Skip to content

fix: implement RFC 6750 Section 3.1 compliance for missing authentication #785

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
+23 −8
Open

fix: implement RFC 6750 Section 3.1 compliance for missing authentication #785

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions src/server/auth/errors.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -163,6 +163,13 @@ export class InsufficientScopeError extends OAuthError {
static errorCode = "insufficient_scope";
}

/**
* Missing authentication error - The request lack required authentication information.
*/
export class MissingAuthenticationError extends OAuthError {
static errorCode = "missing_authentication";
}

/**
* A utility class for defining one-off error codes
*/
Expand Down Expand Up @@ -196,4 +203,5 @@ export const OAUTH_ERRORS = {
[TooManyRequestsError.errorCode]: TooManyRequestsError,
[InvalidClientMetadataError.errorCode]: InvalidClientMetadataError,
[InsufficientScopeError.errorCode]: InsufficientScopeError,
[MissingAuthenticationError.errorCode]: MissingAuthenticationError,
} as const;
10 changes: 5 additions & 5 deletions src/server/auth/middleware/bearerAuth.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ describe("requireBearerAuth middleware", () => {
status: jest.fn().mockReturnThis(),
json: jest.fn(),
set: jest.fn().mockReturnThis(),
send: jest.fn(),
};
nextFunction = jest.fn();
jest.spyOn(console, 'error').mockImplementation(() => {});
Expand Down Expand Up @@ -207,14 +208,12 @@ describe("requireBearerAuth middleware", () => {
expect(mockResponse.status).toHaveBeenCalledWith(401);
expect(mockResponse.set).toHaveBeenCalledWith(
"WWW-Authenticate",
expect.stringContaining('Bearer error="invalid_token"')
);
expect(mockResponse.json).toHaveBeenCalledWith(
expect.objectContaining({ error: "invalid_token", error_description: "Missing Authorization header" })
'Bearer realm="protected"'
);
expect(nextFunction).not.toHaveBeenCalled();
});


it("should return 401 when Authorization header format is invalid", async () => {
mockRequest.headers = {
authorization: "InvalidFormat",
Expand Down Expand Up @@ -336,6 +335,7 @@ describe("requireBearerAuth middleware", () => {
expect(nextFunction).not.toHaveBeenCalled();
});


describe("with resourceMetadataUrl", () => {
const resourceMetadataUrl = "https://api.example.com/.well-known/oauth-protected-resource";

Expand All @@ -348,7 +348,7 @@ describe("requireBearerAuth middleware", () => {
expect(mockResponse.status).toHaveBeenCalledWith(401);
expect(mockResponse.set).toHaveBeenCalledWith(
"WWW-Authenticate",
`Bearer error="invalid_token", error_description="Missing Authorization header", resource_metadata="${resourceMetadataUrl}"`
`Bearer realm="protected", resource_metadata="${resourceMetadataUrl}"`
);
expect(nextFunction).not.toHaveBeenCalled();
});
Expand Down
13 changes: 10 additions & 3 deletions src/server/auth/middleware/bearerAuth.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
import { RequestHandler } from "express";
import { InsufficientScopeError, InvalidTokenError, OAuthError, ServerError } from "../errors.js";
import { InsufficientScopeError, InvalidTokenError, MissingAuthenticationError, OAuthError, ServerError } from "../errors.js";
import { OAuthTokenVerifier } from "../provider.js";
import { AuthInfo } from "../types.js";

Expand Down Expand Up @@ -42,7 +42,7 @@ export function requireBearerAuth({ verifier, requiredScopes = [], resourceMetad
try {
const authHeader = req.headers.authorization;
if (!authHeader) {
throw new InvalidTokenError("Missing Authorization header");
throw new MissingAuthenticationError("Missing Authorization header");
}

const [type, token] = authHeader.split(' ');
Expand Down Expand Up @@ -73,7 +73,14 @@ export function requireBearerAuth({ verifier, requiredScopes = [], resourceMetad
req.auth = authInfo;
next();
} catch (error) {
if (error instanceof InvalidTokenError) {
if (error instanceof MissingAuthenticationError) {
// RFC 6750 Section 3.1: Missing authentication should not include error codes
const wwwAuthValue = resourceMetadataUrl
? `Bearer realm="protected", resource_metadata="${resourceMetadataUrl}"`
: `Bearer realm="protected"`;
res.set("WWW-Authenticate", wwwAuthValue);
res.status(401).send();
} else if (error instanceof InvalidTokenError) {
const wwwAuthValue = resourceMetadataUrl
? `Bearer error="${error.errorCode}", error_description="${error.message}", resource_metadata="${resourceMetadataUrl}"`
: `Bearer error="${error.errorCode}", error_description="${error.message}"`;
Expand Down