-
Notifications
You must be signed in to change notification settings - Fork 996
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix(auth): Handle when authorization header is lowercased (#10442)
In one of the PRs I did for last release, I switched getting the header using the new `getEventHeaders` function. This function will check for two cases: ``` getEventHeaders('Authorization') => a) header['authorization'] b) header['Authorization'] ``` **BUT** if you passed it a lowercase header in the first place: ``` getEventHeaders('authorization') => a) header['authorization'] b) header['authorization'] ``` I actually didn't change the logic it's the same as before, but in`parseAuthorizationHeader`, we used to call it with the capital case. I know the _full_ solution is to grab the headers, and convert them all to lower-case, but I'm intentionally avoiding this because I don't want to slow down handling of every request by looping over all the headers. --- This PR makes a minor change, and adds some extra tests. 🤞 we'll move everything to Fetch API soon and won't have to deal with this sillyness!
- Loading branch information
1 parent
357efac
commit 5deb43b
Showing
3 changed files
with
73 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
- fix(auth): Handle when authorization header is lowercased (#10442) by @dac09 | ||
Handles when 'authorization' header is lowercased, and adds some extra tests. |
70 changes: 70 additions & 0 deletions
70
packages/api/src/auth/__tests__/parseAuthorizationHeader.test.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
import type { APIGatewayProxyEvent } from 'aws-lambda' | ||
import { test, expect, describe } from 'vitest' | ||
|
||
import { parseAuthorizationHeader } from '../index' | ||
|
||
describe('parseAuthorizationHeader', () => { | ||
test('throws error if Authorization header is not valid', () => { | ||
const invalidHeaders = [ | ||
undefined, | ||
null, | ||
'', | ||
'Bearer', | ||
'Bearer ', | ||
'Bearer token with spaces', | ||
'Token', | ||
'Token ', | ||
'Token token with spaces', | ||
] | ||
|
||
invalidHeaders.forEach((header) => { | ||
expect(() => | ||
// @ts-expect-error That's what we're testing | ||
parseAuthorizationHeader({ headers: { Authorization: header } }), | ||
Check warning on line 23 in packages/api/src/auth/__tests__/parseAuthorizationHeader.test.ts GitHub Actions / 🚢 Publish Release Candidate
Check warning on line 23 in packages/api/src/auth/__tests__/parseAuthorizationHeader.test.ts GitHub Actions / 🏗 Build, lint, test / ubuntu-latest / node 20 latest
|
||
).toThrowError('The `Authorization` header is not valid.') | ||
}) | ||
}) | ||
|
||
test('returns the schema and token from valid Authorization header', () => { | ||
const validHeaders = [ | ||
'Bearer token', | ||
'Bearer 12345', | ||
'Token token', | ||
'Token 12345', | ||
] | ||
|
||
validHeaders.forEach((header) => { | ||
// We only care about the headers in the event | ||
const result = parseAuthorizationHeader({ | ||
headers: { Authorization: header }, | ||
} as unknown as APIGatewayProxyEvent) | ||
|
||
expect(result).toEqual({ | ||
schema: header.split(' ')[0], | ||
token: header.split(' ')[1], | ||
}) | ||
}) | ||
}) | ||
|
||
test('Handles different lower-casing of the authorization header', () => { | ||
const result = parseAuthorizationHeader({ | ||
headers: { authorization: 'Bearer bazinga' }, | ||
} as unknown as APIGatewayProxyEvent) | ||
|
||
expect(result).toEqual({ | ||
schema: 'Bearer', | ||
token: 'bazinga', | ||
}) | ||
}) | ||
|
||
test('Handles different capital-casing of the Authorization header', () => { | ||
const result = parseAuthorizationHeader({ | ||
headers: { Authorization: 'Bearer bazinga' }, | ||
} as unknown as APIGatewayProxyEvent) | ||
|
||
expect(result).toEqual({ | ||
schema: 'Bearer', | ||
token: 'bazinga', | ||
}) | ||
}) | ||
}) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters