fix: add cookie support for HTTP bearer authentication (#949)

* fix: add cookie support for HTTP bearer authentication - Updated validateHttp() to handle bearer tokens in both authorization header and cookies. - Adapted logic to ensure flexibility for projects using HTTP-only cookies instead of headers for authentication. * fix: Refine HTTP authentication validation based on code review feedback - Maintain existing error for missing Authorization header - Add specific error for cookie authentication when specified in security scheme - Consider both Authorization header and cookie for bearer token validation * fix: Revert unintended code style changes made during previous commit * fix: Revert unintended code style changes made during previous commit * fix: fix: update validateHttp to handle missing auth headers properly - Restructure Basic auth validation to check header existence first - Maintain original error messages for non-cookie authentication - Add proper cookie authentication check when specified - Fix undefined.includes() error in Basic auth validation
cdimascio · Oct 26, 2024 · 00d070b · 00d070b
1 parent 5e21e3f
commit 00d070b
Showing 1 changed file with 26 additions and 13 deletions.
diff --git a/src/middlewares/openapi.security.ts b/src/middlewares/openapi.security.ts
@@ -86,8 +86,8 @@ export function security(
       if (success) {
         next();
       } else {
-        const errors = extractErrorsFromResults(results)
-        throw errors[0]
+        const errors = extractErrorsFromResults(results);
+        throw errors[0];
       }
     } catch (e) {
       const message = e?.error?.message || 'unauthorized';
@@ -232,18 +232,31 @@ class AuthValidator {
       const authHeader =
         req.headers['authorization'] &&
         req.headers['authorization'].toLowerCase();
-
-      if (!authHeader) {
-        throw Error(`Authorization header required`);
-      }
-
+      const authCookie =
+        req.cookies[scheme.name] || req.signedCookies?.[scheme.name];
+
       const type = scheme.scheme && scheme.scheme.toLowerCase();
-      if (type === 'bearer' && !authHeader.includes('bearer')) {
-        throw Error(`Authorization header with scheme 'Bearer' required`);
+      if (type === 'bearer') {
+        if (authHeader && !authHeader.includes('bearer')) {
+          throw Error(`Authorization header with scheme 'Bearer' required`);
+        }
+
+        if (!authHeader && !authCookie) {
+          if (scheme.in === 'cookie') {
+            throw Error(`Cookie authentication required`);
+          } else {
+            throw Error(`Authorization header required`);
+          }
+        }
       }
-
-      if (type === 'basic' && !authHeader.includes('basic')) {
-        throw Error(`Authorization header with scheme 'Basic' required`);
+
+      if (type === 'basic') {
+        if (!authHeader) {
+          throw Error(`Authorization header required`);
+        }
+        if (!authHeader.includes('basic')) {
+          throw Error(`Authorization header with scheme 'Basic' required`);
+        }
       }
     }
   }
@@ -276,4 +289,4 @@ class Util {
       o.constructor === Object
     );
   }
-}
+}