Removing "Bearer" from token header without implementing a custom authentication scheme or parsing the token?
Currently utilizing a JWT authentication schema where the tokens have "Bearer: " in the schema. Is it possible to remove the "Bearer" prefix so I wouldn't need to add it on the client side just to parse it out on the backend again? Is there a way to do this without implementing a custom scheme (so while still using the Bearer scheme) AND without having to parse the actual token for the "Bearer: " text?

Right now, the code looks like:

var jwt = require('jsonwebtoken'); // assumed: the jwt library used in the post

var token = req.headers.authorization;
if (!token) {
  // No Authorization header at all: .replace() below would throw on undefined
  return res.status(401).end('Unauthorized, missing token');
}
// Strip the scheme prefix so only the compact JWT is passed to verify()
var newToken = token.replace("Bearer ", "");
jwt.verify(newToken, jwtSecret, function (err, decoded) {
  if (err) {
    return res.
            status(401).
            end('Unauthorized, invalid token');
  } else {
    return next();
  }
});

Ideally it would be implemented as such:

var token = req.headers.authorization;
jwt.verify(token, jwtSecret, function (err, decoded) {
  if (err) {
    return res.
            status(401).
            end('Unauthorized, invalid token');
  } else {
    return next();
  }
});

Would this be okay? What are the implications of removing "Bearer" from the JWT authorization headers?

Thanks

Contrabandist answered 31/5, 2018 at 14:24
No, it's within tools.ietf.org/html/rfc7235#section-2. As a side note, you are confusing "header" and "token". The var token is actually an HTTP header which contains schema and token. Instead of replacing, you need to split the header, compare actual schema with expected "Bearer", and reject request instantly if it doesn't match. (Ackerman)

Doesn't seem you can remove Bearer. See previously asked and beautifully answered: https://mcmap.net/q/92876/-best-http-authorization-header-type-for-jwt further reference: https://mcmap.net/q/92876/-best-http-authorization-header-type-for-jwt (Yellow)

@MarkoBajlovic You can remove / omit it. Question from here is whether it is a good idea. While it follows best practice, what are the repercussions of not using it. (Filippa)

Thanks for the help (Contrabandist)

There is no programmatic difference from removing Bearer token in formatting the request header. If you do choose to do so, you are violating RFC and HTTP standards. It would be like sending a payload in a GET response and saving data to the database.

Use of bearer tokens derived from the OAuth design, so have a look at here for standards.

Contrabandist answered 14/6, 2018 at 16:28
