Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/07/18 12:53:06 UTC

[GitHub] [pulsar] acortes-okode commented on a diff in pull request #16650: [improve][authentication] Support for get token from HTTP params

acortes-okode commented on code in PR #16650:
URL: https://github.com/apache/pulsar/pull/16650#discussion_r923329841


##########
pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderToken.java:
##########
@@ -387,4 +387,26 @@ public boolean isExpired() {
             return expiration < System.currentTimeMillis();
         }
     }
+
+    private static final class HttpServletRequestWrapper extends javax.servlet.http.HttpServletRequestWrapper {
+        private final HttpServletRequest request;
+
+        public HttpServletRequestWrapper(HttpServletRequest request) {
+            super(request);
+            this.request = request;
+        }
+
+        @Override
+        public String getHeader(String name) {
+            // The browser javascript WebSocket client couldn't add the auth param to the request header, use the
+            // query param `token` to transport the auth token for the browser javascript WebSocket client.
+            if (name.equals(HTTP_HEADER_NAME) && request.getHeader(HTTP_HEADER_NAME) == null) {
+                String token = request.getParameter(TOKEN);
+                if (token != null && !token.startsWith(HTTP_HEADER_VALUE_PREFIX)) {
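Review bot: the new inner class reuses the simple name `HttpServletRequestWrapper` of the `javax.servlet.http.HttpServletRequestWrapper` it extends, which is why the `extends` clause has to spell out the fully qualified name; a distinct name (for instance `TokenQueryParamRequestWrapper`) and dropping the private `request` field in favour of the inherited `getRequest()` would make the override easier to read and remove a second reference to the same object. Also, because `getHeader` now sources the credential from the `token` query parameter when the `Authorization` header is absent, that credential will be present wherever request URLs are recorded (web server access logs, reverse proxies, browser history), so the comment in `getHeader` should state that trade-off explicitly so operators know to treat those logs as sensitive.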

Review Comment:
   If we are checking the token for not starting with the "Bearer " prefix in order to return `"Bearer " + token` as the header value, shouldn't we return the `token` as is if it already starts with "Bearer "? I mean, something like this:
   ```java
   String token = request.getParameter(TOKEN);
   if (token != null) {
       return !token.startsWith(HTTP_HEADER_VALUE_PREFIX) ? HTTP_HEADER_VALUE_PREFIX + token : token;
   }
   ```
   If what is intended is to encourage users not to send the "Bearer " prefix as part of the `token` query param, then I'm not sure about performing the 'startsWith' check since it will already fail. Or maybe we could have the check and use it to log a warning or error message explaining the cause why the `token` request param value was not taken as the `Authorization` header value?
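The behaviour discussed in the comment above, written out as an added example that is not code from the Pulsar pull request: a request wrapper that falls back to the `token` query parameter only when no `Authorization` header is present, accepts the parameter with or without the "Bearer " prefix, and never writes the token value itself to a log. The class and method names (`TokenParamRequestWrapper`, `normalize`, `fakeRequest`) are assumptions for this illustration, as is the `javax.servlet` API being on the classpath; the stand-in request built with `java.lang.reflect.Proxy` is constructed test data, not a real container request.

```java
import java.lang.reflect.Proxy;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class TokenParamRequestWrapperExample {
    // Same header name, prefix and query-parameter name as the provider under discussion.
    static final String HTTP_HEADER_NAME = "Authorization";
    static final String HTTP_HEADER_VALUE_PREFIX = "Bearer ";
    static final String TOKEN = "token";

    /** Hypothetical wrapper: falls back to the `token` query parameter when no Authorization header exists. */
    static final class TokenParamRequestWrapper extends HttpServletRequestWrapper {
        TokenParamRequestWrapper(HttpServletRequest request) {
            super(request);
        }

        @Override
        public String getHeader(String name) {
            String header = super.getHeader(name);
            // A real header always wins; the query parameter is only consulted when the header is absent.
            if (!HTTP_HEADER_NAME.equalsIgnoreCase(name) || header != null) {
                return header;
            }
            return normalize(((HttpServletRequest) getRequest()).getParameter(TOKEN));
        }
    }

    /**
     * Accept the token either bare or already carrying the "Bearer " prefix, so a client that
     * sends the prefix is not silently rejected. The token value is never logged here.
     */
    static String normalize(String token) {
        if (token == null || token.isEmpty()) {
            return null;
        }
        return token.startsWith(HTTP_HEADER_VALUE_PREFIX) ? token : HTTP_HEADER_VALUE_PREFIX + token;
    }

    /** Constructed stand-in request: only getHeader and getParameter are answered, everything else returns null. */
    static HttpServletRequest fakeRequest(String authHeader, String tokenParam) {
        return (HttpServletRequest) Proxy.newProxyInstance(
                HttpServletRequest.class.getClassLoader(),
                new Class<?>[] {HttpServletRequest.class},
                (proxy, method, args) -> {
                    switch (method.getName()) {
                        case "getHeader":
                            return HTTP_HEADER_NAME.equalsIgnoreCase((String) args[0]) ? authHeader : null;
                        case "getParameter":
                            return TOKEN.equals(args[0]) ? tokenParam : null;
                        default:
                            return null;
                    }
                });
    }

    public static void main(String[] args) {
        // Header present: the query parameter is ignored even if it disagrees.
        String fromHeader = new TokenParamRequestWrapper(fakeRequest("Bearer header-jwt", "param-jwt"))
                .getHeader(HTTP_HEADER_NAME);
        // No header, bare token in the query string: prefix is added.
        String fromBareParam = new TokenParamRequestWrapper(fakeRequest(null, "param-jwt"))
                .getHeader(HTTP_HEADER_NAME);
        // No header, token already prefixed: returned unchanged instead of being dropped.
        String fromPrefixedParam = new TokenParamRequestWrapper(fakeRequest(null, "Bearer param-jwt"))
                .getHeader(HTTP_HEADER_NAME);
        // Neither header nor parameter: no credential, so the provider sees null as before.
        String none = new TokenParamRequestWrapper(fakeRequest(null, null)).getHeader(HTTP_HEADER_NAME);

        if (!"Bearer header-jwt".equals(fromHeader) || !"Bearer param-jwt".equals(fromBareParam)
                || !"Bearer param-jwt".equals(fromPrefixedParam) || none != null) {
            throw new AssertionError("unexpected header resolution");
        }
        System.out.println("all cases resolved as expected");
    }
}
```

Compile and run with the servlet API jar on the classpath (for example `javac -cp javax.servlet-api-4.0.1.jar TokenParamRequestWrapperExample.java` followed by `java -cp .:javax.servlet-api-4.0.1.jar TokenParamRequestWrapperExample`; the jar version is an assumption). The design point is that the header-absent check happens before the parameter is read, so a client that can set headers is never downgraded to the query-string path, while the normalization keeps the "Bearer " handling in one place where a diagnostic log line can be added without including the token.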


