Fix: API auth bypass

2025-01-07 09:53:58 +08:00 · 2020-04-24 23:49:35 +08:00 · 2020-04-24 23:49:35 +08:00 · 2b33bfae6b
commit 2b33bfae6b
parent 3fc6d55003
1 changed files with 3 additions and 3 deletions
--- a/hub/route/server.go
+++ b/hub/route/server.go
@ -110,9 +110,9 @@ func authentication(next http.Handler) http.Handler {
 		header := r.Header.Get("Authorization")
 		text := strings.SplitN(header, " ", 2)
-		hasUnvalidHeader := text[0] != "Bearer"
+		hasInvalidHeader := text[0] != "Bearer"
-		hasUnvalidSecret := len(text) == 2 && text[1] != serverSecret
+		hasInvalidSecret := len(text) != 2 || text[1] != serverSecret
-		if hasUnvalidHeader || hasUnvalidSecret {
+		if hasInvalidHeader || hasInvalidSecret {
 			render.Status(r, http.StatusUnauthorized)
 			render.JSON(w, r, ErrUnauthorized)
 			return