diff --git a/doc/DELETE_xpub.md b/doc/DELETE_xpub.md
index bb31a65..4242772 100644
--- a/doc/DELETE_xpub.md
+++ b/doc/DELETE_xpub.md
@@ -11,7 +11,7 @@ DELETE /xpub/:xpub
 ## Parameters
 * **address** - `string` - The first address of the internal chain for this `xpub`, derivation path `M/1/0`. Use compressed P2PHK address regardless of HD derivation scheme.
 * **signature** - `string` - The base64-encoded signature of the double SHA256 hash of `[varuint length of xpub string, xpub string]`. Signature scheme follows [bitcoinjs-message](https://github.com/bitcoinjs/bitcoinjs-message/blob/master/index.js) with a message prefix matching the [coin type](https://github.com/bitcoinjs/bitcoinjs-lib/blob/v3.1.1/src/networks.js). Use the ECPair associated with the `M/1/0` address to sign.
-* **at** - `string` (optional) - Access Token (json web token). Required if authentication is activated.
+* **at** - `string` (optional) - Access Token (json web token). Required if authentication is activated. Alternatively, the access token can be passed through the `Authorization` HTTP header (with the `Bearer` scheme).
 ### Example
diff --git a/doc/GET_fees.md b/doc/GET_fees.md
index dcfb5cf..68c86ce 100644
--- a/doc/GET_fees.md
+++ b/doc/GET_fees.md
@@ -8,7 +8,7 @@ GET /fees
 ```
 ## Parameters
-* **at** - `string` (optional) - Access Token (json web token). Required if authentication is activated.
+* **at** - `string` (optional) - Access Token (json web token). Required if authentication is activated. Alternatively, the access token can be passed through the `Authorization` HTTP header (with the `Bearer` scheme).
 ### Examples
diff --git a/doc/GET_header.md b/doc/GET_header.md
index 2b9fd75..782cc3c 100644
--- a/doc/GET_header.md
+++ b/doc/GET_header.md
@@ -9,7 +9,7 @@ GET /header/:hash
 ## Parameters
 * **hash** - `string` - The block hash
-* **at** - `string` (optional) - Access Token (json web token). Required if authentication is activated.
+* **at** - `string` (optional) - Access Token (json web token). Required if authentication is activated. Alternatively, the access token can be passed through the `Authorization` HTTP header (with the `Bearer` scheme).
 ### Examples
diff --git a/doc/GET_multiaddr.md b/doc/GET_multiaddr.md
index d2ae1ee..08b9a96 100644
--- a/doc/GET_multiaddr.md
+++ b/doc/GET_multiaddr.md
@@ -38,7 +38,7 @@ GET /multiaddr?active=...[&new=...][&bip49=...][&bip84=...][&pubkey=...]
 * **bip49** - `string` - A pipe-separated list of **new** extended public keys to be derived via [BIP49](https://github.com/bitcoin/bips/blob/master/bip-0049.mediawiki) and/or new P2WPKH/P2SH loose addresses
 * **bip84** - `string` - A pipe-separated list of **new** extended public keys to be derived via [BIP84](https://github.com/bitcoin/bips/blob/master/bip-0084.mediawiki) and/or new P2WPKH Bech32 loose addresses
 * **pubkey** - `string` - A pipe-separated list of **new** public keys to be derived as P2PKH, P2WPKH/P2SH, P2WPKH Bech32 addresses
-* **at** - `string` (optional) - Access Token (json web token). Required if authentication is activated.
+* **at** - `string` (optional) - Access Token (json web token). Required if authentication is activated. Alternatively, the access token can be passed through the `Authorization` HTTP header (with the `Bearer` scheme).
 ### Examples
diff --git a/doc/GET_tx.md b/doc/GET_tx.md
index 95f2aeb..8d64f3d 100644
--- a/doc/GET_tx.md
+++ b/doc/GET_tx.md
@@ -11,7 +11,7 @@ GET /tx/:txid?fees=1
 ## Parameters
 * **txid** - `string` - The transaction ID
 * **fees** - `string` - (optional) Scan previous outputs to compute fees
-* **at** - `string` (optional) - Access Token (json web token). Required if authentication is activated.
+* **at** - `string` (optional) - Access Token (json web token). Required if authentication is activated. Alternatively, the access token can be passed through the `Authorization` HTTP header (with the `Bearer` scheme).
 ### Examples
diff --git a/doc/GET_txs.md b/doc/GET_txs.md
index 0c84e33..8d1337b 100644
--- a/doc/GET_txs.md
+++ b/doc/GET_txs.md
@@ -12,7 +12,7 @@ GET /txs?active=...
 * **active** - `string` - A pipe-separated list of extended public keys and/or loose addresses and/or pubkeys (`xpub1|address1|address2|pubkey1|...`)
 * **page** - `integer` - Index of the requested page (first page is index 0)
 * **count** - `integer` - Number of transactions returned per page
-* **at** - `string` (optional) - Access Token (json web token). Required if authentication is activated.
+* **at** - `string` (optional) - Access Token (json web token). Required if authentication is activated. Alternatively, the access token can be passed through the `Authorization` HTTP header (with the `Bearer` scheme).
 ### Examples
diff --git a/doc/GET_unspent.md b/doc/GET_unspent.md
index 427960f..1e81758 100644
--- a/doc/GET_unspent.md
+++ b/doc/GET_unspent.md
@@ -36,7 +36,7 @@ GET /unspent?active=...&new=...&bip49=...&bip84=...&pubkey=...
 * **bip49** - `string` - A pipe-separated list of **new** extended public keys to be derived via [BIP49](https://github.com/bitcoin/bips/blob/master/bip-0049.mediawiki) and/or new P2WPKH/P2SH loose addresses
 * **bip84** - `string` - A pipe-separated list of **new** extended public keys to be derived via [BIP84](https://github.com/bitcoin/bips/blob/master/bip-0084.mediawiki) and/or new P2WPKH Bech32 loose addresses
 * **pubkey** - `string` - A pipe-separated list of **new** public keys to be derived as P2PKH, P2WPKH/P2SH, P2WPKH Bech32 addresses
-* **at** - `string` (optional) - Access Token (json web token). Required if authentication is activated.
+* **at** - `string` (optional) - Access Token (json web token). Required if authentication is activated. Alternatively, the access token can be passed through the `Authorization` HTTP header (with the `Bearer` scheme).
 ### Examples
diff --git a/doc/GET_xpub.md b/doc/GET_xpub.md
index d9e1770..e8aa473 100644
--- a/doc/GET_xpub.md
+++ b/doc/GET_xpub.md
@@ -10,7 +10,7 @@ GET /xpub/:xpub
 ## Parameters
 * **:xpub** - `string` - The extended public key for the HD Account
-* **at** - `string` (optional) - Access Token (json web token). Required if authentication is activated.
+* **at** - `string` (optional) - Access Token (json web token). Required if authentication is activated. Alternatively, the access token can be passed through the `Authorization` HTTP header (with the `Bearer` scheme).
 ### Example
diff --git a/doc/POST_auth_login.md b/doc/POST_auth_login.md
index 8a4e750..1899168 100644
--- a/doc/POST_auth_login.md
+++ b/doc/POST_auth_login.md
@@ -1,6 +1,6 @@
 # Authentication
-Authenticate to the backend by providing the API key expected by the server. If authentication succeeds, the endpoint returns a json embedding an access token and a refresh token (JSON Web Tokens). The access token must be passed as an argument for all later calls to the backend (account & pushtx REST API + websockets). The refresh token must be passed as an argument for later calls to /auth/refresh allowing to generate a new access token.
+Authenticate to the backend by providing the API key expected by the server. If authentication succeeds, the endpoint returns a json embedding an access token and a refresh token (JSON Web Tokens). The access token must be passed as an argument or in the `Authorization` HTTP header for all later calls to the backend (account & pushtx REST API + websockets). The refresh token must be passed as an argument or in the `Authorization` HTTP header for later calls to /auth/refresh allowing to generate a new access token.
 Authentication is activated in /keys/inndex.js configuration file
diff --git a/doc/POST_auth_refresh.md b/doc/POST_auth_refresh.md
index 7c86189..62ca803 100644
--- a/doc/POST_auth_refresh.md
+++ b/doc/POST_auth_refresh.md
@@ -1,6 +1,6 @@
 # Refresh the access token
-Request a new access token from the backend. A valid refresh token must be passed as an argument.
+Request a new access token from the backend. A valid refresh token must be passed as an argument or through the `Authorization` HTTP header (with the `Bearer` scheme).
 ```
diff --git a/doc/POST_pushtx.md b/doc/POST_pushtx.md
index b5c6f54..0ead767 100644
--- a/doc/POST_pushtx.md
+++ b/doc/POST_pushtx.md
@@ -8,7 +8,7 @@ POST /pushtx/
 ## Parameters
 * **tx** - `hex string` - The raw transaction hex
-* **at** - `string` (optional) - Access Token (json web token). Required if authentication is activated.
+* **at** - `string` (optional) - Access Token (json web token). Required if authentication is activated. Alternatively, the access token can be passed through the `Authorization` HTTP header (with the `Bearer` scheme).
 ### Example
diff --git a/doc/POST_xpub.md b/doc/POST_xpub.md
index 8a1afc8..2d900a6 100644
--- a/doc/POST_xpub.md
+++ b/doc/POST_xpub.md
@@ -13,7 +13,7 @@ POST /xpub
 * **type** - `string` - Whether this is a newly-created account or one being restored. Recognized values are `'new'` and `'restore'`.
 * **segwit** - `string` (optional) - What type of SegWit support for this xpub, if any. Valid values: `'bip49'` and `'bip84'`
 * **force** - `boolean` (optional) - Force an override of derivation scheme even if xpub is locked. Used for `'restore'` operation.
-* **at** - `string` (optional) - Access Token (json web token). Required if authentication is activated.
+* **at** - `string` (optional) - Access Token (json web token). Required if authentication is activated. Alternatively, the access token can be passed through the `Authorization` HTTP header (with the `Bearer` scheme).
 ### Example
diff --git a/doc/POST_xpub_lock.md b/doc/POST_xpub_lock.md
index b74219a..8a61a05 100644
--- a/doc/POST_xpub_lock.md
+++ b/doc/POST_xpub_lock.md
@@ -10,7 +10,7 @@ POST /xpub/:xpub/lock
 * **address** - `string` - The first address of the internal chain for this `xpub`, derivation path `M/1/0`. Use compressed P2PHK address regardless of HD derivation scheme.
 * **message** - `string` - Either `"lock"` or `"unlock"`
 * **signature** - `string` - The base64-encoded signature of the double SHA256 hash of `[varuint length of message string, message string]`. Signature scheme follows [bitcoinjs-message](https://github.com/bitcoinjs/bitcoinjs-message/blob/master/index.js) with a message prefix matching the [coin type](https://github.com/bitcoinjs/bitcoinjs-lib/blob/v3.1.1/src/networks.js). Use the ECPair associated with the `M/1/0` address to sign.
-* **at** - `string` (optional) - Access Token (json web token). Required if authentication is activated.
+* **at** - `string` (optional) - Access Token (json web token). Required if authentication is activated. Alternatively, the access token can be passed through the `Authorization` HTTP header (with the `Bearer` scheme).
 ### Example
diff --git a/lib/auth/authorizations-manager.js b/lib/auth/authorizations-manager.js
index c3e1f71..82cbc41 100644
--- a/lib/auth/authorizations-manager.js
+++ b/lib/auth/authorizations-manager.js
@@ -220,6 +220,10 @@ class AuthorizationsManager {
 * @returns {Object} returns the json web token
 */
 _extractAccessToken(req) {
+ const token = this._extractBearerAuthorizationHeader(req)
+ if (token)
+ return token
+
 if (req.body && req.body.at && validator.isJWT(req.body.at))
 return req.body.at
@@ -269,6 +273,10 @@ class AuthorizationsManager {
 * @returns {Object} returns the json web token
 */
 _extractRefreshToken(req) {
+ const token = this._extractBearerAuthorizationHeader(req)
+ if (token)
+ return token
+
 if (req.body && req.body.rt && validator.isJWT(req.body.rt))
 return req.body.rt
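Review bot: The new `Authorization` lookup in `_extractAccessToken()` and the identical one in `_extractRefreshToken()` in the next hunk both return whatever `_extractBearerAuthorizationHeader()` yields, and that helper only runs `validator.isJWT()`, a format check; so at extraction time an access token and a refresh token are no longer told apart by where they arrive, as they were with the separate `at` and `rt` body fields. Whether a refresh token presented as `Bearer` can then reach the access-token path (or the reverse) depends on the verification step, which is outside this hunk; confirm it checks a token-type claim and record that in the docblock, e.g. `* Header-supplied token takes precedence over body/query; access vs refresh type is enforced at verification, not here`. The precedence itself is also undocumented: a request carrying both the header and `at`/`rt` silently uses the header. Both methods continue past the end of the hunk.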
@@ -291,6 +299,25 @@ class AuthorizationsManager {
 return payload
 }
+
+ /**
+ * Extract a bearer JWT auth token
+ * from the Authorization HTTP header
+ * Returns null if it doesn't exist or is an onvalid JWT
+ * @param {Object} req - http request object
+ * @returns {Object} returns the json web token
+ */
+ _extractBearerAuthorizationHeader(req) {
+ if (req.get('Authorization')) {
+ const authHeader = req.get('Authorization')
+ if (authHeader.startsWith('Bearer ')) {
+ const token = authHeader.substring(7)
+ if (validator.isJWT(token))
+ return token
+ }
+ }
+ return null
+ }
 }
 module.exports = new AuthorizationsManager()
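Review bot: The docblock on the new `_extractBearerAuthorizationHeader()` says `@returns {Object}` for a method that returns either the token string or `null`, and the line above it has a typo; suggested `* Returns null if it doesn't exist or is an invalid JWT` and `* @returns {string|null} the bearer token, or null`. The header is read twice — hoisting `const authHeader = req.get('Authorization')` above the `if` and testing `if (authHeader)` lets the guard and the parse use the same value. `startsWith('Bearer ')` is a case-sensitive match while RFC 7235 treats the auth-scheme as case-insensitive, so decide whether `bearer ...` is accepted or deliberately rejected and say so in a comment on that line.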