extractKey extracts an API key from the request (all sources).
(c echo.Context)
| 508 | |
// extractKey returns the first API key candidate found on the request, or ""
// when no source carries one. Sources are consulted in a fixed order:
//
//  1. Authorization header: a leading "Bearer " (exact, case-sensitive match)
//     is stripped; any other non-empty value is returned verbatim.
//  2. x-api-key header.
//  3. xi-api-key header.
//  4. "token" cookie.
//
// The result is only a candidate; this function performs no validation.
//
// NOTE(review): any non-empty Authorization header short-circuits the later
// sources, so a value using another scheme (for example "Basic ...") is
// returned as-is and the x-api-key, xi-api-key and cookie sources are never
// read for that request.
// NOTE(review): accepting the key from a cookie makes it an ambient browser
// credential. Confirm that state-changing routes have CSRF protection and
// that the cookie is issued with Secure, HttpOnly and SameSite; neither is
// visible from here.
// The returned string is a secret: keep it out of logs and error messages.
func extractKey(c echo.Context) string {
	req := c.Request()

	// Authorization header. TrimPrefix returns its input unchanged when the
	// prefix is absent, which covers both the Bearer and the bare-value case.
	if authz := req.Header.Get("Authorization"); authz != "" {
		return strings.TrimPrefix(authz, "Bearer ")
	}

	// Dedicated key headers, in priority order.
	for _, name := range []string{"x-api-key", "xi-api-key"} {
		if v := req.Header.Get(name); v != "" {
			return v
		}
	}

	// token cookie; a lookup error is treated the same as a missing cookie.
	tok, err := c.Cookie("token")
	if err != nil || tok.Value == "" {
		return ""
	}
	return tok.Value
}
| 537 | |
| 538 | // isValidLegacyKey checks if the key matches any configured API key |
| 539 | // using constant-time comparison to prevent timing attacks. |
no test coverage detected