-
Notifications
You must be signed in to change notification settings - Fork 761
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Parse OAS3 HTTP-Auth schemes case-insensitively #1531
Conversation
According to the authors of the OAI spec [1] schemes are case-insensitive. Even if they were not, the current checks against lowercase versions of scheme names do not match the IANA registry's canonical versions [2] which are "Basic" and "Bearer". [1] OAI/OpenAPI-Specification#1880 (comment) [2] https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml#table-authschemes
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for your contribution and pointing out this issue! In order for this PR to be merge we need a tests case that will guarantee the case-insensitivity of the scheme
. Would you be able to provide one?
@@ -147,14 +147,15 @@ export function applySecurities({request, securities = {}, operation = {}, spec} | |||
} | |||
} | |||
else if (type === 'http') { | |||
if (schema.scheme === 'basic') { | |||
const scheme = schema.scheme && schema.scheme.toLowerCase() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should be able to use lodash toLower which returns and empty string of when provided a non-string argument.
import 'toLower' from 'lodash/toLower';
const scheme = schema.scheme && schema.scheme.toLowerCase() | |
const scheme = toLower(schema.scheme) |
As per RFC7235 auth scheme is case insensitive. 2.1. Challenge and Response HTTP provides a simple challenge-response authentication framework that can be used by a server to challenge a client request and by a client to provide authentication information. It uses a case- insensitive token as a means to identify the authentication scheme, followed by additional information necessary for achieving. https://tools.ietf.org/html/rfc7235#section-2.1 Refs #1531, #1473 Refs OAI/OpenAPI-Specification#1876 Refs swagger-api/swagger-ui#5965
Closing in favor of #1562 |
As per RFC7235 auth scheme is case insensitive. 2.1. Challenge and Response HTTP provides a simple challenge-response authentication framework that can be used by a server to challenge a client request and by a client to provide authentication information. It uses a case- insensitive token as a means to identify the authentication scheme, followed by additional information necessary for achieving. https://tools.ietf.org/html/rfc7235#section-2.1 Refs #1531, #1473 Refs OAI/OpenAPI-Specification#1876 Refs swagger-api/swagger-ui#5965
As per RFC7235 auth scheme is case insensitive. 2.1. Challenge and Response HTTP provides a simple challenge-response authentication framework that can be used by a server to challenge a client request and by a client to provide authentication information. It uses a case- insensitive token as a means to identify the authentication scheme, followed by additional information necessary for achieving. https://tools.ietf.org/html/rfc7235#section-2.1 Co-authored-by: Helen Kosova <hkosova@users.noreply.github.com> Refs #1531, #1473 Refs OAI/OpenAPI-Specification#1876 Refs swagger-api/swagger-ui#5965
According to the authors of the OAI spec (OAI/OpenAPI-Specification#1880 (comment)), schemes are case-insensitive. Even if they were not, the current checks against lowercase versions of scheme names do not match the IANA registry's canonical versions (https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml#table-authschemes), which are "Basic" and "Bearer".
Description
Motivation and Context
If users are overly-adhering to the spec, they may copy-paste HTTP auth scheme names directly from the IANA registry. If they do, the request builder will omit the necessary headers, because it performs a case-sensitive comparison of the scheme name to a lower-case version.
How Has This Been Tested?
I have not yet tested this change.
Types of changes
package.json
)Checklist: