fix(express): reading of case sensitive headers (#2675)

commercetools · Jul 1, 2022 · cb60852 · cb60852 · github-actions · Jul 1, 2022
1 parent 21b8cc2
commit cb60852
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 12 deletions.
diff --git a/.changeset/eight-horses-carry.md b/.changeset/eight-horses-carry.md
@@ -0,0 +1,5 @@
+---
+'@commercetools-backend/express': patch
+---
+
+Fix reading and validating case sensitive `X-MC-API-*` headers
diff --git a/packages-backend/express/src/auth.ts b/packages-backend/express/src/auth.ts
@@ -14,7 +14,7 @@ import {
   MC_API_URLS,
   MC_API_PROXY_HEADERS,
 } from './constants';
-import { getFirstOrThrow } from './utils';
+import { getFirstHeaderValueOrThrow } from './utils';
 
 type TDecodedJWT = {
   sub: string;
@@ -142,8 +142,9 @@ function createSessionAuthVerifier<Request extends TBaseRequest>(
   // Returns an async HTTP handler.
   return async (request: Request, response?: unknown) => {
     // Get the cloud identifier header, forwarded by the `/proxy/forward-to` endpoint.
-    const cloudIdentifierHeader = getFirstOrThrow(
-      request.headers[MC_API_PROXY_HEADERS.CLOUD_IDENTIFIER],
+    const cloudIdentifierHeader = getFirstHeaderValueOrThrow(
+      request.headers,
+      MC_API_PROXY_HEADERS.CLOUD_IDENTIFIER,
       `Missing "X-MC-API-Cloud-Identifier" header.`
     );
 
@@ -155,8 +156,9 @@ function createSessionAuthVerifier<Request extends TBaseRequest>(
 
     // Get the `Accept-version` header, forwarded by the `/proxy/forward-to` endpoint.
     // The version should be sent by the client making the request, to use the features of v2.
-    const proxyForwardVersion = getFirstOrThrow(
-      request.headers[MC_API_PROXY_HEADERS.FORWARD_TO_VERSION],
+    const proxyForwardVersion = getFirstHeaderValueOrThrow(
+      request.headers,
+      MC_API_PROXY_HEADERS.FORWARD_TO_VERSION,
       `Missing "X-MC-API-Forward-To-Version" header.`
     );
     if (proxyForwardVersion === 'v1') {

diff --git a/packages-backend/express/src/middlewares/session-middleware.spec.ts b/packages-backend/express/src/middlewares/session-middleware.spec.ts
@@ -73,7 +73,13 @@ describe.each`
             issuer,
             audience: 'http://test-server/foo/bar',
           })}`,
-          'x-mc-api-cloud-identifier': cloudIdentifier,
+          // The following headers are validated as they are expected to be present
+          // in the incoming request.
+          // To ensure we can correctly read the header values no matter if the
+          // header key is lowercase or not, we test both headers variations:
+          // * one with upper/camel case key
+          // * one with lowercase key
+          'X-MC-API-Cloud-Identifier': cloudIdentifier,
           'x-mc-api-forward-to-version': 'v2',
         },
         originalUrl: '/foo/bar',

diff --git a/packages-backend/express/src/utils.ts b/packages-backend/express/src/utils.ts
@@ -1,11 +1,27 @@
-const getFirstOrThrow = (
-  value: string | string[] | undefined,
+const getHeaderByCaseInsensitiveKey = (
+  headers: Record<string, string | string[] | undefined>,
+  headerKey: string
+): string | undefined => {
+  const matchingHeader = Object.entries(headers).find(
+    ([key]) => headerKey.toLowerCase() === key.toLowerCase()
+  );
+  if (matchingHeader && matchingHeader.length > 0) {
+    const [, headerValue] = matchingHeader;
+    return Array.isArray(headerValue) ? headerValue[0] : headerValue;
+  }
+  return undefined;
+};
+
+const getFirstHeaderValueOrThrow = (
+  headers: Record<string, string | string[] | undefined>,
+  headerKey: string,
   errorMessage: string
-) => {
-  if (!value) {
+): string => {
+  const headerValue = getHeaderByCaseInsensitiveKey(headers, headerKey);
+  if (!headerValue) {
     throw new Error(errorMessage);
   }
-  return Array.isArray(value) ? value[0] : value;
+  return headerValue;
 };
 
-export { getFirstOrThrow };
+export { getHeaderByCaseInsensitiveKey, getFirstHeaderValueOrThrow };