basic auth etapi should require "etapi" username

2025-11-04 15:11:31 +08:00 · 2022-10-09 21:33:32 +02:00 · 2022-10-09 21:33:32 +02:00 · 3e07c08043
commit 3e07c08043
parent 5a3c50d9fb
2 changed files with 16 additions and 5 deletions
--- a/src/services/etapi_tokens.js
+++ b/src/services/etapi_tokens.js
@ -37,11 +37,15 @@ function parseAuthToken(auth) {
        const basicAuthStr = utils.fromBase64(auth.substring(6)).toString("UTF-8");
        const basicAuthChunks = basicAuthStr.split(":");

-        if (basicAuthChunks.length === 2) {
-            auth = basicAuthChunks[1];
-        } else {
+        if (basicAuthChunks.length !== 2) {
            return null;
        }
+
+        if (basicAuthChunks[0] !== "etapi") {
+            return null;
+        }
+
+        auth = basicAuthChunks[1];
    }

    const chunks = auth.split("_");
--- a/test-etapi/basic-auth.http
+++ b/test-etapi/basic-auth.http
@ -1,5 +1,5 @@
 GET {{triliumHost}}/etapi/app-info
-Authorization: Basic whatever {{authToken}}
+Authorization: Basic etapi {{authToken}}

 > {%
    client.assert(response.status === 200);
@ -9,6 +9,13 @@ Authorization: Basic whatever {{authToken}}
 ###

 GET {{triliumHost}}/etapi/app-info
-Authorization: Basic whatever wrong pass
+Authorization: Basic etapi wrong
+
+> {% client.assert(response.status === 401); %}
+
+###
+
+GET {{triliumHost}}/etapi/app-info
+Authorization: Basic wrong {{authToken}}

 > {% client.assert(response.status === 401); %}