Merge pull request #3982 from SleeplessOne1917/bearer-token

feat: Replace ad hoc auth header with internet standard bearer token auth header

Cargo.lock

@@ -314,6 +314,21 @@ dependencies = [
  "syn 1.0.103",
 ]
 
+[[package]]
+name = "actix-web-httpauth"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d613edf08a42ccc6864c941d30fe14e1b676a77d16f1dbadc1174d065a0a775"
+dependencies = [
+ "actix-utils",
+ "actix-web",
+ "base64 0.21.2",
+ "futures-core",
+ "futures-util",
+ "log",
+ "pin-project-lite",
+]
+
 [[package]]
 name = "actix-web-prom"
 version = "0.6.0"
@@ -2867,6 +2882,7 @@ dependencies = [
  "activitypub_federation",
  "actix-cors",
  "actix-web",
+ "actix-web-httpauth",
  "actix-web-prom",
  "chrono",
  "clap",

Cargo.toml

@@ -168,4 +168,5 @@ prometheus = { version = "0.13.3", features = ["process"], optional = true }
 actix-web-prom = { version = "0.6.0", optional = true }
 serial_test = { workspace = true }
 clap = { version = "4.3.19", features = ["derive"] }
+actix-web-httpauth = "0.8.1"
 lemmy_federate = { version = "0.18.4", path = "crates/federate" }

api_tests/src/comment.spec.ts

@@ -229,7 +229,7 @@ test.skip("Remove a comment from admin and community on the same instance", asyn
 test("Remove a comment from admin and community on different instance", async () => {
   let alpha_user = await registerUser(alpha);
   let newAlphaApi = new LemmyHttp(alphaUrl, {
-    headers: { auth: alpha_user.jwt ?? "" },
+    headers: { Authorization: `Bearer ${alpha_user.jwt ?? ""}` },
   });
 
   // New alpha user creates a community, post, and comment.

api_tests/src/community.spec.ts

@@ -252,7 +252,7 @@ test("moderator view", async () => {
   // register a new user with their own community on alpha and post to it
   let registerUserRes = await registerUser(alpha);
   let otherUser = new LemmyHttp(alphaUrl, {
-    headers: { auth: registerUserRes.jwt ?? "" },
+    headers: { Authorization: `Bearer ${registerUserRes.jwt ?? ""}` },
   });
 
   let otherCommunity = (await createCommunity(otherUser)).community_view;

api_tests/src/post.spec.ts

@@ -382,7 +382,7 @@ test("Enforce site ban for federated user", async () => {
   let alphaUserJwt = await registerUser(alpha);
   expect(alphaUserJwt).toBeDefined();
   let alpha_user = new LemmyHttp(alphaUrl, {
-    headers: { auth: alphaUserJwt.jwt ?? "" },
+    headers: { Authorization: `Bearer ${alphaUserJwt.jwt ?? ""}` },
   });
   let alphaUserActorId = (await getSite(alpha_user)).my_user?.local_user_view
     .person.actor_id;

api_tests/src/shared.ts

@@ -124,11 +124,11 @@ export async function setupLogins() {
     resDelta,
     resEpsilon,
   ]);
-  alpha.setHeaders({ auth: res[0].jwt ?? "" });
+  alpha.setHeaders({ Authorization: `Bearer ${res[0].jwt ?? ""}` });
-  beta.setHeaders({ auth: res[1].jwt ?? "" });
+  beta.setHeaders({ Authorization: `Bearer ${res[1].jwt ?? ""}` });
-  gamma.setHeaders({ auth: res[2].jwt ?? "" });
+  gamma.setHeaders({ Authorization: `Bearer ${res[2].jwt ?? ""}` });
-  delta.setHeaders({ auth: res[3].jwt ?? "" });
+  delta.setHeaders({ Authorization: `Bearer ${res[3].jwt ?? ""}` });
-  epsilon.setHeaders({ auth: res[4].jwt ?? "" });
+  epsilon.setHeaders({ Authorization: `Bearer ${res[4].jwt ?? ""}` });
 
   // Registration applications are now enabled by default, need to disable them
   let editSiteForm: EditSite = {

api_tests/src/user.spec.ts

@@ -41,7 +41,7 @@ test("Create user", async () => {
   let userRes = await registerUser(alpha);
   expect(userRes.jwt).toBeDefined();
   let user = new LemmyHttp(alphaUrl, {
-    headers: { auth: userRes.jwt ?? "" },
+    headers: { Authorization: `Bearer ${userRes.jwt ?? ""}` },
   });
 
   let site = await getSite(user);
@@ -63,7 +63,7 @@ test("Delete user", async () => {
   let userRes = await registerUser(alpha);
   expect(userRes.jwt).toBeDefined();
   let user = new LemmyHttp(alphaUrl, {
-    headers: { auth: userRes.jwt ?? "" },
+    headers: { Authorization: `Bearer ${userRes.jwt ?? ""}` },
   });
 
   // make a local post and comment
@@ -109,7 +109,7 @@ test("Delete user", async () => {
 
 test("Requests with invalid auth should be treated as unauthenticated", async () => {
   let invalid_auth = new LemmyHttp(alphaUrl, {
-    headers: { auth: "" },
+    headers: { Authorization: "Bearer foobar" },
   });
   let site = await getSite(invalid_auth);
   expect(site.my_user).toBeUndefined();

crates/utils/translations

@@ -1 +1 @@
-Subproject commit 839f1097d07ba9d730e31f58c892de491442e490
+Subproject commit de9de2c53bee034d3824ecaa9a2104f8f341332e

src/session_middleware.rs

@@ -2,10 +2,11 @@ use actix_web::{
   body::MessageBody,
   cookie::SameSite,
   dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
-  http::header::CACHE_CONTROL,
+  http::header::{Header, CACHE_CONTROL},
   Error,
   HttpMessage,
 };
+use actix_web_httpauth::headers::authorization::{Authorization, Bearer};
 use chrono::{DateTime, Utc};
 use core::future::Ready;
 use futures_util::future::LocalBoxFuture;
@@ -76,13 +77,9 @@ where
     let context = self.context.clone();
 
     Box::pin(async move {
-      // Try reading jwt from auth header
+      let auth_header = Authorization::<Bearer>::parse(&req).ok();
-      let auth_header = req
-        .headers()
-        .get(AUTH_COOKIE_NAME)
-        .and_then(|h| h.to_str().ok());
       let jwt = if let Some(a) = auth_header {
-        Some(a.to_string())
+        Some(a.as_ref().token().to_string())
       }
       // If that fails, try auth cookie. Dont use the `jwt` cookie from lemmy-ui because
       // its not http-only.