Enhance token checking (#3842)

server/api/hook.go

@@ -178,7 +178,7 @@ func PostHook(c *gin.Context) {
 	//
 
 	// get the token and verify the hook is authorized
-	parsedToken, err := token.ParseRequest(c.Request, func(_ *token.Token) (string, error) {
+	parsedToken, err := token.ParseRequest([]token.Type{token.HookToken}, c.Request, func(_ *token.Token) (string, error) {
 		return repo.Hash, nil
 	})
 	if err != nil {

server/router/middleware/session/agent.go

@@ -31,17 +31,14 @@ func AuthorizeAgent(c *gin.Context) {
 		return
 	}
 
-	parsed, err := token.ParseRequest(c.Request, func(_ *token.Token) (string, error) {
+	_, err := token.ParseRequest([]token.Type{token.AgentToken}, c.Request, func(_ *token.Token) (string, error) {
 		return secret, nil
 	})
-	switch {
-	case err != nil:
+	if err != nil {
 		c.String(http.StatusInternalServerError, "invalid or empty token. %s", err)
 		c.Abort()
-	case parsed.Kind != token.AgentToken:
-		c.String(http.StatusForbidden, "invalid token. please use an agent token")
-		c.Abort()
-	default:
-		c.Next()
+		return
 	}
+
+	c.Next()
 }

server/router/middleware/session/user.go

@@ -43,7 +43,7 @@ func SetUser() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		var user *model.User
 
-		t, err := token.ParseRequest(c.Request, func(t *token.Token) (string, error) {
+		t, err := token.ParseRequest([]token.Type{token.UserToken, token.SessToken}, c.Request, func(t *token.Token) (string, error) {
 			var err error
 			userID, err := strconv.ParseInt(t.Get("user-id"), 10, 64)
 			if err != nil {
@@ -58,7 +58,7 @@ func SetUser() gin.HandlerFunc {
 			// if this is a session token (ie not the API token)
 			// this means the user is accessing with a web browser,
 			// so we should implement CSRF protection measures.
-			if t.Kind == token.SessToken {
+			if t.Type == token.SessToken {
 				err = token.CheckCsrf(c.Request, func(_ *token.Token) (string, error) {
 					return user.Hash, nil
 				})