Skip to content
This repository was archived by the owner on Mar 22, 2022. It is now read-only.

Non-standard header structure #361

Closed
timelesshaze opened this issue Dec 6, 2016 · 5 comments
Closed

Non-standard header structure #361

timelesshaze opened this issue Dec 6, 2016 · 5 comments

Comments

@timelesshaze
Copy link

timelesshaze commented Dec 6, 2016
edited
Loading

Steps to reproduce

Feathers is not using the recommended format for JWT authorization headers.
While I can build the header myself, most HTTP libraries have built-in support for bearer auth so that you only need to supply the token.

This does not break feathers, as it is consistently wrong in both the server and client implementations.

The feathers-authentication-client library has an undocumented option to supply a prefix to the chosen header, but no such option exists on the server.
https://github.com/feathersjs/feathers-authentication-client/blob/ffefbc91512ef442dca2d18f0957735a2bf02898/src/hooks/populate-header.js#L19

Expected behavior

The recommended JWT header is in the following form:
Authorization: Bearer

Actual behavior

Feathers uses the following format:
Authorization:

System configuration

Tell us about the applicable parts of your setup.

Module versions (especially the part that's not working):

feathers@2.0.2
feathers-authentication@1.0.0-beta-2
feathers-authentication-jwt@0.2.0
feathers-authentication-local@0.3.0

feathers-errors@2.5.0
feathers-hooks@1.7.0
feathers-rest@1.5.2
feathers-socketio@1.4.2

NodeJS version:
v6.9.1

Operating System:
Ubuntu 16.04.1

Browser Version:
N/A

React Native Version:
N/A

Module Loader:
N/A
@marshallswain
Copy link
Member

Hmmm. I'm pretty sure we were using standard headers in the very recent past. Am I wrong @ekryski? We should probably use the standard by default, and allow the option to customize it.

@timelesshaze
Copy link
Author

The websocket implementation was working fine, but when I tried to test my access token with curl I always received a bad-request error for missing credentials.

curl 'http://localhost:3030/customers' -H 'Authorization: Bearer {token}' fails
curl 'http://localhost:3030/customers' -H 'Authorization: {token}' succeeds

@ekryski
Copy link
Member

ekryski commented Dec 6, 2016
edited
Loading

@timelesshaze by default it doesn't accept Bearer. We are using passport-jwt under the hood so you can customize the format of your header and where your JWT is parsed from by setting jwtFromRequest: ExtractJwt.<your parsing strategy>.

If you want to add a PR for a custom strategy that would accept both of those formats it would be welcome 😄

@ekryski ekryski closed this as completed Dec 6, 2016
@ekryski
Copy link
Member

ekryski commented Dec 6, 2016

I've created an issue on the feathers JWT repo. If you feel like taking a stab, it's a super easy task. feathersjs-ecosystem/authentication-jwt#5

@timelesshaze
Copy link
Author

Thanks, I'll take a look at it later!

# for free to subscribe to this conversation on GitHub. Already have an account? #.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@marshallswain @ekryski @timelesshaze