Allow RW auth to use capitalised authorization header #3829
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Deploying to AWS (with serverless) seems to transform the authorization header to be captialised "Authorization". This causes the auth to fail. I found this from my own experience deploying this test project https://github.com/Irev-Dev/redwood-serverless-cors-demo Besides my own experience I tried to find docs confirming this, I found https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-known-issues.html Which says: "Header names and query parameters are processed in a case-sensitive way." and lists authorization with a capital "A", it doesn't explicitly say the header is transformed to uppercase, but I think it's implied. Besides AWS I think it somewhat likely that other deploy targets in the future might have the same quirk so this only seems to make the auth provider more robust.
|
For context I found this when looking into #3812. |
|
|'ve learned a little more since, This issue of the capitalised "Authorization" header only effects AWS's REST api, as opposed to the http api which doesn't have the same problem. The current serverless setup command uses the http-api, and that's recommended (it's newer and faster) so maybe this PR isn't needed, but it's possible a RW user would switch to the old api. |
|
@Irev-Dev it's a simple change that seem reasonable to me either way. Looping in @dthyresson for the offical go/no-go review. |
dac09
approved these changes
Dec 15, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Deploying to AWS (with serverless) seems to transform the authorization header to be
captialised "Authorization".
This causes the auth to fail.
I found this from my own experience deploying this test project:
https://github.com/Irev-Dev/redwood-serverless-cors-demo
Which I was able to resolve with this change.
Besides my own experience I tried to find docs confirming this, I found
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-known-issues.html
Which says:
"Header names and query parameters are processed in a case-sensitive way."
and lists authorization with a capital "A", it doesn't explicitly say
the header is transformed to uppercase, but I think it's implied.
Besides AWS, it's plausible that future deploy targets will have the same quirk, this change only makes the auth more robust.
Here's a screen shot from my Cloudwatch logs that show shows the "The
Authorizationheader is not valid." error I was getting before the fix as well as the headers logged out showing the case of the authorization header.