From 80445916970ce9cd6835d0750cbdeb82f9ab8a62 Mon Sep 17 00:00:00 2001
From: Derrick Hammer <derrick@derrickhammer.com>
Date: Thu, 18 Jan 2024 20:56:49 -0500
Subject: [PATCH] feat: support auth in header, cookie, and query arg

---
 api/s5/middleware.go | 36 +++++++++++++++++++++++++++++-------
 1 file changed, 29 insertions(+), 7 deletions(-)

diff --git a/api/s5/middleware.go b/api/s5/middleware.go
index 87257f3..3e24727 100644
--- a/api/s5/middleware.go
+++ b/api/s5/middleware.go
@@ -11,21 +11,43 @@ import (
 )
 
 const (
-	AuthUserIDKey = "userID"
+	AuthUserIDKey  = "userID"
+	AuthCookieName = "s5-auth-token"
+	AuthQueryParam = "auth_token"
 )
 
+func findAuthToken(r *http.Request) string {
+	authHeader := r.Header.Get("Authorization")
+	if authHeader == "" {
+		return ""
+	}
+
+	authHeader = strings.TrimPrefix(authHeader, "Bearer ")
+
+	if authHeader != "" {
+		return authHeader
+	}
+
+	for _, cookie := range r.Cookies() {
+		if cookie.Name == AuthCookieName {
+			return cookie.Value
+		}
+	}
+
+	return r.FormValue(AuthQueryParam)
+}
+
 func AuthMiddleware(handler jape.Handler, portal interfaces.Portal) jape.Handler {
 	return jape.Adapt(func(h http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			authHeader := r.Header.Get("Authorization")
-			if authHeader == "" {
-				http.Error(w, "Authorization header is required", http.StatusBadRequest)
+			authToken := findAuthToken(r)
+
+			if authToken == "" {
+				http.Error(w, "Invalid JWT", http.StatusUnauthorized)
 				return
 			}
 
-			tokenString := strings.TrimPrefix(authHeader, "Bearer ")
-
-			token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
+			token, err := jwt.Parse(authToken, func(token *jwt.Token) (interface{}, error) {
 				if _, ok := token.Method.(*jwt.SigningMethodEd25519); !ok {
 					return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
 				}