express: ensure the authorization header starts with Bearer

It used to just skip the 7 first chars without verifying that said chars were indeed `Bearer `
biscuit-auth · May 16, 2023 · a8dc0ae · a8dc0ae
1 parent f4ab91d
commit a8dc0ae
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/snippets/biscuit-express.js b/snippets/biscuit-express.js
@@ -2,12 +2,15 @@ export function middleware(options) {
   // assumes the token is in the `Authorization` header,
   // prefixed with `Bearer `
   const defaultExtractor = function (req) {
-    const authHeader = req.headers.authorization?.slice(7);
+    const authHeader = req.headers.authorization;
     if (!authHeader) {
       throw new Error("Missing Authorization header");
     }
+    if (!authHeader.startsWith("Bearer ")) {
+      throw new Error("Authorization header does not carry a bearer token");
+    }
 
-    return authHeader;
+    return authHeader.slice(7);
   };
 
   const defaultParser = function (data, publicKey) {