From 03acd14b7709ca4c19828b2a5b772dd9c4107e1d Mon Sep 17 00:00:00 2001
From: n9k
Date: Tue, 14 Jun 2022 04:57:54 +0000
Subject: [PATCH] Require Authorization header for broadcaster

As opposed to just the broadcaster token. This makes the broadcaster username/password login mandatory, which previously was only mandatory in the `auth_required` wrapper, but not elsewhere (so for example leaving comments as the broadcaster was possible with the token only). A less safe alternative to this would be to compare tokens in `check_auth` once the Authorization header didn't match.
---
 anonstream/routes/wrappers.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/anonstream/routes/wrappers.py b/anonstream/routes/wrappers.py
index 904959d..f191166 100644
--- a/anonstream/routes/wrappers.py
+++ b/anonstream/routes/wrappers.py
@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later

 import hashlib
+import hmac
 import re
 import string
 import time
@@ -79,6 +80,8 @@ def with_user_from(context):
 or context.cookies.get('token')
 or generate_token()
 )
+ if hmac.compare_digest(token, CONFIG['AUTH_TOKEN']):
+ raise abort(401)

 # Reject invalid tokens
 if not RE_TOKEN.fullmatch(token):
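Review bot: `hmac.compare_digest` raises `TypeError` when either `str` argument contains non-ASCII characters, and `token` at this point comes straight from the query string or cookie before `RE_TOKEN.fullmatch` has validated it, so a request carrying a non-ASCII `token` becomes an unhandled exception (a 500) instead of the 400 the next check would return. Compare bytes instead, `if hmac.compare_digest(token.encode(), CONFIG['AUTH_TOKEN'].encode()):`, or move the `RE_TOKEN` rejection above the new check if that pattern is known to admit ASCII only. The new check also only guards the fall-through token assignment, so it presumably relies on `check_auth` having already accepted a request whose Authorization header matched; `with_user_from` starts outside the hunk, so that ordering cannot be confirmed from here.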