thermokarst/jwt
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fixed panic issue

Browse source 
When verifying a token from a malformed Authorization header, values
without a space would cause a panic. Thanks to
https://www.reddit.com/user/gohacker for pointing out this problem!
This commit is contained in:
Matthew Ryan Dillon 2016-02-18 06:15:17 -07:00
parent 9d3638db60
commit fa924c2198
2 changed files with 18 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
jwt.go
View file

@ -107,7 +107,11 @@ func (m *Middleware) Secure(h http.Handler, v VerifyClaimsFunc) http.Handler {
return &jwtError{status: http.StatusUnauthorized, err: ErrMissingToken} return &jwtError{status: http.StatusUnauthorized, err: ErrMissingToken}
} }
} else { } else {
token = strings.Split(authHeader, " ")[1] token_parts := strings.Split(authHeader, " ")
if len(token_parts) != 2 {
return &jwtError{status: http.StatusUnauthorized, err: ErrMalformedToken}
}
token = token_parts[1]
} }
if status, err, message := m.VerifyToken(token, v, r); err != nil { if status, err, message := m.VerifyToken(token, v, r); err != nil {

13
jwt_test.go
View file

@ -232,3 +232,16 @@ func TestGenerateTokenHandlerNotPOST(t *testing.T) {
t.Errorf("wanted %q, got %q", ErrInvalidMethod.Error(), body) t.Errorf("wanted %q, got %q", ErrInvalidMethod.Error(), body)
} }
} }
func TestMalformedAuthorizationHeader(t *testing.T) {
_, middleware := newToken(t)
token := "hello!"
resp := httptest.NewRecorder()
req, _ := http.NewRequest("GET", "http://example.com", nil)
req.Header.Set("Authorization", token) // No "Bearer " portion of header
middleware.Secure(testHandler, verifyClaimsFunc).ServeHTTP(resp, req)
body := strings.TrimSpace(resp.Body.String())
if body != ErrMalformedToken.Error() {
t.Errorf("wanted %q, got %q", ErrMalformedToken.Error(), body)
}
}