Allow empty bearer-auth middleware prefixes

honojs · Jul 19, 2024 · 8be3763 · 8be3763
1 parent f23a416
commit 8be3763
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 7 deletions.
diff --git a/src/middleware/bearer-auth/index.test.ts b/src/middleware/bearer-auth/index.test.ts
@@ -29,6 +29,12 @@ describe('Bearer Auth by Middleware', () => {
       return c.text('auth bot')
     })
 
+    app.use('/apiKey/*', bearerAuth({ token, prefix: '', headerName: 'X-Api-Key' }))
+    app.get('/apiKey/*', (c) => {
+      handlerExecuted = true
+      return c.text('auth apiKey')
+    })
+
     app.use('/nested/*', async (c, next) => {
       const auth = bearerAuth({ token })
       return auth(c, next)
@@ -126,6 +132,26 @@ describe('Bearer Auth by Middleware', () => {
     expect(await res.text()).toBe('Bad Request')
   })
 
+  it('Should authorize', async () => {
+    const req = new Request('http://localhost/apiKey/a')
+    req.headers.set('X-Api-Key', 'abcdefg12345-._~+/=')
+    const res = await app.request(req)
+    expect(res).not.toBeNull()
+    expect(res.status).toBe(200)
+    expect(handlerExecuted).toBeTruthy()
+    expect(await res.text()).toBe('auth apiKey')
+  })
+
+  it('Should not authorize - invalid request', async () => {
+    const req = new Request('http://localhost/apiKey/a')
+    req.headers.set('Authorization', 'Bearer abcdefg12345-._~+/=')
+    const res = await app.request(req)
+    expect(res).not.toBeNull()
+    expect(handlerExecuted).toBeFalsy()
+    expect(res.status).toBe(401)
+    expect(await res.text()).toBe('Unauthorized')
+  })
+
   it('Should authorize - nested', async () => {
     const req = new Request('http://localhost/nested/a')
     req.headers.set('Authorization', 'Bearer abcdefg12345-._~+/=')

diff --git a/src/middleware/bearer-auth/index.ts b/src/middleware/bearer-auth/index.ts
@@ -37,7 +37,7 @@ type BearerAuthOptions =
  * @param {string | string[]} [options.token] - The string or array of strings to validate the incoming bearer token against.
  * @param {Function} [options.verifyToken] - The function to verify the token.
  * @param {string} [options.realm=""] - The domain name of the realm, as part of the returned WWW-Authenticate challenge header.
- * @param {string} [options.prefix="Bearer"] - The prefix (or known as `schema`) for the Authorization header value.
+ * @param {string} [options.prefix="Bearer"] - The prefix (or known as `schema`) for the Authorization header value. If set to the empty string, no prefix is expected.
  * @param {string} [options.headerName=Authorization] - The header name.
  * @param {Function} [options.hashFunction] - A function to handle hashing for safe comparison of authentication tokens.
  * @returns {MiddlewareHandler} The middleware handler function.
@@ -64,33 +64,34 @@ export const bearerAuth = (options: BearerAuthOptions): MiddlewareHandler => {
   if (!options.realm) {
     options.realm = ''
   }
-  if (!options.prefix) {
+  if (options.prefix === undefined) {
     options.prefix = PREFIX
   }
 
   const realm = options.realm?.replace(/"/g, '\\"')
+  const prefixRegexStr = options.prefix === '' ? '' : `${options.prefix} +`
+  const regexp = new RegExp(`^${prefixRegexStr}(${TOKEN_STRINGS}) *$`)
+  const wwwAuthenticatePrefix = options.prefix === '' ? '' : `${options.prefix} `
 
   return async function bearerAuth(c, next) {
     const headerToken = c.req.header(options.headerName || HEADER)
-
     if (!headerToken) {
       // No Authorization header
       const res = new Response('Unauthorized', {
         status: 401,
         headers: {
-          'WWW-Authenticate': `${options.prefix} realm="` + realm + '"',
+          'WWW-Authenticate': `${wwwAuthenticatePrefix}realm="` + realm + '"',
         },
       })
       throw new HTTPException(401, { res })
     } else {
-      const regexp = new RegExp('^' + options.prefix + ' +(' + TOKEN_STRINGS + ') *$')
       const match = regexp.exec(headerToken)
       if (!match) {
         // Invalid Request
         const res = new Response('Bad Request', {
           status: 400,
           headers: {
-            'WWW-Authenticate': `${options.prefix} error="invalid_request"`,
+            'WWW-Authenticate': `${wwwAuthenticatePrefix}error="invalid_request"`,
           },
         })
         throw new HTTPException(400, { res })
@@ -113,7 +114,7 @@ export const bearerAuth = (options: BearerAuthOptions): MiddlewareHandler => {
           const res = new Response('Unauthorized', {
             status: 401,
             headers: {
-              'WWW-Authenticate': `${options.prefix} error="invalid_token"`,
+              'WWW-Authenticate': `${wwwAuthenticatePrefix}error="invalid_token"`,
             },
           })
           throw new HTTPException(401, { res })