Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Bearer regular expression matching in authenticate handler #614

Open
wants to merge 1 commit into
base: v5-dev
Choose a base branch
from

Conversation

shinenelson
Copy link

The implementation ( lib/handlers/authenticate-handler.ts#L145 )
of the pattern matching for the Bearer token matches only the string
"Bearer" followed by one whitespace character followed by any number of
non-whitespace characters. However, the loophole in the expression is
that one can prefix the Authorization string with any string before the
"Bearer" string and still get away with a successful match.
This means that fooBearer bar or foo Bearer bar are valid headers
according to the code.

RFC 6750 | OAuth 2.0 Bearer Token Usage | Section 2.1
https://tools.ietf.org/html/rfc6750#section-2.1
specifies that the Authorization header start with the string "Bearer".

This changeset modifies the code and the test case to make the above
examples get thrown as InvalidRequestErrors

The implementation ( lib/handlers/authenticate-handler.ts#L145 )
of the pattern matching for the Bearer token matches only the string
"Bearer" followed by one whitespace character followed by any number of
non-whitespace characters. However, the loophole in the expression is
that one can prefix the Authorization string with any string before the
"Bearer" string and still get away with a successful match.
This means that `fooBearer bar` or `foo Bearer bar` are valid headers
according to the code.

RFC 6750 | OAuth 2.0 Bearer Token Usage | Section 2.1
https://tools.ietf.org/html/rfc6750#section-2.1
specifies that the Authorization header start with the string "Bearer".

This changeset modifies the code and the test case to make the above
examples get thrown as `InvalidRequestError`s
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant