stormpath / stormpath-nginx

A Stormpath integration written in Lua for the nginx web server.
Apache License 2.0
24 stars 7 forks

Extra space between 'Bearer' and access_token causes HTTP 500 #5

Closed kaspersorensen closed 7 years ago

kaspersorensen commented 7 years ago

We are using the stormpath nginx plugin but facing an issue where an extra space between Bearer and the access token causes nginx to return HTTP 500 Internal Server Error.

To be clear, here's what the Authentication header value would look like:

Bearer  [access_token]

I would expect this to instead return HTTP 400 Bad Request, or maybe even be fault-tolerant against such white-space issues.

edjiang commented 7 years ago

Thanks for reporting this. Let me take a look at what should be a "correct" response.

Right now I'm thinking that the two potentially correct responses would be to either 401 as an "unrecognized" token, or be OK with whitespace. I don't think 400 would be a valid response in this context.

edjiang commented 7 years ago

It looks like the spec is fairly clear that there's 1 space between Bearer and the token, so I'll fix this so it 401s.

https://tools.ietf.org/html/rfc6750#section-2.1

edjiang commented 7 years ago

So... I'm not able to replicate this. Could you please post instructions on how to reproduce?

With stormpath.getAccount()

[screenshot not preserved]

With stormpath.requireAccount()

[screenshot not preserved]

With stormpath.requireAccount() and potentially invalid characters

[screenshot not preserved]

kaspersorensen commented 7 years ago

Thank you for the help. It turns out you are right. So sorry for my mistake.

Explanation: We are using the nginx auth_request module (http://nginx.org/en/docs/http/ngx_http_auth_request_module.html) in conjunction with the stormpath nginx module. And it seems that our authorization controller was failing in this case, NOT the stormpath module.

Thank you for a great product.
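Added example, not code from the stormpath-nginx module (which is Lua) or from either participant: a Python sketch of what an auth_request backend such as the reporter's authorization controller should do with the Authorization header. It follows the ABNF at the RFC 6750 link above, where the separator between the scheme and the token is written `1*SP`, and maps a missing or malformed value to 401 instead of letting it surface as a 500. The set of valid tokens is a constructed stand-in for real token validation.

```python
import re

# ABNF from RFC 6750 section 2.1 (linked in the thread):
#   b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
#   credentials = "Bearer" 1*SP b64token
_B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


def parse_bearer(authorization):
    """Return the b64token from an Authorization header value, or None when
    the value is absent or does not match the Bearer grammar. Never raises."""
    if not authorization:
        return None
    scheme, sep, rest = authorization.partition(" ")
    # ABNF string literals are case-insensitive, so "bearer" is accepted too.
    if scheme.lower() != "bearer" or not sep:
        return None
    # The separator is 1*SP: a run of spaces only (a tab is not a separator).
    token = rest.lstrip(" ")
    if not _B64TOKEN.fullmatch(token):
        return None
    return token


# Constructed sample of tokens the controller would accept; the value is the
# example token printed in RFC 6750 itself.
VALID_TOKENS = {"mF_9.B5f-4.1JqM"}


def auth_request_status(headers, valid_tokens=VALID_TOKENS):
    """Status an nginx auth_request subrequest backend should return.

    auth_request treats 2xx as allow and 401/403 as deny; any other status
    is an error, so a client-side problem like a malformed header must map
    to 401 rather than falling through to an exception and a 500."""
    token = parse_bearer(headers.get("Authorization"))
    if token is None:
        return 401  # absent or malformed credentials
    return 200 if token in valid_tokens else 401


if __name__ == "__main__":
    for value in ["Bearer mF_9.B5f-4.1JqM", "Bearer  mF_9.B5f-4.1JqM",
                  "Bearer", "Bearer mF_9 extra", None]:
        print(repr(value), "->", auth_request_status({"Authorization": value}))
```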

edjiang commented 7 years ago

No problem; glad you figured things out!