feat: send only valid JWT in Authorization header

Author: Guilherme Souza

Sources/Auth/Internal/Helpers.swift

@@ -28,14 +28,14 @@ func extractParams(from url: URL) -> [String: String] {
 private func extractParams(from fragment: String) -> [URLQueryItem] {
   let components =
     fragment
-      .split(separator: "&")
-      .map { $0.split(separator: "=") }
+    .split(separator: "&")
+    .map { $0.split(separator: "=") }
 
   return
     components
-      .compactMap {
-        $0.count == 2
-          ? URLQueryItem(name: String($0[0]), value: String($0[1]))
-          : nil
-      }
+    .compactMap {
+      $0.count == 2
+        ? URLQueryItem(name: String($0[0]), value: String($0[1]))
+        : nil
+    }
 }

Sources/Supabase/Helpers.swift

@@ -0,0 +1,60 @@
+import Foundation
+import HTTPTypes
+import IssueReporting
+
+let base64UrlRegex = try! NSRegularExpression(
+  pattern: "^([a-z0-9_-]{4})*($|[a-z0-9_-]{3}$|[a-z0-9_-]{2}$)", options: .caseInsensitive)
+
+/// Checks that the value somewhat looks like a JWT, does not do any additional parsing or verification.
+func isJWT(_ value: String) -> Bool {
+  var token = value
+
+  if token.hasPrefix("Bearer ") {
+    token = String(token.dropFirst("Bearer ".count))
+  }
+
+  token = token.trimmingCharacters(in: .whitespacesAndNewlines)
+
+  guard !token.isEmpty else {
+    return false
+  }
+
+  let parts = token.split(separator: ".")
+
+  guard parts.count == 3 else {
+    return false
+  }
+
+  for part in parts {
+    if part.count < 4 || !isBase64Url(String(part)) {
+      return false
+    }
+  }
+
+  return true
+}
+
+func isBase64Url(_ value: String) -> Bool {
+  let range = NSRange(location: 0, length: value.utf16.count)
+  return base64UrlRegex.firstMatch(in: value, options: [], range: range) != nil
+}
+
+func checkAuthorizationHeader(
+  _ headers: HTTPFields,
+  fileID: StaticString = #fileID,
+  filePath: StaticString = #filePath,
+  line: UInt = #line,
+  column: UInt = #column
+) {
+  guard let authorization = headers[.authorization] else { return }
+
+  if !isJWT(authorization) {
+    reportIssue(
+      "Authorization header does not contain a JWT",
+      fileID: fileID,
+      filePath: filePath,
+      line: line,
+      column: column
+    )
+  }
+}

Sources/Supabase/SupabaseClient.swift

@@ -170,6 +170,8 @@ public final class SupabaseClient: Sendable {
     ])
     .merging(with: HTTPFields(options.global.headers))
 
+    checkAuthorizationHeader(_headers)
+
     // default storage key uses the supabase project ref as a namespace
     let defaultStorageKey = "sb-\(supabaseURL.host!.split(separator: ".")[0])-auth-token"
 
@@ -351,7 +353,7 @@ public final class SupabaseClient: Sendable {
     let token = try? await _getAccessToken()
 
     var request = request
-    if let token {
+    if let token, isJWT(token), request.value(forHTTPHeaderField: "Authorization") == nil {
       request.setValue("Bearer \(token)", forHTTPHeaderField: "Authorization")
     }
     return request

Tests/SupabaseTests/HelpersTests.swift

@@ -0,0 +1,17 @@
+@testable import Supabase
+import XCTest
+
+final class HeleperTests: XCTestCase {
+  func testIsJWT() {
+    XCTAssertTrue(isJWT("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"))
+    XCTAssertTrue(isJWT("Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"))
+    XCTAssertFalse(isJWT("invalid.token.format"))
+    XCTAssertFalse(isJWT("part1.part2.part3.part4"))
+    XCTAssertFalse(isJWT("part1.part2"))
+    XCTAssertFalse(isJWT(".."))
+    XCTAssertFalse(isJWT("a.a.a"))
+    XCTAssertFalse(isJWT("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.*&@!.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"))
+    XCTAssertFalse(isJWT(""))
+    XCTAssertFalse(isJWT("Bearer "))
+  }
+}