From 0718a090e1b008b53da0d8a97854ff531f5248dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Garc=C3=ADa?=
Date: Thu, 7 Mar 2019 20:21:50 +0100
Subject: [PATCH] Trim spaces from admin token during authentication and validate that the admin panel token is not empty

---
 src/api/admin.rs | 2 +-
 src/config.rs | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/api/admin.rs b/src/api/admin.rs
index fbf02928..8b84d09e 100644
--- a/src/api/admin.rs
+++ b/src/api/admin.rs
@@ -89,7 +89,7 @@ fn post_admin_login(data: Form, mut cookies: Cookies, ip: ClientIp) -
 fn _validate_token(token: &str) -> bool {
     match CONFIG.admin_token().as_ref() {
         None => false,
-        Some(t) => crate::crypto::ct_eq(t, token),
+        Some(t) => crate::crypto::ct_eq(t.trim(), token.trim()),
     }
 }
 
diff --git a/src/config.rs b/src/config.rs
index 33d03aee..7cf8f8a0 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -317,6 +317,12 @@ make_config! {
 }
 
 fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
+    if let Some(ref token) = cfg.admin_token {
+        if token.trim().is_empty() {
+            err!("`ADMIN_TOKEN` is enabled but has an empty value. To enable the admin page without token, use `DISABLE_ADMIN_TOKEN`")
+        }
+    }
+
     if cfg.yubico_client_id.is_some() != cfg.yubico_secret_key.is_some() {
         err!("Both `YUBICO_CLIENT_ID` and `YUBICO_SECRET_KEY` need to be set for Yubikey OTP support")
     }
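Review bot: The configured secret is re-normalised on every login attempt in the `Some` arm of `_validate_token` (`t.trim()`), whereas the same commit already touches config loading in config.rs; trimming the stored value once where `admin_token` is read would keep the secret canonical and leave the comparison as `crate::crypto::ct_eq(t, token.trim())`. The `Some` arm also deserves a why-comment so the next reader does not mistake the trim for a security relaxation, e.g. `// Surrounding whitespace is ignored on both sides so a copy-pasted token still matches`. Whether `ct_eq` remains constant-time when the two trimmed slices differ in length depends on its implementation, which is outside this hunk and worth confirming since trimming can now change either length.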
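Review bot: The new nested `if let` / `if` at the top of `validate_config` can be a single guard that matches the one-line style of the `yubico` check right below it, `if cfg.admin_token.as_ref().map_or(false, |t| t.trim().is_empty()) { err!("`ADMIN_TOKEN` is enabled but has an empty value. To enable the admin page without token, use `DISABLE_ADMIN_TOKEN`") }`. The check only rejects blank values; whether it still fires when `DISABLE_ADMIN_TOKEN` is set depends on how `admin_token` is populated inside `make_config!`, which is not visible in this hunk, so a short comment stating that whitespace-only tokens are treated as unset (consistent with the trim in `_validate_token`) would help. validate_config's body continues past the end of the hunk.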