support URL param to token, but still restrict to APIs

modules/auth/auth.go

@@ -32,32 +32,34 @@ func SignedInID(ctx *macaron.Context, sess session.Store) int64 {
 	}
 
 	// Check access token.
-	tokenSHA := ctx.Query("token")
+	if IsAPIPath(ctx.Req.URL.Path) {
-	if len(tokenSHA) == 0 {
+		tokenSHA := ctx.Query("token")
-		// Well, check with header again.
+		if len(tokenSHA) == 0 {
-		auHead := ctx.Req.Header.Get("Authorization")
+			// Well, check with header again.
-		if len(auHead) > 0 {
+			auHead := ctx.Req.Header.Get("Authorization")
-			auths := strings.Fields(auHead)
+			if len(auHead) > 0 {
-			if len(auths) == 2 && auths[0] == "token" {
+				auths := strings.Fields(auHead)
-				tokenSHA = auths[1]
+				if len(auths) == 2 && auths[0] == "token" {
+					tokenSHA = auths[1]
+				}
 			}
 		}
-	}
 
-	// Let's see if token is valid.
+		// Let's see if token is valid.
-	if len(tokenSHA) > 0 {
+		if len(tokenSHA) > 0 {
-		t, err := models.GetAccessTokenBySHA(tokenSHA)
+			t, err := models.GetAccessTokenBySHA(tokenSHA)
-		if err != nil {
+			if err != nil {
-			if models.IsErrAccessTokenNotExist(err) {
+				if models.IsErrAccessTokenNotExist(err) {
-				log.Error(4, "GetAccessTokenBySHA: %v", err)
+					log.Error(4, "GetAccessTokenBySHA: %v", err)
+				}
+				return 0
 			}
-			return 0
+			t.Updated = time.Now()
+			if err = models.UpdateAccessToekn(t); err != nil {
+				log.Error(4, "UpdateAccessToekn: %v", err)
+			}
+			return t.UID
 		}
-		t.Updated = time.Now()
-		if err = models.UpdateAccessToekn(t); err != nil {
-			log.Error(4, "UpdateAccessToekn: %v", err)
-		}
-		return t.UID
 	}
 
 	uid := sess.Get("uid")