fix: add cookie support for HTTP bearer authentication (cdimascio#949)
* fix: add cookie support for HTTP bearer authentication

- Updated validateHttp() to handle bearer tokens in both authorization header and cookies.
- Adapted logic to ensure flexibility for projects using HTTP-only cookies instead of headers for authentication.

* fix: Refine HTTP authentication validation based on code review feedback

- Maintain existing error for missing Authorization header
- Add specific error for cookie authentication when specified in security scheme
- Consider both Authorization header and cookie for bearer token validation

* fix: Revert unintended code style changes made during previous commit

* fix: Revert unintended code style changes made during previous commit

* fix: fix: update validateHttp to handle missing auth headers properly

- Restructure Basic auth validation to check header existence first
- Maintain original error messages for non-cookie authentication
- Add proper cookie authentication check when specified
- Fix undefined.includes() error in Basic auth validation
SeokHoChoi authored Oct 26, 2024
1 parent 5e21e3f commit 00d070b
Showing 1 changed file with 26 additions and 13 deletions.
39 changes: 26 additions & 13 deletions src/middlewares/openapi.security.ts
Expand Up @@ -86,8 +86,8 @@ export function security(
if (success) {
next();
} else {
const errors = extractErrorsFromResults(results)
throw errors[0]
const errors = extractErrorsFromResults(results);
throw errors[0];
}
} catch (e) {
const message = e?.error?.message || 'unauthorized';
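Review bot: this hunk only adds semicolons to the two lines in the `else` branch and is unrelated to the cookie fix; given that two of the squashed commits in the message are "Revert unintended code style changes", this one looks like a leftover and should be dropped or moved to a separate formatting commit so the diff stays reviewable.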
Expand Down Expand Up @@ -232,18 +232,31 @@ class AuthValidator {
const authHeader =
req.headers['authorization'] &&
req.headers['authorization'].toLowerCase();

if (!authHeader) {
throw Error(`Authorization header required`);
}

const authCookie =
req.cookies[scheme.name] || req.signedCookies?.[scheme.name];

const type = scheme.scheme && scheme.scheme.toLowerCase();
if (type === 'bearer' && !authHeader.includes('bearer')) {
throw Error(`Authorization header with scheme 'Bearer' required`);
if (type === 'bearer') {
if (authHeader && !authHeader.includes('bearer')) {
throw Error(`Authorization header with scheme 'Bearer' required`);
}

if (!authHeader && !authCookie) {
if (scheme.in === 'cookie') {
throw Error(`Cookie authentication required`);
} else {
throw Error(`Authorization header required`);
}
}
}

if (type === 'basic' && !authHeader.includes('basic')) {
throw Error(`Authorization header with scheme 'Basic' required`);

if (type === 'basic') {
if (!authHeader) {
throw Error(`Authorization header required`);
}
if (!authHeader.includes('basic')) {
throw Error(`Authorization header with scheme 'Basic' required`);
}
}
}
}
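Review bot: `req.cookies[scheme.name]` will throw a TypeError whenever no cookie-parsing middleware is installed, because `req.cookies` is then undefined; this is the same class of crash the message says was fixed for `undefined.includes()` in the Basic branch, so use optional chaining on both reads: `req.cookies?.[scheme.name] || req.signedCookies?.[scheme.name]`. Two further points in the bearer branch: the cookie fallback is unconditional, so any cookie named `scheme.name` satisfies the check even when `scheme.in` is not `'cookie'`, which widens what counts as "authenticated" for every existing bearer scheme; gating the fallback on `scheme.in === 'cookie'` keeps the previous behaviour for header-only deployments. Note also that `name` and `in` are fields of `apiKey` security schemes, not of `http` schemes, so this path only activates on a spec that carries those extra fields; that should be stated in the README and covered by a test that exercises header-present, cookie-present and neither.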
Expand Down Expand Up @@ -276,4 +289,4 @@ class Util {
o.constructor === Object
);
}
}
}