Mirroristas/CommunitySolidServer
2
0
Fork 0
mirror of https://github.com/CommunitySolidServer/CommunitySolidServer.git synced 2024-10-03 14:55:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: Accept lowercase Authorization tokens.

Browse Source
This commit is contained in:
Ruben Verborgh 2021-12-03 11:55:43 +01:00
parent 5a01f09f81
commit 9c52011add
6 changed files with 42 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/authentication/BearerWebIdExtractor.ts
View File

@ -19,7 +19,7 @@ export class BearerWebIdExtractor extends CredentialsExtractor {
public async canHandle({ headers }: HttpRequest): Promise<void> { public async canHandle({ headers }: HttpRequest): Promise<void> {
const { authorization } = headers; const { authorization } = headers;
if (!authorization || !authorization.startsWith('Bearer ')) { if (!authorization || !/^Bearer /ui.test(authorization)) {
throw new NotImplementedHttpError('No Bearer Authorization header specified.'); throw new NotImplementedHttpError('No Bearer Authorization header specified.');
} }
} }

2
src/authentication/DPoPWebIdExtractor.ts
View File

@ -27,7 +27,7 @@ export class DPoPWebIdExtractor extends CredentialsExtractor {
public async canHandle({ headers }: HttpRequest): Promise<void> { public async canHandle({ headers }: HttpRequest): Promise<void> {
const { authorization } = headers; const { authorization } = headers;
if (!authorization || !authorization.startsWith('DPoP ')) { if (!authorization || !/^DPoP /ui.test(authorization)) {
throw new NotImplementedHttpError('No DPoP-bound Authorization header specified.'); throw new NotImplementedHttpError('No DPoP-bound Authorization header specified.');
} }
} }

4
src/authentication/UnsecureWebIdExtractor.ts
View File

@ -13,13 +13,13 @@ export class UnsecureWebIdExtractor extends CredentialsExtractor {
public async canHandle({ headers }: HttpRequest): Promise<void> { public async canHandle({ headers }: HttpRequest): Promise<void> {
const { authorization } = headers; const { authorization } = headers;
if (!authorization || !authorization.startsWith('WebID ')) { if (!authorization || !/^WebID /ui.test(authorization)) {
throw new NotImplementedHttpError('No WebID Authorization header specified.'); throw new NotImplementedHttpError('No WebID Authorization header specified.');
} }
} }
public async handle({ headers }: HttpRequest): Promise<CredentialSet> { public async handle({ headers }: HttpRequest): Promise<CredentialSet> {
const webId = /^WebID\s+(.*)/u.exec(headers.authorization!)![1]; const webId = /^WebID\s+(.*)/ui.exec(headers.authorization!)![1];
this.logger.info(`Agent unsecurely claims to be ${webId}`); this.logger.info(`Agent unsecurely claims to be ${webId}`);
return { [CredentialGroup.agent]: { webId }}; return { [CredentialGroup.agent]: { webId }};
} }

15
test/unit/authentication/BearerWebIdExtractor.test.ts
View File

@ -62,6 +62,21 @@ describe('A BearerWebIdExtractor', (): void => {
}); });
}); });
describe('on a request with Authorization and a lowercase Bearer token', (): void => {
const request = {
method: 'GET',
headers: {
authorization: 'bearer token-1234',
},
} as any as HttpRequest;
it('calls the Bearer verifier with the correct parameters.', async(): Promise<void> => {
await webIdExtractor.handleSafe(request);
expect(solidTokenVerifier).toHaveBeenCalledTimes(1);
expect(solidTokenVerifier).toHaveBeenCalledWith('bearer token-1234');
});
});
describe('when verification throws an error', (): void => { describe('when verification throws an error', (): void => {
const request = { const request = {
method: 'GET', method: 'GET',

16
test/unit/authentication/DPoPWebIdExtractor.test.ts
View File

@ -90,6 +90,22 @@ describe('A DPoPWebIdExtractor', (): void => {
}); });
}); });
describe('on a request with Authorization specifying DPoP in lowercase', (): void => {
const request = {
method: 'GET',
headers: {
authorization: 'dpop token-1234',
dpop: 'token-5678',
},
} as any as HttpRequest;
it('calls the target extractor with the correct parameters.', async(): Promise<void> => {
await webIdExtractor.handleSafe(request);
expect(targetExtractor.handle).toHaveBeenCalledTimes(1);
expect(targetExtractor.handle).toHaveBeenCalledWith({ request });
});
});
describe('when verification throws an error', (): void => { describe('when verification throws an error', (): void => {
const request = { const request = {
method: 'GET', method: 'GET',

8
test/unit/authentication/UnsecureWebIdExtractor.test.ts
View File

@ -20,9 +20,15 @@ describe('An UnsecureWebIdExtractor', (): void => {
await expect(result).rejects.toThrow('No WebID Authorization header specified.'); await expect(result).rejects.toThrow('No WebID Authorization header specified.');
}); });
it('returns the authorization header as WebID if there is one.', async(): Promise<void> => { it('returns the authorization header as WebID if specified.', async(): Promise<void> => {
const headers = { authorization: 'WebID http://alice.example/card#me' }; const headers = { authorization: 'WebID http://alice.example/card#me' };
const result = extractor.handleSafe({ headers } as HttpRequest); const result = extractor.handleSafe({ headers } as HttpRequest);
await expect(result).resolves.toEqual({ [CredentialGroup.agent]: { webId: 'http://alice.example/card#me' }}); await expect(result).resolves.toEqual({ [CredentialGroup.agent]: { webId: 'http://alice.example/card#me' }});
}); });
it('returns the authorization header as WebID if specified with a lowercase token.', async(): Promise<void> => {
const headers = { authorization: 'webid http://alice.example/card#me' };
const result = extractor.handleSafe({ headers } as HttpRequest);
await expect(result).resolves.toEqual({ [CredentialGroup.agent]: { webId: 'http://alice.example/card#me' }});
});
}); });