hazza/DSpace
1
0
Fork 0
mirror of https://github.com/DSpace/DSpace.git synced 2025-10-08 10:34:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Ensure "Bearer " prefix always removed from Authorization header

Browse Source
This commit is contained in:
Tim Donohue
2021-11-09 15:04:05 -06:00
parent 083539754b
commit b4249dbc0d
1 changed files with 11 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
dspace-server-webapp/src/test/java/org/dspace/app/rest/AuthenticationRestControllerIT.java
View File

@@ -231,7 +231,7 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
// Verify the Auth cookie has been destroyed // Verify the Auth cookie has been destroyed
.andExpect(cookie().value(AUTHORIZATION_COOKIE, "")) .andExpect(cookie().value(AUTHORIZATION_COOKIE, ""))
// Verify token is now sent back in the Authorization header as the Bearer token // Verify token is now sent back in the Authorization header as the Bearer token
.andExpect(header().string(AUTHORIZATION_HEADER, "Bearer " + token)) .andExpect(header().string(AUTHORIZATION_HEADER, AUTHORIZATION_TYPE + token))
// Verify that the CSRF token has been changed // Verify that the CSRF token has been changed
// (as both cookie and header should be sent back) // (as both cookie and header should be sent back)
.andExpect(cookie().exists("DSPACE-XSRF-COOKIE")) .andExpect(cookie().exists("DSPACE-XSRF-COOKIE"))
@@ -276,9 +276,6 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
// Login via password to retrieve a valid token // Login via password to retrieve a valid token
String token = getAuthToken(eperson.getEmail(), password); String token = getAuthToken(eperson.getEmail(), password);
// Remove "Bearer " from that token, so that we are left with the token itself
token = token.replace("Bearer ", "");
// Fake the creation of an auth cookie, just for testing. (Currently, it's not possible to create an auth cookie // Fake the creation of an auth cookie, just for testing. (Currently, it's not possible to create an auth cookie
// via Password auth, but this test proves it would work if enabled) // via Password auth, but this test proves it would work if enabled)
Cookie authCookie = new Cookie(AUTHORIZATION_COOKIE, token); Cookie authCookie = new Cookie(AUTHORIZATION_COOKIE, token);
@@ -306,7 +303,7 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
// Verify the Auth cookie has been destroyed // Verify the Auth cookie has been destroyed
.andExpect(cookie().value(AUTHORIZATION_COOKIE, "")) .andExpect(cookie().value(AUTHORIZATION_COOKIE, ""))
// Verify token is now sent back in the Authorization header // Verify token is now sent back in the Authorization header
.andExpect(header().string(AUTHORIZATION_HEADER, "Bearer " + token)) .andExpect(header().string(AUTHORIZATION_HEADER, AUTHORIZATION_TYPE + token))
// Verify that the CSRF token has been changed // Verify that the CSRF token has been changed
// (as both cookie and header should be sent back) // (as both cookie and header should be sent back)
.andExpect(cookie().exists("DSPACE-XSRF-COOKIE")) .andExpect(cookie().exists("DSPACE-XSRF-COOKIE"))
@@ -506,7 +503,8 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
.andExpect(cookie().value("DSPACE-XSRF-COOKIE", "")) .andExpect(cookie().value("DSPACE-XSRF-COOKIE", ""))
// CSRF Tokens generated by Spring Security are UUIDs // CSRF Tokens generated by Spring Security are UUIDs
.andExpect(header().string("DSPACE-XSRF-TOKEN", matchesPattern(REGEX_UUID))) .andExpect(header().string("DSPACE-XSRF-TOKEN", matchesPattern(REGEX_UUID)))
.andReturn().getResponse().getHeader(AUTHORIZATION_HEADER); .andReturn().getResponse()
.getHeader(AUTHORIZATION_HEADER).replace(AUTHORIZATION_TYPE, "");
assertNotEquals(token, newToken); assertNotEquals(token, newToken);
@@ -529,9 +527,6 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
// Login via password to retrieve a valid token // Login via password to retrieve a valid token
String token = getAuthToken(eperson.getEmail(), password); String token = getAuthToken(eperson.getEmail(), password);
// Remove "Bearer " from that token, so that we are left with the token itself
token = token.replace("Bearer ", "");
