From 00d070b0f24396de0f32057f58e1c04b5f023199 Mon Sep 17 00:00:00 2001
From: Dorong <126848879+SeokHoChoi@users.noreply.github.com>
Date: Sun, 27 Oct 2024 04:30:11 +0900
Subject: [PATCH] fix: add cookie support for HTTP bearer authentication (#949)

* fix: add cookie support for HTTP bearer authentication

- Updated validateHttp() to handle bearer tokens in both authorization header and cookies.
- Adapted logic to ensure flexibility for projects using HTTP-only cookies instead of headers for authentication.

* fix: Refine HTTP authentication validation based on code review feedback

- Maintain existing error for missing Authorization header
- Add specific error for cookie authentication when specified in security scheme
- Consider both Authorization header and cookie for bearer token validation

* fix: Revert unintended code style changes made during previous commit

* fix: Revert unintended code style changes made during previous commit

* fix: fix: update validateHttp to handle missing auth headers properly

- Restructure Basic auth validation to check header existence first
- Maintain original error messages for non-cookie authentication
- Add proper cookie authentication check when specified
- Fix undefined.includes() error in Basic auth validation
---
 src/middlewares/openapi.security.ts | 39 +++++++++++++++++++----------
 1 file changed, 26 insertions(+), 13 deletions(-)

diff --git a/src/middlewares/openapi.security.ts b/src/middlewares/openapi.security.ts
index 8f43af14..9abb5412 100644
--- a/src/middlewares/openapi.security.ts
+++ b/src/middlewares/openapi.security.ts
@@ -86,8 +86,8 @@ export function security(
 if (success) {
 next();
 } else {
- const errors = extractErrorsFromResults(results)
- throw errors[0]
+ const errors = extractErrorsFromResults(results);
+ throw errors[0];
 }
 } catch (e) {
 const message = e?.error?.message || 'unauthorized';
@@ -232,18 +232,31 @@ class AuthValidator {
 const authHeader =
 req.headers['authorization'] &&
 req.headers['authorization'].toLowerCase();
-
- if (!authHeader) {
- throw Error(`Authorization header required`);
- }
-
+ const authCookie =
+ req.cookies[scheme.name] || req.signedCookies?.[scheme.name];
+
 const type = scheme.scheme && scheme.scheme.toLowerCase();
- if (type === 'bearer' && !authHeader.includes('bearer')) {
- throw Error(`Authorization header with scheme 'Bearer' required`);
+ if (type === 'bearer') {
+ if (authHeader && !authHeader.includes('bearer')) {
+ throw Error(`Authorization header with scheme 'Bearer' required`);
+ }
+
+ if (!authHeader && !authCookie) {
+ if (scheme.in === 'cookie') {
+ throw Error(`Cookie authentication required`);
+ } else {
+ throw Error(`Authorization header required`);
+ }
+ }
 }
-
+
+ if (type === 'basic') {
+ if (!authHeader) {
+ throw Error(`Authorization header required`);
+ }
+ if (!authHeader.includes('basic')) {
+ throw Error(`Authorization header with scheme 'Basic' required`);
+ }
 }
 }
 }
@@ -276,4 +289,4 @@ class Util {
 o.constructor === Object
 );
 }
-}
+}
\ No newline at end of file
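Review bot: The unconditional `Authorization header required` check removed at the top of the hunk is only reinstated inside the `bearer` and `basic` branches, so an `http` scheme whose `scheme` is anything else, or unset, now passes validateHttp with no Authorization header at all, where it previously failed closed. Two further points on the new `authCookie` lines: `req.cookies[scheme.name]` is not optional-chained the way `req.signedCookies?.[scheme.name]` is, so it throws a TypeError whenever no cookie-parsing middleware has populated `req.cookies` (the same class of failure the commit message says it fixed for Basic), and the cookie fallback is consulted for every bearer scheme even though `name` and `in` are `apiKey` fields in the OpenAPI spec and will normally be unset on an `http` scheme, so the lookup resolves a cookie literally named "undefined". I would read cookies only when the scheme declares `in: cookie` with a `name`, and restore the default header-required check for the remaining scheme types, as below. validateHttp starts before this hunk, so the `scheme`/`req` parameters are not visible here.

```typescript
      // Only fall back to a cookie when the scheme explicitly declares cookie transport.
      const authCookie =
        scheme.in === 'cookie' && scheme.name
          ? req.cookies?.[scheme.name] || req.signedCookies?.[scheme.name]
          : undefined;

      const type = scheme.scheme && scheme.scheme.toLowerCase();
      // … unchanged: bearer and basic branches …
      // Every other http scheme keeps the pre-existing fail-closed behaviour.
      if (type !== 'bearer' && type !== 'basic' && !authHeader) {
        throw Error(`Authorization header required`);
      }
```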