From e045d0700ee3c2818d2d254c2de3a52bab0120ef Mon Sep 17 00:00:00 2001
From: Tim Marx <t.marx@proxmox.com>
Date: Tue, 21 Jan 2020 13:54:19 +0100
Subject: [PATCH] allow ticket in auth header as fallback
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

based on idea & RFC by Tim Marx, incorporating feedback by Thomas
Lamprecht. this will be extended to support API tokens in the
Authorization header as well, so make it generic.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 PVE/APIServer/AnyEvent.pm  |  9 ++++++++-
 PVE/APIServer/Formatter.pm | 12 ++++++------
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/PVE/APIServer/AnyEvent.pm b/PVE/APIServer/AnyEvent.pm
index 539a156..1e5c180 100644
--- a/PVE/APIServer/AnyEvent.pm
+++ b/PVE/APIServer/AnyEvent.pm
@@ -1229,7 +1229,14 @@ sub unshift_read_header {
 		} elsif ($path =~ m/^\Q$base_uri\E/) {
 		    my $token = $r->header('CSRFPreventionToken');
 		    my $cookie = $r->header('Cookie');
-		    my $ticket = PVE::APIServer::Formatter::extract_auth_cookie($cookie, $self->{cookie_name});
+		    my $auth_header = $r->header('Authorization');
+
+		    # prefer actual cookie
+		    my $ticket = PVE::APIServer::Formatter::extract_auth_value($cookie, $self->{cookie_name});
+
+		    # fallback to cookie in 'Authorization' header
+		    $ticket = PVE::APIServer::Formatter::extract_auth_value($auth_header, $self->{cookie_name})
+			if !$ticket;
 
 		    my ($rel_uri, $format) = &$split_abs_uri($path, $self->{base_uri});
 		    if (!$format) {
diff --git a/PVE/APIServer/Formatter.pm b/PVE/APIServer/Formatter.pm
index 0c459bd..def1932 100644
--- a/PVE/APIServer/Formatter.pm
+++ b/PVE/APIServer/Formatter.pm
@@ -75,16 +75,16 @@ sub get_login_formatter {
 
 # some helper functions
 
-sub extract_auth_cookie {
-    my ($cookie, $cookie_name) = @_;
+sub extract_auth_value {
+    my ($header, $key) = @_;
 
-    return undef if !$cookie;
+    return undef if !$header;
 
-    my $ticket = ($cookie =~ /(?:^|\s)\Q$cookie_name\E=([^;]*)/)[0];
+    my $value = ($header =~ /(?:^|\s)\Q$key\E(?:=| )([^;]*)/)[0];
 
-    $ticket = uri_unescape($ticket) if $ticket;
+    $value = uri_unescape($value) if $value;
 
-    return $ticket;
+    return $value;
 }
 
 sub create_auth_cookie {
-- 
2.39.5