Authorization header
abdula opened this issue · 2 comments
abdula commented
The Authorization header can contain other information, like Basic auth data. The strategy does not handle this case.
Example:
Basic bW9iaWxlVjE6YWJjMTIzNDU2, Bearer xfDddHcepoDPIUwTlItMfVWgWo4JQTTb5R/s3xaeYk4=
jaredhanson commented
I don't believe that is a valid Authorization header, since it contains more than one credential. A client should send one of Basic or Bearer, but not multiple. If this is allowed by the spec, please provide me with a pointer to the documentation.
If the client was conformant, you could authenticate with:
passport.authenticate(['basic', 'bearer'], ...);
abdula commented
Yes, it seems you are right. I didn't find any documentation about that.
Sorry to disturb.
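The point settled in this thread, as an added example that is not part of the original issue or of Passport's code: RFC 7235 defines the Authorization field value as a single `credentials` element (one auth-scheme followed by one token68 or parameter list), so a strict server-side parser rejects the combined value from the report instead of picking one half of it. `parseAuthorization` is a hypothetical helper written for this illustration, and it only accepts the Basic and Bearer schemes discussed here.

```javascript
// Hypothetical helper (not a Passport API): strictly parse one Authorization value.
// token68 per RFC 7235: 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
const TOKEN68 = /^[A-Za-z0-9\-._~+\/]+=*$/;
// auth-scheme is an HTTP token
const SCHEME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function parseAuthorization(value) {
  if (typeof value !== 'string') {
    return { ok: false, reason: 'missing header' };
  }
  const trimmed = value.trim();
  const sp = trimmed.indexOf(' ');
  if (sp === -1) {
    return { ok: false, reason: 'no credentials after scheme' };
  }
  const scheme = trimmed.slice(0, sp);
  const rest = trimmed.slice(sp).trim();
  if (!SCHEME.test(scheme)) {
    return { ok: false, reason: 'invalid auth-scheme' };
  }
  const lower = scheme.toLowerCase(); // scheme names are case-insensitive
  if (lower !== 'basic' && lower !== 'bearer') {
    return { ok: false, reason: 'unsupported scheme' };
  }
  // Both schemes carry exactly one token68. A comma or an inner space means the
  // client packed several credentials into one field, which is rejected outright.
  if (!TOKEN68.test(rest)) {
    return { ok: false, reason: 'credentials are not a single token68' };
  }
  return { ok: true, scheme: lower, token: rest };
}

// Header value quoted in the issue, followed by a single-credential variant
// constructed from it for comparison.
const reported =
  'Basic bW9iaWxlVjE6YWJjMTIzNDU2, Bearer xfDddHcepoDPIUwTlItMfVWgWo4JQTTb5R/s3xaeYk4=';
const single = 'Bearer xfDddHcepoDPIUwTlItMfVWgWo4JQTTb5R/s3xaeYk4=';

console.log(parseAuthorization(reported));
console.log(parseAuthorization(single));
```

Failing closed on the combined value avoids the case where two components in the request path each honor a different credential from the same header.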