diff --git a/src/authentication/BearerWebIdExtractor.ts b/src/authentication/BearerWebIdExtractor.ts
index 09e455c1f..ca9f02867 100644
--- a/src/authentication/BearerWebIdExtractor.ts
+++ b/src/authentication/BearerWebIdExtractor.ts
@@ -19,7 +19,7 @@ export class BearerWebIdExtractor extends CredentialsExtractor {
 public async canHandle({ headers }: HttpRequest): Promise {
 const { authorization } = headers;
- if (!authorization || !authorization.startsWith('Bearer ')) {
+ if (!authorization || !/^Bearer /ui.test(authorization)) {
 throw new NotImplementedHttpError('No Bearer Authorization header specified.');
 }
 }
diff --git a/src/authentication/DPoPWebIdExtractor.ts b/src/authentication/DPoPWebIdExtractor.ts
index 9d73ae6a1..9fc62c8d5 100644
--- a/src/authentication/DPoPWebIdExtractor.ts
+++ b/src/authentication/DPoPWebIdExtractor.ts
@@ -27,7 +27,7 @@ export class DPoPWebIdExtractor extends CredentialsExtractor {
 public async canHandle({ headers }: HttpRequest): Promise {
 const { authorization } = headers;
- if (!authorization || !authorization.startsWith('DPoP ')) {
+ if (!authorization || !/^DPoP /ui.test(authorization)) {
 throw new NotImplementedHttpError('No DPoP-bound Authorization header specified.');
 }
 }
diff --git a/src/authentication/UnsecureWebIdExtractor.ts b/src/authentication/UnsecureWebIdExtractor.ts
index 28a35019d..9ef425d90 100644
--- a/src/authentication/UnsecureWebIdExtractor.ts
+++ b/src/authentication/UnsecureWebIdExtractor.ts
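Review bot: In BearerWebIdExtractor.ts, `canHandle` now admits any casing of the scheme, but nothing visible here shows that the real token verifier accepts a header whose scheme is not spelled `Bearer`. The accompanying unit test asserts the verifier receives the raw value `'bearer token-1234'`, and that verifier is a mock, so a case-sensitive check downstream would go unnoticed. If the verifier does match the scheme strictly, such requests would now pass `canHandle` and fail later in `handle` with a different error, so an integration test against the real verifier (or normalising the scheme before the call) is worth adding. The same applies to the DPoPWebIdExtractor.ts hunk, whose target extractor is also mocked in its test. A one-line comment above each check, e.g. `// Auth scheme names are case-insensitive (RFC 7235 §2.1)`, would also record why a regex replaced `startsWith`.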
@@ -13,13 +13,13 @@ export class UnsecureWebIdExtractor extends CredentialsExtractor {
 public async canHandle({ headers }: HttpRequest): Promise {
 const { authorization } = headers;
- if (!authorization || !authorization.startsWith('WebID ')) {
+ if (!authorization || !/^WebID /ui.test(authorization)) {
 throw new NotImplementedHttpError('No WebID Authorization header specified.');
 }
 }
 public async handle({ headers }: HttpRequest): Promise {
- const webId = /^WebID\s+(.*)/u.exec(headers.authorization!)![1];
+ const webId = /^WebID\s+(.*)/ui.exec(headers.authorization!)![1];
 this.logger.info(`Agent unsecurely claims to be ${webId}`);
 return { [CredentialGroup.agent]: { webId }};
 }
diff --git a/test/unit/authentication/BearerWebIdExtractor.test.ts b/test/unit/authentication/BearerWebIdExtractor.test.ts
index 39dfcbe72..20721cde9 100644
--- a/test/unit/authentication/BearerWebIdExtractor.test.ts
+++ b/test/unit/authentication/BearerWebIdExtractor.test.ts
@@ -62,6 +62,21 @@ describe('A BearerWebIdExtractor', (): void => {
 });
 });
+ describe('on a request with Authorization and a lowercase Bearer token', (): void => {
+ const request = {
+ method: 'GET',
+ headers: {
+ authorization: 'bearer token-1234',
+ },
+ } as any as HttpRequest;
+
+ it('calls the Bearer verifier with the correct parameters.', async(): Promise => {
+ await webIdExtractor.handleSafe(request);
+ expect(solidTokenVerifier).toHaveBeenCalledTimes(1);
+ expect(solidTokenVerifier).toHaveBeenCalledWith('bearer token-1234');
+ });
+ });
+
 describe('when verification throws an error', (): void => {
 const request = {
 method: 'GET',
diff --git a/test/unit/authentication/DPoPWebIdExtractor.test.ts b/test/unit/authentication/DPoPWebIdExtractor.test.ts
index 37688987b..fdbdd2122 100644
--- a/test/unit/authentication/DPoPWebIdExtractor.test.ts
+++ b/test/unit/authentication/DPoPWebIdExtractor.test.ts
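Review bot: In UnsecureWebIdExtractor.ts the scheme pattern is now written twice, `/^WebID /ui` in `canHandle` and `/^WebID\s+(.*)/ui` in `handle`, and the two already disagree on the separator (one literal space versus any run of whitespace). Hoisting a single module-level pattern, e.g. `const WEBID_SCHEME = /^WebID\s+(.*)/ui;`, and using it in both methods would keep the guard and the extraction in step and make the `!` on the `exec` result easier to justify. Separately, `(.*)` also matches an empty value, so a header of `WebID ` with nothing after it yields an empty `webId` in the returned credentials. Using `(.+)` in the shared pattern would make `canHandle` reject that case, if empty claims are not meant to be accepted.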
@@ -90,6 +90,22 @@ describe('A DPoPWebIdExtractor', (): void => {
 });
 });
+ describe('on a request with Authorization specifying DPoP in lowercase', (): void => {
+ const request = {
+ method: 'GET',
+ headers: {
+ authorization: 'dpop token-1234',
+ dpop: 'token-5678',
+ },
+ } as any as HttpRequest;
+
+ it('calls the target extractor with the correct parameters.', async(): Promise => {
+ await webIdExtractor.handleSafe(request);
+ expect(targetExtractor.handle).toHaveBeenCalledTimes(1);
+ expect(targetExtractor.handle).toHaveBeenCalledWith({ request });
+ });
+ });
+
 describe('when verification throws an error', (): void => {
 const request = {
 method: 'GET',
diff --git a/test/unit/authentication/UnsecureWebIdExtractor.test.ts b/test/unit/authentication/UnsecureWebIdExtractor.test.ts
index 949bd53bf..a5501a49b 100644
--- a/test/unit/authentication/UnsecureWebIdExtractor.test.ts
+++ b/test/unit/authentication/UnsecureWebIdExtractor.test.ts
@@ -20,9 +20,15 @@ describe('An UnsecureWebIdExtractor', (): void => {
 await expect(result).rejects.toThrow('No WebID Authorization header specified.');
 });
- it('returns the authorization header as WebID if there is one.', async(): Promise => {
+ it('returns the authorization header as WebID if specified.', async(): Promise => {
 const headers = { authorization: 'WebID http://alice.example/card#me' };
 const result = extractor.handleSafe({ headers } as HttpRequest);
 await expect(result).resolves.toEqual({ [CredentialGroup.agent]: { webId: 'http://alice.example/card#me' }});
 });
+
+ it('returns the authorization header as WebID if specified with a lowercase token.', async(): Promise => {
+ const headers = { authorization: 'webid http://alice.example/card#me' };
+ const result = extractor.handleSafe({ headers } as HttpRequest);
+ await expect(result).resolves.toEqual({ [CredentialGroup.agent]: { webId: 'http://alice.example/card#me' }});
+ });
 });