postgres/typesense
1
0
Fork 0
mirror of https://github.com/typesense/typesense.git synced 2025-05-18 12:42:50 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Auth multi_search only when whole body is available.

Browse Source
This commit is contained in:
Kishore Nallan 2022-04-27 13:03:57 +05:30
parent 8104ffb583
commit 9cfe72da7e
2 changed files with 27 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
include/http_server.h
View File

@ -22,6 +22,7 @@ class HttpServer;
struct h2o_custom_req_handler_t {
h2o_handler_t super;
HttpServer* http_server;
std::string api_auth_key_sent;
};
struct h2o_custom_generator_t {

39
src/http_server.cpp
View File

@ -376,14 +376,12 @@ int HttpServer::catch_all_handler(h2o_handler_t *_h2o_handler, h2o_req_t *req) {
query_map.erase("cache_ttl");
// Extract auth key from header. If that does not exist, look for a GET parameter.
std::string api_auth_key_sent = "";
ssize_t auth_header_cursor = h2o_find_header_by_str(&req->headers, http_req::AUTH_HEADER, strlen(http_req::AUTH_HEADER), -1);
if(auth_header_cursor != -1) {
h2o_iovec_t & slot = req->headers.entries[auth_header_cursor].value;
api_auth_key_sent = std::string(slot.base, slot.len);
h2o_handler->api_auth_key_sent = std::string(slot.base, slot.len);
} else if(query_map.count(http_req::AUTH_HEADER) != 0) {
api_auth_key_sent = query_map[http_req::AUTH_HEADER];
h2o_handler->api_auth_key_sent = query_map[http_req::AUTH_HEADER];
}
route_path *rpath = nullptr;
@ -431,12 +429,16 @@ int HttpServer::catch_all_handler(h2o_handler_t *_h2o_handler, h2o_req_t *req) {
const std::string & body = std::string(req->entity.base, req->entity.len);
std::vector<nlohmann::json> embedded_params_vec;
bool authenticated = h2o_handler->http_server->auth_handler(query_map, embedded_params_vec, body, *rpath,
api_auth_key_sent);
if(!authenticated) {
std::string message = std::string("{\"message\": \"Forbidden - a valid `") + http_req::AUTH_HEADER +
"` header must be sent.\"}";
return send_response(req, 401, message);
if(root_resource != "multi_search") {
// multi_search needs to be handled later because the API key could be part of request body and
// the whole request body might not be available right now.
bool authenticated = h2o_handler->http_server->auth_handler(query_map, embedded_params_vec, body, *rpath,
h2o_handler->api_auth_key_sent);
if(!authenticated) {
std::string message = std::string("{\"message\": \"Forbidden - a valid `") + http_req::AUTH_HEADER +
"` header must be sent.\"}";
return send_response(req, 401, message);
}
}
std::shared_ptr<http_req> request = std::make_shared<http_req>(req, rpath->http_method, path_without_query,
@ -616,12 +618,23 @@ int HttpServer::async_req_cb(void *ctx, h2o_iovec_t chunk, int is_end_stream) {
return 0;
}
int HttpServer::process_request(const std::shared_ptr<http_req>& request, const std::shared_ptr<http_res>& response, route_path *rpath,
const h2o_custom_req_handler_t *handler) {
int HttpServer::process_request(const std::shared_ptr<http_req>& request, const std::shared_ptr<http_res>& response,
route_path *rpath, const h2o_custom_req_handler_t *handler) {
//LOG(INFO) << "process_request called";
const std::string& root_resource = (rpath->path_parts.empty()) ? "" : rpath->path_parts[0];
if(root_resource == "multi_search") {
// We can authenticate only when the full request body is available
bool authenticated = handler->http_server->auth_handler(request->params, request->embedded_params_vec,
request->body, *rpath, handler->api_auth_key_sent);
if(!authenticated) {
std::string message = std::string("{\"message\": \"Forbidden - a valid `") + http_req::AUTH_HEADER +
"` header must be sent.\"}";
return send_response(request->_req, 401, message);
}
}
bool is_write = is_write_request(root_resource, rpath->http_method);
if(is_write) {