// Save token to an Authorization cookie // Save token to an Authorization cookie
Cookie[] cookies = new Cookie[1]; Cookie[] cookies = new Cookie[1];
cookies[0] = new Cookie(AUTHORIZATION_COOKIE, token); cookies[0] = new Cookie(AUTHORIZATION_COOKIE, token);
@@ -565,7 +560,8 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
// (as both cookie and header should be sent back) // (as both cookie and header should be sent back)
.andExpect(cookie().exists("DSPACE-XSRF-COOKIE")) .andExpect(cookie().exists("DSPACE-XSRF-COOKIE"))
.andExpect(header().exists("DSPACE-XSRF-TOKEN")) .andExpect(header().exists("DSPACE-XSRF-TOKEN"))
.andReturn().getResponse().getHeader("Authorization"); .andReturn().getResponse()
.getHeader(AUTHORIZATION_HEADER).replace(AUTHORIZATION_TYPE, "");
//Logout //Logout
getClient(token).perform(post("/api/authn/logout")) getClient(token).perform(post("/api/authn/logout"))
@@ -850,7 +846,7 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
.requestAttr("SHIB-MAIL", eperson.getEmail()) .requestAttr("SHIB-MAIL", eperson.getEmail())
.requestAttr("SHIB-SCOPED-AFFILIATION", "faculty;staff")) .requestAttr("SHIB-SCOPED-AFFILIATION", "faculty;staff"))
.andExpect(status().isOk()) .andExpect(status().isOk())
.andReturn().getResponse().getHeader(AUTHORIZATION_HEADER); .andReturn().getResponse().getHeader(AUTHORIZATION_HEADER).replace(AUTHORIZATION_TYPE, "");
getClient(token).perform(get("/api/authn/status").param("projection", "full")) getClient(token).perform(get("/api/authn/status").param("projection", "full"))
.andExpect(status().isOk()) .andExpect(status().isOk())
@@ -891,7 +887,7 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
.with(ip("123.123.123.123")) .with(ip("123.123.123.123"))
.header("SHIB-MAIL", eperson.getEmail())) .header("SHIB-MAIL", eperson.getEmail()))
.andExpect(status().isOk()) .andExpect(status().isOk())
.andReturn().getResponse().getHeader(AUTHORIZATION_HEADER); .andReturn().getResponse().getHeader(AUTHORIZATION_HEADER).replace(AUTHORIZATION_TYPE, "");
getClient(token).perform(get("/api/authn/status").param("projection", "full") getClient(token).perform(get("/api/authn/status").param("projection", "full")
.with(ip("123.123.123.123"))) .with(ip("123.123.123.123")))
@@ -911,7 +907,7 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
.with(ip("234.234.234.234")) .with(ip("234.234.234.234"))
.header("SHIB-MAIL", eperson.getEmail())) .header("SHIB-MAIL", eperson.getEmail()))
.andExpect(status().isOk()) .andExpect(status().isOk())
.andReturn().getResponse().getHeader(AUTHORIZATION_HEADER); .andReturn().getResponse().getHeader(AUTHORIZATION_HEADER).replace(AUTHORIZATION_TYPE, "");
getClient(token).perform(get("/api/authn/status").param("projection", "full") getClient(token).perform(get("/api/authn/status").param("projection", "full")
.with(ip("234.234.234.234"))) .with(ip("234.234.234.234")))
@@ -972,7 +968,7 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
.requestAttr("SHIB-MAIL", eperson.getEmail()) .requestAttr("SHIB-MAIL", eperson.getEmail())
.requestAttr("SHIB-SCOPED-AFFILIATION", "faculty;staff")) .requestAttr("SHIB-SCOPED-AFFILIATION", "faculty;staff"))
.andExpect(status().isOk()) .andExpect(status().isOk())
.andReturn().getResponse().getHeader(AUTHORIZATION_HEADER).replace("Bearer ", ""); .andReturn().getResponse().getHeader(AUTHORIZATION_HEADER).replace(AUTHORIZATION_TYPE, "");
//Check if we have a valid token //Check if we have a valid token
getClient(token).perform(get("/api/authn/status")) getClient(token).perform(get("/api/authn/status"))
@@ -1064,7 +1060,7 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
.requestAttr("SHIB-MAIL", eperson.getEmail()) .requestAttr("SHIB-MAIL", eperson.getEmail())
.requestAttr("SHIB-SCOPED-AFFILIATION", "faculty;staff")) .requestAttr("SHIB-SCOPED-AFFILIATION", "faculty;staff"))
.andExpect(status().isOk()) .andExpect(status().isOk())
.andReturn().getResponse().getHeader(AUTHORIZATION_HEADER); .andReturn().getResponse().getHeader(AUTHORIZATION_HEADER).replace(AUTHORIZATION_TYPE, "");
//Logout //Logout
getClient(token).perform(post("/api/authn/logout")) getClient(token).perform(post("/api/authn/logout"))