fastify / fastify-bearer-auth

A Fastify plugin to require bearer Authorization headers

Authorization scheme not validated #164

Closed mootari closed 9 months ago

mootari commented 10 months ago

Prerequisites

Fastify version

4.24.3

Plugin version

9.1.0

Node.js version

18.13.0

Operating system

macOS

Operating system version (i.e. 20.04, 11.3, 10)

13.6.1

Description

The plugin does not verify that the authentication scheme passed in the authorization header matches the value of bearerType. Additionally, the string length comparison allows for the scheme to be one character shorter.

Steps to Reproduce

Create server.mjs:

import Fastify from "fastify";
import auth from "@fastify/bearer-auth";

const fastify = Fastify();
// Register the plugin with the default bearerType ("Bearer") and a single accepted key.
await fastify.register(auth, { keys: ["abc"] });
fastify.get("/", () => "ok");

await fastify.listen({ port: 3000 });

Run:

node server.mjs &
curl "http://localhost:3000" -H 'authorization: AAAAA abc'

Expected Behavior

The server should respond with 401 Unauthorized if the authorization scheme does not match bearerType.

mcollina commented 10 months ago

Thanks for reporting! Would you like to send a Pull Request to address this issue? Remember to add unit tests.

mootari commented 10 months ago

I'm afraid not. In practice this is not an issue for me and doesn't warrant spending more of my time on it. I just wanted to make sure it gets logged. 🙏