Merge pull request #229 from crowi/fix-auth-problem

Fix auth problem

lib/crowi/express-init.js

@@ -76,9 +76,24 @@ module.exports = function(crowi, app) {
     next();
   });
 
+  app.set('port', crowi.port);
+  app.use(express.static(crowi.publicDir));
+  app.engine('html', cons.swig);
+  app.set('view cache', false);
+  app.set('view engine', 'html');
+  app.set('views', crowi.viewsDir);
+  app.use(methodOverride());
+  app.use(bodyParser.urlencoded({ extended: true, limit: '50mb' }));
+  app.use(bodyParser.json({limit: '50mb'}));
+  app.use(cookieParser());
+  app.use(session(crowi.sessionConfig));
+
   // Set basic auth middleware
   app.use(function(req, res, next) {
     var config = crowi.getConfig();
+    if (req.query.access_token || req.body.access_token) {
+      return next();
+    }
 
     if (config.crowi['security:basicName'] && config.crowi['security:basicSecret']) {
       return basicAuth(
@@ -89,17 +104,6 @@ module.exports = function(crowi, app) {
     }
   });
 
-  app.set('port', crowi.port);
-  app.use(express.static(crowi.publicDir));
-  app.engine('html', cons.swig);
-  app.set('view cache', false);
-  app.set('view engine', 'html');
-  app.set('views', crowi.viewsDir);
-  app.use(methodOverride());
-  app.use(bodyParser.urlencoded({ extended: true, limit: '50mb' }));
-  app.use(bodyParser.json({limit: '50mb'}));
-  app.use(cookieParser());
-  app.use(session(crowi.sessionConfig));
   app.use(flash());
 
   app.use(middleware.swigFilters(app, swig));

lib/util/middlewares.js

@@ -189,7 +189,8 @@ exports.loginRequired = function(crowi, app) {
 
 exports.accessTokenParser = function(crowi, app) {
   return function(req, res, next) {
-    var accessToken = req.query.access_token || req.body.access_token || req.get('Authorization') || null;
+    // TODO: comply HTTP header of RFC6750 / Authorization: Bearer
+    var accessToken = req.query.access_token || req.body.access_token || null;
     if (!accessToken) {
       return next();
     }