From 1d25d1526a632db93e97308a99510e6c5a34e36f Mon Sep 17 00:00:00 2001
From: Vladimir Gorej
Date: Thu, 18 Jun 2020 16:03:58 +0200
Subject: [PATCH 1/3] fix(scheme): make scheme comparison case insensitive

As per RFC7235 auth scheme is case insensitive.

2.1. Challenge and Response

HTTP provides a simple challenge-response authentication framework that can be used by a server to challenge a client request and by a client to provide authentication information. It uses a case- insensitive token as a means to identify the authentication scheme, followed by additional information necessary for achieving.

https://tools.ietf.org/html/rfc7235#section-2.1

Refs #1531, #1473
Refs https://github.com/OAI/OpenAPI-Specification/issues/1876
Refs https://github.com/swagger-api/swagger-ui/issues/5965
---
 src/execute/oas3/build-request.js | 4 +-
 test/oas3/execute/authorization.js | 96 ++++++++++++++++++++++++++++++
 2 files changed, 98 insertions(+), 2 deletions(-)

diff --git a/src/execute/oas3/build-request.js b/src/execute/oas3/build-request.js
index d524382be..95f9edb69 100644
--- a/src/execute/oas3/build-request.js
+++ b/src/execute/oas3/build-request.js
@@ -120,14 +120,14 @@ export function applySecurities({request, securities = {}, operation = {}, spec}
 }
 }
 } else if (type === 'http') {
- if (schema.scheme === 'basic') {
+ if (/^basic$/i.test(schema.scheme)) {
 const username = value.username || ''
 const password = value.password || ''
 const encoded = btoa(`${username}:${password}`)
 result.headers.Authorization = `Basic ${encoded}`
 }
- if (schema.scheme === 'bearer') {
+ if (/^bearer$/i.test(schema.scheme)) {
 result.headers.Authorization = `Bearer ${value}`
 }
 }
diff --git a/test/oas3/execute/authorization.js b/test/oas3/execute/authorization.js
index ce2d28909..5bccf50b8 100644
--- a/test/oas3/execute/authorization.js
+++ b/test/oas3/execute/authorization.js
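Review bot: The two new `if` lines each run a case-insensitive regex against `schema.scheme`, and any other `http` scheme (`digest`, `negotiate`, a misspelling) still falls out of the branch with no `Authorization` header set and nothing telling the caller the scheme was ignored. Normalizing once, `const scheme = String(schema.scheme || '').toLowerCase()`, then `if (scheme === 'basic') {` and `if (scheme === 'bearer') {`, keeps the RFC 7235 case-insensitivity, reads as plain equality, and gives a natural place for a trailing `else` that warns about an unsupported scheme instead of sending the request unauthenticated. One caveat worth a comment on the unchanged `btoa` call in the basic branch: `btoa` throws on code points above 0xFF, so a username or password containing non-Latin-1 characters fails here rather than being encoded, e.g. `// NOTE: btoa is Latin-1 only; non-ASCII credentials (RFC 7617 charset=UTF-8) throw here`. applySecurities begins before and continues past this hunk.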
@@ -95,6 +95,54 @@ describe('Authorization - OpenAPI Specification 3.0', () => {
 },
 })
 })
+
+ test('should consider scheme to be case insensitive', () => {
+ const spec = {
+ openapi: '3.0.0',
+ components: {
+ securitySchemes: {
+ myBasicAuth: {
+ type: 'http',
+ in: 'header',
+ scheme: 'Basic'
+ }
+ }
+ },
+ paths: {
+ '/': {
+ get: {
+ operationId: 'myOperation',
+ security: [{
+ myBasicAuth: []
+ }],
+ }
+ }
+ }
+ }
+
+ const req = buildRequest({
+ spec,
+ operationId: 'myOperation',
+ securities: {
+ authorized: {
+ myBasicAuth: {
+ username: 'somebody',
+ password: 'goodpass'
+ }
+ }
+ }
+ })
+
+ expect(req).toEqual({
+ method: 'GET',
+ url: '/',
+ credentials: 'same-origin',
+ headers: {
+ Authorization: `Basic ${btoa('somebody:goodpass')}`
+ },
+ })
+ })
+
 test(
 'should not add credentials to operations without the security requirement',
 () => {
@@ -238,6 +286,54 @@ describe('Authorization - OpenAPI Specification 3.0', () => {
 },
 })
 })
+
+ test('should consider scheme to be case insensitive', () => {
+ const spec = {
+ openapi: '3.0.0',
+ components: {
+ securitySchemes: {
+ myBearerAuth: {
+ type: 'http',
+ in: 'header',
+ scheme: 'Bearer'
+ }
+ }
+ },
+ paths: {
+ '/': {
+ get: {
+ operationId: 'myOperation',
+ security: [{
+ myBearerAuth: []
+ }]
+ }
+ }
+ }
+ }
+
+ // when
+ const req = buildRequest({
+ spec,
+ operationId: 'myOperation',
+ securities: {
+ authorized: {
+ myBearerAuth: {
+ value: 'Asdf1234'
+ }
+ }
+ }
+ })
+
+ expect(req).toEqual({
+ method: 'GET',
+ url: '/',
+ credentials: 'same-origin',
+ headers: {
+ Authorization: 'Bearer Asdf1234'
+ },
+ })
+ })
+
 test(
 'should not add credentials to operations without the security requirement',
 () => {
From 11f966dfd0df431d252ce990d2e585857d919cdf Mon Sep 17 00:00:00 2001
From: Vladimir Gorej
Date: Thu, 18 Jun 2020 16:16:12 +0200
Subject: [PATCH 2/3] Update test/oas3/execute/authorization.js

Co-authored-by: Helen Kosova
---
 test/oas3/execute/authorization.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/test/oas3/execute/authorization.js b/test/oas3/execute/authorization.js
index 5bccf50b8..4cdf1fff8 100644
--- a/test/oas3/execute/authorization.js
+++ b/test/oas3/execute/authorization.js
@@ -103,7 +103,6 @@ describe('Authorization - OpenAPI Specification 3.0', () => {
 securitySchemes: {
 myBasicAuth: {
 type: 'http',
- in: 'header',
 scheme: 'Basic'
 }
 }
From 8474e3886ae71ea0e441ad2ebac299afc94fecec Mon Sep 17 00:00:00 2001
From: Vladimir Gorej
Date: Thu, 18 Jun 2020 16:16:21 +0200
Subject: [PATCH 3/3] Update test/oas3/execute/authorization.js

Co-authored-by: Helen Kosova
---
 test/oas3/execute/authorization.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/test/oas3/execute/authorization.js b/test/oas3/execute/authorization.js
index 4cdf1fff8..d188ca20b 100644
--- a/test/oas3/execute/authorization.js
+++ b/test/oas3/execute/authorization.js
@@ -293,7 +293,6 @@ describe('Authorization - OpenAPI Specification 3.0', () => {
 securitySchemes: {
 myBearerAuth: {
 type: 'http',
- in: 'header',
 scheme: 'Bearer'
 }
 }