Skip to content

[HttpClient] Allow bearer token with colon #38248

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 24, 2020
Merged

[HttpClient] Allow bearer token with colon #38248

merged 1 commit into from
Sep 24, 2020

Conversation

stephanvierkant
Copy link
Contributor

Q A
Branch? 4.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets n/a
License MIT
Doc PR n/a

The JetBrains Hub (YouTrack API) creates tokens with a perm: prefix. This doesn't work right now, because HttpClient doesn't allow a colon in the bearer token.

As far as I can see, there is no reason to disallow the use of the semicolon in the bearer token, so this PR fixes it.

Example of a token: perm:c3RlcGhhbg==.NTUtMw==.NiZw16agafhsQAShTvclhb78hyJh2H

@wouterj
Copy link
Member

wouterj commented Sep 20, 2020

Seems like the RFC 6750 bearer format was used here: https://tools.ietf.org/html/rfc6750#section-2.1

But I see no reason to prevent any other token format here, "bearer" isn't directly coupled to OAuth2.0, right?

fbourigault
fbourigault reviewed Sep 22, 2020
View reviewed changes
src/Symfony/Component/HttpClient/HttpClientTrait.php
@@ -110,7 +110,7 @@ private static function prepareRequest(?string $method, ?string $url, array $opt
throw new InvalidArgumentException(sprintf('Option "auth_basic" must be string or an array, "%s" given.', \gettype($options['auth_basic'])));
}

if (isset($options['auth_bearer']) && (!\is_string($options['auth_bearer']) || !preg_match('{^[-._=~+/0-9a-zA-Z]++$}', $options['auth_bearer']))) {
if (isset($options['auth_bearer']) && (!\is_string($options['auth_bearer']) || !preg_match('{^[-._=:~+/0-9a-zA-Z]++$}', $options['auth_bearer']))) {
throw new InvalidArgumentException(sprintf('Option "auth_bearer" must be a string containing only characters from the base 64 alphabet, '.(\is_string($options['auth_bearer']) ? 'invalid string given.' : '"%s" given.'), \gettype($options['auth_bearer'])));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The message should be updated. It's now the base 64 alphabet with the colon!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reverted, no need to advertise the colon, its non-standard

@OskarStark
Copy link
Contributor

Could you add a testcase?

@stof
Copy link
Member

stof commented Sep 22, 2020

I think this still deserves reporting to Jetbrains that their OAuth tokens don't actually respect the OAuth stack.

But we might indeed be less strict here, accepting more things that servers provide as tokens.

@stephanvierkant
Copy link
Contributor Author

I think this still deserves reporting to Jetbrains that their OAuth tokens don't actually respect the OAuth stack.

But we might indeed be less strict here, accepting more things that servers provide as tokens.

https://youtrack.jetbrains.com/issue/JPS-10419

@nicolas-grekas nicolas-grekas added this to the 4.4 milestone Sep 24, 2020
nicolas-grekas
nicolas-grekas approved these changes Sep 24, 2020
View reviewed changes
src/Symfony/Component/HttpClient/HttpClientTrait.php
@@ -110,7 +110,7 @@ private static function prepareRequest(?string $method, ?string $url, array $opt
throw new InvalidArgumentException(sprintf('Option "auth_basic" must be string or an array, "%s" given.', \gettype($options['auth_basic'])));
}

if (isset($options['auth_bearer']) && (!\is_string($options['auth_bearer']) || !preg_match('{^[-._=~+/0-9a-zA-Z]++$}', $options['auth_bearer']))) {
if (isset($options['auth_bearer']) && (!\is_string($options['auth_bearer']) || !preg_match('{^[-._=:~+/0-9a-zA-Z]++$}', $options['auth_bearer']))) {
throw new InvalidArgumentException(sprintf('Option "auth_bearer" must be a string containing only characters from the base 64 alphabet, '.(\is_string($options['auth_bearer']) ? 'invalid string given.' : '"%s" given.'), \gettype($options['auth_bearer'])));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reverted, no need to advertise the colon, its non-standard

@nicolas-grekas
Copy link
Member

Thank you @stephanvierkant.

@nicolas-grekas nicolas-grekas merged commit caab0f1 into symfony:4.4 Sep 24, 2020
@stephanvierkant stephanvierkant deleted the httpclient-bearer-colon branch September 24, 2020 13:32
This was referenced Sep 27, 2020
Merged
Merged
@wouterj wouterj mentioned this pull request Oct 16, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fbourigault fbourigault fbourigault left review comments

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

Assignees
No one assigned
Labels
Bug HttpClient Status: Reviewed
Projects
None yet
Milestone
4.4
Development

Successfully merging this pull request may close these issues.
7 participants
@stephanvierkant @wouterj @OskarStark @stof @nicolas-grekas @fbourigault @carsonbot