Strip Bearer From Token #5
Conversation
The C# library I'm using does this and it'll be easier to deal with it here rather than doing the stripping in all our services. cc @tylerodonnell @eesmith from our discussion earlier today.
Compare: a63aadd to c0aff33
index.js
Outdated
@@ -26,6 +26,9 @@ const chooseKey = key => | |||
|
|||
const decode = partialRight(jwt.decode, [{ complete: true }]) | |||
|
|||
const stripBearer = token => | |||
token ? token.replace(/^Bearer /, '') : null |
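Review bot: the pattern in `stripBearer` is case-sensitive, so a `bearer ` prefix (the case raised below) is passed through untouched and then handed to `decode` with the scheme still attached; `/^Bearer /i` covers both spellings with one pattern. Also, the `token ? ... : null` guard maps a missing token to `null` silently and maps a header that is nothing but `Bearer ` to the empty string, so whatever runs next still has to check for both.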
I think we should also strip the lowercase version. Thoughts?
don't see any reason not to
So most of our services are already stripping
- Some libraries use the "Bearer" prefix when doing token authentication. If we encounter a token with a "Bearer" prefix then just strip it off and proceed as normal.
👀
See comments below.
One general comment on workflow: please no more squashing and force-pushing. Just make separate commits for your changes. Force-pushing is problematic for others wishing to checkout locally and contribute.
When we merge it, we'll select the Squash and Merge option, which will roll up the whole PR into a single commit for us. It'll keep the commit history nice and pretty.
index.js
Outdated
@@ -26,6 +26,9 @@ const chooseKey = key => | |||
|
|||
const decode = partialRight(jwt.decode, [{ complete: true }]) | |||
|
|||
const stripBearer = token => | |||
token ? token.replace(/^[B|b]earer /, '') : null |
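Review bot: `[B|b]` is a character class, so the `|` inside it is a literal character rather than alternation; this pattern also strips a token that begins with `|earer `. The case-insensitive flag does what was intended without the class: `token.replace(/^Bearer /i, '')`.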
The idiomatic way to do this in js is with the case-insensitive `i` flag. Also, Ramda has a point-free `replace` function:

```js
const stripBearer =
  replace(/^Bearer /i, '')
```

The null-check is best left to the existing `enforce` function. I'll make a separate comment explaining that.
package.json
Outdated
@@ -1,6 +1,6 @@ | |||
{ | |||
"name": "@articulate/authentic", | |||
"version": "0.1.2", | |||
"version": "0.1.3", |
Bumping the version isn't done until after the updates have been merged into `master`. After the PR is merged, a new version is created and published with the following flow:

```sh
yarn version # bumps the version and creates a matching git tag
git push --tags origin master
npm publish --access=public
```

Just move this back to `0.1.2` for now.
index.js
Outdated
|
||
const authentic = token => | ||
Promise.resolve(token) | ||
.then(tapP(enforce)) | ||
.then(stripBearer) |
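Review bot: `stripBearer` runs after `tapP(enforce)`, so the null-check only ever sees the unstripped header; a header consisting of just `Bearer ` satisfies `enforce` and then reaches `decode` as the empty string. Strip before enforcing, or run the check again on the stripped value.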
The need to strip and null-check in multiple places is a 👃 that suggests we organize things a little better with some composition:

```js
// use unauthorized in enforce (it already returns a rejected promise,
// and Boom.wrap expects an Error, so don't wrap a bare string)
const enforce = token =>
  token || unauthorized(new Error('null token not allowed'))

const stripBearer = // <<-- move here to maintain alphabetical order
  replace(/^Bearer /i, '')

const unauthorized = err =>
  Promise.reject(Boom.wrap(err, 401))

const factory = opts => {
  // omitting other bits here...

  // remove stripBearer from verify
  const verify = curryN(2, partialRight(promisify(jwt.verify), [ verifyOpts ]))

  const authentic = token =>
    Promise.resolve(token)
      // remove tapP(enforce) here
      // remove stripBearer
      .then(decode)
      .then(tapP(checkIss))
      .then(getSigningKey)
      .then(chooseKey)
      .then(verify(token))
      .catch(unauthorized)

  // composeP to null-check and strip all in one place
  return composeP(authentic, stripBearer, tapP(enforce))
}
```
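The composed strip-and-enforce pipeline sketched above, as an added example that is not the project's code: it assumes plain Node only, with local stand-ins for Ramda's `composeP`/`tapP`, for `Boom.wrap`, and a `verifyStub` in place of the real decode/verify chain. It also runs `enforce` a second time after the strip, so a header that is only the scheme name is rejected instead of reaching verification as an empty string.

```javascript
// Added example, not @articulate/authentic's own code. Local stand-ins
// replace Ramda (composeP, tapP) and Boom so it runs with plain Node.

// Right-to-left promise composition, like Ramda's composeP.
const composeP = (...fns) => x =>
  fns.reduceRight((p, fn) => p.then(fn), Promise.resolve(x))

// Run fn for its effect (or its rejection) and pass the original value on.
const tapP = fn => x => Promise.resolve(fn(x)).then(() => x)

// Stand-in for Boom.wrap(err, 401): tag the error with an HTTP status.
const unauthorized = err => {
  const error = err instanceof Error ? err : new Error(String(err))
  error.statusCode = 401
  return Promise.reject(error)
}

// Rejects null, undefined and '' alike. Running it again after the strip
// catches a header that was only the scheme ("Bearer ") and nothing else.
const enforce = token =>
  token || unauthorized(new Error('null token not allowed'))

// HTTP auth-scheme names are case-insensitive, so match with the i flag
// rather than a [B|b] class (which would also strip "|earer ").
const stripBearer = token => token.replace(/^bearer +/i, '')

// Placeholder (assumption) for the decode/verify chain: accepts any token.
const verifyStub = token => Promise.resolve({ sub: token })

// composeP applies right to left: enforce, strip, enforce again, verify.
const authentic = composeP(verifyStub, tapP(enforce), stripBearer, tapP(enforce))

// Collapse success and failure into one plain object for callers and tests.
const run = token =>
  authentic(token).then(
    claims => ({ ok: true, sub: claims.sub }),
    err => ({ ok: false, status: err.statusCode, message: err.message }))

// Constructed sample header: lowercase scheme, accepted and stripped.
run('bearer abc.def.ghi').then(result => console.log(result))
```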
@flintinatux updated. Rambda doesn't support catches in composeP so I just did a normal promise chain.
@dpbackes, that's why I suggested swapping the
Hm, I'm noticing now that it should be