@@ 3,11 3,12 @@ package auth
import (
"context"
"crypto/sha512"
+ "database/sql"
"encoding/hex"
"encoding/json"
"errors"
- "database/sql"
"net/http"
+ "regexp"
"strings"
"time"
@@ 19,6 20,8 @@ type contextKey struct {
name string
}
+var bearerRegex = regexp.MustCompile(`^[0-9a-f]{32}$`)
+
const (
USER_UNCONFIRMED = "unconfirmed"
USER_ACTIVE_NON_PAYING = "active_non_paying"
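Review bot: The new `bearerRegex` has no comment tying its `^[0-9a-f]{32}$` shape to whatever produces the tokens, yet from this commit on it gates every Bearer request, so the generator's output format and this pattern are one invariant that must stay in sync. It also only accepts lowercase hex, which is presumably intended but is the kind of detail that silently breaks when a token source changes. Suggested comment above the var: `// bearerRegex accepts exactly 32 lowercase hex characters; it must match the format emitted by the token generator (uppercase hex and any other length are rejected before hashing).`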
@@ 89,7 92,12 @@ Expected 'Authentication: Bearer <token>'`, http.StatusForbidden)
var bearer string
switch (z[0]) {
case "Bearer":
- hash := sha512.Sum512([]byte(z[1]))
+ token := []byte(z[1])
+ if !bearerRegex.Match(token) {
+ authError(w, "Invalid bearer token, expected 32-character haxadecimal string", http.StatusBadRequest)
+ return
+ }
+ hash := sha512.Sum512(token)
bearer = hex.EncodeToString(hash[:])
case "Internal":
panic(errors.New("TODO"))
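Review bot: The user-facing error added in the `Bearer` case misspells "hexadecimal" as "haxadecimal"; the line should read `authError(w, "Invalid bearer token, expected 32-character hexadecimal string", http.StatusBadRequest)`. The new branch also answers a malformed token with 400 while the surrounding header check (visible in the hunk's context) answers with 403, so clients now get two different status classes for what is the same "not authenticated" condition — consider using the same status for both, or a 401 with a WWW-Authenticate header. Separately, the pre-existing `case "Internal": panic(errors.New("TODO"))` sits right next to the new validation and appears reachable by any client that sends that header value; it is not part of this change, but it looks worth replacing with an authError response before this handler ships. The enclosing function starts and ends outside the hunk.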