
Merge pull request #10246 from weseek/imprv/170346-support-bearer-token

imprv: Support Bearer token for new AccessToken
mergify[bot] 7 месяцев назад
Родитель
Сommit
f3d2a21195

+ 1 - 6
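--- a/apps/app/src/features/mermaid/components/MermaidViewer.tsx
+++ b/apps/app/src/features/mermaid/components/MermaidViewer.tsx
@@ -6,11 +6,6 @@ import { v7 as uuidV7 } from 'uuid';
 import { useNextThemes } from '~/stores-universal/use-next-themes';
 import loggerFactory from '~/utils/logger';
 
-const logger = loggerFactory('growi:features:mermaid:MermaidViewer');
-import { v7 as uuidV7 } from 'uuid';
-
-import loggerFactory from '~/utils/logger';
-
 const logger = loggerFactory('growi:features:mermaid:MermaidViewer');
 
 type MermaidViewerProps = {
@@ -25,7 +20,7 @@ export const MermaidViewer = React.memo((props: MermaidViewerProps): JSX.Element
   const ref = useRef<HTMLDivElement>(null);
 
   useEffect(() => {
-    (async () => {
+    (async() => {
       if (ref.current != null && value != null) {
         mermaid.initialize({
           theme: isDarkMode ? 'dark' : undefined,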

+ 5 - 1
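--- a/apps/app/src/server/middlewares/access-token-parser/access-token.ts
+++ b/apps/app/src/server/middlewares/access-token-parser/access-token.ts
@@ -5,14 +5,18 @@ import type { Response } from 'express';
 import { AccessToken } from '~/server/models/access-token';
 import loggerFactory from '~/utils/logger';
 
+import { extractBearerToken } from './extract-bearer-token';
 import type { AccessTokenParserReq } from './interfaces';
 
 const logger = loggerFactory('growi:middleware:access-token-parser:access-token');
 
 export const parserForAccessToken = (scopes: Scope[]) => {
   return async(req: AccessTokenParserReq, res: Response): Promise<void> => {
+    // Extract token from Authorization header first
+    // It is more efficient to call it only once in "AccessTokenParser," which is the caller of the method
+    const bearerToken = extractBearerToken(req.headers.authorization);
 
-    const accessToken = req.query.access_token ?? req.body.access_token;
+    const accessToken = bearerToken ?? req.query.access_token ?? req.body.access_token;
     if (accessToken == null || typeof accessToken !== 'string') {
       return;
     }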
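Review bot: The guard right after the new `accessToken` assignment lets an empty bearer credential through: `extractBearerToken` strips the prefix with `substring(7)`, so a header of exactly `Bearer ` yields `''`, which `??` does not treat as nullish and `typeof !== 'string'` does not reject, so whatever follows the guard runs with an empty token instead of falling back to the query/body sources. Suggest `if (accessToken == null || typeof accessToken !== 'string' || accessToken.length === 0) {`. Separately, the `req.query.access_token` fallback is retained while the commit removes the RFC 6750 TODO in index.ts; since tokens in query strings end up in access logs and Referer headers, a comment such as `// query/body fallback kept for backward compatibility; prefer the Authorization header` would record that this is deliberate. The `return async(...)` body continues outside the hunk.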

+ 3 - 13
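--- a/apps/app/src/server/middlewares/access-token-parser/api-token.ts
+++ b/apps/app/src/server/middlewares/access-token-parser/api-token.ts
@@ -1,30 +1,20 @@
 import type { IUser, IUserHasId } from '@growi/core/dist/interfaces';
 import { serializeUserSecurely } from '@growi/core/dist/models/serializers';
-import type { NextFunction, Response } from 'express';
+import type { Response } from 'express';
 import type { HydratedDocument } from 'mongoose';
 import mongoose from 'mongoose';
 
 import loggerFactory from '~/utils/logger';
 
+import { extractBearerToken } from './extract-bearer-token';
 import type { AccessTokenParserReq } from './interfaces';
 
 const logger = loggerFactory('growi:middleware:access-token-parser:api-token');
 
-const extractBearerToken = (authHeader: string | undefined): string | null => {
-  if (authHeader == null) {
-    return null;
-  }
-
-  if (!authHeader.startsWith('Bearer ')) {
-    return null;
-  }
-
-  return authHeader.substring(7); // Remove 'Bearer ' prefix
-};
-
 
 export const parserForApiToken = async(req: AccessTokenParserReq, res: Response): Promise<void> => {
   // Extract token from Authorization header first
+  // It is more efficient to call it only once in "AccessTokenParser," which is the caller of the method
   const bearerToken = extractBearerToken(req.headers.authorization);
 
   // Try all possible token sources in order of priority
</field_update>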
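Review bot: The added comment above `const bearerToken` describes a refactor that was not done rather than explaining the code that is there, and the same sentence now appears in access-token.ts, so a reader cannot tell whether the duplicate header parsing is intentional. Both parsers presumably run from `accessTokenParser` in index.ts, so the header is parsed once per parser per request; if hoisting is the plan, mark it as such: `// TODO: hoist extractBearerToken() into accessTokenParser (index.ts) so the header is parsed once and passed to both parsers`. Otherwise drop the sentence and keep only the first line. The body of `parserForApiToken` continues outside the hunk.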

+ 11 - 0
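--- /dev/null
+++ b/apps/app/src/server/middlewares/access-token-parser/extract-bearer-token.ts
@@ -0,0 +1,11 @@
+export const extractBearerToken = (authHeader: string | undefined): string | null => {
+  if (authHeader == null) {
+    return null;
+  }
+
+  if (!authHeader.startsWith('Bearer ')) {
+    return null;
+  }
+
+  return authHeader.substring(7); // Remove 'Bearer ' prefix
+};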
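Review bot: `startsWith('Bearer ')` followed by `substring(7)` accepts a header of exactly `Bearer ` and returns `''` as a token, and it rejects a valid `bearer <token>`, since RFC 7235 §2.1 makes the scheme name case-insensitive and allows one or more spaces before the credentials; trailing whitespace is also kept in the returned value. Replacing the `startsWith` check and the `substring` line with `const match = /^Bearer\s+(\S+)\s*$/i.exec(authHeader);` and `return match?.[1] ?? null;` handles all three and keeps the `null` return for a missing or non-Bearer header. A one-line TSDoc on the export, `/** Returns the credentials of an RFC 6750 Bearer Authorization header, or null if absent/not Bearer. */`, would also make the null contract explicit for the two parsers that now share it.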

+ 0 - 1
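--- a/apps/app/src/server/middlewares/access-token-parser/index.ts
+++ b/apps/app/src/server/middlewares/access-token-parser/index.ts
@@ -14,7 +14,6 @@ export type AccessTokenParser = (scopes?: Scope[], opts?: {acceptLegacy: boolean
 
 export const accessTokenParser: AccessTokenParser = (scopes, opts) => {
   return async(req, res, next): Promise<void> => {
-    // TODO: comply HTTP header of RFC6750 / Authorization: Bearer
     if (scopes == null || scopes.length === 0) {
       logger.warn('scopes is empty');
       return next();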