Don't send access_token in request params
Always send the access_token in the X-Atlas-Token header.
parent
00effbe57b
commit
0a3714eaac
@ -23,6 +23,7 @@ import (
|
|||
const (
|
||||
// defaultAtlasServer is used when no address is given
|
||||
defaultAtlasServer = "https://atlas.hashicorp.com/"
|
||||
atlasTokenHeader = "X-Atlas-Token"
|
||||
)
|
||||
|
||||
func atlasFactory(conf map[string]string) (Client, error) {
|
||||
|
@ -92,6 +93,8 @@ func (c *AtlasClient) Get() (*Payload, error) {
|
|||
return nil, fmt.Errorf("Failed to make HTTP request: %v", err)
|
||||
}
|
||||
|
||||
req.Header.Set(atlasTokenHeader, c.AccessToken)
|
||||
|
||||
// Request the url
|
||||
client, err := c.http()
|
||||
if err != nil {
|
||||
|
@ -170,6 +173,7 @@ func (c *AtlasClient) Put(state []byte) error {
|
|||
}
|
||||
|
||||
// Prepare the request
|
||||
req.Header.Set(atlasTokenHeader, c.AccessToken)
|
||||
req.Header.Set("Content-MD5", b64)
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
req.ContentLength = int64(len(state))
|
||||
|
@ -204,6 +208,7 @@ func (c *AtlasClient) Delete() error {
|
|||
if err != nil {
|
||||
return fmt.Errorf("Failed to make HTTP request: %v", err)
|
||||
}
|
||||
req.Header.Set(atlasTokenHeader, c.AccessToken)
|
||||
|
||||
// Make the request
|
||||
client, err := c.http()
|
||||
|
@ -249,7 +254,6 @@ func (c *AtlasClient) url() *url.URL {
|
|||
values := url.Values{}
|
||||
|
||||
values.Add("atlas_run_id", c.RunId)
|
||||
values.Add("access_token", c.AccessToken)
|
||||
|
||||
return &url.URL{
|
||||
Scheme: c.ServerURL.Scheme,
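Review bot: The same `req.Header.Set(atlasTokenHeader, c.AccessToken)` line is now repeated in the Get, Put and Delete hunks (the `@ -92`, `@ -170` and `@ -204` hunks), so the next method that builds a request against the Atlas URL can silently omit the token and only the fake server will catch it. Since each of those sites appears to construct its request via http.NewRequest just above the added line (the enclosing methods start and end outside the hunks, so this is inferred from the "Failed to make HTTP request" error), a small helper that builds the request and attaches the header in one place would make the invariant structural rather than per-call. The new constant in the `@ -23` hunk also lacks a doc comment; `// atlasTokenHeader carries the access token; it is always sent as a header and never as a query parameter, so it stays out of the request URL.` would record the reason for this commit next to the name.
```go
// newRequest builds a request for the state URL with the access token
// attached as a header (never as a query parameter).
func (c *AtlasClient) newRequest(method string, body io.Reader) (*http.Request, error) {
	req, err := http.NewRequest(method, c.url().String(), body)
	if err != nil {
		return nil, err
	}
	req.Header.Set(atlasTokenHeader, c.AccessToken)
	return req, nil
}
// … unchanged: Get/Put/Delete then call c.newRequest instead of setting the header themselves …
```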
|
||||
@ -218,6 +218,17 @@ func (f *fakeAtlas) NoConflictAllowed(b bool) {
|
|||
}
|
||||
|
||||
func (f *fakeAtlas) handler(resp http.ResponseWriter, req *http.Request) {
|
||||
// access tokens should only be sent as a header
|
||||
if req.FormValue("access_token") != "" {
|
||||
http.Error(resp, "access_token in request params", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
if req.Header.Get(atlasTokenHeader) == "" {
|
||||
http.Error(resp, "missing access token", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
switch req.Method {
|
||||
case "GET":
|
||||
// Respond with the current stored state.
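Review bot: The check on `if req.Header.Get(atlasTokenHeader) == "" {` only tests that some header value is present, so a client that sends an empty-but-set token via a different field, or any arbitrary non-empty string, still passes the fake; if fakeAtlas has (or can be given) the token the client was configured with, comparing the header value against it would pin the behaviour the commit message promises. The `req.FormValue("access_token")` check also triggers ParseForm, which reads a form-encoded body as well as the query string; if the intent is specifically "never in the URL", `req.URL.Query().Get("access_token")` states that directly and has no side effect on the body. A one-line comment such as `// enforce the client contract: token only in X-Atlas-Token, never in the URL` on the first check would make the fake's role as a regression guard clear to the next reader.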
|
||||