fix: Fix JWT checking for non-authorized routes

iotaledger · Sep 18, 2023 · 9eaeb71 · 9eaeb71
1 parent ac78945
commit 9eaeb71
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 5 deletions.
diff --git a/packages/authentication/jwt_auth_test.go b/packages/authentication/jwt_auth_test.go
@@ -61,12 +61,18 @@ func TestGetJWTAuthMiddleware(t *testing.T) {
 
 	t.Run("skip", func(t *testing.T) {
 		e := echo.New()
+		testRootURL := "http://fake-root"
 		skipPaths := []string{
 			"/",
 			shared.AuthRoute(),
 			shared.AuthInfoRoute(),
 			"/doc",
 		}
+		notSkipPaths := []string{
+			"/aa/",
+			"/user/" + shared.AuthRoute(),
+			"/bb/doc",
+		}
 		for _, path := range skipPaths {
 			e.GET(path, func(c echo.Context) error {
 				_, ok := c.Get(authentication.JWTContextKey).(*jwt.Token)
@@ -83,14 +89,24 @@ func TestGetJWTAuthMiddleware(t *testing.T) {
 		e.Use(middleware)
 
 		for _, path := range skipPaths {
-			req := httptest.NewRequest(http.MethodGet, path, http.NoBody)
+			req := httptest.NewRequest(http.MethodGet, testRootURL+path, http.NoBody)
 			res := httptest.NewRecorder()
 
 			e.ServeHTTP(res, req)
 
 			require.Equal(t, http.StatusOK, res.Code)
 			require.Equal(t, "\"\"\n", res.Body.String())
 		}
+
+		for _, path := range notSkipPaths {
+			req := httptest.NewRequest(http.MethodGet, testRootURL+path, http.NoBody)
+			req.Header.Set(echo.HeaderAuthorization, "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiIweGNjYTUzMmNmN2RjNWNhNGExNmJiZjE5OTM5ZThiODlkMDMzN2FhNTk5ZDVjOGQxZGY4MDdlNDM4ZjA3MjExOTEiLCJzdWIiOiJ3YXNwIiwiYXVkIjpbIndhc3AiXSwiZXhwIjo2ODI0NjUwMzMyLCJuYmYiOjE2OTI1OTEyODksImlhdCI6MTY5MjU5MTI4OSwianRpIjoiMTY5MjU5MTI4OSIsInBlcm1pc3Npb25zIjp7IndyaXRlIjp7fX19.nFXeqX4i6K7Jmt3nEdaqJXYp2sp35an4EXdz-U5mWtQ")
+			res := httptest.NewRecorder()
+
+			e.ServeHTTP(res, req)
+
+			require.Equal(t, http.StatusUnauthorized, res.Code)
+		}
 	})
 }
 

diff --git a/packages/authentication/validate_middleware.go b/packages/authentication/validate_middleware.go
@@ -2,7 +2,6 @@ package authentication
 
 import (
 	"fmt"
-	"strings"
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
@@ -37,9 +36,9 @@ func GetJWTAuthMiddleware(
 		Skipper: func(c echo.Context) bool {
 			path := c.Request().URL.Path
 			if path == "/" ||
-				strings.HasSuffix(path, shared.AuthRoute()) ||
-				strings.HasSuffix(path, shared.AuthInfoRoute()) ||
-				strings.HasPrefix(path, "/doc") {
+				path == shared.AuthRoute() ||
+				path == shared.AuthInfoRoute() ||
+				path == "/doc" {
 				return true
 			}