From d55dddea2e7928bd5cac2c4c02d876d6a093ed9e Mon Sep 17 00:00:00 2001
From: jj
Date: Sun, 20 Oct 2024 10:00:00 +0000
Subject: [PATCH] core/api: normalize bearer authorization
---
api/src/core/api.js | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/api/src/core/api.js b/api/src/core/api.js
index b11d689a..b3123033 100644
--- a/api/src/core/api.js
+++ b/api/src/core/api.js
@@ -158,19 +158,20 @@ export const runAPI = (express, app, __dirname) => {
 return fail(res, "error.api.auth.jwt.missing");
 }
- if (!authorization.startsWith("Bearer ") || authorization.length > 256) {
+ if (authorization.length >= 256) {
 return fail(res, "error.api.auth.jwt.invalid");
 }
- const verifyJwt = jwt.verify(
- authorization.split("Bearer ", 2)[1]
- );
-
- if (!verifyJwt) {
+ const [ type, token, ...rest ] = authorization.split(" ");
+ if (!token || type.toLowerCase() !== 'bearer' || rest.length) {
 return fail(res, "error.api.auth.jwt.invalid");
 }
- req.rateLimitKey = generateHmac(req.header("Authorization"), ipSalt);
+ if (!jwt.verify(token)) {
+ return fail(res, "error.api.auth.jwt.invalid");
+ }
+
+ req.rateLimitKey = generateHmac(token, ipSalt);
 } catch {
 return fail(res, "error.api.generic");
 }
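Review bot: The length guard on the new side was tightened from `> 256` to `>= 256` while the scheme check was moved, so a 256-character header that the old code accepted is now rejected; nothing in the commit message says this was intended, and the limit is still an unexplained magic number. If the old bound was correct, restore it and say what it bounds, e.g. `// cap the raw header before tokenizing; "Bearer " + a compact JWT fits well under this` above `if (authorization.length > 256) {`. Separately, `jwt.verify(token)` is used purely as a boolean: if it is a local wrapper that already swallows parse errors this is fine, but if it can throw on a malformed token (as the `jsonwebtoken` library's `verify` does), that path lands in the outer `catch` and returns `error.api.generic`, which lets a caller distinguish "malformed" from "wrong signature" while a well-formed bad token gets `error.api.auth.jwt.invalid`; a one-line comment on that branch stating which contract `jwt.verify` follows would settle it. The `try` and the enclosing handler start before this hunk and `runAPI` continues after it.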