Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

set_user_token: Incompatibility between the Authorization header and having a param clashing with the auth header names. #1648

Open
nicoraynaud opened this issue Jan 21, 2025 · 0 comments
Open

set_user_token: Incompatibility between the Authorization header and having a param clashing with the auth header names. #1648

nicoraynaud opened this issue Jan 21, 2025 · 0 comments

Comments

@nicoraynaud
Copy link

Hi,

There seems to be a bug in how we read the authentication attributes in concerns/set_user_by_token.rb.

On line 52 and after this is how it reads:

uid              = request.headers[uid_name] || params[uid_name] || parsed_auth_cookie[uid_name] || decoded_authorization_token[uid_name]
other_uid        = other_uid_name && request.headers[other_uid_name] || params[other_uid_name] || parsed_auth_cookie[other_uid_name]
@token           = DeviseTokenAuth::TokenFactory.new unless @token
@token.token     ||= request.headers[access_token_name] || params[access_token_name] || parsed_auth_cookie[access_token_name] || decoded_authorization_token[access_token_name]
@token.client ||= request.headers[client_name] || params[client_name] || parsed_auth_cookie[client_name] || decoded_authorization_token[client_name]

The problem exists where: if someone uses the decoded_authorization_token values coming from the one Authorization header instead of relying on the other 4 headers, the order of reading values is interrupted by reading from the params.

As a result, if either a path, query or body param contains an attribute with a name clashing with the defined client_name, uid_name or access_token_name, this will get evaluated before we can even try to evaluate the decoded_authorization_token (and this would be the same with the cookie).

As a result, auth fails for these requests.

GET /api/protected/some_resource?client=123
Authorization: Bearer a3dxd.....
===> Fails because client = 123 instead of the value in the Bearer token.

Could we issue a fix where we read from params after any other option has been tried ?

uid              = request.headers[uid_name] || parsed_auth_cookie[uid_name] || decoded_authorization_token[uid_name] || params[uid_name]
other_uid        = other_uid_name && request.headers[other_uid_name] || parsed_auth_cookie[other_uid_name] || params[other_uid_name]
@token           = DeviseTokenAuth::TokenFactory.new unless @token
@token.token     ||= request.headers[access_token_name] || parsed_auth_cookie[access_token_name] || decoded_authorization_token[access_token_name] || params[access_token_name]
@token.client ||= request.headers[client_name] || parsed_auth_cookie[client_name] || decoded_authorization_token[client_name] || params[client_name]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@nicoraynaud