[Bug] Quill sends multiple access tokens in a request

Open jamietanna opened this issue 5 years ago • 2 comments

While looking at https://github.com/aaronpk/micropub.rocks/issues/84 it was noticed that requests to my Micropub endpoint were failing due to the inclusion of the Bearer token in both the Authorization header and the request body:

{
	"url" : "/micropub",
	"absoluteUrl" : "http://localhost:8085/micropub",
	"method" : "POST",
	"clientIp" : "173.230.197",
	"headers" : {
		"Authorization" : "Bearer ...",
		"Accept" : "application/json",
		"User-Agent" : "Go-http-client/1.1",
		"X-Forwarded-For" : "173.230.155.197",
		"Host" : "localhost:8085",
		"Accept-Encoding" : "gzip",
		"Content-Length" : "382",
		"Content-Type" : "application/x-www-form-urlencoded"
	},
	"cookies" : { },
	"browserProxyRequest" : false,
	"loggedDate" : 1577382107235,
	"body" : "h=entry&access_token=...&content=jjj",
	"scheme" : "http",
	"host" : "localhost",
	"port" : 8085,
	"loggedDateString" : "2019-12-26T17:41:47Z",
	"queryParams" : { }
}

This needs to be corrected to be fully OAuth2 compliant.

jamietanna avatar Dec 26 '19 17:12 jamietanna
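
An added example, not part of the original issue or of Quill's or the endpoint's code: a minimal Python sketch of the resource-server check that makes a request like the one logged above fail. RFC 6750 section 2 says a client must not use more than one method to transmit the token in each request, and section 3.1 assigns `invalid_request` (HTTP 400) to that case. The function and class names and the token value are hypothetical.

```python
from urllib.parse import parse_qs

class TokenError(Exception):
    """Carries the HTTP status and RFC 6750 error code for the response."""
    def __init__(self, status, code, description):
        super().__init__(description)
        self.status, self.code = status, code

def extract_bearer_token(headers, body="", query=""):
    """Return the one access token in a request, or raise TokenError."""
    headers = {name.lower(): value for name, value in headers.items()}
    found = []  # one (method, token) entry per place a token was sent

    scheme, _, credentials = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and credentials.strip():
        found.append(("header", credentials.strip()))

    # A body parameter only counts when the body is form-encoded.
    content_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if content_type == "application/x-www-form-urlencoded":
        found += [("body", t) for t in parse_qs(body).get("access_token", [])]

    found += [("query", t) for t in parse_qs(query).get("access_token", [])]

    if not found:
        # No credentials at all: 401 with no error code, per RFC 6750.
        raise TokenError(401, None, "no access token supplied")
    if len(found) > 1:
        methods = ", ".join(method for method, _ in found)
        raise TokenError(400, "invalid_request",
                         "access token sent more than once: " + methods)
    return found[0][1]

# Constructed sample shaped like the logged request; the token is a placeholder.
SAMPLE_HEADERS = {
    "Authorization": "Bearer example-token",
    "Content-Type": "application/x-www-form-urlencoded",
}
SAMPLE_BODY = "h=entry&access_token=example-token&content=jjj"

if __name__ == "__main__":
    try:
        extract_bearer_token(SAMPLE_HEADERS, SAMPLE_BODY)
    except TokenError as err:
        print(err.status, err.code, err)
```

The check counts every copy of the token, so a repeated `access_token` parameter in the body is rejected the same way as header plus body.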

Looks like this was first implemented in https://github.com/aaronpk/Quill/issues/4

jamietanna avatar Dec 30 '19 20:12 jamietanna

I've seen this cause more confusion than it has helped, so I'm in favor of changing this. I'll add a new setting which lets you choose whether you want the access token in the header or the post body.

aaronpk avatar Dec 31 '19 16:12 aaronpk