fix(scheme): make scheme comparison case insensitive (#1562)

char0n · web-flow · commit 79fd3d7fbaee · 2020-06-18T20:01:11.000+02:00
As per RFC7235 auth scheme is case insensitive. 2.1. Challenge and Response HTTP provides a simple challenge-response authentication framework that can be used by a server to challenge a client request and by a client to provide authentication information. It uses a case- insensitive token as a means to identify the authentication scheme, followed by additional information necessary for achieving. https://tools.ietf.org/html/rfc7235#section-2.1 Co-authored-by: Helen Kosova <hkosova@users.noreply.github.com> Refs #1531, #1473 Refs OAI/OpenAPI-Specification#1876 Refs swagger-api/swagger-ui#5965
diff --git a/src/execute/oas3/build-request.js b/src/execute/oas3/build-request.js
@@ -120,14 +120,14 @@ export function applySecurities({request, securities = {}, operation = {}, spec}
           }
         }
         else if (type === 'http') {
-          if (schema.scheme === 'basic') {
+          if (/^basic$/i.test(schema.scheme)) {
             const username = value.username || ''
             const password = value.password || ''
             const encoded = btoa(`${username}:${password}`)
             result.headers.Authorization = `Basic ${encoded}`
           }
 
-          if (schema.scheme === 'bearer') {
+          if (/^bearer$/i.test(schema.scheme)) {
             result.headers.Authorization = `Bearer ${value}`
           }
         }
diff --git a/test/oas3/execute/authorization.js b/test/oas3/execute/authorization.js
@@ -90,6 +90,53 @@ describe('Authorization - OpenAPI Specification 3.0', () => {
           },
         })
       })
+
+      test('should consider scheme to be case insensitive', () => {
+        const spec = {
+          openapi: '3.0.0',
+          components: {
+            securitySchemes: {
+              myBasicAuth: {
+                type: 'http',
+                scheme: 'Basic'
+              }
+            }
+          },
+          paths: {
+            '/': {
+              get: {
+                operationId: 'myOperation',
+                security: [{
+                  myBasicAuth: []
+                }],
+              }
+            }
+          }
+        }
+
+        const req = buildRequest({
+          spec,
+          operationId: 'myOperation',
+          securities: {
+            authorized: {
+              myBasicAuth: {
+                username: 'somebody',
+                password: 'goodpass'
+              }
+            }
+          }
+        })
+
+        expect(req).toEqual({
+          method: 'GET',
+          url: '/',
+          credentials: 'same-origin',
+          headers: {
+            Authorization: `Basic ${btoa('somebody:goodpass')}`
+          },
+        })
+      })
+
       test(
         'should not add credentials to operations without the security requirement',
         () => {
@@ -230,6 +277,53 @@ describe('Authorization - OpenAPI Specification 3.0', () => {
           },
         })
       })
+
+      test('should consider scheme to be case insensitive', () => {
+        const spec = {
+          openapi: '3.0.0',
+          components: {
+            securitySchemes: {
+              myBearerAuth: {
+                type: 'http',
+                scheme: 'Bearer'
+              }
+            }
+          },
+          paths: {
+            '/': {
+              get: {
+                operationId: 'myOperation',
+                security: [{
+                  myBearerAuth: []
+                }]
+              }
+            }
+          }
+        }
+
+        // when
+        const req = buildRequest({
+          spec,
+          operationId: 'myOperation',
+          securities: {
+            authorized: {
+              myBearerAuth: {
+                value: 'Asdf1234'
+              }
+            }
+          }
+        })
+
+        expect(req).toEqual({
+          method: 'GET',
+          url: '/',
+          credentials: 'same-origin',
+          headers: {
+            Authorization: 'Bearer Asdf1234'
+          },
+        })
+      })
+
       test(
         'should not add credentials to operations without the security requirement',
         () => {

Original file line number	Diff line number	Diff line change
`@@ -120,14 +120,14 @@ export function applySecurities({request, securities = {}, operation = {}, spec}`
`120`	`120`	`}`
`121`	`121`	`}`
`122`	`122`	`else if (type === 'http') {`
`123`		`- if (schema.scheme === 'basic') {`
	`123`	`+ if (/^basic$/i.test(schema.scheme)) {`
`124`	`124`	`const username = value.username \|\| ''`
`125`	`125`	`const password = value.password \|\| ''`
`126`	`126`	const encoded = btoa(`${username}:${password}`)
`127`	`127`	result.headers.Authorization = `Basic ${encoded}`
`128`	`128`	`}`
`129`	`129`
`130`		`- if (schema.scheme === 'bearer') {`
	`130`	`+ if (/^bearer$/i.test(schema.scheme)) {`
`131`	`131`	result.headers.Authorization = `Bearer ${value}`
`132`	`132`	`}`
`133`	`133`	`}`