feathersjs-ecosystem / authentication-jwt

[MOVED] JWT authentication strategy for feathers-authentication using Passport
https://github.com/feathersjs/feathers
MIT License

Purpose of lower casing header option #52

Closed jumika closed 6 years ago

jumika commented 6 years ago

I'm wondering what is the purpose of toLowerCase in the code below:

let strategyOptions = merge({
  secretOrKey: jwtSettings.secret,
  jwtFromRequest: ExtractJwt.fromExtractors([
    ExtractJwt.fromAuthHeaderWithScheme('jwt'),
    ExtractJwt.fromAuthHeaderAsBearerToken(),
    ExtractJwt.fromHeader(jwtSettings.header.toLowerCase()),
    ExtractJwt.fromBodyField(jwtSettings.bodyKey)
  ])
}, jwtSettings.jwt, omit(jwtSettings, ['jwt', 'header', 'secret']));

daffl commented 6 years ago

Casing generally shouldn't matter for HTTP headers but you still need a format to check against, the preferred one usually being all lowercase since it's easy to convert. Not sure if ExtractJwt.fromHeader already takes care of it but we figured it doesn't really hurt to do it anyway.

jumika commented 6 years ago

Thanks for the answer. I'm trying to simulate a client request on the server API for server-side rendering. What I'm doing is reading the jwt from a cookie, then setting it as param.headers.Authorization for every service call. That's how I got fooled by the lower casing. I don't get how this header gets lower cased when using the REST API for example, as the default setting for the jwt header is "Authorization". I'm trying to understand why the default value has an upper case initial if the hook checks for a lower case variation.

daffl commented 6 years ago

Are you running into issues? I don't think this should affect anything in how it is used.
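
Added example, not part of the thread or of the project's code: Node's `http` module lowercases incoming header names in `req.headers`, so a REST request sent with `Authorization` is found under `authorization`, while a headers object built by hand on the server keeps whatever casing it was given. The sketch below models that lookup and normalises a hand-built object before it reaches the extractor; `extractFromHeader`, `normalizeHeaders`, `demo` and the sample token are hypothetical names and values chosen for illustration.

```javascript
'use strict';

// Hypothetical stand-in for a header extractor: the configured name is
// lowercased once (as in the snippet quoted in the issue) and then used
// for a plain, case-sensitive property lookup on request.headers.
function extractFromHeader(headerName) {
  const key = headerName.toLowerCase();
  return (request) => (request.headers && request.headers[key]) || null;
}

// Lowercase every header name of a hand-built headers object so it looks
// like what Node's HTTP parser produces. Two spellings of the same header
// with different values are rejected instead of silently picking one,
// because an ambiguous credential should never be guessed at.
function normalizeHeaders(headers) {
  const out = Object.create(null);
  for (const [name, value] of Object.entries(headers || {})) {
    const key = name.toLowerCase();
    if (key in out && out[key] !== value) {
      throw new Error(`conflicting values for header "${key}"`);
    }
    out[key] = value;
  }
  return out;
}

// Constructed sample value, not a real token.
const SAMPLE_TOKEN = 'header.payload.signature';
const extract = extractFromHeader('Authorization');

function demo() {
  // Simulated internal service call with a capitalised header name.
  const handBuilt = { headers: { Authorization: SAMPLE_TOKEN } };
  const normalized = { headers: normalizeHeaders(handBuilt.headers) };
  return {
    before: extract(handBuilt),   // lookup misses: key is "Authorization"
    after: extract(normalized)    // lookup hits: key is "authorization"
  };
}

console.log(demo());
```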