From a8dc0ae9a419d2151518fe28fd5fd4ef0354540f Mon Sep 17 00:00:00 2001
From: Clement Delafargue
Date: Tue, 16 May 2023 11:17:34 +0200
Subject: [PATCH] express: ensure the authorization header starts with Bearer

It used to just skip the 7 first chars without verifying that said chars were indeed `Bearer `
---
 snippets/biscuit-express.js | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/snippets/biscuit-express.js b/snippets/biscuit-express.js
index 84fe8fd..06809ec 100644
--- a/snippets/biscuit-express.js
+++ b/snippets/biscuit-express.js
@@ -2,12 +2,15 @@ export function middleware(options) {
   // assumes the token is in the `Authorization` header,
   // prefixed with `Bearer `
   const defaultExtractor = function (req) {
-    const authHeader = req.headers.authorization?.slice(7);
+    const authHeader = req.headers.authorization;
     if (!authHeader) {
       throw new Error("Missing Authorization header");
     }
+    if (!authHeader.startsWith("Bearer ")) {
+      throw new Error("Authorization header does not carry a bearer token");
+    }
-    return authHeader;
+    return authHeader.slice(7);
   };
   const defaultParser = function (data, publicKey) {
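Review bot: The new prefix check `authHeader.startsWith("Bearer ")` is case-sensitive, while RFC 7235 defines the auth-scheme token as case-insensitive, so a client sending `bearer <token>` — which the old blind `slice(7)` accepted — is now rejected with the new error; if that strictness is deliberate, say so in the comment above the extractor (`// scheme match is case-sensitive on purpose`), otherwise compare the scheme case-insensitively: `if (authHeader.slice(0, 7).toLowerCase() !== "bearer ") {`. A header of exactly `Bearer ` (or `Bearer` followed by only spaces) still passes the check, and `authHeader.slice(7)` then returns an empty or whitespace-only string, leaving the failure to whatever `defaultParser` does with it; an explicit `const token = authHeader.slice(7).trim(); if (token === "") throw new Error("Authorization header carries an empty bearer token");` keeps the error specific. The enclosing `middleware` function starts outside the hunk, so whether callers can substitute their own extractor and bypass this check cannot be confirmed from here.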