acortes-okode commented on code in PR #16650:
URL: https://github.com/apache/pulsar/pull/16650#discussion_r923329841


##########
pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderToken.java:
##########
@@ -387,4 +387,26 @@ public boolean isExpired() {
             return expiration < System.currentTimeMillis();
         }
     }
+
+    private static final class HttpServletRequestWrapper extends 
javax.servlet.http.HttpServletRequestWrapper {
+        private final HttpServletRequest request;
+
+        public HttpServletRequestWrapper(HttpServletRequest request) {
+            super(request);
+            this.request = request;
+        }
+
+        @Override
+        public String getHeader(String name) {
+            // The browser javascript WebSocket client couldn't add the auth 
param to the request header, use the
+            // query param `token` to transport the auth token for the browser 
javascript WebSocket client.
+            if (name.equals(HTTP_HEADER_NAME) && 
request.getHeader(HTTP_HEADER_NAME) == null) {
+                String token = request.getParameter(TOKEN);
+                if (token != null && 
!token.startsWith(HTTP_HEADER_VALUE_PREFIX)) {

Review Comment:
   If we are checking the token for not starting with the "Bearer " prefix in order to return `"Bearer " + token` as the header value, shouldn't we return the `token` as is if it already starts with "Bearer "? I mean, something like this:
   ```java
   String token = request.getParameter(TOKEN);
   if (token != null) {
       return !token.startsWith(HTTP_HEADER_VALUE_PREFIX) ? HTTP_HEADER_VALUE_PREFIX + token : token;
   }
   ```
   If what is intended is to encourage users not to send the "Bearer " prefix as part of the `token` query param, then I'm not sure about performing the 'startsWith' check since it will already fail. Or maybe we could have the check and use it to log a warning or error message explaining why the `token` request param value was not taken as the `Authorization` header value?
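To make the two behaviours under discussion concrete, here is an added, self-contained Java example; it is not code from the PR or from Pulsar. `FakeRequest` is a constructed stand-in for the two `HttpServletRequest` calls the wrapper uses (`getHeader`, `getParameter`), and the constant values `Authorization`, `Bearer ` and `token` are assumed to be what `HTTP_HEADER_NAME`, `HTTP_HEADER_VALUE_PREFIX` and `TOKEN` resolve to in the provider. `resolveAsInHunk` follows the hunk as the review comment reads it (only a bare token is promoted to a header; a token that already carries the prefix yields no header), and `resolveAsProposed` is the variant the comment suggests.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed stand-in for the servlet request surface the wrapper touches.
// The real wrapper extends javax.servlet.http.HttpServletRequestWrapper; this
// class exists only so the example compiles and runs without a container.
final class FakeRequest {
    private final Map<String, String> headers = new HashMap<>();
    private final Map<String, String> params = new HashMap<>();

    // Servlet containers resolve header names case-insensitively; mirror that.
    FakeRequest header(String name, String value) { headers.put(name.toLowerCase(), value); return this; }
    FakeRequest param(String name, String value) { params.put(name, value); return this; }

    String getHeader(String name) { return headers.get(name.toLowerCase()); }
    String getParameter(String name) { return params.get(name); }
}

public final class TokenHeaderFallback {
    // Assumed values of the provider's constants.
    static final String HTTP_HEADER_NAME = "Authorization";
    static final String HTTP_HEADER_VALUE_PREFIX = "Bearer ";
    static final String TOKEN = "token";

    /** Hunk behaviour: a real header always wins; a bare `token` query param is
     *  promoted to "Bearer <token>"; an already-prefixed param is dropped. */
    static String resolveAsInHunk(FakeRequest request) {
        String header = request.getHeader(HTTP_HEADER_NAME);
        if (header != null) {
            return header;
        }
        String token = request.getParameter(TOKEN);
        if (token != null && !token.startsWith(HTTP_HEADER_VALUE_PREFIX)) {
            return HTTP_HEADER_VALUE_PREFIX + token;
        }
        return null; // prefixed param silently produces no Authorization header
    }

    /** Review-comment variant: accept the param whether or not it carries the prefix. */
    static String resolveAsProposed(FakeRequest request) {
        String header = request.getHeader(HTTP_HEADER_NAME);
        if (header != null) {
            return header;
        }
        String token = request.getParameter(TOKEN);
        if (token != null) {
            return token.startsWith(HTTP_HEADER_VALUE_PREFIX) ? token : HTTP_HEADER_VALUE_PREFIX + token;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample requests; the token strings are placeholders, not real JWTs.
        FakeRequest withHeader = new FakeRequest().header("Authorization", "Bearer hdr.jwt").param("token", "qry.jwt");
        FakeRequest bare = new FakeRequest().param("token", "qry.jwt");
        FakeRequest prefixed = new FakeRequest().param("token", "Bearer qry.jwt");
        FakeRequest none = new FakeRequest();

        for (FakeRequest r : new FakeRequest[] {withHeader, bare, prefixed, none}) {
            System.out.printf("hunk=%-16s proposed=%s%n", resolveAsInHunk(r), resolveAsProposed(r));
        }
    }
}
```

Running `main` shows the one case where the two differ: a `token` query param that already begins with `Bearer ` resolves to `null` under the hunk's logic and to the unchanged value under the proposed logic. In both variants a header presented by the client takes precedence, so the query-string path can never override an explicit `Authorization` header; it only fills in when none is present.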


