The semantics of the Authorization header are defined by RFC 9110, which says:

> It uses a case-insensitive token to identify the authentication scheme:

Therefore, "bearer", "Bearer", and "bEARER" are equivalent. This patch fixes
the parsing of the Authorization header to check for the Bearer authentication
scheme case insensitively.

I've modified one of the test cases to use lowercase "bearer", so there's test
coverage for this.
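
The case-insensitive scheme check described in the commit message above, as an added example (not the project's own code). The function name `BearerToken` and the error value are hypothetical, and the sample header values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNoBearer is a hypothetical error for headers without a usable bearer token.
var ErrNoBearer = errors.New("authorization header does not carry a bearer token")

// BearerToken extracts the token from an Authorization header value.
// The scheme name is compared case-insensitively, as RFC 9110 requires,
// so "bearer", "Bearer" and "bEARER" are all accepted.
func BearerToken(header string) (string, error) {
	// Split "<scheme> <credentials>" at the first space.
	scheme, rest, found := strings.Cut(strings.TrimSpace(header), " ")
	if !found || !strings.EqualFold(scheme, "Bearer") {
		// A prefix match such as HasPrefix(header, "Bearer ") would reject
		// valid lowercase schemes; a missing separator is rejected here too.
		return "", ErrNoBearer
	}
	token := strings.TrimLeft(rest, " ")
	// Reject empty credentials and anything with embedded whitespace.
	if token == "" || strings.ContainsAny(token, " \t") {
		return "", ErrNoBearer
	}
	return token, nil
}

func main() {
	// Constructed sample headers: three valid spellings, then three rejects.
	samples := []string{
		"Bearer abc123", "bearer abc123", "bEARER abc123",
		"Basic abc123", "Bearerabc123", "bearer ",
	}
	for _, h := range samples {
		tok, err := BearerToken(h)
		fmt.Printf("%-18q token=%q err=%v\n", h, tok, err)
	}
}
```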
* mv automated test cleanup to tools.sh
check media file exists before streaming in test/ocTestStream.sh
fix automatic test ffmpeg detection
mv trap to tools
mv update_storage_config() to tools
enable S3 test
* fix video file check in test/ocTestStream.sh
* cleanup ci
* mv auto test owncast build-run to start_owncast()
* suppress cleanup errors
* fix style
* fix Browser Test paths
* use pull_request event for Browser Tests
* explicitly mention when test is skipped
* refactor shell scripts
* merge testContent.sh into ocContent.sh
* detect ffmpeg
ffmpeg or ffmpeg.exe in path, current dir, or parent dir
* use ocTestStream in api test
* enable verbose logging for api tests
* log ffmpeg version
* change ffmpeg lookup order
* set path properly for using the local ffmpeg
* rm double space from transcoder error logs
* update tests for new video stream
do not test bitrate
* set test stream target to 127.0.0.1
* log ffmpeg path
* update ffmpeg to v4.4.1
* improve logs
* fix ffmpeg installer script
* fix api test runner
* fix logs
* install fonts
* cleanup
* use ocTestStream.sh for all automated tests
* cleanup ocTestStream.sh
* cleanup test/automated/hls/run.sh
* Fix misspell
* fix ffmpeg installer in automated test runners
* spell fix
* cleanup script
* rev quick api tests
* cleanup tmp paths properly in automated tests
* rm unused ffmpeg package
* cleanup
* fix s3 test
* cache ffmpeg bin for automated tests
* shellcheck allow source
* rm misplaced file if backup fails
* use ffmpeg full path
* set lookup path for shellcheck
* merge testContent.sh into ocContent.sh
* detect ffmpeg
ffmpeg or ffmpeg.exe in path, current dir, or parent dir
* use ocTestStream in api test
* enable verbose logging for api tests
* log ffmpeg version
* change ffmpeg lookup order
* set path properly for using the local ffmpeg
* rm double space from transcoder error logs
* update tests for new video stream
do not test bitrate
* set test stream target to 127.0.0.1
* log ffmpeg path
* update ffmpeg to v4.4.1
* improve logs
* fix ffmpeg installer script
* fix api test runner
* fix logs
* install fonts
* cleanup
* use ocTestStream.sh for all automated tests
* cleanup ocTestStream.sh
* cleanup test/automated/hls/run.sh
* Fix misspell
* fix ffmpeg installer in automated test runners
* spell fix
* cleanup script
* rev quick api tests
* cleanup tmp paths properly in automated tests
* rm unused ffmpeg package
* cleanup
* add shellcheck to ci
* test ci
* install bash for shellcheck
* set globstar for bash
* cleanup shell scripts
* do not ignore automated hls tests
* rm legacy build script
* update shell scripts
* cleanup ci
* Fix misspell
* cleanup ci
* fail on curl error in ci
* validate json responses
* update deps
* tmp disable header check
* log all the webfinger fails
refactor and filter more malformed requests
* don't set incorrect serverURL strings
* test failing through admin api
* fix server url in fedi tests
* check response.text
* validate json/xml response of all apis
test Content-Type of api response and cleanup
* improve logs
* fix rebase
* cleanup json parser in api tests
* mark the api tests performed by admin
* Separate check for reading and format of serverURL
* test /federation/user/ with wrong username in ci
* block and unblock ipv6 explicitly
* refactor admin api tests
* use sendAdminPayload() for chatuser tests
* fix sendAdminRequests
* add getAdminResponse() to api test lib/admin.js
* some admin apis don't have response body
* cleanup test/automated/api/chatusers.test.js
* cleanup test/automated/api/chatusers.test.js
use getAdminResponse() to access admin apis
* webfinger query with no resource should get 400
* check valid webfinger query
* test webfinger query
... without acct: or with wrong server
* add test for invalid user query from webfinger
* reorder the tests to decouple from state
cleanup
* rm stable: 'false' from actions/setup-go@v3
* adapt tests from #2369
* set undefined as defaultStreamKey
pass adminpass to sendConfigChangeRequest()
* mv getAdminConfig to api/lib/config.js
* npm install --quiet for automated tests
* refactor tests
separate default values from new ones
* test adminpass change
fix defaultStreamKeys test
* fix defaultStreamKeys
* use getAdminStatus
* mv test/automated/lib/config.js to admin.js
* check default hideViewerCount
cleanup
* test more default options in api
ServerName
ServerSummary
yp.instanceUrl
FederationConfig.username
* more testing of default config params
* update reference values for api test
* Able to authenticate user against IndieAuth. For #1273
* WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272
* Add migration to remove access tokens from user
* Add authenticated bool to user for display purposes
* Add indieauth modal and auth flair to display names. For #1273
* Validate URLs and display errors
* Renames, cleanups
* Handle relative auth endpoint paths. Add error handling for missing redirects.
* Disallow using display names in use by registered users. Closes #1810
* Verify code verifier via code challenge on callback
* Use relative path to authorization_endpoint
* Post-rebase fixes
* Use a timestamp instead of a bool for authenticated
* Properly handle and display error in modal
* Use auth'ed timestamp to derive authenticated flag to display in chat
* don't redirect unless a URL is present
avoids redirecting to `undefined` if there was an error
* improve error message if owncast server URL isn't set
* fix IndieAuth PKCE implementation
use SHA256 instead of SHA1, generates a longer code verifier (must be 43-128 chars long), fixes URL-safe SHA256 encoding
* return real profile data for IndieAuth response
* check the code verifier in the IndieAuth server
* Linting
* Add new chat settings modal and split up indieauth ui
* Remove logging error
* Update the IndieAuth modal UI. For #1273
* Add IndieAuth response error checking
* Disable IndieAuth client if server URL is not set.
* Add explicit error messages for specific error types
* Fix bad logic
* Return OAuth-keyed error responses for indieauth server
* Display IndieAuth error in plain text with link to return to main page
* Remove redundant check
* Add additional detail to error
* Hide IndieAuth details behind disclosure details
* Break out migration into two steps because some people have been running dev in production
* Add auth option to user dropdown
Co-authored-by: Aaron Parecki <aaron@parecki.com>
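
The PKCE handling named in the IndieAuth commit message above (SHA256 rather than SHA1, a 43-128 character code verifier, URL-safe encoding, and the server checking the verifier against the challenge on callback), as an added example that is not the project's own code. The function names are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// NewCodeVerifier returns a random code verifier. 32 random bytes encode to
// exactly 43 unpadded base64url characters, the minimum allowed length.
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallengeS256 computes BASE64URL(SHA256(verifier)) without padding.
// Standard base64 ('+', '/', '=') would not survive a query string intact.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyCodeVerifier is the server-side check on the callback: the verifier
// sent with the code must hash to the challenge stored at authorization time.
func VerifyCodeVerifier(verifier, storedChallenge string) bool {
	if len(verifier) < 43 || len(verifier) > 128 {
		return false // outside the 43-128 character range
	}
	got := CodeChallengeS256(verifier)
	// Constant-time comparison avoids leaking how many characters matched.
	return subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) == 1
}

func main() {
	verifier, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	challenge := CodeChallengeS256(verifier)
	fmt.Println("verifier length:", len(verifier))
	fmt.Println("challenge:", challenge)
	fmt.Println("matches:", VerifyCodeVerifier(verifier, challenge))
	fmt.Println("wrong verifier:", VerifyCodeVerifier(verifier+"x", challenge))
}
```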