Enhance JWT token retrieval in viewer and auth middleware for improved security and flexibility

2026-01-11 04:34:14 +01:00
parent f0d6d0b8e1
commit a3a9360110
2 changed files with 14 additions and 8 deletions
--- a/go_cloud/internal/middleware/middleware.go
+++ b/go_cloud/internal/middleware/middleware.go
@@ -96,12 +96,19 @@ func Auth(jwtManager *jwt.Manager, db *database.DB) func(http.Handler) http.Hand
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			authHeader := r.Header.Get("Authorization")
-			if !strings.HasPrefix(authHeader, "Bearer ") {
-				http.Error(w, "Unauthorized", http.StatusUnauthorized)
-				return
+			var tokenString string
+			if strings.HasPrefix(authHeader, "Bearer ") {
+				tokenString = strings.TrimPrefix(authHeader, "Bearer ")
+			} else {
+				// Fallback to query parameter token (for viewers that cannot set headers)
+				qToken := r.URL.Query().Get("token")
+				if qToken == "" {
+					http.Error(w, "Unauthorized", http.StatusUnauthorized)
+					return
+				}
+				tokenString = qToken
 			}

-			tokenString := strings.TrimPrefix(authHeader, "Bearer ")
 			claims, session, err := jwtManager.ValidateWithSession(r.Context(), tokenString, db)
 			if err != nil {
 				http.Error(w, "Unauthorized", http.StatusUnauthorized)