koajs / jwt

Koa middleware for validating JSON Web Tokens
MIT License
1.34k stars, 120 forks

Any space before and after Authorization header will result in the failure of koa-jwt to process and return an error #156

Closed notbucai closed 4 years ago

notbucai commented 4 years ago

Any space before and after the Authorization header will result in the failure of koa-jwt to process and return an error.

If it's not a standard header it will return "Could not get any response".

Example:

`Authorization : "Bearer xxxxxx"` (there's a space before the colon) returns "Could not get any response", not an error.

notbucai commented 4 years ago

Unless also won't work

sdd commented 4 years ago

As far as I can tell, according to the most recent RFC I can find for the HTTP spec (https://tools.ietf.org/html/rfc7230#page-83), spaces before the colon are not permitted:

header-field = field-name ":" OWS field-value OWS

As such, I don't think we should permit that.

But, optional whitespace is permitted after the colon and preceding Bearer (as well as after the token itself).

I've submitted this PR to handle whitespace that conforms to the spec.
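
The grammar quoted in the comment above, turned into a checker, as an added example that is not part of the issue and not koa-jwt's own code. It validates a raw header line against the RFC 7230 `header-field` rule (field-name must be a token, so whitespace before the colon is rejected; OWS after the colon and at the end is stripped) and then extracts the Bearer credential from the value using the RFC 6750 `"Bearer" 1*SP b64token` form. The function names, the `{ token, error }` result shape and the sample lines are assumptions made for the example; the token `xxxxxx` is a placeholder, as in the report.

```javascript
// Added example, not code from koa-jwt: check a raw header line against the
// RFC 7230 header-field grammar, then pull the Bearer credential out of an
// Authorization value.

// RFC 7230 section 3.2.6: field-name = token = 1*tchar. tchar never includes
// SP or HTAB, so "Authorization " (trailing space before ":") is not a name.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// header-field = field-name ":" OWS field-value OWS, OWS = *( SP / HTAB ).
// The lazy (.*?) leaves trailing OWS to the last [ \t]* so it is dropped.
const HEADER_FIELD_RE = /^([^:]*):[ \t]*(.*?)[ \t]*$/;

// Returns { ok: true, name, value } or { ok: false, error }.
function parseHeaderField(line) {
  const m = HEADER_FIELD_RE.exec(line);
  if (!m) return { ok: false, error: 'missing ":" separator' };
  const [, name, value] = m;
  if (!TOKEN_RE.test(name)) {
    return {
      ok: false,
      error: `field-name ${JSON.stringify(name)} is not a token (whitespace before ":" is not permitted)`,
    };
  }
  // Field names are case-insensitive; normalise for lookup.
  return { ok: true, name: name.toLowerCase(), value };
}

// RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token. The scheme is
// case-insensitive and one or more spaces may separate it from the token.
// Returns the token string or null when the value is not Bearer credentials.
function bearerToken(value) {
  const parts = value.trim().split(/[ \t]+/);
  if (parts.length !== 2) return null;
  const [scheme, token] = parts;
  if (!/^Bearer$/i.test(scheme)) return null;
  return token;
}

// From a raw "Authorization: ..." line to { token, error } (assumed shape).
function tokenFromHeaderLine(line) {
  const field = parseHeaderField(line);
  if (!field.ok) return { token: null, error: field.error };
  if (field.name !== 'authorization') {
    return { token: null, error: `unexpected header "${field.name}"` };
  }
  const token = bearerToken(field.value);
  if (token === null) {
    return { token: null, error: 'Authorization value is not "Bearer <token>"' };
  }
  return { token, error: null };
}

// Constructed sample lines (not captured traffic); "xxxxxx" is a placeholder.
const SAMPLES = [
  'Authorization: Bearer xxxxxx',        // canonical form
  'Authorization:\t  Bearer xxxxxx \t',  // OWS after ":" and trailing OWS: allowed
  'Authorization: Bearer   xxxxxx',      // 1*SP between scheme and token: allowed
  'Authorization : Bearer xxxxxx',       // SP before ":": field-name is not a token
  'Authorization: Basic xxxxxx',         // not Bearer credentials
];

for (const line of SAMPLES) {
  console.log(JSON.stringify(line), '->', tokenFromHeaderLine(line));
}
```

The split in `bearerToken` is what makes the second and third sample lines work: trailing OWS has already been removed by `parseHeaderField`, and a run of spaces between `Bearer` and the token still yields exactly two parts. The fourth line never reaches token extraction because `Authorization ` fails the token check, which matches the RFC reading in the comment that such a request should not be accepted.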

notbucai commented 4 years ago

> As far as I can tell, according to the most recent RFC I can find for the HTTP spec (https://tools.ietf.org/html/rfc7230#page-83), spaces before the colon are not permitted:
>
> header-field = field-name ":" OWS field-value OWS
>
> As such, I don't think we should permit that.
>
> But, optional whitespace is permitted after the colon and preceding Bearer (as well as after the token itself).
>
> I've submitted this PR to handle whitespace that conforms to the spec.

thank you