What’s the correct way to remove the authorization header from an incoming request?
I’ve created a RegisterTypedRequestFilter<Authenticate>() but I run up against a System.NotSupportedException when I try to remove and/or set the value for the key HttpHeaders.Authorization.
We’ve run into an issue where the incoming Bearer token gets used to create the initial session within that Authenticate POST. This results in the ability to post a bearer token of User A while authenticating User B, and the session coming back is a blend of both.
I’d like to strip all auth headers from the authenticate endpoint to ensure the session that gets created is an empty blank session and not based on the incoming bearer token (should one be present).
BTW: We are undergoing penetration testing where the engineer is trying things that wouldn’t normally be tried and/or expected, looking for vulnerabilities.
I just tested that this fix works for our solution (JWT) as attempting to authenticate User B with User A authorization header results in correct User B session (no signs of User A).
Not sure how this would affect others, but assuming that the GetSession() that is called when the user is authenticating is looking for session data from the incoming request, perhaps it’s something that should be baked into ServiceStack, i.e. prevent a hacker trying to post to the authenticate end-point with some session data for a different authenticated user.
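The failure mode described in the posts above (the authenticate call seeding its session from whatever bearer token the request carries, so User A's token plus User B's credentials yields a blended session) and the proposed fix (a filter that strips the Authorization header before the handler resolves any session) can be modelled in a few lines. This is an added illustration written for this page; it is not ServiceStack code and does not use its API. The user store, the token-to-user table standing in for JWT validation, the session shape and the function names are all assumptions for the example.

```python
"""Toy model of an authenticate endpoint that seeds its session from the
incoming bearer token, and of a request filter that prevents it.
Added example for this page; not ServiceStack's implementation."""
import hmac
import secrets

# Constructed user store for the example: username -> (password, roles).
USERS = {
    "alice": ("alice-pw", ["admin"]),
    "bob": ("bob-pw", ["reader"]),
}

# Constructed bearer-token table standing in for JWT validation: token -> user.
TOKENS = {"tok-alice": "alice"}


def session_from_bearer(headers):
    """Resolve the session implied by an 'Authorization: Bearer <token>' header.
    Models a GetSession() that looks at the incoming request first."""
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or token not in TOKENS:
        return None
    user = TOKENS[token]
    return {"user": user, "roles": list(USERS[user][1]), "id": "sess-" + user}


def new_session():
    """A blank session with a fresh identifier and no roles."""
    return {"user": None, "roles": [], "id": "sess-" + secrets.token_hex(8)}


def check_password(user, password):
    stored = USERS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored[0], password)


def authenticate(headers, username, password):
    """Toy authenticate handler as the thread describes it: the session is
    first resolved from the request (the bearer token, if present) and the
    verified credentials are then applied on top of it. With a foreign
    token present, this is where the blend comes from."""
    if not check_password(username, password):
        return None
    session = session_from_bearer(headers) or new_session()
    session["user"] = username
    session["roles"] = sorted(set(session["roles"]) | set(USERS[username][1]))
    return session


def strip_auth_headers(headers):
    """Request filter for the authenticate endpoint: drop the Authorization
    header so the handler starts from a blank session, as the post proposes."""
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}


def authenticate_with_filter(headers, username, password):
    """The proposed fix: run the filter before the handler sees the request."""
    return authenticate(strip_auth_headers(headers), username, password)


def carries_identity_of(session, other_user):
    """Check used in the test: does the session still carry anything that
    belongs to other_user (its session id or a role the logged-in user lacks)?"""
    own_roles = set(USERS[session["user"]][1])
    foreign_roles = set(USERS[other_user][1]) - own_roles
    return session["id"] == "sess-" + other_user or bool(
        foreign_roles & set(session["roles"])
    )


if __name__ == "__main__":
    # Pentester's request: User A's token in the header, User B's credentials in the body.
    hdrs = {"Authorization": "Bearer tok-alice"}
    print("without filter:", authenticate(hdrs, "bob", "bob-pw"))
    print("with filter:   ", authenticate_with_filter(hdrs, "bob", "bob-pw"))
```

Running the block shows the unfiltered handler returning a session for bob that still has alice's session id and admin role, while the filtered path returns a session built from bob's credentials alone. The order matters: the filter has to run before anything resolves a session from the request, which is why a typed request filter on the Authenticate DTO is the right place for it.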