fix issue with "Bearer" being removed from header (#106)

TeslaGov · Aug 10, 2023 · 2eaf11c · 2eaf11c
1 parent a23ed3c
commit 2eaf11c
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 5 deletions.
diff --git a/src/ngx_http_auth_jwt_module.c b/src/ngx_http_auth_jwt_module.c
@@ -612,7 +612,6 @@ static ngx_int_t load_public_key(ngx_conf_t *cf, auth_jwt_conf_t *conf)
 static char *get_jwt(ngx_http_request_t *r, ngx_str_t jwt_location)
 {
   static const char *HEADER_PREFIX = "HEADER=";
-  static const char *BEARER_PREFIX = "Bearer ";
   static const char *COOKIE_PREFIX = "COOKIE=";
   char *jwtPtr = NULL;
 
@@ -629,13 +628,21 @@ static char *get_jwt(ngx_http_request_t *r, ngx_str_t jwt_location)
 
     if (jwtHeaderVal != NULL)
     {
+      static const char *BEARER_PREFIX = "Bearer ";
+
       if (ngx_strncmp(jwtHeaderVal->value.data, BEARER_PREFIX, sizeof(BEARER_PREFIX) - 1) == 0)
       {
-        jwtHeaderVal->value.data += sizeof(BEARER_PREFIX) - 1;
-        jwtHeaderVal->value.len -= sizeof(BEARER_PREFIX) - 1;
-      }
+        ngx_str_t jwtHeaderValWithoutBearer = jwtHeaderVal->value;
+
+        jwtHeaderValWithoutBearer.data += sizeof(BEARER_PREFIX) - 1;
+        jwtHeaderValWithoutBearer.len -= sizeof(BEARER_PREFIX) - 1;
 
-      jwtPtr = ngx_str_t_to_char_ptr(r->pool, jwtHeaderVal->value);
+        jwtPtr = ngx_str_t_to_char_ptr(r->pool, jwtHeaderValWithoutBearer);
+      }
+      else
+      {
+        jwtPtr = ngx_str_t_to_char_ptr(r->pool, jwtHeaderVal->value);
+      }
     }
   }
   else if (jwt_location.len > sizeof(COOKIE_PREFIX) && ngx_strncmp(jwt_location.data, COOKIE_PREFIX, sizeof(COOKIE_PREFIX) - 1) == 0)

diff --git a/test/etc/nginx/conf.d/test.conf b/test/etc/nginx/conf.d/test.conf
@@ -90,6 +90,17 @@ server {
         try_files index.html =404;
     }
 
+    location /secure/auth-header/default/proxy-header {
+        auth_jwt_enabled on;
+        auth_jwt_redirect off;
+        auth_jwt_location HEADER=Authorization;
+
+        add_header "Test-Authorization" "$http_authorization";
+
+        alias /usr/share/nginx/html/;
+        try_files index.html =404;
+    }
+
     location /secure/auth-header/rs256 {
         auth_jwt_enabled on;
         auth_jwt_redirect on;

diff --git a/test/test.sh b/test/test.sh
@@ -119,6 +119,12 @@ main() {
            -c '200' \
            -x "--header \"Authorization: Bearer ${JWT_HS256_VALID}\""
 
+  run_test -n 'when auth enabled with Authorization header with Bearer, should keep header intact' \
+           -p '/secure/auth-header/default/proxy-header' \
+           -c '200' \
+           -r "< Test-Authorization: Bearer ${JWT_HS256_VALID}" \
+           -x "--header \"Authorization: Bearer ${JWT_HS256_VALID}\""
+
   run_test -n 'when auth enabled with default algorithm and no JWT cookie, returns 302' \
            -p '/secure/cookie/default' \
            -c '302'