, undefined, false, false);
+ const _scope = _fileScope('apiRequiredLocal');
+ this.logger.debug(_scope, 'called', { ctx, sessionAlsoValid });
+
+ // If a Authorization header was provided, never consider session as a fallback.
const authorizationHeader = req.getHeader(Enum.Header.Authorization);
- const validAuthorization = authorizationHeader && this.isValidAuthorization(authorizationHeader, ctx);
- if (validSession || validAuthorization) {
- return true;
+ if (authorizationHeader) {
+ if (await this.isValidAuthorization(authorizationHeader, ctx)) {
+ this.logger.debug(_scope, 'valid authorization', { ctx, sessionAlsoValid });
+ return true;
+ }
+ } else {
+ if (sessionAlsoValid
+ && await this.sessionCheck(req, res, ctx, undefined, false, false)) {
+ this.logger.debug(_scope, 'valid session', { ctx, sessionAlsoValid });
+ return true;
+ }
}
+
+ this.logger.debug(_scope, 'invalid authorization', { ctx, sessionAlsoValid });
this.requestBasic(res);
}
projects / squeep-authentication-module / blobdiff