go/echo
go/echo
1
0
Fork 0
mirror of https://github.com/labstack/echo.git synced 2024-12-24 20:14:31 +02:00
Code Issues Releases Activity

Ignore case of auth scheme in request header

Browse Source 
Some clients send an authorization header containing the "bearer"
keyword in lower case. This led to echo responding with "missing or
malformed jwt".

Request.BasicAuth (net/http) ignores the basic auth scheme's case since
a while: https://go-review.googlesource.com/c/go/+/111516/
This commit is contained in:
Philipp Thun 2021-08-09 17:21:13 +02:00 committed by Martti T
parent fcda0e8840
commit 499097e061
2 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
middleware/jwt.go
View File

@ -295,7 +295,7 @@ func jwtFromHeader(header string, authScheme string) jwtExtractor {
return func(c echo.Context) (string, error) { return func(c echo.Context) (string, error) {
auth := c.Request().Header.Get(header) auth := c.Request().Header.Get(header)
l := len(authScheme) l := len(authScheme)
if len(auth) > l+1 && auth[:l] == authScheme { if len(auth) > l+1 && strings.EqualFold(auth[:l], authScheme) {
return auth[l+1:], nil return auth[l+1:], nil
} }
return "", ErrJWTMissing return "", ErrJWTMissing

5
middleware/jwt_test.go
View File

@ -261,6 +261,11 @@ func TestJWT(t *testing.T) {
expErrCode: http.StatusUnauthorized, expErrCode: http.StatusUnauthorized,
info: "Token verification does not pass using a user-defined KeyFunc", info: "Token verification does not pass using a user-defined KeyFunc",
}, },
{
hdrAuth: strings.ToLower(DefaultJWTConfig.AuthScheme) + " " + token,
config: JWTConfig{SigningKey: validKey},
info: "Valid JWT with lower case AuthScheme",
},
} { } {
if tc.reqURL == "" { if tc.reqURL == "" {
tc.reqURL = "/" tc.reqURL = "/"