fix: ignore basic auth header (#13473)

evcc-io · Apr 18, 2024 · 54c7440 · 54c7440
1 parent f483f2c
commit 54c7440
Showing 1 changed file with 12 additions and 6 deletions.
diff --git a/server/http_auth.go b/server/http_auth.go
@@ -3,6 +3,7 @@ package server
 import (
 	"encoding/json"
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/evcc-io/evcc/util/auth"
@@ -55,14 +56,19 @@ func updatePasswordHandler(auth auth.Auth) http.HandlerFunc {
 
 // read jwt from header and cookie
 func jwtFromRequest(r *http.Request) string {
-	tokenString := r.Header.Get("Authorization")
-	if tokenString == "" {
-		if cookie, _ := r.Cookie(authCookieName); cookie != nil {
-			tokenString = cookie.Value
-		}
+	// read from header
+	authHeader := r.Header.Get("Authorization")
+	splitToken := strings.Split(authHeader, "Bearer ")
+	if len(splitToken) == 2 {
+		return splitToken[1]
+	}
+
+	// read from cookie
+	if cookie, _ := r.Cookie(authCookieName); cookie != nil {
+		return cookie.Value
 	}
 
-	return tokenString
+	return ""
 }
 
 // authStatusHandler login status (true/false) based on jwt token. Error if admin password is not configured