support leading/trailing whitespace in Authorization header value

koajs · May 31, 2020 · f694cb6 · f694cb6
1 parent c073cf2
commit f694cb6
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/lib/resolvers/auth-header.js b/lib/resolvers/auth-header.js
@@ -12,7 +12,7 @@ module.exports = function resolveAuthorizationHeader(ctx, opts) {
         return;
     }
 
-    const parts = ctx.header.authorization.split(' ');
+    const parts = ctx.header.authorization.trim().split(' ');
 
     if (parts.length === 2) {
         const scheme = parts[0];

diff --git a/test/test.js b/test/test.js
@@ -433,6 +433,27 @@ describe('success tests', () => {
       .end(done);
   });
 
+  it('should work if authorization header contains leading and/or trailing whitespace', done => {
+    const validUserResponse = res => res.body.foo !== 'bar' && 'Wrong user';
+
+    const secret = 'shhhhhh';
+    const token = jwt.sign({foo: 'bar'}, secret);
+
+    const app = new Koa();
+
+    app.use(koajwt({ secret: secret }));
+    app.use(ctx => {
+      ctx.body = ctx.state.user;
+    });
+
+    request(app.listen())
+      .get('/')
+      .set('Authorization', `     Bearer ${token}     `)
+      .expect(200)
+      .expect(validUserResponse)
+      .end(done);
+  });
+
   it('should work if authorization header is valid jwt according to one of the secrets', done => {
     const validUserResponse = res => res.body.foo !== 'bar' && 'Wrong user';