node-oauth2-server icon indicating copy to clipboard operation
node-oauth2-server copied to clipboard
verified publisher icon oauthjs

fix: Bearer regular expression matching in authenticate handler

Open shinenelson opened this issue 5 years ago • 0 comments

The implementation ( lib/handlers/authenticate-handler.ts#L145 ) of the pattern matching for the Bearer token matches only the string "Bearer" followed by one whitespace character followed by any number of non-whitespace characters. However, the loophole in the expression is that one can prefix the Authorization string with any string before the "Bearer" string and still get away with a successful match. This means that fooBearer bar or foo Bearer bar are valid headers according to the code.

RFC 6750 | OAuth 2.0 Bearer Token Usage | Section 2.1 https://tools.ietf.org/html/rfc6750#section-2.1 specifies that the Authorization header start with the string "Bearer".

This changeset modifies the code and the test case to make the above examples get thrown as InvalidRequestErrors

shinenelson avatar May 16 '20 00:05 shinenelson