尝试修复正向WebSocket下的鉴权panic

2025-05-06 12:03:50 +08:00 · 2020-08-29 17:24:09 +08:00 · 2020-08-29 17:24:09 +08:00 · 9c65ff4dcd
commit 9c65ff4dcd
parent d0398f30c6
1 changed files with 21 additions and 3 deletions
--- a/server/websocket.go
+++ b/server/websocket.go
@ -206,10 +206,16 @@ func (c *websocketClient) onBotPushEvent(m coolq.MSG) {

 func (s *websocketServer) event(w http.ResponseWriter, r *http.Request) {
 	if s.token != "" {
-		if r.URL.Query().Get("access_token") != s.token && strings.SplitN(r.Header.Get("Authorization"), " ", 2)[1] != s.token {
+		if r.URL.Query().Get("access_token") != s.token {
 			log.Warnf("已拒绝 %v 的 Websocket 请求: Token错误", r.RemoteAddr)
 			w.WriteHeader(401)
 			return
+		} else if auth := r.Header.Get("Authorization"); auth != "" {
+			if strings.SplitN(auth, " ", 2)[1] != s.token {
+				log.Warnf("已拒绝 %v 的 Websocket 请求: Token错误", r.RemoteAddr)
+				w.WriteHeader(401)
+				return
+			}
 		}
 	}
 	c, err := upgrader.Upgrade(w, r, nil)
@ -235,10 +241,16 @@ func (s *websocketServer) event(w http.ResponseWriter, r *http.Request) {

 func (s *websocketServer) api(w http.ResponseWriter, r *http.Request) {
 	if s.token != "" {
-		if r.URL.Query().Get("access_token") != s.token && strings.SplitN(r.Header.Get("Authorization"), " ", 2)[1] != s.token {
+		if r.URL.Query().Get("access_token") != s.token {
 			log.Warnf("已拒绝 %v 的 Websocket 请求: Token错误", r.RemoteAddr)
 			w.WriteHeader(401)
 			return
+		} else if auth := r.Header.Get("Authorization"); auth != "" {
+			if strings.SplitN(auth, " ", 2)[1] != s.token {
+				log.Warnf("已拒绝 %v 的 Websocket 请求: Token错误", r.RemoteAddr)
+				w.WriteHeader(401)
+				return
+			}
 		}
 	}
 	c, err := upgrader.Upgrade(w, r, nil)
@ -253,10 +265,16 @@ func (s *websocketServer) api(w http.ResponseWriter, r *http.Request) {

 func (s *websocketServer) any(w http.ResponseWriter, r *http.Request) {
 	if s.token != "" {
-		if r.URL.Query().Get("access_token") != s.token && strings.SplitN(r.Header.Get("Authorization"), " ", 2)[1] != s.token {
+		if r.URL.Query().Get("access_token") != s.token {
 			log.Warnf("已拒绝 %v 的 Websocket 请求: Token错误", r.RemoteAddr)
 			w.WriteHeader(401)
 			return
+		} else if auth := r.Header.Get("Authorization"); auth != "" {
+			if strings.SplitN(auth, " ", 2)[1] != s.token {
+				log.Warnf("已拒绝 %v 的 Websocket 请求: Token错误", r.RemoteAddr)
+				w.WriteHeader(401)
+				return
+			}
 		}
 	}
 	c, err := upgrader.Upgrade(w, r, nil)