From 53bc4d945a134e20d3957ba71cf2495525f85b03 Mon Sep 17 00:00:00 2001
From: Andre Medeiros <me@andremedeiros.info>
Date: Wed, 17 Oct 2018 12:26:53 -0400
Subject: [PATCH] Change back how auth works for websockets.

As it turns out, a websocket request doesn't contain some of the
hashable properties in order to be validated. Because of that, we'll
still use tokens here until we find a better way to do it.
---
 lib/modules/authenticator/index.js | 15 ++++++++++-----
 lib/modules/webserver/server.js    |  5 ++---
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/lib/modules/authenticator/index.js b/lib/modules/authenticator/index.js
index 0786174d1..44046625c 100644
--- a/lib/modules/authenticator/index.js
+++ b/lib/modules/authenticator/index.js
@@ -73,12 +73,17 @@ class Authenticator {
         (`http://${host}:${port}/embark?token=${this.authToken}`.underline)));
     });
 
-    this.events.setCommandHandler('authenticator:authorize', (req, cb) => {
-      let hash = self.generateRequestHash(req);
-      if(hash !== req.headers['x-embark-request-hash']) {
-        return cb(ERROR_OBJ);
+    this.events.setCommandHandler('authenticator:authorize', (req, res, cb) => {
+      let authenticated = false;
+      if(!res.send) {
+        authenticated = (this.authToken === req.protocol);
+      } else {
+        let hash = self.generateRequestHash(req);
+        authenticated = (hash === req.headers['x-embark-request-hash']);
       }
-      cb();
+
+      if(authenticated) return cb();
+      cb(ERROR_OBJ);
     });
   }
 }
diff --git a/lib/modules/webserver/server.js b/lib/modules/webserver/server.js
index 2ec69af0a..9d1d72cf5 100644
--- a/lib/modules/webserver/server.js
+++ b/lib/modules/webserver/server.js
@@ -161,9 +161,8 @@ class Server {
     ('http://' + canonicalHost(this.hostname) + ':' + this.port).bold.underline.green;
   }
 
-   applyAPIFunction (cb, req, res) {
-     const authToken = (!res.send) ? req.protocol : req.headers.authorization;
-    this.events.request('authenticator:authorize', authToken, (err) => {
+  applyAPIFunction(cb, req, res) {
+    this.events.request('authenticator:authorize', req, res, (err) => {
       if (err) {
         const send = res.send ? res.send.bind(res) : req.send.bind(req); // WS only has the first params
         return send(err);