prime-8-consulting / meteor-oauth2


content-type for oauth/token is case sensitive #28

Open MichaelJCole opened 7 years ago

MichaelJCole commented 7 years ago

Hi, I was getting an error on a Zapier integration:

        OAuth2Error: Method must be POST with application/x-www-form-urlencoded encoding
        2017-09-06T03:10:23.121798+00:00 app[web.1]:     at OAuth2Error (/app/bundle/programs/server/npm/node_modules/meteor/prime8consulting_meteor-oauth2-server/node_modules/oauth2-server/lib/error.js:30:12)
        2017-09-06T03:10:23.121799+00:00 app[web.1]:     at Grant.extractCredentials (/app/bundle/programs/server/npm/node_modules/meteor/prime8consulting_meteor-oauth2-server/node_modules/oauth2-server/lib/grant.js:70:17)
        2017-09-06T03:10:23.121800+00:00 app[web.1]:     at run (/app/bundle/programs/server/npm/node_modules/meteor/prime8consulting_meteor-oauth2-server/node_modules/oauth2-server/lib/runner.js:15:14)
        2017-09-06T03:10:23.121800+00:00 app[web.1]:     at runner (/app/bundle/programs/server/npm/node_modules/meteor/prime8consulting_meteor-oauth2-server/node_modules/oauth2-server/lib/runner.js:19:5)
        2017-09-06T03:10:23.121801+00:00 app[web.1]:     at new Grant (/app/bundle/programs/server/npm/node_modules/meteor/prime8consulting_meteor-oauth2-server/node_modules/oauth2-server/lib/grant.js:57:3)
        ...

With this header:

        headers: {
          'Content-Type': 'application/x-www-form-urlencoded'
        }

With this header, it works:

        headers: {
          'content-type': 'application/x-www-form-urlencoded'
        }

The internet thinks header field names are case insensitive: https://stackoverflow.com/questions/5258977/are-http-headers-case-sensitive

vangorra commented 7 years ago

Looks like the Zapier server is expecting a header in a specific case. That would mean they are handling the HTTP headers in a non-standard way. HTTP headers are case insensitive and part of the W3C standard. Changing this on our end could potentially break other implementations that also are not standards compliant. I recommend filing a bug report with Zapier about how they are handling headers.

This Stack Overflow answer sums it up: https://stackoverflow.com/a/5259004/1267536

MichaelJCole commented 7 years ago

Hi @vangorra,

> Looks like the Zapier server is expecting a header in a specific case.

Nope. I'm talking about meteor-oauth2 not accepting the headers correctly. So pretty universally "Content-Type" is how it's spelled in examples on the net. That doesn't appear to work with meteor-oauth2. I had to change it to "content-type" which is a non-standard spelling.

I think meteor-oauth2 isn't handling the HTTP headers to spec, because it doesn't accept "Content-Type" in the header.

vangorra commented 7 years ago

I misread that. That would be a bug. I'll take a look.

vangorra commented 7 years ago

I dug through the code and didn't find any place where the case was specific. In fact, because this is running as a Node application, the Express package lowercases all headers on the way in. Could you give me some reproduction steps with necessary REST POST calls so I can reproduce this on the local examples?
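
The check the thread is about, as an added example that is not part of the issue and is not code from meteor-oauth2 or oauth2-server: a token-endpoint test that compares the header name and the media type case-insensitively. The function names and sample requests are constructed for illustration; the flat name/value array mirrors the shape of Node's `req.rawHeaders`, which preserves the sender's casing.

```javascript
// Added example; normalizeHeaders and isFormEncodedPost are hypothetical names.

// Build a lowercase-keyed map from a flat [name, value, name, value, ...]
// array. The first occurrence of a header wins.
function normalizeHeaders(rawHeaders) {
  const headers = Object.create(null); // no inherited keys such as "constructor"
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const name = String(rawHeaders[i]).toLowerCase();
    if (!(name in headers)) {
      headers[name] = String(rawHeaders[i + 1]);
    }
  }
  return headers;
}

// True when the request is a POST whose media type is
// application/x-www-form-urlencoded. The header name and the media type are
// compared case-insensitively; parameters such as "; charset=UTF-8" are
// ignored. The HTTP method itself is case-sensitive, so it is compared exactly.
function isFormEncodedPost(method, rawHeaders) {
  const contentType = normalizeHeaders(rawHeaders)['content-type'];
  if (method !== 'POST' || contentType === undefined) {
    return false;
  }
  const mediaType = contentType.split(';')[0].trim().toLowerCase();
  return mediaType === 'application/x-www-form-urlencoded';
}

// Constructed sample requests (not captured traffic).
const samples = [
  ['POST', ['Content-Type', 'application/x-www-form-urlencoded']],
  ['POST', ['content-type', 'application/x-www-form-urlencoded']],
  ['POST', ['CONTENT-TYPE', 'Application/X-WWW-Form-Urlencoded; charset=UTF-8']],
  ['POST', ['Content-Type', 'application/json']],
  ['GET', ['Content-Type', 'application/x-www-form-urlencoded']],
  ['POST', ['Accept', '*/*']],
];

function checkSamples() {
  return samples.map(([method, raw]) => isFormEncodedPost(method, raw));
}

console.log(checkSamples());
```
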