CUMULUS-3285: Updated isAuthBearTokenRequest to handle non-Bearer aut…

…horization header (merge to master) (#3350) * CUMULUS-3285: Updated isAuthBearTokenRequest to handle non-Bearer authorization header (#3341)
nasa · Apr 26, 2023 · 2841c3c · 2841c3c
1 parent 086409d
commit 2841c3c
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -177,6 +177,21 @@ Users/clients that do not make use of these endpoints will not be impacted.
 - **CUMULUS-3165**
   - Update example/cumulus-tf/orca.tf to use orca v6.0.3
 
+## [v15.0.1] 2023-04-20
+
+### Changed
+
+- **CUMULUS-3279**
+  - Updated core dependencies on `xml2js` to `v0.5.0`
+  - Forcibly updated downstream dependency for `xml2js` in `saml2-js` to
+    `v0.5.0`
+  - Added audit-ci CVE override until July 1 to allow for Core package releases
+
+## Fixed
+
+- **CUMULUS-3285**
+  - Updated `api/lib/distribution.js isAuthBearTokenRequest` to handle non-Bearer authorization header
+
 ## [v15.0.0] 2023-03-10
 
 ### Breaking Changes
@@ -7079,7 +7094,8 @@ Note: There was an issue publishing 1.12.0. Upgrade to 1.12.1.
 
 ## [v1.0.0] - 2018-02-23
 
-[unreleased]: https://github.com/nasa/cumulus/compare/v15.0.0...HEAD
+[unreleased]: https://github.com/nasa/cumulus/compare/v15.0.1...HEAD
+[v15.0.1]: https://github.com/nasa/cumulus/compare/v15.0.0...v15.0.1
 [v15.0.0]: https://github.com/nasa/cumulus/compare/v14.1.0...v15.0.0
 [v14.1.0]: https://github.com/nasa/cumulus/compare/v14.0.0...v14.1.0
 [v14.0.0]: https://github.com/nasa/cumulus/compare/v13.4.0...v14.0.0

diff --git a/example/spec/parallel/s3Access/teaS3CredentialsSpec.js b/example/spec/parallel/s3Access/teaS3CredentialsSpec.js
@@ -2,6 +2,7 @@
 
 const { URL } = require('url');
 const { STS } = require('aws-sdk');
+const base64 = require('base-64');
 
 const { models: { AccessToken } } = require('@cumulus/api');
 const {
@@ -33,6 +34,18 @@ describe('When accessing s3credentials endpoint', () => {
     });
   });
 
+  describe('with basic authorization header', () => {
+    it('redirects to Earthdata login for requests on /s3credentials endpoint.', async () => {
+      const auth = base64.encode(`${process.env.EARTHDATA_USERNAME}:${process.env.EARTHDATA_PASSWORD}`);
+      const headers = { authorization: `Basic ${auth}` };
+      const response = await invokeS3CredentialsLambda('/s3credentials', headers);
+      const authorizeUrl = new URL(response.headers.location);
+      expect(authorizeUrl.origin).toEqual(process.env.EARTHDATA_BASE_URL);
+      expect(authorizeUrl.searchParams.get('state')).toEqual('/s3credentials');
+      expect(authorizeUrl.pathname).toEqual('/oauth/authorize');
+    });
+  });
+
   describe('with token associated with an Earthdata Login ID', () => {
     let accessToken;
     let accessTokensModel;

diff --git a/package.json b/package.json
@@ -97,6 +97,7 @@
     "babel-loader": "^8.2.2",
     "babel-plugin-source-map-support": "^2.1.1",
     "babel-preset-env": "^1.7.0",
+    "base-64": "^0.1.0",
     "cookie-parser": "^1.4.5",
     "copy-webpack-plugin": "^6.0.3",
     "coveralls": "^3.0.0",

diff --git a/packages/api/lib/distribution.js b/packages/api/lib/distribution.js
@@ -119,7 +119,7 @@ function isAuthBearTokenRequest(req) {
   const authHeader = req.headers.authorization;
   if (authHeader) {
     const match = authHeader.match(BEARER_TOKEN_REGEX);
-    if (match.length >= 2) return true;
+    if (match && match.length >= 2) return true;
   }
   return false;
 }