security: JWT token extraction missing Bearer scheme handling #8

Open
opened 2026-06-17 15:05:23 +00:00 by abumahid · 0 comments
Owner

Description

The authentication middleware reads the token from the Authorization header but doesn't handle the standard "Bearer" scheme (RFC 6750). It treats the whole header value as the token, so when a client sends `Authorization: Bearer <token>` the full string "Bearer <token>" is passed to JWT verification, which then fails with a confusing "malformed token" style error instead of a clear 401. Any other scheme (e.g. "Basic ...") is likewise passed straight to the verifier rather than being rejected.

Location

  • File: src/app/middlewares/auth.ts
  • Component: auth() middleware
  • Lines: 8-30

How to Fix

Extract and validate the Bearer token properly:

import type { NextFunction, Request, Response } from "express";
// AppError, jwtHelpers, configs, Role and JwtPayloadType are the project's own modules
// (imported in src/app/middlewares/auth.ts; their paths are not shown in this issue).

const BEARER_PREFIX = /^Bearer\s+/i; // RFC 6750: the scheme name is case-insensitive

const auth = (...roles: Role[]) => {
  return async (req: Request, res: Response, next: NextFunction) => {
    try {
      const header = req.headers.authorization;
      let token: string | undefined;

      if (header) {
        // Handle Bearer scheme: strip the prefix, and refuse any other scheme
        // rather than passing the raw header (e.g. "Basic ...") to the JWT verifier.
        if (!BEARER_PREFIX.test(header)) {
          throw new AppError("You are not authorize!!", 401);
        }
        token = header.replace(BEARER_PREFIX, "").trim();
      } else {
        // No Authorization header: fall back to the access_token cookie
        // (optional chaining in case cookie-parser is not mounted).
        token = req.cookies?.access_token;
      }

      if (!token) {
        throw new AppError("You are not authorize!!", 401);
      }

      let verifiedUser: JwtPayloadType;
      try {
        verifiedUser = jwtHelpers.verifyToken(
          token,
          configs.jwt.access_token as string,
        ) as JwtPayloadType;
      } catch {
        // Expired, malformed or badly signed tokens are a 401, not a 500.
        throw new AppError("You are not authorize!!", 401);
      }

      // Unchanged from the original: with no roles passed, every caller is rejected.
      if (!roles.length || !roles.includes(verifiedUser.role)) {
        throw new AppError("You are not authorize!!", 401);
      }

      req.user = verifiedUser;
      next();
    } catch (err) {
      next(err);
    }
  };
};
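The following is an added, stand-alone example and not code from the quicklanch-server project. It isolates the extraction step into `extractToken()` (case-insensitive scheme match, token68 charset, non-Bearer schemes and empty tokens rejected, cookie fallback only when no header is sent) and pairs it with a minimal HS256 sign/verify built on Node's crypto module, constructed here as a stand-in for `jwtHelpers.verifyToken`, to show concretely that the unstripped header value fails signature verification while the extracted token passes. The secret, payload and header values are constructed for the demo.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

export type TokenSource = "bearer" | "cookie" | "none";
export interface Extracted { token: string | null; source: TokenSource; reason?: string }

// RFC 6750: "Bearer" is case-insensitive; the credential is token68
// (ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/", then optional "=" padding).
const BEARER_RE = /^\s*Bearer\s+([A-Za-z0-9\-._~+/]+=*)\s*$/i;

export function extractToken(authorization: string | undefined, cookieToken: unknown): Extracted {
  if (authorization !== undefined) {
    const m = BEARER_RE.exec(authorization);
    if (!m) {
      // A header that is present but not a valid Bearer credential is rejected outright:
      // no cookie fallback, and the raw header never reaches the JWT verifier.
      return { token: null, source: "none", reason: "Authorization header is not a Bearer credential" };
    }
    return { token: m[1], source: "bearer" };
  }
  if (typeof cookieToken === "string" && cookieToken.length > 0) {
    return { token: cookieToken, source: "cookie" };
  }
  return { token: null, source: "none", reason: "no credential supplied" };
}

// Minimal HS256 JWT helpers (demo stand-in for jwtHelpers; not production code).
const b64url = (s: string): string => Buffer.from(s).toString("base64url");

export function signHS256(payload: object, secret: string): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac("sha256", secret).update(`${header}.${body}`).digest("base64url");
  return `${header}.${body}.${sig}`;
}

export function verifyHS256(token: string, secret: string): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, b, s] = parts;
  // Recompute the MAC over exactly what the signer signed; the "Bearer " prefix
  // would become part of the first segment and change the MAC input.
  const expected = createHmac("sha256", secret).update(`${h}.${b}`).digest();
  const given = Buffer.from(s, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  try {
    const hdr = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
    if (hdr.alg !== "HS256") return null; // pin the algorithm; never trust alg from the token
    return JSON.parse(Buffer.from(b, "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

// Reproduces the failure mode from the issue: raw header fails, extracted token passes.
export function demo(): { rawHeaderVerifies: boolean; extractedVerifies: boolean } {
  const secret = "demo-secret-do-not-use";            // constructed for the example
  const jwt = signHS256({ sub: "user-1", role: "ADMIN" }, secret);
  const authorization = `Bearer ${jwt}`;               // what a client actually sends
  const rawHeaderVerifies = verifyHS256(authorization, secret) !== null;
  const ex = extractToken(authorization, undefined);
  const extractedVerifies = ex.token !== null && verifyHS256(ex.token, secret) !== null;
  return { rawHeaderVerifies, extractedVerifies };
}
```

Rejecting a malformed Authorization header instead of falling back to the cookie is deliberate: a caller that explicitly presented a credential should get a 401 for it, not be silently authenticated as whoever the cookie belongs to.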

Acceptance Criteria

  • Bearer scheme tokens (with "Bearer " prefix) are properly parsed
  • Cookie tokens continue to work
  • Invalid Bearer tokens are rejected with 401
  • JWT verification works with extracted token
  • Build passes
  • Type check passes
  • Auth middleware accepts both Bearer and cookie tokens

abumahid added the securityHigh labels 2026-06-17 15:05:23 +00:00
abumahid added this to the quicklanch-server project 2026-06-17 15:05:23 +00:00