Fix invalid Bearer prefix format (wrong character instead of a space) (#99)

VojtechVitek · web-flow · commit 81e4c11ac99e · 2025-03-27T07:49:34.000-04:00
* Rewrite simple tests to table-driven tests

* Add tests cases for invalid Bearer prefixes

* Disallow invalid character after BEARER prefix
diff --git a/jwtauth.go b/jwtauth.go
@@ -268,7 +268,7 @@ func TokenFromCookie(r *http.Request) string {
 func TokenFromHeader(r *http.Request) string {
 	// Get token from authorization header.
 	bearer := r.Header.Get("Authorization")
-	if len(bearer) > 7 && strings.ToUpper(bearer[0:6]) == "BEARER" {
+	if len(bearer) > 7 && strings.ToUpper(bearer[0:7]) == "BEARER " {
 		return bearer[7:]
 	}
 	return ""
diff --git a/jwtauth_test.go b/jwtauth_test.go
@@ -66,47 +66,37 @@ func TestSimple(t *testing.T) {
 	ts := httptest.NewServer(r)
 	defer ts.Close()
 
-	// sending unauthorized requests
-	if status, resp := testRequest(t, ts, "GET", "/", nil, nil); status != 401 || resp != "no token found\n" {
-		t.Fatalf(resp)
-	}
-
-	h := http.Header{}
-	h.Set("Authorization", "BEARER "+newJwtToken([]byte("wrong"), map[string]interface{}{}))
-	if status, resp := testRequest(t, ts, "GET", "/", h, nil); status != 401 || resp != "token is unauthorized\n" {
-		t.Fatalf(resp)
-	}
-	h.Set("Authorization", "BEARER asdf")
-	if status, resp := testRequest(t, ts, "GET", "/", h, nil); status != 401 || resp != "token is unauthorized\n" {
-		t.Fatalf(resp)
-	}
-	// wrong token secret and wrong alg
-	h.Set("Authorization", "BEARER "+newJwt512Token([]byte("wrong"), map[string]interface{}{}))
-	if status, resp := testRequest(t, ts, "GET", "/", h, nil); status != 401 || resp != "token is unauthorized\n" {
-		t.Fatalf(resp)
-	}
-	// correct token secret but wrong alg
-	h.Set("Authorization", "BEARER "+newJwt512Token(TokenSecret, map[string]interface{}{}))
-	if status, resp := testRequest(t, ts, "GET", "/", h, nil); status != 401 || resp != "token is unauthorized\n" {
-		t.Fatalf(resp)
-	}
-
-	// correct token, but has expired within the skew time
-	h.Set("Authorization", "BEARER "+newJwtToken(TokenSecret, map[string]interface{}{"exp": time.Now().Unix() - 29}))
-	if status, resp := testRequest(t, ts, "GET", "/", h, nil); status != 200 || resp != "welcome" {
-		fmt.Println("status", status, "resp", resp)
-		t.Fatalf(resp)
-	}
-
-	// correct token, but has expired outside of the skew time
-	h.Set("Authorization", "BEARER "+newJwtToken(TokenSecret, map[string]interface{}{"exp": time.Now().Unix() - 31}))
-	if status, resp := testRequest(t, ts, "GET", "/", h, nil); status != 401 || resp != "token is expired\n" {
-		t.Fatalf(resp)
-	}
-
-	// sending authorized requests
-	if status, resp := testRequest(t, ts, "GET", "/", newAuthHeader(), nil); status != 200 || resp != "welcome" {
-		t.Fatalf(resp)
+	tt := []struct {
+		Name          string
+		Authorization string
+		Status        int
+		Resp          string
+	}{
+		{Name: "empty token", Authorization: "", Status: 401, Resp: "no token found\n"},
+		{Name: "wrong token", Authorization: "Bearer asdf", Status: 401, Resp: "token is unauthorized\n"},
+		{Name: "wrong secret", Authorization: "Bearer " + newJwtToken([]byte("wrong")), Status: 401, Resp: "token is unauthorized\n"},
+		{Name: "wrong secret/alg", Authorization: "Bearer " + newJwt512Token([]byte("wrong")), Status: 401, Resp: "token is unauthorized\n"},
+		{Name: "wrong alg", Authorization: "Bearer " + newJwt512Token(TokenSecret, map[string]interface{}{}), Status: 401, Resp: "token is unauthorized\n"},
+		{Name: "expired within skew", Authorization: "Bearer " + newJwtToken(TokenSecret, map[string]interface{}{"exp": time.Now().Unix() - 29}), Status: 200, Resp: "welcome"},
+		{Name: "expired outside skew", Authorization: "Bearer " + newJwtToken(TokenSecret, map[string]interface{}{"exp": time.Now().Unix() - 31}), Status: 401, Resp: "token is expired\n"},
+		{Name: "valid token", Authorization: "Bearer " + newJwtToken(TokenSecret), Status: 200, Resp: "welcome"},
+		{Name: "valid Bearer", Authorization: "Bearer " + newJwtToken(TokenSecret, map[string]interface{}{"service": "test"}), Status: 200, Resp: "welcome"},
+		{Name: "valid BEARER", Authorization: "BEARER " + newJwtToken(TokenSecret), Status: 200, Resp: "welcome"},
+		{Name: "valid bearer", Authorization: "bearer " + newJwtToken(TokenSecret), Status: 200, Resp: "welcome"},
+		{Name: "valid claim", Authorization: "Bearer " + newJwtToken(TokenSecret, map[string]interface{}{"service": "test"}), Status: 200, Resp: "welcome"},
+		{Name: "invalid bearer_", Authorization: "BEARER_" + newJwtToken(TokenSecret), Status: 401, Resp: "no token found\n"},
+		{Name: "invalid bearerx", Authorization: "BEARERx" + newJwtToken(TokenSecret), Status: 401, Resp: "no token found\n"},
+	}
+
+	for _, tc := range tt {
+		h := http.Header{}
+		if tc.Authorization != "" {
+			h.Set("Authorization", tc.Authorization)
+		}
+		status, resp := testRequest(t, ts, "GET", "/", h, nil)
+		if status != tc.Status || resp != tc.Resp {
+			t.Errorf("test '%s' failed: expected Status: %d %q, got %d %q", tc.Name, tc.Status, tc.Resp, status, resp)
+		}
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -268,7 +268,7 @@ func TokenFromCookie(r *http.Request) string {`
`268`	`268`	`func TokenFromHeader(r *http.Request) string {`
`269`	`269`	`// Get token from authorization header.`
`270`	`270`	`bearer := r.Header.Get("Authorization")`
`271`		`- if len(bearer) > 7 && strings.ToUpper(bearer[0:6]) == "BEARER" {`
	`271`	`+ if len(bearer) > 7 && strings.ToUpper(bearer[0:7]) == "BEARER " {`
`272`	`272`	`return bearer[7:]`
`273`	`273`	`}`
`274`	`274`	`return ""`