From f3d8885d8f5d479c102df5199a49102783296859 Mon Sep 17 00:00:00 2001
From: Rolandas Griskevicius
Date: Mon, 24 Jan 2022 11:06:18 +0200
Subject: [PATCH] Fix issue 86 authorization scheme must be case insensitive

---
 src/buddy/auth/backends/httpbasic.clj        |  2 +-
 src/buddy/auth/backends/token.clj            |  2 +-
 test/buddy/auth/backends/httpbasic_tests.clj | 23 ++++++++++++++++----
 test/buddy/auth/backends/token_tests.clj     | 10 ++++++++-
 4 files changed, 30 insertions(+), 7 deletions(-)

diff --git a/src/buddy/auth/backends/httpbasic.clj b/src/buddy/auth/backends/httpbasic.clj
index b585125..b0f066b 100644
--- a/src/buddy/auth/backends/httpbasic.clj
+++ b/src/buddy/auth/backends/httpbasic.clj
@@ -25,7 +25,7 @@
   "Given a request, try to extract and parse the http basic header."
   [request]
-  (let [pattern (re-pattern "^Basic (.+)$")
+  (let [pattern (re-pattern "^(?i)Basic (.+)$")
         decoded (some->> (http/-get-header request "authorization")
                          (re-find pattern)
                          (second)
diff --git a/src/buddy/auth/backends/token.clj b/src/buddy/auth/backends/token.clj
index 9ba2bb6..90e49b4 100644
--- a/src/buddy/auth/backends/token.clj
+++ b/src/buddy/auth/backends/token.clj
@@ -29,7 +29,7 @@
 (defn- parse-header
   [request token-name]
   (some->> (http/-get-header request "authorization")
-           (re-find (re-pattern (str "^" token-name " (.+)$")))
+           (re-find (re-pattern (str "^(?i)" token-name " (.+)$")))
            (second)))
 
 (defn jws-backend
diff --git a/test/buddy/auth/backends/httpbasic_tests.clj b/test/buddy/auth/backends/httpbasic_tests.clj
index beb147e..ab03487 100644
--- a/test/buddy/auth/backends/httpbasic_tests.clj
+++ b/test/buddy/auth/backends/httpbasic_tests.clj
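Review bot: The `(?i)` flag in the new pattern `^(?i)Basic (.+)$` applies to everything after it, including the captured credentials group, which reads as though the credentials were case-folded too; scoping it to the scheme token, `(let [pattern (re-pattern "^(?i:Basic) (.+)$")`, states the intent directly and leaves group 1 untouched. Java's inline `(?i)` is ASCII-only unless UNICODE_CASE is also set, which is the right behaviour for an HTTP auth-scheme token, so no further flag is needed. The docstring two lines above still only says the header is parsed; adding `The scheme name is matched case-insensitively; the credentials part is passed through unchanged.` would record the change. The enclosing `parse-header` starts and ends outside this hunk.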
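Review bot: `token-name` is still spliced into the pattern unescaped on the rewritten `re-find` line, so a configured name containing a regex metacharacter would alter the match instead of being matched literally; since the line is being rewritten anyway, `(re-find (re-pattern (str "^(?i)" (java.util.regex.Pattern/quote token-name) " (.+)$")))` makes the name literal while keeping the case-insensitive scheme match. Where `token-name` originates is outside this hunk — presumably backend configuration rather than request data — so the exposure is misconfiguration rather than injection, but quoting removes the question. A short comment on the `defn-`, `;; Scheme name is compared case-insensitively; the token text is returned as sent.`, would make the contract explicit.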
@@ -9,14 +9,16 @@
                                   [buddy.auth.middleware :refer [wrap-authentication wrap-authorization]]))
 
 (defn make-header
-  [username password]
-  (format "Basic %s" (-> (b64/encode (format "%s:%s" username password))
-                         (bytes->str))))
+  ([schema username password]
+   (format "%s %s" schema (-> (b64/encode (format "%s:%s" username password))
+                              (bytes->str)))))
 
 (defn make-request
   ([] {:headers {}})
   ([username password]
-   (let [auth (make-header username password)]
+   (make-request "Basic" username password))
+  ([schema username password]
+   (let [auth (make-header schema username password)]
      {:headers {"auThorIzation" auth "lala" "2"}})))
 
 (defn auth-fn
@@ -44,6 +46,19 @@
       (is (not (nil? parsed)))
       (is (= (:password parsed) "bar:baz"))
       (is (= (:username parsed) "foo")))))
+  (testing "Parsing httpbasic header as case insensitive schema"
+    (let [parse #'httpbasic/parse-header
+          request (make-request "BASIC" "Ufoo" "Ubar")
+          parsed (parse request)]
+      (is (not (nil? parsed)))
+      (is (= (:password parsed) "Ubar"))
+      (is (= (:username parsed) "Ufoo")))
+    (let [parse #'httpbasic/parse-header
+          request (make-request "basic" "lfoo" "lbar")
+          parsed (parse request)]
+      (is (not (nil? parsed)))
+      (is (= (:password parsed) "lbar"))
+      (is (= (:username parsed) "lfoo"))))
 
 (deftest httpbasic-auth-backend
   (testing "Testing anon request"
diff --git a/test/buddy/auth/backends/token_tests.clj b/test/buddy/auth/backends/token_tests.clj
index b43e1b3..67506c3 100644
--- a/test/buddy/auth/backends/token_tests.clj
+++ b/test/buddy/auth/backends/token_tests.clj
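Review bot: In the `@@ -44,6 +46,19 @@` hunk the new `(testing "Parsing httpbasic header as case insensitive schema" ...)` form sits outside any `deftest`: the context line `(is (= (:username parsed) "foo")))))` just before it already closes the enclosing deftest, and the added block is paren-balanced on its own, so it is evaluated when the namespace loads and its `is` assertions are not counted by the test runner — a regression in scheme-case handling would print at load time but never fail the suite. Either drop one closing paren from that context line and add one to the last new line, `(is (= (:username parsed) "lfoo")))))`, so the block lands inside the deftest, or wrap it in its own `(deftest parse-header-scheme-case-tests ...)`. The deftest that the context line closes begins before this hunk. Separately, the helpers in the first hunk call the parameter `schema`; HTTP calls it an auth scheme, so `scheme` would match the commit title and the RFC wording.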
@@ -34,7 +34,15 @@
   (testing "Parse authorization header different header name yields nil"
     (let [parse #'token/parse-header
           parsed (parse (make-request "foo") "MyToken")]
-      (is (= parsed nil)))))
+      (is (= parsed nil))))
+
+  (testing "Token authorization schema is case insensitive"
+    (let [request (make-request "foo")
+          parse #'token/parse-header
+          parsed-small (parse request "token")
+          parsed-caps (parse request "token")]
+      (is (= parsed-small "foo"))
+      (is (= parsed-caps "foo")))))
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Tests: JWS
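Review bot: `parsed-caps` is bound with the same literal as `parsed-small`, `(parse request "token")`, so the new test never exercises an upper-case scheme name and would still pass if the `(?i)` change were reverted. Changing the binding to `parsed-caps (parse request "TOKEN")` covers the case the test name promises; a third binding with the scheme varied in the header itself would cover the other direction, assuming `make-request` (defined outside this hunk) emits a fixed-case `Token foo` header. The enclosing deftest starts before this hunk.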