fix: panic when missing token

2025-12-12 08:00:07 +01:00 · 2023-01-14 09:08:44 +01:00 · 2023-01-14 09:08:44 +01:00 · 89006df2af
commit 89006df2af
parent 7009f645e6
2 changed files with 25 additions and 10 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ## Unreleased

+## 0.3.1 - (2023-1-14)
+
+### Fixed
+
+- fix: panicking when a bearer token is missing in protected request (be6bf9fb)
+
 ## 0.3.0 - (2023-1-13)

 ### Added 
--- a/jwt-authorizer/src/layer.rs
+++ b/jwt-authorizer/src/layer.rs
@ -129,19 +129,28 @@ where
    fn authorize(&self, mut request: Request<B>) -> Self::Future {
        let authorizer = self.auth.clone();
        let h = request.headers();
-        let bearer: Authorization<Bearer> = h.typed_get().unwrap();
+        let bearer_o: Option<Authorization<Bearer>> = h.typed_get();
        Box::pin(async move {
-            if let Ok(token_data) = authorizer.check_auth(bearer.token()).await {
-                // Set `token_data` as a request extension so it can be accessed by other
-                // services down the stack.
-                request.extensions_mut().insert(token_data);
+            if let Some(bearer) = bearer_o {
+                if let Ok(token_data) = authorizer.check_auth(bearer.token()).await {
+                    // Set `token_data` as a request extension so it can be accessed by other
+                    // services down the stack.
+                    request.extensions_mut().insert(token_data);
    
-                Ok(request)
+                    Ok(request)
+                } else {
+                    let unauthorized_response = Response::builder()
+                        .status(StatusCode::UNAUTHORIZED)
+                        .body(Body::empty()) // TODO: add error code (https://datatracker.ietf.org/doc/html/rfc6750#section-3.1)
+                        .unwrap();
+    
+                    Err(unauthorized_response)
+                }
            } else {
                let unauthorized_response = Response::builder()
-                    .status(StatusCode::UNAUTHORIZED)
-                    .body(Body::empty())
-                    .unwrap();
+                .status(StatusCode::UNAUTHORIZED)
+                .body(Body::empty()) // TODO: add error message (https://datatracker.ietf.org/doc/html/rfc6750#section-3.1)
+                .unwrap();

                Err(unauthorized_response)
            }