Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove forced type check of request body #9

Closed
wants to merge 3 commits into from
Closed

Remove forced type check of request body #9

wants to merge 3 commits into from

Conversation

adampatarino
Copy link

Escher is authentication framework, so it shouldn't make assumptions on the data type of the request body. This is especially clear when using alongside other request body parsing middleware in frameworks like express or koa.

Example:

const bodyParser = require('body-parser'),
          Escher = require('escher-auth');

app.use(bodyParser.json());

// ... setup escher options

escher.authenticate(request, keyDB);

This throws an error

Error: The request body shouldn't be empty if the request method is POST

However, the body is present, in the form of an object:

{
    "body": {
        "customer_id": "00000000",
        "resource_id": null,
        "environment": "suite00.emarsys.net",
        "language": "en"
    }
}

This pull request changes the type check of req.body from a strict String or Buffer to a simple exists check:

//Before
!(typeof reqBody === 'string' || reqBody instanceof Buffer)

// After
!request.body

@adampatarino
Remove forced type check of http body
e8ba4b2 
Authentication should not assume type of body, in cases where middlewares have parsed body into object, json, etc.
@adampatarino
Add simple check for request body
3a4ad2e
@adampatarino
Fix variable reference
8fa33f0
@szeist
Copy link
Contributor

szeist commented Apr 3, 2018
edited
Loading

Hi Adam,

You are right about that this is an authentication library and the mentioned error message is misleading.
However the escher signature can be calculated only on strings or buffers, so I'm still thinking that we need to enforce the verifiable request body type.
Maybe we can throw a "The request body should be only string or buffer".

The signature validation will only pass if the tested request body is exactly the same as the signed request body. So if we try to convert the parsed body back to string (e.g.: JSON.stringify) and the result is not exactly the same with the original request body (e.g.: the original request contained some additional spaces which didn't break the JSON) the validation will fail.

If you are using Koa, I suggest the koa-escher-auth middleware.

All the best,
Istvan

@adampatarino
Copy link
Author

@szeist Ok I didn't realize escher was using the body content as part of the authentication method. I've built a workaround in my express midleware to JSON.parse after escher has validated the connection.

Thanks for the added detail!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@adampatarino @szeist