allow bearer and other types of authorization in default handler

lib/AuthHandler.ts

@@ -37,8 +37,12 @@ class AuthRequest {
   public is_basic: boolean;
   public user: string;
   public password: string;
+
+  public is_bearer: boolean;
+  public token?: string;
   public token_data?: unknown;
   public token_id?: string;
+
   public body: string;
 
   private _cookie_name?: string;
@@ -53,6 +57,7 @@ class AuthRequest {
     this.response = res;
     this.body = body;
     this.is_basic = false;
+    this.is_bearer = false;
     this.user = '';
     this.password = '';
     this._cookie_name = cookie;
@@ -180,7 +185,7 @@ export default function create_auth_handler (
       .exec (req.headers.authorization as string);
 
     if (token === null) {
-      request.deny ();
+      request.invalid ('missing authorization header');
       return Promise.resolve ();
     }
 
@@ -197,12 +202,14 @@ export default function create_auth_handler (
       return default_handler (request);
     }
 
-    const token_data = auth.verify (token?.groups?.token as string);
+    if ((/Bearer/ui).test (token?.groups?.type as string)) {
+      request.is_bearer = true;
+      request.token = token?.groups?.token;
 
-    if (!token_data.valid) {
-      request.deny ();
-      return Promise.resolve ();
-    }
+      const token_data = auth.verify (request.token as string);
+
+      if (!token_data.valid)
+        return default_handler (request);
 
       request.token_data = token_data.data;
       request.token_id = token_data.id;
@@ -228,6 +235,9 @@ export default function create_auth_handler (
 
       request.invalid ('invalid bearer type');
       return Promise.resolve ();
+    }
+
+    return default_handler (request);
   };
 }
 

test/spec/AuthHandler.ts

@@ -49,8 +49,11 @@ describe ('auth handler', () => {
   let server: http.Server|null = null;
   beforeAll (() => {
     const ah = create_auth_handler ((req) => {
-      if (!req.is_basic) {
-        req.invalid ('unknown autorization type');
+      if (!req.is_basic && !req.is_bearer) {
+        req.invalid ('unknown authorization type');
+      }
+      else if (req.is_bearer) {
+        req.deny ();
       }
       else if (req.user === 'foo' && req.password === 'bar') {
         req.allow_access ({
@@ -170,10 +173,13 @@ describe ('auth handler', () => {
   it ('should reject invalid requests', async () => {
     const resp1 = await get ();
     expect (resp1.statusCode)
-      .toEqual (401);
+      .toEqual (400);
     const res1 = check_headers (resp1);
     expect (res1.data)
-      .toEqual ({ error: 'invalid_client' });
+      .toEqual ({
+        error:             'invalid_request',
+        error_description: 'missing authorization header'
+      });
 
     const resp2a = await get ({ authorization: 'Basic foo:bar' });
     const res2a = check_headers (resp2a);
@@ -237,6 +243,17 @@ describe ('auth handler', () => {
     expect (res2.rt).not.toEqual (res1.rt);
   });
 
+  it ('should handle any authorization type', async () => {
+    const resp = await get ({ authorization: 'Foo asdefg' });
+    expect (resp.statusCode)
+      .toEqual (400);
+    expect (JSON.parse (resp.body as string))
+      .toEqual ({
+        error:             'invalid_request',
+        error_description: 'unknown authorization type'
+      });
+  });
+
   afterAll (() => {
     if (server === null)
       throw new Error ('server is null');