Require Authorization header for broadcaster
As opposed to just the broadcaster token. This makes the broadcaster username/password login mandatory, which previously was only mandatory in the `auth_required` wrapper, but not elsewhere (so for example leaving comments as the broadcaster was possible with the token only). A less safe alternative to this would be to compare tokens in `check_auth` once the Authorization header didn't match.
Commit 03acd14b77
@ -2,6 +2,7 @@
|
|||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
import hashlib
|
||||
import hmac
|
||||
import re
|
||||
import string
|
||||
import time
|
||||
|
@ -79,6 +80,8 @@ def with_user_from(context):
|
|||
or context.cookies.get('token')
|
||||
or generate_token()
|
||||
)
|
||||
if hmac.compare_digest(token, CONFIG['AUTH_TOKEN']):
|
||||
raise abort(401)
|
||||
|
||||
# Reject invalid tokens
|
||||
if not RE_TOKEN.fullmatch(token):
|
||||
|
|
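Review bot: in the second hunk the new `hmac.compare_digest(token, CONFIG['AUTH_TOKEN'])` check runs before the `# Reject invalid tokens` / `RE_TOKEN.fullmatch(token)` rejection, while `token` may come straight from the `token` cookie. `hmac.compare_digest` raises `TypeError` when its two arguments are not of the same type, or when a `str` argument contains non-ASCII characters, so a client that sends an arbitrary non-ASCII cookie value (or any value at all, if `CONFIG['AUTH_TOKEN']` happens to be loaded as bytes rather than str) gets an unhandled exception instead of the intended 401. Moving the `if not RE_TOKEN.fullmatch(token):` rejection above the compare, or comparing only once that check has passed, avoids this and keeps the constant-time comparison from being reached with a value that could never be a valid token. Separately, if `abort` here is Flask's/Werkzeug's `abort`, it raises on its own and the `raise` in `raise abort(401)` is never reached; harmless, but a bare `abort(401)` matches the usual idiom.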