From a5babc9b7d72ac374e20d13c99699f8a98853f7a Mon Sep 17 00:00:00 2001 From: Simran Date: Thu, 30 Jan 2020 01:10:14 +0100 Subject: [PATCH 1/7] Don't cast non-string passwords to string (e.g. undefined) --- src/execute/swagger2/build-request.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/execute/swagger2/build-request.js b/src/execute/swagger2/build-request.js index bc019408b..d68ea9142 100644 --- a/src/execute/swagger2/build-request.js +++ b/src/execute/swagger2/build-request.js @@ -88,7 +88,8 @@ export function applySecurities({request, securities = {}, operation = {}, spec} result.headers.authorization = value.header } else { - value.base64 = btoa(`${value.username}:${value.password}`) + const password = typeof value.password === "string" || value.password instanceof String ? value.password : "" + value.base64 = btoa(`${value.username}:${password}`) result.headers.authorization = `Basic ${value.base64}` } } From 2e1ba4617c229ceb95db3cdeadaf814529d25240 Mon Sep 17 00:00:00 2001 From: Simran Date: Thu, 30 Jan 2020 01:23:28 +0100 Subject: [PATCH 2/7] Update build-request.js --- src/execute/swagger2/build-request.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/execute/swagger2/build-request.js b/src/execute/swagger2/build-request.js index d68ea9142..84b6abdbf 100644 --- a/src/execute/swagger2/build-request.js +++ b/src/execute/swagger2/build-request.js @@ -88,8 +88,9 @@ export function applySecurities({request, securities = {}, operation = {}, spec} result.headers.authorization = value.header } else { + const username = value.username const password = typeof value.password === "string" || value.password instanceof String ? value.password : "" - value.base64 = btoa(`${value.username}:${password}`) + value.base64 = btoa(`${username}:${password}`) result.headers.authorization = `Basic ${value.base64}` } } From 3d88c26f84f180c649fc98428fcfa44648e83554 Mon Sep 17 00:00:00 2001 
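Review bot: The added `value.base64 = btoa(`${username}:${password}`)` line stores the Base64-encoded credential pair on the caller-supplied `securities` entry, so any other reference to that object (and anything that later logs or serialises it) now carries the password in a trivially reversible form; the OAS3 counterpart edited later in this series keeps the result in a local `encoded` instead. Unless something downstream reads `value.base64` (not visible in the hunk), prefer `const encoded = btoa(`${username}:${password}`)` followed by `result.headers.authorization = `Basic ${encoded}``. The header key is also lower-case `authorization` here but `Authorization` in the OAS3 path; that is pre-existing, but a one-line comment stating which casing callers rely on would help the next reader. `applySecurities` starts and ends outside the hunk.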
From: Simran Date: Thu, 30 Jan 2020 01:23:59 +0100 Subject: [PATCH 3/7] Update build-request.js --- src/execute/oas3/build-request.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/execute/oas3/build-request.js b/src/execute/oas3/build-request.js index 0b928c415..a4cc7dce4 100644 --- a/src/execute/oas3/build-request.js +++ b/src/execute/oas3/build-request.js @@ -148,7 +148,8 @@ export function applySecurities({request, securities = {}, operation = {}, spec} } else if (type === 'http') { if (schema.scheme === 'basic') { - const {username, password} = value + const username = value.username + const password = typeof value.password === "string" || value.password instanceof String ? value.password : "" const encoded = btoa(`${username}:${password}`) result.headers.Authorization = `Basic ${encoded}` } From 7b6a382ef6e235eb87d0f51b3a27712ebdbd332e Mon Sep 17 00:00:00 2001 From: Simran Date: Thu, 30 Jan 2020 01:41:49 +0100 Subject: [PATCH 4/7] Add test --- test/oas3/execute/authorization.js | 47 ++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/test/oas3/execute/authorization.js b/test/oas3/execute/authorization.js index 122fe4005..ae51ebf21 100644 --- a/test/oas3/execute/authorization.js +++ b/test/oas3/execute/authorization.js 
@@ -140,6 +140,53 @@ describe('Authorization - OpenAPI Specification 3.0', () => { }) } ) + test( + 'should allow empty password without casting undefined to string', + () => { + const spec = { + openapi: '3.0.0', + components: { + securitySchemes: { + myBasicAuth: { + type: 'http', + in: 'header', + scheme: 'basic' + } + } + }, + paths: { + '/': { + get: { + operationId: 'myOperation' + } + } + } + } + + // when + const req = buildRequest({ + spec, + operationId: 'myOperation', + securities: { + authorized: { + myBasicAuth: { + username: 'somebody', + password: undefined + } + } + } + }) + + expect(req).toEqual({ + method: 'GET', + url: '/', + credentials: 'same-origin', + headers: { + Authorization: `Basic ${btoa('somebody:')}` + }, + }) + } + ) }) describe('Bearer', () => { test('should add token to the Authorization header', () => { From 515ca50a6138e8cf9e71b6c77cdf055575b0fec8 Mon Sep 17 00:00:00 2001 From: Simran Date: Thu, 30 Jan 2020 01:49:52 +0100 Subject: [PATCH 5/7] Add test --- test/swagger2/execute/apply-securities.js | 41 +++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/test/swagger2/execute/apply-securities.js b/test/swagger2/execute/apply-securities.js index b135d8d75..140a47ab6 100644 --- a/test/swagger2/execute/apply-securities.js +++ b/test/swagger2/execute/apply-securities.js 
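Review bot: The expected header on the `expect(req).toEqual` line is computed with the same `btoa` the implementation calls, so a broken or swapped encoder would pass its own test; pin the literal instead, `Authorization: 'Basic c29tZWJvZHk6'`, as the swagger2 test in this series does with `'Basic Zm9vOg=='`. The fixture also declares `in: 'header'` on an `http` security scheme, a property OAS 3.0 defines only for `apiKey` schemes, so it should be dropped to keep the fixture representative. Consider sibling cases for `password: null` and for a `password` key that is absent entirely, since all three reach the same encoding line and only `undefined` is covered here. The enclosing `describe` block starts and ends outside the hunk.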
@@ -123,6 +123,47 @@ describe('swagger2 - execute - applySecurities', () => { }) }) + test('should allow empty password without casting undefined to string', () => { + const spec = { + host: 'swagger.io', + basePath: '/v1', + security: [{authMe: []}], + paths: { + '/one': { + get: { + operationId: 'getMe', + security: [{authMe: []}] + } + } + }, + securityDefinitions: { + authMe: { + type: 'basic' + } + } + } + + const request = { + url: 'http://swagger.io/v1/one', + method: 'GET', + query: {} + } + const securities = { + authorized: { + authMe: { + username: 'foo', + password: undefined + } + } + } + + const applySecurity = applySecurities({request, securities, operation: spec.paths['/one'].get, spec}) + + expect(applySecurity.headers).toEqual({ + authorization: 'Basic Zm9vOg==' + }) + }) + test('should be able to apply multiple auths', () => { const spec = { host: 'swagger.io', From 6dc9e621e7bfaec9d409bff291fab2e18640eb12 Mon Sep 17 00:00:00 2001 From: Simran Date: Thu, 30 Jan 2020 02:12:13 +0100 Subject: [PATCH 6/7] Fix test --- test/oas3/execute/authorization.js | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/test/oas3/execute/authorization.js b/test/oas3/execute/authorization.js index ae51ebf21..ce2d28909 100644 --- a/test/oas3/execute/authorization.js +++ b/test/oas3/execute/authorization.js @@ -157,7 +157,10 @@ describe('Authorization - OpenAPI Specification 3.0', () => { paths: { '/': { get: { - operationId: 'myOperation' + operationId: 'myOperation', + security: [{ + myBasicAuth: [] + }], } } } From 7d58b524c9178582a43a60d66c91bf86b42ab181 Mon Sep 17 00:00:00 2001 From: Simran Brucherseifer Date: Mon, 9 Mar 2020 17:50:12 +0100 Subject: [PATCH 7/7] Only test for falsy values --- src/execute/oas3/build-request.js | 4 ++-- src/execute/swagger2/build-request.js | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/execute/oas3/build-request.js b/src/execute/oas3/build-request.js index a4cc7dce4..b5b0b48de 100644 
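Review bot: The new test pins the literal `'Basic Zm9vOg=='` (base64 of `foo:`), which is the right approach, but it covers only `password: undefined`; `password: null` and an absent `password` key take the same path and deserve one assertion each, e.g. `authMe: {username: 'foo', password: null}` with the same expected header. A case with `username: undefined` expecting `'Basic Og=='` would also pin the username side, which the implementation hunks in this series leave unguarded until the final patch. The enclosing `describe` block starts and ends outside the hunk.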
--- a/src/execute/oas3/build-request.js +++ b/src/execute/oas3/build-request.js @@ -148,8 +148,8 @@ export function applySecurities({request, securities = {}, operation = {}, spec} } else if (type === 'http') { if (schema.scheme === 'basic') { - const username = value.username - const password = typeof value.password === "string" || value.password instanceof String ? value.password : "" + const username = value.username || '' + const password = value.password || '' const encoded = btoa(`${username}:${password}`) result.headers.Authorization = `Basic ${encoded}` } diff --git a/src/execute/swagger2/build-request.js b/src/execute/swagger2/build-request.js index 84b6abdbf..979db2cd9 100644 --- a/src/execute/swagger2/build-request.js +++ b/src/execute/swagger2/build-request.js @@ -88,8 +88,8 @@ export function applySecurities({request, securities = {}, operation = {}, spec} result.headers.authorization = value.header } else { - const username = value.username - const password = typeof value.password === "string" || value.password instanceof String ? value.password : "" + const username = value.username || '' + const password = value.password || '' value.base64 = btoa(`${username}:${password}`) result.headers.authorization = `Basic ${value.base64}` }
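Review bot: The `||` fallback on the two new `const` lines collapses a username or password of `0` or `false` to `''` rather than stringifying it, which quietly changes the credential that is sent; if the intent is only to stop `undefined`/`null` from becoming the literal text `undefined`, `const password = value.password == null ? '' : value.password` (and likewise for `username`) does exactly that. Separately, the unchanged `btoa(`${username}:${password}`)` line throws for any character above U+00FF if `btoa` is the browser global (its binding is outside the hunk), and RFC 7617 names UTF-8 as the only standard charset for the user-pass string, so a password such as `'pässwörd€'` cannot be sent at all; a `// TODO: UTF-8-encode before btoa — non-Latin-1 credentials currently throw` marker would at least record the gap. RFC 7617 also forbids `:` in the user-id and nothing here rejects it, so a username containing a colon yields an ambiguous header. `applySecurities` starts and ends outside the hunk.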