From 8325056061fa4dae7134ab91e7ee8606acc8d008 Mon Sep 17 00:00:00 2001
From: Feng Lee <feng@emqtt.io>
Date: Wed, 26 Jul 2017 13:16:46 +0800
Subject: [PATCH] Authorize HTTP Publish API with clientId

---
 src/emqttd_http.erl | 43 ++++++++++++++++++++++---------------------
 1 file changed, 22 insertions(+), 21 deletions(-)

diff --git a/src/emqttd_http.erl b/src/emqttd_http.erl
index 36323406a..0ae07a6f7 100644
--- a/src/emqttd_http.erl
+++ b/src/emqttd_http.erl
@@ -47,8 +47,9 @@ handle_request(Method, "/status", Req) when Method =:= 'HEAD'; Method =:= 'GET'
 %%--------------------------------------------------------------------
 
 handle_request('POST', "/mqtt/publish", Req) ->
-    case authorized(Req) of
-        true  -> http_publish(Req);
+    Params = parse_params(Req),
+    case authorized(Req, Params) of
+        true  -> http_publish(Req, Params);
         false -> Req:respond({401, [], <<"Unauthorized">>})
     end;
 
@@ -68,8 +69,7 @@ handle_request(Method, Path, Req) ->
 %% HTTP Publish
 %%--------------------------------------------------------------------
 
-http_publish(Req) ->
-    Params = [{iolist_to_binary(Key), Val} || {Key, Val} <- mochiweb_request:parse_post(Req)],
+http_publish(Req, Params) ->
     lager:debug("HTTP Publish: ~p", [Params]),
     Topics   = topics(Params),
     ClientId = get_value(<<"client">>, Params, http),
@@ -89,6 +89,9 @@ http_publish(Req) ->
             Req:respond({400, [], <<"Bad Topics">>})
     end.
 
+parse_params(Req) ->
+    [{iolist_to_binary(K), V} || {K, V} <- mochiweb_request:parse_post(Req)].
+
 topics(Params) ->
     Tokens = [get_value(<<"topic">>, Params) | string:tokens(get_value(<<"topics">>, Params, ""), ",")],
     [iolist_to_binary(Token) || Token <- Tokens, Token =/= undefined].
@@ -111,24 +114,22 @@ validate(topic, Topic) ->
 %% basic authorization
 %%--------------------------------------------------------------------
 
-authorized(Req) ->
-    Params = mochiweb_request:parse_post(Req),
-    ClientId = get_value("client", Params, http),
+authorized(Req, Params) ->
+    ClientId = get_value(<<"client">>, Params, http),
     case Req:get_header_value("Authorization") of
-    undefined ->
-        false;
-    "Basic " ++ BasicAuth ->
-        {Username, Password} = user_passwd(BasicAuth),
-        {ok, Peer} = Req:get(peername),
-        case emqttd_access_control:auth(#mqtt_client{client_id = ClientId, username = Username, peername = Peer}, Password) of
-            ok ->
-                true;
-            {ok, _IsSuper} -> 
-                true;
-            {error, Reason} ->
-                lager:error("HTTP Auth failure: username=~s, reason=~p", [Username, Reason]),
-                false
-        end
+        undefined ->
+            false;
+        "Basic " ++ BasicAuth ->
+            {Username, Password} = user_passwd(BasicAuth),
+            {ok, Peer} = Req:get(peername),
+            case emqttd_access_control:auth(#mqtt_client{client_id = ClientId, username = Username, peername = Peer}, Password) of
+                ok -> true;
+                {ok, _IsSuper} -> 
+                    true;
+                {error, Reason} ->
+                    lager:error("HTTP Auth failure: username=~s, reason=~p", [Username, Reason]),
+                    false
+            end
     end.
 
 user_passwd(BasicAuth) ->