Closed kaspersorensen closed 7 years ago
Thanks for reporting this. Let me take a look at what should be a "correct" response.
Right now I'm thinking that the two potentially correct responses would be to either 401 as an "unrecognized" token, or be OK with whitespace. I don't think 400 would be a valid response in this context.
It looks like the spec is fairly clear that there's 1 space between Bearer and the token, so I'll fix this so it 401s.
So... I'm not able to replicate this. Could you please post instructions on how to reproduce?
With stormpath.getAccount()
With stormpath.requireAccount()
With stormpath.requireAccount() and potentially invalid characters
Thank you for the help. It turns out you are right. So sorry for my mistake.
Explanation: We are using the nginx auth_request module (http://nginx.org/en/docs/http/ngx_http_auth_request_module.html) in conjunction with the stormpath nginx module. And it seems that our authorization controller was failing in this case, NOT the stormpath module.
Thank you for a great product.
No problem; glad you figured things out!
We are using the stormpath nginx plugin but facing an issue where an extra space between Bearer and the access token causes nginx to return HTTP 500 Internal Server Error.
To be clear, here's how the Authentication header value would look like:
I would expect this to instead return HTTP 400 Bad Request, or maybe even be fault-tolerant against such white-space issues.
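Added example, not part of the thread and not Stormpath's or the reporter's code: one way an authorization controller behind auth_request can turn a malformed Bearer header into a deliberate 401. With auth_request, nginx passes through only 2xx, 401 and 403 from the subrequest and treats any other status as an error, so the controller below returns nothing else for bad input. The names `extract_bearer`, `auth_status`, `demo_verify` and the sample token are assumptions made up for illustration.

```python
import hmac
import re

# Token character set (b64token) from RFC 6750 section 2.1.
B64TOKEN = r"[A-Za-z0-9\-._~+/]+=*"
# Exactly one space: the behaviour the maintainer settles on in the thread.
STRICT = re.compile(r"Bearer (" + B64TOKEN + r")")
# Runs of spaces accepted: the fault-tolerant option the reporter suggests.
LENIENT = re.compile(r"Bearer +(" + B64TOKEN + r")")


def extract_bearer(header, tolerate_spaces=False):
    """Return the token, or None when the header is absent or malformed."""
    if not isinstance(header, str):
        return None
    pattern = LENIENT if tolerate_spaces else STRICT
    # fullmatch rejects trailing whitespace, tabs and embedded spaces too.
    match = pattern.fullmatch(header)
    return match.group(1) if match else None


def auth_status(header, verify_token, tolerate_spaces=False):
    """Status for an auth_request subrequest: 200 to allow, 401 to deny."""
    token = extract_bearer(header, tolerate_spaces)
    if token is None:
        return 401  # unrecognised credentials, never an unhandled error
    try:
        return 200 if verify_token(token) else 401
    except ValueError:
        # A verifier that rejects the token by raising still means "deny".
        return 401


def demo_verify(token):
    """Constructed stand-in for real token validation (hypothetical)."""
    return hmac.compare_digest(token, "good.token")


if __name__ == "__main__":
    for value in ("Bearer good.token", "Bearer  good.token", None):
        print(repr(value), auth_status(value, demo_verify))
```
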