I see this comment in strategy.js:
> The HTTP Bearer authentication strategy authenticates requests based on a bearer token contained in the `Authorization` header field, `access_token` body parameter, or `access_token` query parameter.
This is in a project which has passport-http-bearer as a dependency (version 1.0.1): https://github.com/NodeBB/nodebb-plugin-write-api
I've tried asking the maintainer of that project but he says the following code is not his:
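/**
 * Authenticate a request from a bearer token (RFC 6750).
 *
 * The token is taken from exactly one of three places: the `Authorization`
 * header (`Bearer <token>`), the `access_token` body parameter, or the
 * `access_token` query parameter.  A request that supplies a token by more
 * than one of these methods is rejected with 400 (RFC 6750 section 2 forbids
 * it), as is an `Authorization` header that is not "<scheme> <credentials>".
 * A request with no token at all fails with the strategy's challenge
 * (`this._challenge()`); a token the verify callback does not accept fails
 * with an `invalid_token` challenge carrying the callback's message.
 *
 * NOTE(review): `req.body` and `req.query` are only populated when the
 * framework has parsed them before this strategy runs; without such
 * middleware only the header transport can succeed.  Tokens carried in the
 * query string also tend to end up in server, proxy and browser logs
 * (RFC 6750 section 2.3 discourages that transport).
 *
 * @param {Object} req - The incoming request (`headers`, `body`, `query`).
 */
Strategy.prototype.authenticate = function(req) {
  var token;

  if (req.headers && req.headers.authorization) {
    var parts = req.headers.authorization.split(' ');
    if (parts.length !== 2) {
      // Anything other than "<scheme> <credentials>" is malformed.
      return this.fail(400);
    }
    var scheme = parts[0];
    var credentials = parts[1];
    // Scheme names are case-insensitive (RFC 7235); any other scheme is
    // ignored here and `token` stays undefined.
    if (/^Bearer$/i.test(scheme)) {
      token = credentials;
    }
  }

  if (req.body && req.body.access_token) {
    // A second transport for the same request is an error, not a fallback.
    if (token) { return this.fail(400); }
    token = req.body.access_token;
  }

  if (req.query && req.query.access_token) {
    if (token) { return this.fail(400); }
    token = req.query.access_token;
  }

  if (!token) { return this.fail(this._challenge()); }

  // Body/query parsers commonly turn a repeated `access_token` key into an
  // array; only a string is a token, so reject anything else rather than
  // hand an unexpected type to the verify callback.
  if (typeof token !== 'string') { return this.fail(400); }

  var self = this;
  // Completion callback handed to the application's verify function.
  function verified(err, user, info) {
    if (err) { return self.error(err); }
    if (!user) {
      // Allow the verify callback to pass a bare message string as `info`.
      if (typeof info === 'string') {
        info = { message: info };
      }
      info = info || {};
      return self.fail(self._challenge('invalid_token', info.message));
    }
    self.success(user, info);
  }

  if (this._passReqToCallback) {
    this._verify(req, token, verified);
  } else {
    this._verify(token, verified);
  }
};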
Wouldn't the above code block the use of the `access_token` parameter?
When I try to pass the bearer token as a query or body parameter, I get a 401, but if I pass it in the Authorization header, the call works.
Any ideas how I can debug this further to figure out what is blocking the request?