cbsecurity
                        Bearer token scenario not working
What are the steps to reproduce this issue?
- In cbsecurity configuration do not specify a 'customAuthHeader' in cbsecurity -> jwt settings
- Make a request to a resthandler using a standard 'Authorization' header with a value of 'Bearer [token]'
What happens?
The Bearer token is not found because the code in 'JWTService.discoverToken()' that attempts to use the 'customAuthHeader' returns a null value, and the subsequent check of the token's length then fails silently.
The current code is this:
string function discoverToken(){
	var event = variables.requestService.getContext();
	// Discover api token from headers using a custom header or the incoming RC
	var jwtToken = event.getHTTPHeader(
		header       = variables.settings.jwt.customAuthHeader,
		defaultValue = event.getValue( name = variables.settings.jwt.customAuthHeader, defaultValue = "" )
	);
	// If we found it, return it, else try other headers
	if ( jwtToken.len() ) {
		return jwtToken;
	}
	// Authorization Header
	return event
		.getHTTPHeader( header = "Authorization", defaultValue = "" )
		.replaceNoCase( "Bearer", "" )
		.trim();
}
This section:
if ( jwtToken.len() ) {
	return jwtToken;
}
Should be this or something like it:
if ( !isNull( jwtToken ) && jwtToken.len() ) {
	return jwtToken;
}
…
What were you expecting to happen?
If no 'customAuthHeader' is specified in jwt settings, the discoverToken method is supposed to use the standard Authorization/Bearer token construct.
There really needs to be a NULL check or a check to see if 'customAuthHeader' is even specified.
…
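The null check described above, carried a step further as an added example that is not cbsecurity's own code: a version of discoverToken() that only consults the custom header when the 'customAuthHeader' setting is actually configured and non-empty, tolerates a null result from either lookup, and strips only a leading Bearer scheme from the Authorization header (the replaceNoCase() in the current code removes the word 'Bearer' wherever it appears in the value). It assumes the same event.getHTTPHeader() / event.getValue() calls shown in the code above and a settings struct at variables.settings.jwt; the extractBearerToken() helper is a hypothetical name chosen for this example.

```cfml
// Added example, not cbsecurity's own code. Assumes the event API used on the page
// (getHTTPHeader/getValue with a defaultValue) and settings under variables.settings.jwt.
string function discoverToken(){
	var event        = variables.requestService.getContext();
	var jwtSettings  = variables.settings.jwt;
	var customHeader = "";

	// Only consult the custom header when the setting exists and is non-empty;
	// a missing setting must not turn into a null header lookup.
	if (
		structKeyExists( jwtSettings, "customAuthHeader" )
		&& !isNull( jwtSettings.customAuthHeader )
		&& len( trim( jwtSettings.customAuthHeader ) )
	) {
		customHeader = trim( jwtSettings.customAuthHeader );
	}

	if ( len( customHeader ) ) {
		var customToken = event.getHTTPHeader(
			header       = customHeader,
			defaultValue = event.getValue( name = customHeader, defaultValue = "" )
		);
		// Guard the lookup result as well, not just the setting
		if ( !isNull( customToken ) && len( trim( customToken ) ) ) {
			return trim( customToken );
		}
	}

	// Fall back to the standard "Authorization: Bearer <token>" construct
	var authHeader = event.getHTTPHeader( header = "Authorization", defaultValue = "" );
	if ( isNull( authHeader ) ) {
		return "";
	}
	return extractBearerToken( authHeader );
}

// Hypothetical helper: accept only a leading, case-insensitive "Bearer <token>" and
// return "" for anything else, so a Basic credential or a bare string is never
// handed to the JWT parser as if it were a token.
string function extractBearerToken( required string authHeader ){
	var value = trim( arguments.authHeader );
	if ( !reFindNoCase( "^Bearer\s+\S+$", value ) ) {
		return "";
	}
	return trim( reReplaceNoCase( value, "^Bearer\s+", "" ) );
}
```

Returning an empty string from extractBearerToken() for non-Bearer values is a deliberate choice in this example: the caller already treats an empty token as "not found", so a request with an unrelated Authorization scheme ends up unauthenticated rather than failing later inside JWT parsing with a confusing error.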
Any logs, error output, etc?
…
Any other comments?
The documentation states that 'by default it uses the authorization bearer header', but there doesn't appear to be a test for this. …
What versions are you using?
Operating System: Windows
Package Version: Lucee 5.4