fix(api): validate Bearer prefix before extracting API key

The replace("Bearer ", "") approach returned the full Authorization header value when the prefix was not present, incorrectly treating other auth schemes (e.g., "Basic xyz") as API keys.
This commit is contained in:
Andy
2026-01-23 17:20:22 -07:00
parent 6b90a19632
commit 0c7d20c943


@@ -18,7 +18,15 @@ def get_api_key_from_request(request: web.Request) -> Optional[str]:
Returns:
API key string or None
"""
return request.headers.get("X-API-Key") or request.headers.get("Authorization", "").replace("Bearer ", "")
api_key = request.headers.get("X-API-Key")
if api_key:
return api_key
auth_header = request.headers.get("Authorization", "")
if auth_header.startswith("Bearer "):
return auth_header[7:] # len("Bearer ") == 7
return None
def get_api_key_config(app: web.Application, api_key: str) -> Optional[Dict[str, Any]]:
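Review bot: The Bearer branch returns the raw remainder of the header, so `Authorization: Bearer ` (empty token) now yields `""` rather than `None`, and surrounding whitespace in the token is kept; normalizing the two new lines to `token = auth_header[7:].strip()` and `return token or None` makes the Bearer path consistent with the X-API-Key path, which already falls through on an empty value. Whether get_api_key_config treats an empty key as absent is not visible here, so returning `None` for that case is the safer contract. The `startswith("Bearer ")` check is case-sensitive, while the auth-scheme name is case-insensitive per RFC 7235; if clients sending `bearer` are expected, a `lower()` comparison on the scheme would be needed, otherwise the strict match is a reasonable, deliberate choice worth a one-line comment. The docstring visible at the top of the hunk could state the precedence, e.g. `X-API-Key takes priority; otherwise the token of a Bearer Authorization header; any other scheme yields None.` get_api_key_from_request begins before the hunk (its docstring opens outside it).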