Bearer regular expression matching in authenticate handler#105
Bearer regular expression matching in authenticate handler#105jankapunkt merged 1 commit intonode-oauth:developmentfrom
Conversation
Uzlopak
left a comment
Uzlopak
left a comment
There was a problem hiding this comment.
seems about right but we should check RFC for BasicAuth if Bearer can have preceeding whitespace or something like that.
| AuthenticateHandler.prototype.getTokenFromRequestHeader = function(request) { | ||
| const token = request.get('Authorization'); | ||
| const matches = token.match(/Bearer\s(\S+)/); | ||
| const matches = token.match(/^Bearer\s(\S+)/); |
There was a problem hiding this comment.
Lets discuss this:
| const matches = token.match(/^Bearer\s(\S+)/); | |
| const matches = token.match(/^ *(?:[Bb][Ee][Aa][Rr][Ee][Rr]) +([A-Za-z0-9._~+/-]+=*) *$/); |
Inspired by https://github.com/jshttp/basic-auth/blob/e8a29f94dc7c05b5858b08090386338af010ce49/index.js#L35
There was a problem hiding this comment.
I agree, what's the improvement of this change @FStefanni
There was a problem hiding this comment.
In the spec it is defined as it should start with Bearer followed with a whitespace. That's what the additional ^ in the regex is for. I think we should not support BeArEr @Uzlopak
b64token = 1*( ALPHA / DIGIT /
"-" / "." / "_" / "~" / "+" / "/" ) *"="
credentials = "Bearer" 1*SP b64token
But I do like the check provided for the second part. But that should be a different issue/pull request. Because that check should also be done on the result of generateAccessToken and generateRefreshToken.
There was a problem hiding this comment.
I suggest we approve & merge this pull request and create a new issue for this.
There was a problem hiding this comment.
@jorenvandeweyer I am no regex expert but do you know if the new introduced regex can be overloaded to create a DoS?
There was a problem hiding this comment.
The issue is more, that there can be implementations of clients, where the Bearer is preceded by whitespace. Now it doesnt matter, but with this PR a previous working OAuth2 server could have a breaking change. Atleast I would suggest to add \s* in front of Bearer.
There was a problem hiding this comment.
In conflict between standard compliance and backward compatibility I will always vote for standard compliance. If preceeding whitespace is not against the standard and poses no security risks then I think it's okay to go for this kind of backward compatiblity
There was a problem hiding this comment.
@jankapunkt
Trick 17b
https://npm.runkit.com/safe-regex
var safeRegex = require("safe-regex")
console.log(safeRegex(/^Bearer\s(\S+)/))
result is true, so the regex is safe.
There was a problem hiding this comment.
Hi,
sorry but in the end I have not understand what is the conclusion...
Do we want to support the initial white spaces? (sorry but I do not know exactly if it is standard or not to allow such white spaces)
About the safe-regex, I do not think we need it here: we are just going to match some spaces.
Regards
There was a problem hiding this comment.
The regex thing: you should always check if a regex is safe from catastrophic backtracking. So jankapunkt was asking if the regex is safe. Complete normal phenomenon.
Uzlopak
left a comment
Uzlopak
left a comment
There was a problem hiding this comment.
I thought about it again. Making it strikter is more important than backwards compatibility.
4 participants
Summary
This pr fixes the regex for checking the bearer token.
Linked issue(s)
Issue #89, point 15, original pr oauthjs/node-oauth2-server#614
Added tests?
Yes
OAuth2 standard
RFC 6750 | OAuth 2.0 Bearer Token Usage | Section 2.1
https://tools.ietf.org/html/rfc6750#section-2.1