based on idea & RFC by Tim Marx, incorporating feedback by Thomas
Lamprecht. this will be extended to support API tokens in the
Authorization header as well, so make it generic.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
} elsif ($path =~ m/^\Q$base_uri\E/) {
my $token = $r->header('CSRFPreventionToken');
my $cookie = $r->header('Cookie');
- my $ticket = PVE::APIServer::Formatter::extract_auth_cookie($cookie, $self->{cookie_name});
+ my $auth_header = $r->header('Authorization');
+
+ # prefer actual cookie
+ my $ticket = PVE::APIServer::Formatter::extract_auth_value($cookie, $self->{cookie_name});
+
+ # fallback to cookie in 'Authorization' header
+ $ticket = PVE::APIServer::Formatter::extract_auth_value($auth_header, $self->{cookie_name})
+ if !$ticket;
my ($rel_uri, $format) = &$split_abs_uri($path, $self->{base_uri});
if (!$format) {
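Review bot: The fallback `$ticket = ...extract_auth_value($auth_header, ...) if !$ticket;` reads the Authorization header only when the Cookie header yields no value, so a stale or malformed cookie sent alongside a valid Authorization ticket means the request is judged on the cookie alone. If that precedence is intended, the comment should say so, e.g. `# a non-empty cookie value always wins; Authorization is only read when the cookie carries no ticket`. The code also keeps no record of which header supplied `$ticket`. Whether later checks need that distinction (the `CSRFPreventionToken` read just above, or the API-token support the description announces) is not visible here. The enclosing `elsif` branch starts and ends outside the hunk.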
# some helper functions
-sub extract_auth_cookie {
- my ($cookie, $cookie_name) = @_;
+sub extract_auth_value {
+ my ($header, $key) = @_;
- return undef if !$cookie;
+ return undef if !$header;
- my $ticket = ($cookie =~ /(?:^|\s)\Q$cookie_name\E=([^;]*)/)[0];
+ my $value = ($header =~ /(?:^|\s)\Q$key\E(?:=| )([^;]*)/)[0];
- $ticket = uri_unescape($ticket) if $ticket;
+ $value = uri_unescape($value) if $value;
- return $ticket;
+ return $value;
}
sub create_auth_cookie {
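Review bot: The shared pattern in `extract_auth_value`, `/(?:^|\s)\Q$key\E(?:=| )([^;]*)/`, applies one grammar to two different headers, so the Cookie header now also accepts `key value` and the Authorization header also accepts `key=value`. Because of `(?:^|\s)`, the key may match after any whitespace, so for Authorization it need not be the scheme at the start of the header. It can be found inside the credentials of another scheme. If the helper is to stay generic, a comment above the sub should state exactly which forms are accepted and that the value is URI-unescaped for both headers. A stricter option is to let the caller choose the delimiter and anchor the Authorization case, e.g. `/^\Q$key\E ([^;]*)/`. Any other caller of the old name `extract_auth_cookie` would lie outside this hunk and needs the same rename.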