fix: add cookie support for HTTP bearer authentication (#949)

SeokHoChoi · web-flow · commit 79424b26137f · 2024-10-26T15:30:11.000-04:00
* fix: add cookie support for HTTP bearer authentication

- Updated validateHttp() to handle bearer tokens in both authorization header and cookies.
- Adapted logic to ensure flexibility for projects using HTTP-only cookies instead of headers for authentication.

* fix: Refine HTTP authentication validation based on code review feedback

- Maintain existing error for missing Authorization header
- Add specific error for cookie authentication when specified in security scheme
- Consider both Authorization header and cookie for bearer token validation

* fix: Revert unintended code style changes made during previous commit

* fix: Revert unintended code style changes made during previous commit

* fix: fix: update validateHttp to handle missing auth headers properly

- Restructure Basic auth validation to check header existence first
- Maintain original error messages for non-cookie authentication
- Add proper cookie authentication check when specified
- Fix undefined.includes() error in Basic auth validation
diff --git a/src/middlewares/openapi.security.ts b/src/middlewares/openapi.security.ts
@@ -86,8 +86,8 @@ export function security(
       if (success) {
         next();
       } else {
-        const errors = extractErrorsFromResults(results)
-        throw errors[0]
+        const errors = extractErrorsFromResults(results);
+        throw errors[0];
       }
     } catch (e) {
       const message = e?.error?.message || 'unauthorized';
@@ -232,18 +232,31 @@ class AuthValidator {
       const authHeader =
         req.headers['authorization'] &&
         req.headers['authorization'].toLowerCase();
-
-      if (!authHeader) {
-        throw Error(`Authorization header required`);
-      }
-
+      const authCookie =
+        req.cookies[scheme.name] || req.signedCookies?.[scheme.name];
+  
       const type = scheme.scheme && scheme.scheme.toLowerCase();
-      if (type === 'bearer' && !authHeader.includes('bearer')) {
-        throw Error(`Authorization header with scheme 'Bearer' required`);
+      if (type === 'bearer') {
+        if (authHeader && !authHeader.includes('bearer')) {
+          throw Error(`Authorization header with scheme 'Bearer' required`);
+        }
+        
+        if (!authHeader && !authCookie) {
+          if (scheme.in === 'cookie') {
+            throw Error(`Cookie authentication required`);
+          } else {
+            throw Error(`Authorization header required`);
+          }
+        }
       }
-
-      if (type === 'basic' && !authHeader.includes('basic')) {
-        throw Error(`Authorization header with scheme 'Basic' required`);
+  
+      if (type === 'basic') {
+        if (!authHeader) {
+          throw Error(`Authorization header required`);
+        }
+        if (!authHeader.includes('basic')) {
+          throw Error(`Authorization header with scheme 'Basic' required`);
+        }
       }
     }
   }
@@ -276,4 +289,4 @@ class Util {
       o.constructor === Object
     );
   }
-}
+}
