hazza/DSpace
1
0
Fork 0
mirror of https://github.com/DSpace/DSpace.git synced 2025-10-07 01:54:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Ensure "Bearer " prefix always removed from Authorization header

Browse Source
This commit is contained in:
Tim Donohue
2021-11-09 15:04:05 -06:00
parent 083539754b
commit b4249dbc0d
1 changed files with 11 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
dspace-server-webapp/src/test/java/org/dspace/app/rest/AuthenticationRestControllerIT.java
View File

@@ -231,7 +231,7 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
// Verify the Auth cookie has been destroyed
.andExpect(cookie().value(AUTHORIZATION_COOKIE, ""))
// Verify token is now sent back in the Authorization header as the Bearer token
.andExpect(header().string(AUTHORIZATION_HEADER, "Bearer " + token))
.andExpect(header().string(AUTHORIZATION_HEADER, AUTHORIZATION_TYPE + token))
// Verify that the CSRF token has been changed
// (as both cookie and header should be sent back)
.andExpect(cookie().exists("DSPACE-XSRF-COOKIE"))
@@ -276,9 +276,6 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
// Login via password to retrieve a valid token
String token = getAuthToken(eperson.getEmail(), password);
// Remove "Bearer " from that token, so that we are left with the token itself
token = token.replace("Bearer ", "");
// Fake the creation of an auth cookie, just for testing. (Currently, it's not possible to create an auth cookie
// via Password auth, but this test proves it would work if enabled)
Cookie authCookie = new Cookie(AUTHORIZATION_COOKIE, token);
@@ -306,7 +303,7 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
// Verify the Auth cookie has been destroyed
.andExpect(cookie().value(AUTHORIZATION_COOKIE, ""))
// Verify token is now sent back in the Authorization header
.andExpect(header().string(AUTHORIZATION_HEADER, "Bearer " + token))
.andExpect(header().string(AUTHORIZATION_HEADER, AUTHORIZATION_TYPE + token))
// Verify that the CSRF token has been changed
// (as both cookie and header should be sent back)
.andExpect(cookie().exists("DSPACE-XSRF-COOKIE"))
@@ -506,7 +503,8 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
.andExpect(cookie().value("DSPACE-XSRF-COOKIE", ""))
// CSRF Tokens generated by Spring Security are UUIDs
.andExpect(header().string("DSPACE-XSRF-TOKEN", matchesPattern(REGEX_UUID)))
.andReturn().getResponse().getHeader(AUTHORIZATION_HEADER);
.andReturn().getResponse()
.getHeader(AUTHORIZATION_HEADER).replace(AUTHORIZATION_TYPE, "");
assertNotEquals(token, newToken);
@@ -529,9 +527,6 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
// Login via password to retrieve a valid token
String token = getAuthToken(eperson.getEmail(), password);
// Remove "Bearer " from that token, so that we are left with the token itself
token = token.replace("Bearer ", "");
// Save token to an Authorization cookie
Cookie[] cookies = new Cookie[1];
cookies[0] = new Cookie(AUTHORIZATION_COOKIE, token);
@@ -565,7 +560,8 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
// (as both cookie and header should be sent back)
.andExpect(cookie().exists("DSPACE-XSRF-COOKIE"))
.andExpect(header().exists("DSPACE-XSRF-TOKEN"))
.andReturn().getResponse().getHeader("Authorization");
.andReturn().getResponse()
.getHeader(AUTHORIZATION_HEADER).replace(AUTHORIZATION_TYPE, "");
//Logout
getClient(token).perform(post("/api/authn/logout"))
@@ -850,7 +846,7 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
.requestAttr("SHIB-MAIL", eperson.getEmail())
.requestAttr("SHIB-SCOPED-AFFILIATION", "faculty;staff"))
.andExpect(status().isOk())
.andReturn().getResponse().getHeader(AUTHORIZATION_HEADER);
.andReturn().getResponse().getHeader(AUTHORIZATION_HEADER).replace(AUTHORIZATION_TYPE, "");
getClient(token).perform(get("/api/authn/status").param("projection", "full"))
.andExpect(status().isOk())
@@ -891,7 +887,7 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
.with(ip("123.123.123.123"))
.header("SHIB-MAIL", eperson.getEmail()))
.andExpect(status().isOk())
.andReturn().getResponse().getHeader(AUTHORIZATION_HEADER);
.andReturn().getResponse().getHeader(AUTHORIZATION_HEADER).replace(AUTHORIZATION_TYPE, "");
getClient(token).perform(get("/api/authn/status").param("projection", "full")
.with(ip("123.123.123.123")))
@@ -911,7 +907,7 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
.with(ip("234.234.234.234"))
.header("SHIB-MAIL", eperson.getEmail()))
.andExpect(status().isOk())
.andReturn().getResponse().getHeader(AUTHORIZATION_HEADER);
.andReturn().getResponse().getHeader(AUTHORIZATION_HEADER).replace(AUTHORIZATION_TYPE, "");
getClient(token).perform(get("/api/authn/status").param("projection", "full")
.with(ip("234.234.234.234")))
@@ -972,7 +968,7 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
.requestAttr("SHIB-MAIL", eperson.getEmail())
.requestAttr("SHIB-SCOPED-AFFILIATION", "faculty;staff"))
.andExpect(status().isOk())
.andReturn().getResponse().getHeader(AUTHORIZATION_HEADER).replace("Bearer ", "");
.andReturn().getResponse().getHeader(AUTHORIZATION_HEADER).replace(AUTHORIZATION_TYPE, "");
//Check if we have a valid token
getClient(token).perform(get("/api/authn/status"))
@@ -1064,7 +1060,7 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
.requestAttr("SHIB-MAIL", eperson.getEmail())
.requestAttr("SHIB-SCOPED-AFFILIATION", "faculty;staff"))
.andExpect(status().isOk())
.andReturn().getResponse().getHeader(AUTHORIZATION_HEADER);
.andReturn().getResponse().getHeader(AUTHORIZATION_HEADER).replace(AUTHORIZATION_TYPE, "");
//Logout
getClient(token).perform(post("/api/authn/logout"))