fastify/fastify-oauth2

The type of `token_type` is 'bearer', but at runtime the value is `Bearer`

wlinna opened this issue · 4 comments

wlinna commented

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the bug has not already been reported

Fastify version

4.15

Plugin version

7.0.1

Node.js version

18

Operating system

Linux

Operating system version (i.e. 20.04, 11.3, 10)

22.04

Description

According to the types, the type of Token.token_type is 'bearer'. However, at runtime the value is actually 'Bearer'.

I'm not sure where the current value 'bearer' comes from, or what it should be. Maybe on the systems that you have preconfigured the value is 'bearer'. However, on auth0, the value is 'Bearer'.

Steps to Reproduce

Configuration code:

  1. Configure oauthPlugin

     fastify.register(oauthPlugin, {
       name: 'auth0',
       credentials: {
         client: {
           id: fastify.config.CLIENT_ID,
           secret: fastify.config.CLIENT_SECRET,
         },
         auth: {
           authorizeHost: fastify.config.AUTH0_BASE_URL,
           authorizePath: '/authorize',
           tokenHost: fastify.config.AUTH0_BASE_URL,
           tokenPath: '/oauth/token',
         },
       },
       // Request Credits API to be added as an audience for the user access token
       callbackUriParams: {
         audience: fastify.config.CREDITS_API_ID,
       },
       scope: 'openid profile email read:credits write:credits',
       code: 'code',
       // This route starts the Auth0 authorization redirect flow
       startRedirectPath: new URL(fastify.config.CLIENT_LOGIN_URI).pathname,
       // User is redirected to this URL after login in Auth0
       callbackUri: new URL(fastify.config.CLIENT_CALLBACK_URI).href,
     });

  2. At the callback handler I have this code, which works correctly

     const { token } = await this.auth0.getAccessTokenFromAuthorizationCodeFlow(request);

     // Verify received tokens before using them
     if (token.token_type !== 'Bearer') {
       reply.code(400);
       return 'Invalid authorization';
     }

  3. TypeScript complains: `This comparison appears to be unintentional because the types '"bearer"' and '"Bearer"' have no overlap.` However, when I debug the code, I can see that the value is 'Bearer', not 'bearer'.

Expected Behavior

TypeScript shouldn't complain about comparisons to 'Bearer'.
OR
The value should be lowercased to 'bearer'. Unfortunately, changing this now would break backwards compatibility for those who already depend on the value being 'Bearer'.

Thanks for reporting! Would you like to send a Pull Request to address this issue? Remember to add unit tests.

I think we could just add a union of 'Bearer' too in `token_type: 'bearer';`.

FYI, the spec calls for Bearer specifically.

Where actually? Afaik it says case insensitive.

https://www.rfc-editor.org/rfc/rfc6750#section-2.1

When sending the access token in the "Authorization" request header
field defined by HTTP/1.1 [RFC2617], the client uses the "Bearer"
authentication scheme to transmit the access token.

For example:

GET /resource HTTP/1.1
Host: server.example.com
Authorization: Bearer mF_9.B5f-4.1JqM