Ignore authorization headers if not Bearer (#325)

* Ignore authorization headers if not Bearer * Update jwt.js * lint fix * Apply suggestions from code review Co-authored-by: KaKa <[email protected]> Signed-off-by: cberescu <[email protected]> * Update jwt.js Co-authored-by: Gürgün Dayıoğlu <[email protected]> Signed-off-by: cberescu <[email protected]> * fixed tests --------- Signed-off-by: cberescu <[email protected]> Co-authored-by: Ciprian <[email protected]> Co-authored-by: KaKa <[email protected]> Co-authored-by: Gürgün Dayıoğlu <[email protected]>
fastify · Jan 7, 2024 · 3bab18e · 3bab18e
1 parent 7a8802f
commit 3bab18e
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 16 deletions.
diff --git a/jwt.js b/jwt.js
@@ -240,15 +240,10 @@ function fastifyJwt (fastify, options, next) {
       if (!token) {
         throw new BadRequestError()
       }
-    } else if ((request.headers && request.headers.authorization) && (!onlyCookie)) {
+    } else if (request.headers.authorization && !onlyCookie && /^Bearer\s/i.test(request.headers.authorization)) {
       const parts = request.headers.authorization.split(' ')
       if (parts.length === 2) {
-        const scheme = parts[0]
         token = parts[1]
-
-        if (!/^Bearer$/i.test(scheme)) {
-          throw new BadRequestError()
-        }
       } else {
         throw new BadRequestError()
       }

diff --git a/test/jwt.test.js b/test/jwt.test.js
@@ -1617,8 +1617,7 @@ test('errors', function (t) {
           t.equal(response.statusCode, 401)
         })
       })
-
-      t.test('authorization header format error', function (t) {
+      t.test('no bearer authorization header error', function (t) {
         t.plan(2)
 
         fastify.inject({
@@ -1629,8 +1628,8 @@ test('errors', function (t) {
           }
         }).then(function (response) {
           const error = JSON.parse(response.payload)
-          t.equal(error.message, 'Format is Authorization: Bearer [token]')
-          t.equal(response.statusCode, 400)
+          t.equal(error.message, 'No Authorization was found in request.headers')
+          t.equal(response.statusCode, 401)
         })
       })
 
@@ -2196,7 +2195,7 @@ test('token in cookie, with @fastify/cookie parsing', function (t) {
   })
 
   t.test('both authorization and cookie headers present, header malformed', function (t) {
-    t.plan(3)
+    t.plan(2)
     fastify.inject({
       method: 'post',
       url: '/sign',
@@ -2215,9 +2214,8 @@ test('token in cookie, with @fastify/cookie parsing', function (t) {
           authorization: 'BearerX'
         }
       }).then(function (verifyResponse) {
-        const error = JSON.parse(verifyResponse.payload)
-        t.equal(error.message, 'Format is Authorization: Bearer [token]')
-        t.equal(error.statusCode, 400)
+        const decodedToken = JSON.parse(verifyResponse.payload)
+        t.equal(decodedToken.foo, 'bar')
       })
     })
   })
@@ -2394,8 +2392,8 @@ test('custom response messages', function (t) {
           }
         }).then(function (response) {
           const error = JSON.parse(response.payload)
-          t.equal(error.message, 'Format is Authorization: Bearer [token]')
-          t.equal(response.statusCode, 400)
+          t.equal(error.message, 'auth header missing')
+          t.equal(response.statusCode, 401)
         })
       })