From 092134f3f39f4e7a58382dcfc75d72a69e14b98b Mon Sep 17 00:00:00 2001
From: Alyssa Ross
Date: Sat, 21 Oct 2023 17:00:50 +0000
Subject: [PATCH] Fix parsing of Authorization Bearer header (#3376)

The semantics of the Authorization header are defined by RFC 9110, which says:

> It uses a case-insensitive token to identify the authentication scheme:

Therefore, "bearer", "Bearer", and "bEARER" are equivalent.

This patch fixes the parsing of the Authorization header to check for the Bearer authentication scheme case insensitively.

I've modified one of the test cases to use lowercase "bearer", so there's test coverage for this.
---
 router/middleware/auth.go | 9 ++++++---
 test/automated/api/integrations.test.js | 2 +-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/router/middleware/auth.go b/router/middleware/auth.go
index 00e8dfc60..574610cdf 100644
--- a/router/middleware/auth.go
+++ b/router/middleware/auth.go
@@ -69,10 +69,13 @@ func RequireExternalAPIAccessToken(scope string, handler ExternalAccessTokenHand
 return
 }
 
- authHeader := strings.Split(r.Header.Get("Authorization"), "Bearer ")
- token := strings.Join(authHeader, "")
+ authHeader := r.Header.Get("Authorization")
+ token := ""
+ if strings.HasPrefix(strings.ToLower(authHeader), "bearer ") {
+ token = authHeader[len("bearer "):]
+ }
 
- if len(authHeader) == 0 || token == "" {
+ if token == "" {
 log.Warnln("invalid access token")
 accessDenied(w)
 return
diff --git a/test/automated/api/integrations.test.js b/test/automated/api/integrations.test.js
index 4b1ab345b..17914625e 100644
--- a/test/automated/api/integrations.test.js
+++ b/test/automated/api/integrations.test.js
@@ -83,7 +83,7 @@ test('send a system message using access token', async (done) => {
 };
 const res = await request
 .post('/api/integrations/chat/system')
- .set('Authorization', 'Bearer ' + accessToken)
+ .set('Authorization', 'bearer ' + accessToken)
 .send(payload)
 .expect(200);
 done();
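Review bot: The scheme check runs on a lowercased copy while the token is sliced from the original `authHeader`, so the added `if` in auth.go relies on `strings.ToLower` never changing the byte length of the first seven characters; that holds for the letters of "bearer", but it is an implicit invariant in the line that decides whether a credential is accepted at all. Comparing the same bytes that are sliced makes the gate self-evidently correct and avoids lowercasing the whole header: `if len(authHeader) >= len("bearer ") && strings.EqualFold(authHeader[:len("bearer ")], "bearer ") {` with the assignment unchanged. A header of "Bearer " followed only by whitespace still passes the `token == ""` guard and is handed to the token lookup below; wrapping the extraction as `token = strings.TrimSpace(authHeader[len("bearer "):])` would reject it at the same place, assuming the lookup does not itself tolerate surrounding whitespace. RequireExternalAPIAccessToken begins before this hunk and its body continues past it.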