
Commit 8719d83

author
Francesco Stefanni
committed
Bearer regular expression matching in authenticate handler
1 parent 52ee11d commit 8719d83


2 files changed

+29
-1
lines changed


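--- a/lib/handlers/authenticate-handler.js
+++ b/lib/handlers/authenticate-handler.js
@@ -140,7 +140,7 @@ AuthenticateHandler.prototype.getTokenFromRequest = function(request) {
 
 AuthenticateHandler.prototype.getTokenFromRequestHeader = function(request) {
 const token = request.get('Authorization');
-const matches = token.match(/Bearer\s(\S+)/);
+const matches = token.match(/^Bearer\s(\S+)/);
 
 if (!matches) {
 throw new InvalidRequestError('Invalid request: malformed authorization header');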
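Review bot: The pattern on the added line is anchored only at the start, so a header such as `Bearer abc def` still matches and yields `abc` as the token while the trailing material is silently ignored; anchoring the end as well, `const matches = token.match(/^Bearer\s(\S+)$/);`, makes the handler reject anything that is not exactly one scheme and one token, which is the stricter shape a credential parser should enforce. The `\s` class also admits tabs and newlines between the scheme and the token, whereas a single space is what the header grammar uses; `/^Bearer (\S+)$/` would be the literal form if that is intended. Nothing in the hunk guards against `request.get('Authorization')` returning undefined before `.match` is called; if the caller in getTokenFromRequest does not already check header presence, a missing header would surface as a TypeError rather than an InvalidRequestError. The body of getTokenFromRequestHeader continues outside the hunk.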

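--- a/test/unit/handlers/authenticate-handler_test.js
+++ b/test/unit/handlers/authenticate-handler_test.js
@@ -5,6 +5,7 @@
 */
 
 const AuthenticateHandler = require('../../../lib/handlers/authenticate-handler');
+const InvalidRequestError = require('../../../lib/errors/invalid-request-error');
 const Request = require('../../../lib/request');
 const sinon = require('sinon');
 const should = require('chai').should();
@@ -16,6 +17,33 @@ const ServerError = require('../../../lib/errors/server-error');
 
 describe('AuthenticateHandler', function() {
 describe('getTokenFromRequest()', function() {
+describe('with bearer token in the request authorization header', function() {
+it('should throw an error if the token is malformed', () => {
+const handler = new AuthenticateHandler({
+model: { getAccessToken() {} },
+});
+const request = new Request({
+body: {},
+headers: {
+Authorization: 'foo Bearer bar',
+},
+method: 'ANY',
+query: {},
+});
+
+try {
+handler.getTokenFromRequestHeader(request);
+
+should.fail('should.fail', '');
+} catch (e) {
+e.should.be.an.instanceOf(InvalidRequestError);
+e.message.should.equal(
+'Invalid request: malformed authorization header',
+);
+}
+});
+});
+
 describe('with bearer token in the request authorization header', function() {
 it('should call `getTokenFromRequestHeader()`', function() {
 const handler = new AuthenticateHandler({ model: { getAccessToken: function() {} } });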
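Review bot: The new describe block at the top of the second hunk reuses the exact title of the existing block that follows it, 'with bearer token in the request authorization header', so the two cases are indistinguishable in reporter output; a distinct title such as `describe('with a malformed bearer token in the request authorization header', function() {` keeps the report readable. The new test covers only one malformed shape (text before the scheme); a second case with trailing content after the token, `Authorization: 'Bearer foo bar'`, would pin down whether the handler is meant to accept or reject it, since the implementation regex is anchored only at the start and currently accepts it. The enclosing describe('AuthenticateHandler') block continues outside the hunk.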
