From 5409a281162959b38f3ba3baae7ce177c4a8658b Mon Sep 17 00:00:00 2001
From: Drew DeVault
Date: Sun, 12 Apr 2020 13:34:14 -0400
Subject: [PATCH] api/auth: validate bearer token format

---
 graphql/auth/auth.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/graphql/auth/auth.go b/graphql/auth/auth.go
index 7c569ea..c7abd3b 100644
--- a/graphql/auth/auth.go
+++ b/graphql/auth/auth.go
@@ -3,11 +3,12 @@ package auth
 import (
 	"context"
 	"crypto/sha512"
+	"database/sql"
 	"encoding/hex"
 	"encoding/json"
 	"errors"
-	"database/sql"
 	"net/http"
+	"regexp"
 	"strings"
 	"time"
 
@@ -19,6 +20,8 @@ type contextKey struct {
 	name string
 }
 
+var bearerRegex = regexp.MustCompile(`^[0-9a-f]{32}$`)
+
 const (
 	USER_UNCONFIRMED = "unconfirmed"
 	USER_ACTIVE_NON_PAYING = "active_non_paying"
@@ -89,7 +92,12 @@ Expected 'Authentication: Bearer '`, http.StatusForbidden)
 	var bearer string
 	switch (z[0]) {
 	case "Bearer":
-		hash := sha512.Sum512([]byte(z[1]))
+		token := []byte(z[1])
+		if !bearerRegex.Match(token) {
+			authError(w, "Invalid bearer token, expected 32-character haxadecimal string", http.StatusBadRequest)
+			return
+		}
+		hash := sha512.Sum512(token)
 		bearer = hex.EncodeToString(hash[:])
 	case "Internal":
 		panic(errors.New("TODO"))
-- 
2.38.4
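Review bot: `bearerRegex` is a new package-level variable with no doc comment, and the pattern encodes a wire-format contract (exactly 32 lowercase hex characters, i.e. a 128-bit token) that a reader cannot recover from the name alone. Add `// bearerRegex matches the issued API token format: exactly 32 lowercase hex digits. Anchored on both ends, so no prefix or suffix (including a trailing newline, which Go's $ does not match) is accepted.` above the declaration. The pattern is also case-sensitive, so an uppercase-hex token is rejected before hashing; that is only a problem if tokens are ever issued or displayed in uppercase, which the token generator (outside this diff) would have to confirm.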
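Review bot: The user-facing message on the added `authError` line misspells "hexadecimal": `authError(w, "Invalid bearer token, expected 32-character hexadecimal string", http.StatusBadRequest)`. The status code is also inconsistent with the check just above it, which (per the hunk header context) answers a malformed `Authentication` header with `http.StatusForbidden`; a malformed credential is the same class of failure, so it should use the same status unless 400 is deliberate, in which case a one-line comment saying why would help. The regex is a format filter only — the hash lookup that decides whether the token is actually valid happens outside this hunk — so its value is cheaply rejecting junk before the SHA-512 and a database round trip, and the distinct error text reveals only the documented token format. The enclosing function begins and ends outside the hunk.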