
Non-standard header structure #361

Closed
timelesshaze opened this Issue Dec 6, 2016 · 5 comments

timelesshaze commented Dec 6, 2016

Steps to reproduce

Feathers is not using the recommended format for JWT authorization headers.
While I can build the header myself, most HTTP libraries have built-in support for bearer auth so that you only need to supply the token.

This does not break feathers, as it is consistently wrong in both the server and client implementations.

The feathers-authentication-client library has an undocumented option to supply a prefix to the chosen header, but no such option exists on the server.
https://github.com/feathersjs/feathers-authentication-client/blob/ffefbc91512ef442dca2d18f0957735a2bf02898/src/hooks/populate-header.js#L19

Expected behavior

The recommended JWT header is in the following form:
Authorization: Bearer

Actual behavior

Feathers uses the following format:
Authorization:

System configuration

Tell us about the applicable parts of your setup.

Module versions (especially the part that's not working):

feathers@2.0.2
feathers-authentication@1.0.0-beta-2
feathers-authentication-jwt@0.2.0
feathers-authentication-local@0.3.0

feathers-errors@2.5.0
feathers-hooks@1.7.0
feathers-rest@1.5.2
feathers-socketio@1.4.2

NodeJS version:
v6.9.1

Operating System:
Ubuntu 16.04.1

Browser Version:
N/A

React Native Version:
N/A

Module Loader:
N/A

marshallswain commented Dec 6, 2016

Hmmm. I'm pretty sure we were using standard headers in the very recent past. Am I wrong @ekryski? We should probably use the standard by default, and allow the option to customize it.

timelesshaze commented Dec 6, 2016

The websocket implementation was working fine, but when I tried to test my access token with curl I always received a bad-request error for missing credentials.

curl 'http://localhost:3030/customers' -H 'Authorization: Bearer {token}' fails
curl 'http://localhost:3030/customers' -H 'Authorization: {token}' succeeds

ekryski commented Dec 6, 2016

@timelesshaze by default it doesn't accept Bearer. We are using passport-jwt under the hood so you can customize the format of your header and where your JWT is parsed from by setting jwtFromRequest: ExtractJwt.<your parsing strategy>.

If you want to add a PR for a custom strategy that would accept both of those formats it would be welcome 😄
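One shape such a custom extractor could take, as an added example that is not code from Feathers or passport-jwt: a `jwtFromRequest` function that accepts both the standard `Bearer <token>` form and the bare-token form the issue describes. It assumes only passport-jwt's contract that `jwtFromRequest(req)` returns the token string or `null`; the function name and the token-shape check are this example's own.

```javascript
// Added example, not part of the Feathers project. passport-jwt calls the
// configured jwtFromRequest(req) and expects the raw token string or null.
// Accepting both header forms lets curl and HTTP libraries with built-in
// bearer support work without breaking clients that send the bare token.

// "Bearer <token>", scheme matched case-insensitively per RFC 6750.
const BEARER_RE = /^Bearer\s+(\S+)$/i;
// Compact JWS shape: three non-empty base64url segments separated by dots.
// Requiring a non-empty third segment keeps unsigned (alg "none") tokens
// from ever reaching the verifier.
const JWT_SHAPE_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

function jwtFromAuthorizationHeader(req) {
  const header = req && req.headers && req.headers.authorization;
  if (typeof header !== 'string') return null;

  const value = header.trim();
  if (value === '') return null;

  // Prefer the standard scheme; otherwise treat the whole value as the token.
  const bearer = BEARER_RE.exec(value);
  const candidate = bearer ? bearer[1] : value;

  // Anything that is not JWT-shaped (Basic credentials, a bare "Bearer",
  // multi-word garbage) is reported as missing credentials here rather
  // than surfacing as a confusing signature-verification failure.
  return JWT_SHAPE_RE.test(candidate) ? candidate : null;
}

// Wiring it into the JWT strategy config would look like
// (assumed usage, mirroring the jwtFromRequest option named above):
//   { jwtFromRequest: jwtFromAuthorizationHeader }
```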

@ekryski ekryski closed this Dec 6, 2016

ekryski commented Dec 6, 2016

I've created an issue on the feathers JWT repo. If you feel like taking a stab, it's a super easy task. feathersjs/authentication-jwt#5

timelesshaze commented Dec 6, 2016

Thanks, I'll take a look at it later!
