What’s the correct way to remove the authorization header from an incoming request?
I’ve created a RegisterTypedRequestFilter<Authenticate>() but I run up against a System.NotSupportedException when I try to remove and/or set the value for the key HttpHeaders.Authorization.
We’ve run into an issue where the incoming Bearer token gets used to create the initial session within that Authenticate Post. This results in the ability to post a bearer token of User A, while authenticating User B, and the session coming back is a blend of both.
I’d like to strip all auth headers from the authenticate endpoint to ensure the session that gets created is an empty blank session and not based on the incoming bearer token (should one be present).
You shouldn’t attempt to mutate incoming Request Headers which should be considered immutable.
Instead logout the user before sending an Authentication request otherwise it considers the same Authenticated User is authenticating with an alternative sign in option.
You can “override” the Authorization Header by specifying a non-empty value (i.e. not null || “”) in the IRequest.Items dictionary, e.g.:
httpReq.Items[Keywords.Authorization] = "Ignore";
If it doesn’t start with a "Basic " or "Bearer " prefix, it will be ignored by the Basic Auth and JWT + Api Key Auth providers.
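As an added example (not code from the thread or from ServiceStack itself), this is how the override suggested above can be applied from an AppHost using a typed request filter; the names MyApp and MyServices and the log message are assumed placeholders, and the ServiceStack APIs used are AppHostBase, RegisterTypedRequestFilter<T>, Keywords.Authorization and HttpHeaders.Authorization.

```csharp
using Funq;
using ServiceStack;
using ServiceStack.Logging;

// Assumed AppHost for illustration; MyApp / MyServices are placeholders.
public class AppHost : AppHostBase
{
    public AppHost() : base("MyApp", typeof(MyServices).Assembly) { }

    public override void Configure(Container container)
    {
        // Runs only for the built-in /auth endpoint (the Authenticate DTO),
        // so an Authorization header on other requests is left untouched.
        this.RegisterTypedRequestFilter<Authenticate>((req, res, dto) =>
        {
            var header = req.Headers[HttpHeaders.Authorization];
            if (string.IsNullOrEmpty(header))
                return; // no credential was sent, nothing to override

            // Do not mutate req.Headers (treated as immutable and throws).
            // Any value without a "Basic " or "Bearer " prefix causes the
            // Basic Auth, JWT and API Key providers to ignore the header,
            // so the new session is built from the posted credentials only.
            req.Items[Keywords.Authorization] = "Ignore";

            // Record the event for detection; message text is constructed.
            LogManager.GetLogger(typeof(AppHost))
                .Warn($"Authorization header ignored on Authenticate from {req.RemoteIp}");
        });
    }
}
```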
BTW: We are undergoing penetration testing where the engineer is trying things that wouldn’t normally be tried and/or expected, looking for vulnerabilities.
I just tested that this fix works for our solution (JWT) as attempting to authenticate User B with User A authorization header results in correct User B session (no signs of User A).
Not sure how this would affect others, but assuming that the GetSession() that is called when the user is authenticating is looking for session data from the request coming in, perhaps it’s something that should be baked into ServiceStack, i.e. prevent a hacker trying to post to the authenticate endpoint with some session data for a different authenticated user.