Trailing slash bypasses authentication

[rmsmith251]

Bug Description

I tried to see if this was mentioned anywhere but I didn't see any currently open issues regarding this.

Issue

Adding a trailing slash to the endpoint (i.e. /auth/ vs /auth) in the request will bypass the authentication step.

Expected

I would expect that the request would fail to authorize like the request with no slash.

I don't know the code enough to find what is causing this but I'm still searching and I'll update here if I find it.

Steps to Reproduce

Code

This sample is taken straight from the docs but I found this while working on my own API.

from robyn import Request, Robyn
from robyn.authentication import AuthenticationHandler, BearerGetter, Identity

app = Robyn(__file__)


class BasicAuthHandler(AuthenticationHandler):
    def authenticate(self, request: Request) -> Identity | None:
        token = self.token_getter.get_token(request)
        if token == "valid":
            return Identity(claims={})
        return None


app.configure_authentication(BasicAuthHandler(token_getter=BearerGetter()))


@app.get("/auth", auth_required=True)
async def auth(request: Request):
    # This route method will only be executed if the user is authenticated
    # Otherwise, a 401 response will be returned
    return "Hello, world"


if __name__ == "__main__":
    app.start(host="0.0.0.0", port=8080)

Tests

$ curl -X GET 0.0.0.0:8080/auth
Unauthorized
$  curl -X GET 0.0.0.0:8080/auth/
Hello, world

>>> requests.get("http://0.0.0.0:8080/auth").text
'Unauthorized'
>>> requests.get("http://0.0.0.0:8080/auth/").text
'Hello, world'

Your operating system

Linux

Your Python version (python --version)

Other (specify below)

Your Robyn version

latest

Additional Info

Python version: 3.10.18
Robyn version: 0.72.1

The dropdown has Python 3.1 where I'd expect 3.10.

[sansyrox]

This is not good. Thanks for raising this @rmsmith251

[rmsmith251]

Just an update for those that might want a workaround: I've been using the following code at the top of my endpoint functions to reject requests that didn't authenticate. It's not ideal since I have to put it on every function but it works for now.

if request.identity is None:
    return Response(
        status_code=401,
        headers=request.headers,
        description="Unauthorized",
    )

[thePromger]

@sansyrox

This is not good. Thanks for raising this @rmsmith251

I got something, can you do check is it useful? can it help us in standardizing the routing system? and helps us in future bugs related to routing?

can we just use 4-10char random uuid and map it with each unique endpoint with having all the important info in hashmap like endpoint/path, httpmethod supported, etc, etc info with it
and we do this initial check in starting and later on, that hash key + route, request matched with(not the actual route received from request, in cases where endpoint is regex based) just for logic processing cases,
and then it will be passed to further processing and if any method/function needs the data then they can fetch from that hashmap.

• we can even add nested route inside the hashmap too, like this

#we have /auth/users/system, /auth/users/admin, etc, etc
we can put endpoints in hashmap in nested way like this:
/auth includes /users and /users include system and admin as nested endpoints

this can help us in finding the route in more cleaner way

[thePromger]

@sansyrox

I have some more changes around routing, do I need to create separate PR for it or can i push it in just single one with this issue fix?