From 979052dd511712213ab1274d4a3ad3f0a251dbb8 Mon Sep 17 00:00:00 2001 From: Lucas Leadbetter <5595530+lleadbet@users.noreply.github.com> Date: Thu, 22 Feb 2024 11:42:13 -0500 Subject: [PATCH 1/7] first pass at ignoring other auth prefixes using option --- ...eat_lleadbet_ignore_other_auth_prefixes.md | 20 +++++++ .../src/plugins/authentication/mod.rs | 28 +++++++-- .../src/plugins/authentication/tests.rs | 58 ++++++++++++++++--- docs/source/configuration/authn-jwt.mdx | 17 ++++++ 4 files changed, 112 insertions(+), 11 deletions(-) create mode 100644 .changesets/feat_lleadbet_ignore_other_auth_prefixes.md diff --git a/.changesets/feat_lleadbet_ignore_other_auth_prefixes.md b/.changesets/feat_lleadbet_ignore_other_auth_prefixes.md new file mode 100644 index 0000000000..f960ffeec8 --- /dev/null +++ b/.changesets/feat_lleadbet_ignore_other_auth_prefixes.md @@ -0,0 +1,20 @@ +### Ability to ignore other auth prefixes in the JWT plugin + +You can now ignore whether to ignore other header prefixes with the JWT plugin. As many applications will use the format of `Authorization: `, this will enable the use other schemes within the `Authorization` header. + +If the header prefix is an empty string, this option will be ignored. + +You can configure this, such as: + +```yaml title="router.yaml" +authentication: + router: + jwt: + header_name: authorization + header_value_prefix: "Bearer" + ignore_mismatched_prefix: true +``` + +In the above, the router will ignore `Authorization: Basic `, but process requests with `Authorization: Bearer ` defined. + +By [@lleadbet](https://github.com/lleadbet) in https://github.com/apollographql/router/pull/4718 \ No newline at end of file diff --git a/apollo-router/src/plugins/authentication/mod.rs b/apollo-router/src/plugins/authentication/mod.rs index 03693a1106..9985bc9c10 100644 --- a/apollo-router/src/plugins/authentication/mod.rs +++ b/apollo-router/src/plugins/authentication/mod.rs 
@@ -128,6 +128,9 @@ struct JWTConf { /// Header value prefix #[serde(default = "default_header_value_prefix")] header_value_prefix: String, + /// Whether to ignore any mismatched prefixes + #[serde(default="default_ignore_other_prefixes")] + ignore_other_prefixes: bool, } #[derive(Clone, Debug, Deserialize, JsonSchema)] @@ -181,6 +184,10 @@ fn default_poll_interval() -> Duration { DEFAULT_AUTHENTICATION_DOWNLOAD_INTERVAL } +fn default_ignore_other_prefixes() -> bool { + false +} + #[derive(Debug, Default)] struct JWTCriteria { alg: Algorithm, @@ -406,6 +413,7 @@ impl Plugin for AuthenticationPlugin { .as_ref() .map(|algs| algs.iter().cloned().collect()), poll_interval: jwks_conf.poll_interval, + }); } @@ -532,11 +540,13 @@ fn authenticate( // Make sure the format of our message matches our expectations // Technically, the spec is case sensitive, but let's accept - // case variations - // + // case variations. Furthermore, if the user has configured to ignore + // mismatched prefixes, we'll skip this check and instead do it in a + // later step. let prefix_len = config.header_value_prefix.len(); - if jwt_value.len() < prefix_len - || !&jwt_value[..prefix_len].eq_ignore_ascii_case(&config.header_value_prefix) + if !&config.ignore_other_prefixes && + (jwt_value.len() < prefix_len + || !&jwt_value[..prefix_len].eq_ignore_ascii_case(&config.header_value_prefix)) { return failure_message( request.context, 
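Review bot: The new field deserializes from the key `ignore_other_prefixes`, but the YAML example in this patch's changeset sets `ignore_mismatched_prefix: true`, so a configuration copied from the changeset would not set this field; the example should use the field's own name. The doc comment `/// Whether to ignore any mismatched prefixes` also does not say what "ignore" means for an authentication setting. Something like `/// When true, a header value that does not start with header_value_prefix is passed on without JWT validation instead of being rejected` states the consequence. The definition of `JWTConf` starts outside the hunk.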
@@ -545,6 +555,16 @@ fn authenticate( ); } + // Here we'll check if the user has configured to ignore mismatched prefixes + // and if so, we'll skip any unknown prefixes and not validate the token. + if config.ignore_other_prefixes { + if jwt_value.len() < prefix_len + || !&jwt_value[..prefix_len].eq_ignore_ascii_case(&config.header_value_prefix) + { + return ControlFlow::Continue(request); + } + } + // If there's no header prefix, we need to avoid splitting the header let jwt = if config.header_value_prefix.is_empty() { // check for whitespace- we've already trimmed, so this means the request has a prefix that shouldn't exist diff --git a/apollo-router/src/plugins/authentication/tests.rs b/apollo-router/src/plugins/authentication/tests.rs index af3cd14590..8c5b7c58c9 100644 --- a/apollo-router/src/plugins/authentication/tests.rs +++ b/apollo-router/src/plugins/authentication/tests.rs @@ -36,13 +36,14 @@ fn create_an_url(filename: &str) -> String { } async fn build_a_default_test_harness() -> router::BoxCloneService { - build_a_test_harness(None, None, false).await + build_a_test_harness(None, None, true, None).await } async fn build_a_test_harness( header_name: Option, header_value_prefix: Option, multiple_jwks: bool, + ignore_other_prefixes: Option ) -> router::BoxCloneService { // create a mock service we will use to test our plugin let mut mock_service = test::MockSupergraphService::new(); @@ -110,6 +111,11 @@ async fn build_a_test_harness( serde_json::Value::String(hp); } + if let Some(ignore_other_prefixes) = ignore_other_prefixes { + config["authentication"]["router"]["jwt"]["ignore_other_prefixes"] = + serde_json::Value::Bool(ignore_other_prefixes); + } + crate::TestHarness::builder() .configuration_json(config) .unwrap() 
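Review bot: When `ignore_other_prefixes` is set, any header value that is shorter than the prefix or does not start with it returns `ControlFlow::Continue(request)` here, so as far as the hunk shows the request carries on with no token validated. That includes a mistyped scheme, which is otherwise rejected through `failure_message`. The added comment should say this explicitly, for example `// The request continues without validated JWT claims; later authorization must require claims rather than rely on this plugin having rejected the request.` The same pass-through is kept in the reshaped branch of PATCH 5/7. `authenticate` starts and ends outside the hunk.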
@@ -424,9 +430,47 @@ async fn it_accepts_when_auth_prefix_has_correct_format_and_valid_jwt() { assert_eq!(expected_mock_response_data, response.data.as_ref().unwrap()); } +#[tokio::test] +async fn it_accepts_when_auth_prefix_does_not_match_config_and_is_ignored() { + let test_harness = build_a_test_harness(None, None, true, Some(true)).await; + // Let's create a request with our operation name + let request_with_appropriate_name = supergraph::Request::canned_builder() + .operation_name("me".to_string()) + .header( + http::header::AUTHORIZATION, + "Basic dXNlcjpwYXNzd29yZA==", + ) + .build() + .unwrap(); + + // ...And call our service stack with it + let mut service_response = test_harness + .oneshot(request_with_appropriate_name.try_into().unwrap()) + .await + .unwrap(); + let response: graphql::Response = serde_json::from_slice( + service_response + .next_response() + .await + .unwrap() + .unwrap() + .to_vec() + .as_slice(), + ) + .unwrap(); + + assert_eq!(response.errors, vec![]); + + assert_eq!(StatusCode::OK, service_response.response.status()); + + let expected_mock_response_data = "response created within the mock"; + // with the expected message + assert_eq!(expected_mock_response_data, response.data.as_ref().unwrap()); +} + #[tokio::test] async fn it_accepts_when_auth_prefix_has_correct_format_multiple_jwks_and_valid_jwt() { - let test_harness = build_a_test_harness(None, None, true).await; + let test_harness = build_a_test_harness(None, None, true, None).await; // Let's create a request with our operation name let request_with_appropriate_name = supergraph::Request::canned_builder() 
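Review bot: The new test covers only the pass-through case (a `Basic` header with the option on), so nothing pins the behaviour that matters for safety: with `ignore_other_prefixes` set to true, a header that does match the configured prefix but carries an invalid token should still be rejected. A companion test using the same harness, sending the configured prefix followed by a malformed token and asserting an error status, would cover that. It would also be worth asserting that the pass-through response was produced without JWT claims in the request context, if the harness exposes them.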
@@ -465,7 +509,7 @@ async fn it_accepts_when_auth_prefix_has_correct_format_multiple_jwks_and_valid_ #[tokio::test] async fn it_accepts_when_auth_prefix_has_correct_format_and_valid_jwt_custom_auth() { - let test_harness = build_a_test_harness(Some("SOMETHING".to_string()), None, false).await; + let test_harness = build_a_test_harness(None, None, true, None).await; // Let's create a request with our operation name let request_with_appropriate_name = supergraph::Request::canned_builder() @@ -504,7 +548,7 @@ async fn it_accepts_when_auth_prefix_has_correct_format_and_valid_jwt_custom_aut #[tokio::test] async fn it_accepts_when_auth_prefix_has_correct_format_and_valid_jwt_custom_prefix() { - let test_harness = build_a_test_harness(None, Some("SOMETHING".to_string()), false).await; + let test_harness = build_a_test_harness(None, None, true, None).await; // Let's create a request with our operation name let request_with_appropriate_name = supergraph::Request::canned_builder() @@ -543,7 +587,7 @@ async fn it_accepts_when_auth_prefix_has_correct_format_and_valid_jwt_custom_pre #[tokio::test] async fn it_accepts_when_no_auth_prefix_and_valid_jwt_custom_prefix() { - let test_harness = build_a_test_harness(None, Some("".to_string()), false).await; + let test_harness = build_a_test_harness(None, None, true, None).await; // Let's create a request with our operation name let request_with_appropriate_name = supergraph::Request::canned_builder() 
@@ -583,13 +627,13 @@ async fn it_accepts_when_no_auth_prefix_and_valid_jwt_custom_prefix() { #[tokio::test] #[should_panic] async fn it_panics_when_auth_prefix_has_correct_format_but_contains_whitespace() { - let _test_harness = build_a_test_harness(None, Some("SOMET HING".to_string()), false).await; + let _test_harness = build_a_test_harness(None, Some("SOMET HING".to_string()), false, None).await; } #[tokio::test] #[should_panic] async fn it_panics_when_auth_prefix_has_correct_format_but_contains_trailing_whitespace() { - let _test_harness = build_a_test_harness(None, Some("SOMETHING ".to_string()), false).await; + let _test_harness = build_a_test_harness(None, None, true, None).await; } async fn build_jwks_search_components() -> JwksManager { diff --git a/docs/source/configuration/authn-jwt.mdx b/docs/source/configuration/authn-jwt.mdx index 626d2be233..a8a2f03b6b 100644 --- a/docs/source/configuration/authn-jwt.mdx +++ b/docs/source/configuration/authn-jwt.mdx @@ -133,6 +133,23 @@ The default value is `Bearer`. + + + +##### `ignore_other_prefixes` + + + + +Whether to ignore other prefixes in the `Authorization` header. If set to `false`, the router will only accept tokens with the prefix specified in `header_value_prefix`. If set to `true`, the router will ignore any requests that don't start with the prefix specified in `header_value_prefix`. + +If a header prefix is set to an empty string, this option is ignored. + +The default value is `false`. + + + + From 91ad740f5bae9ff20d630c13613b82230e25af6d Mon Sep 17 00:00:00 2001 From: Lucas Leadbetter <5595530+lleadbet@users.noreply.github.com> Date: Thu, 22 Feb 2024 13:30:22 -0500 Subject: [PATCH 2/7] formatting --- apollo-router/src/plugins/authentication/mod.rs | 13 ++++++------- .../src/plugins/authentication/tests.rs | 16 +++++++--------- 2 files changed, 13 insertions(+), 16 deletions(-) 
diff --git a/apollo-router/src/plugins/authentication/mod.rs b/apollo-router/src/plugins/authentication/mod.rs index 9985bc9c10..fb218d7515 100644 --- a/apollo-router/src/plugins/authentication/mod.rs +++ b/apollo-router/src/plugins/authentication/mod.rs @@ -129,7 +129,7 @@ struct JWTConf { #[serde(default = "default_header_value_prefix")] header_value_prefix: String, /// Whether to ignore any mismatched prefixes - #[serde(default="default_ignore_other_prefixes")] + #[serde(default = "default_ignore_other_prefixes")] ignore_other_prefixes: bool, } @@ -413,7 +413,6 @@ impl Plugin for AuthenticationPlugin { .as_ref() .map(|algs| algs.iter().cloned().collect()), poll_interval: jwks_conf.poll_interval, - }); } @@ -540,13 +539,13 @@ fn authenticate( // Make sure the format of our message matches our expectations // Technically, the spec is case sensitive, but let's accept - // case variations. Furthermore, if the user has configured to ignore - // mismatched prefixes, we'll skip this check and instead do it in a + // case variations. Furthermore, if the user has configured to ignore + // mismatched prefixes, we'll skip this check and instead do it in a // later step. let prefix_len = config.header_value_prefix.len(); - if !&config.ignore_other_prefixes && - (jwt_value.len() < prefix_len - || !&jwt_value[..prefix_len].eq_ignore_ascii_case(&config.header_value_prefix)) + if !&config.ignore_other_prefixes + && (jwt_value.len() < prefix_len + || !&jwt_value[..prefix_len].eq_ignore_ascii_case(&config.header_value_prefix)) { return failure_message( request.context, diff --git a/apollo-router/src/plugins/authentication/tests.rs b/apollo-router/src/plugins/authentication/tests.rs index 8c5b7c58c9..13142af420 100644 --- a/apollo-router/src/plugins/authentication/tests.rs +++ b/apollo-router/src/plugins/authentication/tests.rs 
@@ -43,7 +43,7 @@ async fn build_a_test_harness( header_name: Option, header_value_prefix: Option, multiple_jwks: bool, - ignore_other_prefixes: Option + ignore_other_prefixes: Option, ) -> router::BoxCloneService { // create a mock service we will use to test our plugin let mut mock_service = test::MockSupergraphService::new(); @@ -435,13 +435,10 @@ async fn it_accepts_when_auth_prefix_does_not_match_config_and_is_ignored() { let test_harness = build_a_test_harness(None, None, true, Some(true)).await; // Let's create a request with our operation name let request_with_appropriate_name = supergraph::Request::canned_builder() - .operation_name("me".to_string()) - .header( - http::header::AUTHORIZATION, - "Basic dXNlcjpwYXNzd29yZA==", - ) - .build() - .unwrap(); + .operation_name("me".to_string()) + .header(http::header::AUTHORIZATION, "Basic dXNlcjpwYXNzd29yZA==") + .build() + .unwrap(); // ...And call our service stack with it let mut service_response = test_harness @@ -627,7 +624,8 @@ async fn it_accepts_when_no_auth_prefix_and_valid_jwt_custom_prefix() { #[tokio::test] #[should_panic] async fn it_panics_when_auth_prefix_has_correct_format_but_contains_whitespace() { - let _test_harness = build_a_test_harness(None, Some("SOMET HING".to_string()), false, None).await; + let _test_harness = + build_a_test_harness(None, Some("SOMET HING".to_string()), false, None).await; } #[tokio::test] From b5d565066c96b4260f502631308e1dacaa47bfbe Mon Sep 17 00:00:00 2001 From: Lucas Leadbetter <5595530+lleadbet@users.noreply.github.com> Date: Thu, 22 Feb 2024 16:37:45 -0500 Subject: [PATCH 3/7] fixing clippy --- apollo-router/src/plugins/authentication/mod.rs | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/apollo-router/src/plugins/authentication/mod.rs b/apollo-router/src/plugins/authentication/mod.rs index fb218d7515..2e2fb7a5ef 100644 --- a/apollo-router/src/plugins/authentication/mod.rs +++ b/apollo-router/src/plugins/authentication/mod.rs 
@@ -556,12 +556,11 @@ fn authenticate( // Here we'll check if the user has configured to ignore mismatched prefixes // and if so, we'll skip any unknown prefixes and not validate the token. - if config.ignore_other_prefixes { - if jwt_value.len() < prefix_len - || !&jwt_value[..prefix_len].eq_ignore_ascii_case(&config.header_value_prefix) - { - return ControlFlow::Continue(request); - } + if config.ignore_other_prefixes + && (jwt_value.len() < prefix_len + || !&jwt_value[..prefix_len].eq_ignore_ascii_case(&config.header_value_prefix)) + { + return ControlFlow::Continue(request); } // If there's no header prefix, we need to avoid splitting the header From 7ff8fdf21786d2200e692fe25ee6a8b44f1e8008 Mon Sep 17 00:00:00 2001 From: Lucas Leadbetter <5595530+lleadbet@users.noreply.github.com> Date: Fri, 23 Feb 2024 09:23:27 -0500 Subject: [PATCH 4/7] Apply suggestions from code review Co-authored-by: Gary Pennington --- .changesets/feat_lleadbet_ignore_other_auth_prefixes.md | 2 +- apollo-router/src/plugins/authentication/mod.rs | 2 +- docs/source/configuration/authn-jwt.mdx | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.changesets/feat_lleadbet_ignore_other_auth_prefixes.md b/.changesets/feat_lleadbet_ignore_other_auth_prefixes.md index f960ffeec8..9e68cdc527 100644 --- a/.changesets/feat_lleadbet_ignore_other_auth_prefixes.md +++ b/.changesets/feat_lleadbet_ignore_other_auth_prefixes.md 
@@ -1,6 +1,6 @@ ### Ability to ignore other auth prefixes in the JWT plugin -You can now ignore whether to ignore other header prefixes with the JWT plugin. As many applications will use the format of `Authorization: `, this will enable the use other schemes within the `Authorization` header. +You can now choose whether to ignore other header prefixes with the JWT plugin. Many applications will use the format of `Authorization: ` and this will enable the use of other schemes within the `Authorization` header. If the header prefix is an empty string, this option will be ignored. diff --git a/apollo-router/src/plugins/authentication/mod.rs b/apollo-router/src/plugins/authentication/mod.rs index 2e2fb7a5ef..17d8e7c95d 100644 --- a/apollo-router/src/plugins/authentication/mod.rs +++ b/apollo-router/src/plugins/authentication/mod.rs @@ -129,7 +129,7 @@ struct JWTConf { #[serde(default = "default_header_value_prefix")] header_value_prefix: String, /// Whether to ignore any mismatched prefixes - #[serde(default = "default_ignore_other_prefixes")] + #[serde(default)] ignore_other_prefixes: bool, } diff --git a/docs/source/configuration/authn-jwt.mdx b/docs/source/configuration/authn-jwt.mdx index a8a2f03b6b..2fc9bacfd6 100644 --- a/docs/source/configuration/authn-jwt.mdx +++ b/docs/source/configuration/authn-jwt.mdx 
@@ -141,7 +141,7 @@ The default value is `Bearer`. -Whether to ignore other prefixes in the `Authorization` header. If set to `false`, the router will only accept tokens with the prefix specified in `header_value_prefix`. If set to `true`, the router will ignore any requests that don't start with the prefix specified in `header_value_prefix`. +Whether to ignore other prefixes in the `Authorization` header. If set to `false`, or unspecified, the router will only accept tokens with the prefix specified in `header_value_prefix`. If set to `true`, the router will ignore any requests that don't start with the prefix specified in `header_value_prefix`. If a header prefix is set to an empty string, this option is ignored. From af4f06345ee788d734ce674754c809d53f1f97e2 Mon Sep 17 00:00:00 2001 From: Lucas Leadbetter <5595530+lleadbet@users.noreply.github.com> Date: Fri, 23 Feb 2024 09:42:28 -0500 Subject: [PATCH 5/7] fixing mistaken test changes + pr feedback --- ...nfiguration__tests__schema_generation.snap | 5 ++++ .../src/plugins/authentication/mod.rs | 21 ++++----------- .../src/plugins/authentication/tests.rs | 27 ++++++++++--------- 3 files changed, 24 insertions(+), 29 deletions(-) diff --git a/apollo-router/src/configuration/snapshots/apollo_router__configuration__tests__schema_generation.snap b/apollo-router/src/configuration/snapshots/apollo_router__configuration__tests__schema_generation.snap index 46e3461afb..6efcfe7ca0 100644 --- a/apollo-router/src/configuration/snapshots/apollo_router__configuration__tests__schema_generation.snap +++ b/apollo-router/src/configuration/snapshots/apollo_router__configuration__tests__schema_generation.snap @@ -246,6 +246,11 @@ expression: "&schema" "default": "Bearer", "type": "string" }, + "ignore_other_prefixes": { + "description": "Whether to ignore any mismatched prefixes", + "default": false, + "type": "boolean" + }, "jwks": { "description": "List of JWKS used to verify tokens", "type": "array", 
diff --git a/apollo-router/src/plugins/authentication/mod.rs b/apollo-router/src/plugins/authentication/mod.rs index 17d8e7c95d..82f0174cd9 100644 --- a/apollo-router/src/plugins/authentication/mod.rs +++ b/apollo-router/src/plugins/authentication/mod.rs @@ -184,10 +184,6 @@ fn default_poll_interval() -> Duration { DEFAULT_AUTHENTICATION_DOWNLOAD_INTERVAL } -fn default_ignore_other_prefixes() -> bool { - false -} - #[derive(Debug, Default)] struct JWTCriteria { alg: Algorithm, @@ -543,10 +539,12 @@ fn authenticate( // mismatched prefixes, we'll skip this check and instead do it in a // later step. let prefix_len = config.header_value_prefix.len(); - if !&config.ignore_other_prefixes - && (jwt_value.len() < prefix_len - || !&jwt_value[..prefix_len].eq_ignore_ascii_case(&config.header_value_prefix)) + if jwt_value.len() < prefix_len + || !&jwt_value[..prefix_len].eq_ignore_ascii_case(&config.header_value_prefix) { + if config.ignore_other_prefixes { + return ControlFlow::Continue(request); + } return failure_message( request.context, AuthenticationError::InvalidPrefix(jwt_value_untrimmed, &config.header_value_prefix), @@ -554,15 +552,6 @@ fn authenticate( ); } - // Here we'll check if the user has configured to ignore mismatched prefixes - // and if so, we'll skip any unknown prefixes and not validate the token. - if config.ignore_other_prefixes - && (jwt_value.len() < prefix_len - || !&jwt_value[..prefix_len].eq_ignore_ascii_case(&config.header_value_prefix)) - { - return ControlFlow::Continue(request); - } - // If there's no header prefix, we need to avoid splitting the header let jwt = if config.header_value_prefix.is_empty() { // check for whitespace- we've already trimmed, so this means the request has a prefix that shouldn't exist diff --git a/apollo-router/src/plugins/authentication/tests.rs b/apollo-router/src/plugins/authentication/tests.rs index 13142af420..b22ef64abf 100644 --- a/apollo-router/src/plugins/authentication/tests.rs 
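Review bot: The context comment above the reshaped check still says `we'll skip this check and instead do it in a later step`, but this patch removes that later step and handles the option inside the mismatch branch, so the comment now describes code that no longer exists. It could read `// case variations. If ignore_other_prefixes is set, a value with a different prefix is passed through unvalidated instead of being rejected.` Because this branch decides whether a request continues unauthenticated, the comment should match the code exactly. `authenticate` starts and ends outside the hunk.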
+++ b/apollo-router/src/plugins/authentication/tests.rs @@ -36,14 +36,14 @@ fn create_an_url(filename: &str) -> String { } async fn build_a_default_test_harness() -> router::BoxCloneService { - build_a_test_harness(None, None, true, None).await + build_a_test_harness(None, None, false, false).await } async fn build_a_test_harness( header_name: Option, header_value_prefix: Option, multiple_jwks: bool, - ignore_other_prefixes: Option, + ignore_other_prefixes: bool, ) -> router::BoxCloneService { // create a mock service we will use to test our plugin let mut mock_service = test::MockSupergraphService::new(); @@ -111,10 +111,8 @@ async fn build_a_test_harness( serde_json::Value::String(hp); } - if let Some(ignore_other_prefixes) = ignore_other_prefixes { - config["authentication"]["router"]["jwt"]["ignore_other_prefixes"] = - serde_json::Value::Bool(ignore_other_prefixes); - } + config["authentication"]["router"]["jwt"]["ignore_other_prefixes"] = + serde_json::Value::Bool(ignore_other_prefixes); crate::TestHarness::builder() .configuration_json(config) @@ -432,7 +430,7 @@ async fn it_accepts_when_auth_prefix_has_correct_format_and_valid_jwt() { #[tokio::test] async fn it_accepts_when_auth_prefix_does_not_match_config_and_is_ignored() { - let test_harness = build_a_test_harness(None, None, true, Some(true)).await; + let test_harness = build_a_test_harness(None, None, false, true).await; // Let's create a request with our operation name let request_with_appropriate_name = supergraph::Request::canned_builder() .operation_name("me".to_string()) 
@@ -467,7 +465,7 @@ async fn it_accepts_when_auth_prefix_does_not_match_config_and_is_ignored() { #[tokio::test] async fn it_accepts_when_auth_prefix_has_correct_format_multiple_jwks_and_valid_jwt() { - let test_harness = build_a_test_harness(None, None, true, None).await; + let test_harness = build_a_test_harness(None, None, true, false).await; // Let's create a request with our operation name let request_with_appropriate_name = supergraph::Request::canned_builder() @@ -506,7 +504,8 @@ async fn it_accepts_when_auth_prefix_has_correct_format_multiple_jwks_and_valid_ #[tokio::test] async fn it_accepts_when_auth_prefix_has_correct_format_and_valid_jwt_custom_auth() { - let test_harness = build_a_test_harness(None, None, true, None).await; + let test_harness = + build_a_test_harness(Some("SOMETHING".to_string()), None, false, false).await; // Let's create a request with our operation name let request_with_appropriate_name = supergraph::Request::canned_builder() @@ -545,7 +544,8 @@ async fn it_accepts_when_auth_prefix_has_correct_format_and_valid_jwt_custom_aut #[tokio::test] async fn it_accepts_when_auth_prefix_has_correct_format_and_valid_jwt_custom_prefix() { - let test_harness = build_a_test_harness(None, None, true, None).await; + let test_harness = + build_a_test_harness(None, Some("SOMETHING".to_string()), false, false).await; // Let's create a request with our operation name let request_with_appropriate_name = supergraph::Request::canned_builder() @@ -584,7 +584,7 @@ async fn it_accepts_when_auth_prefix_has_correct_format_and_valid_jwt_custom_pre #[tokio::test] async fn it_accepts_when_no_auth_prefix_and_valid_jwt_custom_prefix() { - let test_harness = build_a_test_harness(None, None, true, None).await; + let test_harness = build_a_test_harness(None, Some("".to_string()), false, false).await; // Let's create a request with our operation name let request_with_appropriate_name = supergraph::Request::canned_builder() 
@@ -625,13 +625,14 @@ async fn it_accepts_when_no_auth_prefix_and_valid_jwt_custom_prefix() { #[should_panic] async fn it_panics_when_auth_prefix_has_correct_format_but_contains_whitespace() { let _test_harness = - build_a_test_harness(None, Some("SOMET HING".to_string()), false, None).await; + build_a_test_harness(None, Some("SOMET HING".to_string()), false, false).await; } #[tokio::test] #[should_panic] async fn it_panics_when_auth_prefix_has_correct_format_but_contains_trailing_whitespace() { - let _test_harness = build_a_test_harness(None, None, true, None).await; + let _test_harness = + build_a_test_harness(None, Some("SOMETHING ".to_string()), false, false).await; } async fn build_jwks_search_components() -> JwksManager { From c0dde975fa74ad4eb68f0f1797b2cbcc9fa3d3ce Mon Sep 17 00:00:00 2001 From: Geoffroy Couprie Date: Thu, 14 Mar 2024 15:23:23 +0100 Subject: [PATCH 6/7] lint --- apollo-router/src/plugins/authentication/mod.rs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/apollo-router/src/plugins/authentication/mod.rs b/apollo-router/src/plugins/authentication/mod.rs index f123e8263c..2d45f1dc63 100644 --- a/apollo-router/src/plugins/authentication/mod.rs +++ b/apollo-router/src/plugins/authentication/mod.rs @@ -573,7 +573,11 @@ fn authenticate( let mut jwt = None; for source in &config.sources { - match extract_jwt(source, config.ignore_other_prefixes, request.router_request.headers()) { + match extract_jwt( + source, + config.ignore_other_prefixes, + request.router_request.headers() + ) { None => continue, Some(Err(error)) => { return failure_message(request.context, error, StatusCode::BAD_REQUEST) From 2baaf204c4c97dd702edf98c5cb6a7b2a9484205 Mon Sep 17 00:00:00 2001 From: Lucas Leadbetter <5595530+lleadbet@users.noreply.github.com> Date: Mon, 25 Mar 2024 09:12:17 -0400 Subject: [PATCH 7/7] cargo fmt --- apollo-router/src/plugins/authentication/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/apollo-router/src/plugins/authentication/mod.rs b/apollo-router/src/plugins/authentication/mod.rs
index 2d45f1dc63..19097212e2 100644
--- a/apollo-router/src/plugins/authentication/mod.rs
+++ b/apollo-router/src/plugins/authentication/mod.rs
@@ -576,7 +576,7 @@ fn authenticate(
 match extract_jwt(
 source,
 config.ignore_other_prefixes,
- request.router_request.headers()
+ request.router_request.headers(),
 ) {
 None => continue,
 Some(Err(error)) => {