mirror of
https://github.com/labstack/echo.git
synced 2024-12-26 20:54:00 +02:00
Ignore case of auth scheme in request header
Some clients send an authorization header containing the "bearer" keyword in lower case. This led to echo responding with "missing or malformed jwt". Request.BasicAuth (net/http) ignores the basic auth scheme's case since a while: https://go-review.googlesource.com/c/go/+/111516/
This commit is contained in:
parent
fcda0e8840
commit
499097e061
@ -295,7 +295,7 @@ func jwtFromHeader(header string, authScheme string) jwtExtractor {
|
|||||||
return func(c echo.Context) (string, error) {
|
return func(c echo.Context) (string, error) {
|
||||||
auth := c.Request().Header.Get(header)
|
auth := c.Request().Header.Get(header)
|
||||||
l := len(authScheme)
|
l := len(authScheme)
|
||||||
if len(auth) > l+1 && auth[:l] == authScheme {
|
if len(auth) > l+1 && strings.EqualFold(auth[:l], authScheme) {
|
||||||
return auth[l+1:], nil
|
return auth[l+1:], nil
|
||||||
}
|
}
|
||||||
return "", ErrJWTMissing
|
return "", ErrJWTMissing
|
||||||
|
@ -261,6 +261,11 @@ func TestJWT(t *testing.T) {
|
|||||||
expErrCode: http.StatusUnauthorized,
|
expErrCode: http.StatusUnauthorized,
|
||||||
info: "Token verification does not pass using a user-defined KeyFunc",
|
info: "Token verification does not pass using a user-defined KeyFunc",
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
hdrAuth: strings.ToLower(DefaultJWTConfig.AuthScheme) + " " + token,
|
||||||
|
config: JWTConfig{SigningKey: validKey},
|
||||||
|
info: "Valid JWT with lower case AuthScheme",
|
||||||
|
},
|
||||||
} {
|
} {
|
||||||
if tc.reqURL == "" {
|
if tc.reqURL == "" {
|
||||||
tc.reqURL = "/"
|
tc.reqURL = "/"
|
||||||
|
Loading…
Reference in New Issue
Block a user