merchant

Merchant backend to process payments, run by merchants

commit c1fdd363f635d944aa25ef338c5d6caf09b00213
parent fd09c7480fbdd20065c2373f1a3d677c41ecfde9
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date:   Mon, 24 Mar 2025 12:04:20 +0100

Simplify authorization code path

Diffstat:
Msrc/backend/taler-merchant-httpd.c | 32+++++++++++++-------------------
1 file changed, 13 insertions(+), 19 deletions(-)

diff --git a/src/backend/taler-merchant-httpd.c b/src/backend/taler-merchant-httpd.c
@@ -1893,7 +1893,6 @@ url_handler (void *cls,
 if (public_handlers != handlers)
 {
 const char *auth;
- bool auth_ok;
 bool is_basic_auth = false;
 bool auth_malformed = false;
@@ -1932,8 +1931,7 @@ url_handler (void *cls,
 else if (is_basic_auth)
 {
 /* Handle token endpoint slightly differently: Only allow
- * instance password (Basic auth) OR
- * refresh token (Bearer auth) to retrieve access token.
+ * instance password (Basic auth) to retrieve access token.
 * We need to handle authorization with Basic auth here first
 * The only time we need to handle authentication like this is
 * for the token endpoint!
@@ -1941,27 +1939,23 @@ url_handler (void *cls,
 if ((0 != strncmp (hc->rh->url_prefix, "/token", strlen ("/token"))) || (0 != strncmp (MHD_HTTP_METHOD_POST, hc->rh->method,
- strlen (MHD_HTTP_METHOD_POST))))
+ strlen (MHD_HTTP_METHOD_POST))) ||
+ (NULL == hc->instance))
 {
 // FIXME this should never happen, but according to the comment below,
 // We must not error out here for some reason that has to do with
- // disabled authZ behind reverse proxy...
+ // disabled authZ behind reverse proxy...?
+ hc->auth_scope = TMH_AS_NONE;
 }
- /* Check against selected instance, if we have one */
- if (NULL != hc->instance)
- auth_ok = (GNUNET_OK ==
- TMH_check_auth_instance (auth,
- hc->instance));
- else /* Are the credentials provided OK for CLI override? */
- auth_ok = (use_default &&
- (NULL != TMH_default_auth) &&
- (NULL != auth) &&
- (! auth_malformed) &&
- (0 == strcmp (auth,
- TMH_default_auth)) );
- if (auth_ok)
+ else
 {
- hc->auth_scope = TMH_AS_ALL;
+ // FIXME: Do we want to check CLI provided credentials here?
+ if (GNUNET_OK ==
+ TMH_check_auth_instance (auth,
+ hc->instance))
+ hc->auth_scope = TMH_AS_ALL;
+ else
+ hc->auth_scope = TMH_AS_NONE;
 }
 }
 else /* Check bearer token */
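Review bot: The guard that decides whether Basic credentials are honoured, in the third hunk, still uses `strncmp (hc->rh->url_prefix, "/token", strlen ("/token"))`, which is a prefix match, so the new `else` branch that grants `TMH_AS_ALL` is reachable for any POST handler whose `url_prefix` merely begins with `/token`, not only the token endpoint the comment names. If the token handler's prefix is exactly `/token`, comparing with `0 != strcmp (hc->rh->url_prefix, "/token")` (and likewise `strcmp` for the method) would match the stated intent. The new branch also passes `auth` to `TMH_check_auth_instance` without consulting `auth_malformed` or `NULL != auth`, which the removed code checked on the CLI path only; whether the callee rejects those inputs is not visible here, so an explicit `(! auth_malformed) && (NULL != auth) &&` in front of the call would keep the result fail-closed. The two FIXME comments leave the authorization decision open and should be replaced by a statement of the chosen behaviour. `url_handler` begins and ends outside this hunk.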