The type of `token_type` is 'bearer', but at runtime the value is `Bearer`
wlinna opened this issue · 4 comments
Prerequisites
- I have written a descriptive issue title
- I have searched existing issues to ensure the bug has not already been reported
Fastify version
4.15
Plugin version
7.0.1
Node.js version
18
Operating system
Linux
Operating system version (i.e. 20.04, 11.3, 10)
22.04
Description
According to the types, the type of `Token.token_type` is `'bearer'`. However, at runtime the value is actually `'Bearer'`.

I'm not sure where the current value `'bearer'` comes from, or what it should be. Maybe on the systems that you have preconfigured the value is `'bearer'`. However, on Auth0, the value is `'Bearer'`.
Steps to Reproduce
Configuration code:

- Configure oauthPlugin

```js
fastify.register(oauthPlugin, {
  name: 'auth0',
  credentials: {
    client: {
      id: fastify.config.CLIENT_ID,
      secret: fastify.config.CLIENT_SECRET,
    },
    auth: {
      authorizeHost: fastify.config.AUTH0_BASE_URL,
      authorizePath: '/authorize',
      tokenHost: fastify.config.AUTH0_BASE_URL,
      tokenPath: '/oauth/token',
    },
  },
  // Request Credits API to be added as an audience for the user access token
  callbackUriParams: {
    audience: fastify.config.CREDITS_API_ID,
  },
  scope: 'openid profile email read:credits write:credits',
  code: 'code',
  // This route starts the Auth0 authorization redirect flow
  startRedirectPath: new URL(fastify.config.CLIENT_LOGIN_URI).pathname,
  // User is redirected to this URL after login in Auth0
  callbackUri: new URL(fastify.config.CLIENT_CALLBACK_URI).href,
});
```
- At the callback handler I have this code, which works correctly

```js
const { token } = await this.auth0.getAccessTokenFromAuthorizationCodeFlow(request);
// Verify received tokens before using them
if (token.token_type !== 'Bearer') {
  reply.code(400);
  return 'Invalid authorization';
}
```
- TypeScript complains:

```
This comparison appears to be unintentional because the types '"bearer"' and '"Bearer"' have no overlap.
```

However, when I debug the code, I can see that the value is `'Bearer'`, not `'bearer'`.
Expected Behavior
TypeScript shouldn't complain about comparisons to `'Bearer'`.

OR

The value should be lowercased to `'bearer'`. Unfortunately, changing this now would break backwards compatibility for those who already depend on the value being `'Bearer'`.
Thanks for reporting! Would you like to send a Pull Request to address this issue? Remember to add unit tests.
I think we could just add a union of `'Bearer'` too in fastify-oauth2/types/index.d.ts, Line 35 in 53e30b4.
FYI, the spec calls for `Bearer` specifically.
Where actually? AFAIK it says case insensitive.

https://www.rfc-editor.org/rfc/rfc6750#section-2.1

> When sending the access token in the "Authorization" request header field defined by HTTP/1.1 [RFC2617], the client uses the "Bearer" authentication scheme to transmit the access token. For example:
>
> ```
> GET /resource HTTP/1.1
> Host: server.example.com
> Authorization: Bearer mF_9.B5f-4.1JqM
> ```