Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Relax constraints on bearer token format #3111

Merged
merged 3 commits into from
May 9, 2024
Merged

Relax constraints on bearer token format #3111

merged 3 commits into from
May 9, 2024

Conversation

inahga
Copy link
Contributor

@inahga inahga commented May 8, 2024

Closes #3107. The bearer part is now case insensitive. Add some basic tests.

I also allow whitespace between bearer and the token. The 1*SP part of the grammar, IIUC, indices one or more whitespace:

Authorization = credentials
credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]

@inahga inahga requested a review from a team as a code owner May 8, 2024 20:34
tgeoghegan
tgeoghegan requested changes May 9, 2024
View reviewed changes
core/src/http.rs Outdated
Comment on lines 114 to 118
let (bearer, token) = authorization
.split_once(char::is_whitespace)
.ok_or_else(|| anyhow!("invalid bearer token"))?;

if bearer.to_lowercase() != "bearer" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit:

Suggested change
let (bearer, token) = authorization
.split_once(char::is_whitespace)
.ok_or_else(|| anyhow!("invalid bearer token"))?;
if bearer.to_lowercase() != "bearer" {
let (auth_scheme, token) = authorization
.split_once(char::is_whitespace)
.ok_or_else(|| anyhow!("invalid scheme in authorization header"))?;
if auth_scheme.to_lowercase() != "bearer" {

To line up with the credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ] in the Backaus-whatever notation.

core/src/http.rs Outdated
Comment on lines 144 to 151
Ok(Some(_))
);
assert_matches!(
extract_bearer_token(
&TestConn::build("get", "/", "body")
.with_request_header("authorization", "BeArEr gVfRUu9krhxrUgFsEo-P5w"),
),
Ok(Some(_))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it'd be nice to check the contents of the AuthenticationToken to make sure nothing bad happens when we call String::trim_start.

@inahga inahga requested a review from tgeoghegan May 9, 2024 16:18
@inahga inahga merged commit db1f10e into main May 9, 2024
8 checks passed
@inahga inahga deleted the inahga/bearer branch May 9, 2024 16:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@divergentdave divergentdave divergentdave approved these changes

@branlwyd branlwyd branlwyd approved these changes

@tgeoghegan tgeoghegan tgeoghegan approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Authentication scheme in Authorization header should not be case sensitive
4 participants
@inahga @divergentdave @branlwyd @tgeoghegan