Remove authentication via query parameters for websocket upgrade requests

service/src/main/java/org/whispersystems/textsecuregcm/websocket/WebSocketAccountAuthenticator.java

@@ -8,9 +8,6 @@ package org.whispersystems.textsecuregcm.websocket;
 import static org.whispersystems.textsecuregcm.util.HeaderUtils.basicCredentialsFromAuthHeader;
 
 import com.google.common.net.HttpHeaders;
-import io.dropwizard.auth.basic.BasicCredentials;
-import java.util.List;
-import java.util.Map;
 import javax.annotation.Nullable;
 import org.eclipse.jetty.websocket.api.UpgradeRequest;
 import org.whispersystems.textsecuregcm.auth.AccountAuthenticator;
@@ -26,7 +23,6 @@ public class WebSocketAccountAuthenticator implements WebSocketAuthenticator<Aut
   private static final ReusableAuth<AuthenticatedDevice> CREDENTIALS_NOT_PRESENTED = ReusableAuth.anonymous();
 
   private static final ReusableAuth<AuthenticatedDevice> INVALID_CREDENTIALS_PRESENTED = ReusableAuth.invalid();
-
   private final AccountAuthenticator accountAuthenticator;
   private final PrincipalSupplier<AuthenticatedDevice> principalSupplier;
 
@@ -40,13 +36,7 @@ public class WebSocketAccountAuthenticator implements WebSocketAuthenticator<Aut
   public ReusableAuth<AuthenticatedDevice> authenticate(final UpgradeRequest request)
       throws AuthenticationException {
     try {
-      // If the `Authorization` header was set for the request it takes priority, and we use the result of the
-      // header-based auth ignoring the result of the query-based auth.
-      final String authHeader = request.getHeader(HttpHeaders.AUTHORIZATION);
-      if (authHeader != null) {
-        return authenticatedAccountFromHeaderAuth(authHeader);
-      }
-      return authenticatedAccountFromQueryParams(request);
+      return authenticatedAccountFromHeaderAuth(request.getHeader(HttpHeaders.AUTHORIZATION));
     } catch (final Exception e) {
       // this will be handled and logged upstream
       // the most likely exception is a transient error connecting to account storage
@@ -54,23 +44,7 @@ public class WebSocketAccountAuthenticator implements WebSocketAuthenticator<Aut
     }
   }
 
-  private ReusableAuth<AuthenticatedDevice> authenticatedAccountFromQueryParams(final UpgradeRequest request) {
-    final Map<String, List<String>> parameters = request.getParameterMap();
-    final List<String> usernames = parameters.get("login");
-    final List<String> passwords = parameters.get("password");
-    if (usernames == null || usernames.size() == 0 ||
-        passwords == null || passwords.size() == 0) {
-      return CREDENTIALS_NOT_PRESENTED;
-    }
-    final BasicCredentials credentials = new BasicCredentials(usernames.get(0).replace(" ", "+"),
-        passwords.get(0).replace(" ", "+"));
-    return accountAuthenticator.authenticate(credentials)
-        .map(authenticatedAccount -> ReusableAuth.authenticated(authenticatedAccount, this.principalSupplier))
-        .orElse(INVALID_CREDENTIALS_PRESENTED);
-  }
-
-  private ReusableAuth<AuthenticatedDevice> authenticatedAccountFromHeaderAuth(@Nullable final String authHeader)
-      throws AuthenticationException {
+  private ReusableAuth<AuthenticatedDevice> authenticatedAccountFromHeaderAuth(@Nullable final String authHeader) {
     if (authHeader == null) {
       return CREDENTIALS_NOT_PRESENTED;
     }