fix: Accept lowercase Authorization tokens.

2024-10-03 14:55:10 +00:00 · 2021-12-03 11:55:43 +01:00 · 2021-12-03 11:55:43 +01:00 · 9c52011add
commit 9c52011add
parent 5a01f09f81
6 changed files with 42 additions and 5 deletions
--- a/src/authentication/BearerWebIdExtractor.ts
+++ b/src/authentication/BearerWebIdExtractor.ts
@ -19,7 +19,7 @@ export class BearerWebIdExtractor extends CredentialsExtractor {

  public async canHandle({ headers }: HttpRequest): Promise<void> {
    const { authorization } = headers;
-    if (!authorization || !authorization.startsWith('Bearer ')) {
+    if (!authorization || !/^Bearer /ui.test(authorization)) {
      throw new NotImplementedHttpError('No Bearer Authorization header specified.');
    }
  }
--- a/src/authentication/DPoPWebIdExtractor.ts
+++ b/src/authentication/DPoPWebIdExtractor.ts
@ -27,7 +27,7 @@ export class DPoPWebIdExtractor extends CredentialsExtractor {

  public async canHandle({ headers }: HttpRequest): Promise<void> {
    const { authorization } = headers;
-    if (!authorization || !authorization.startsWith('DPoP ')) {
+    if (!authorization || !/^DPoP /ui.test(authorization)) {
      throw new NotImplementedHttpError('No DPoP-bound Authorization header specified.');
    }
  }
--- a/src/authentication/UnsecureWebIdExtractor.ts
+++ b/src/authentication/UnsecureWebIdExtractor.ts
@ -13,13 +13,13 @@ export class UnsecureWebIdExtractor extends CredentialsExtractor {

  public async canHandle({ headers }: HttpRequest): Promise<void> {
    const { authorization } = headers;
-    if (!authorization || !authorization.startsWith('WebID ')) {
+    if (!authorization || !/^WebID /ui.test(authorization)) {
      throw new NotImplementedHttpError('No WebID Authorization header specified.');
    }
  }

  public async handle({ headers }: HttpRequest): Promise<CredentialSet> {
-    const webId = /^WebID\s+(.*)/u.exec(headers.authorization!)![1];
+    const webId = /^WebID\s+(.*)/ui.exec(headers.authorization!)![1];
    this.logger.info(`Agent unsecurely claims to be ${webId}`);
    return { [CredentialGroup.agent]: { webId }};
  }
--- a/test/unit/authentication/BearerWebIdExtractor.test.ts
+++ b/test/unit/authentication/BearerWebIdExtractor.test.ts
@ -62,6 +62,21 @@ describe('A BearerWebIdExtractor', (): void => {
    });
  });

+  describe('on a request with Authorization and a lowercase Bearer token', (): void => {
+    const request = {
+      method: 'GET',
+      headers: {
+        authorization: 'bearer token-1234',
+      },
+    } as any as HttpRequest;
+
+    it('calls the Bearer verifier with the correct parameters.', async(): Promise<void> => {
+      await webIdExtractor.handleSafe(request);
+      expect(solidTokenVerifier).toHaveBeenCalledTimes(1);
+      expect(solidTokenVerifier).toHaveBeenCalledWith('bearer token-1234');
+    });
+  });
+
  describe('when verification throws an error', (): void => {
    const request = {
      method: 'GET',
--- a/test/unit/authentication/DPoPWebIdExtractor.test.ts
+++ b/test/unit/authentication/DPoPWebIdExtractor.test.ts
@ -90,6 +90,22 @@ describe('A DPoPWebIdExtractor', (): void => {
    });
  });

+  describe('on a request with Authorization specifying DPoP in lowercase', (): void => {
+    const request = {
+      method: 'GET',
+      headers: {
+        authorization: 'dpop token-1234',
+        dpop: 'token-5678',
+      },
+    } as any as HttpRequest;
+
+    it('calls the target extractor with the correct parameters.', async(): Promise<void> => {
+      await webIdExtractor.handleSafe(request);
+      expect(targetExtractor.handle).toHaveBeenCalledTimes(1);
+      expect(targetExtractor.handle).toHaveBeenCalledWith({ request });
+    });
+  });
+
  describe('when verification throws an error', (): void => {
    const request = {
      method: 'GET',
--- a/test/unit/authentication/UnsecureWebIdExtractor.test.ts
+++ b/test/unit/authentication/UnsecureWebIdExtractor.test.ts
@ -20,9 +20,15 @@ describe('An UnsecureWebIdExtractor', (): void => {
    await expect(result).rejects.toThrow('No WebID Authorization header specified.');
  });

-  it('returns the authorization header as WebID if there is one.', async(): Promise<void> => {
+  it('returns the authorization header as WebID if specified.', async(): Promise<void> => {
    const headers = { authorization: 'WebID http://alice.example/card#me' };
    const result = extractor.handleSafe({ headers } as HttpRequest);
    await expect(result).resolves.toEqual({ [CredentialGroup.agent]: { webId: 'http://alice.example/card#me' }});
  });
+
+  it('returns the authorization header as WebID if specified with a lowercase token.', async(): Promise<void> => {
+    const headers = { authorization: 'webid http://alice.example/card#me' };
+    const result = extractor.handleSafe({ headers } as HttpRequest);
+    await expect(result).resolves.toEqual({ [CredentialGroup.agent]: { webId: 'http://alice.example/card#me' }});
+  });
 });