perf: quick way to validate token string

zhouyiheng.go · zhouyiheng.go · commit 6b99099ef253 · 2023-04-10T10:45:20.000+08:00
diff --git a/parser.go b/parser.go
@@ -130,7 +130,7 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
 	// parse Header
 	var headerBytes []byte
 	if headerBytes, err = p.DecodeSegment(parts[0]); err != nil {
-		if strings.HasPrefix(strings.ToLower(tokenString), "bearer ") {
+		if len(tokenString) < 7 || strings.HasPrefix(strings.ToLower(tokenString[:7]), "bearer ") {
 			return token, parts, newError("tokenstring should not contain 'bearer '", ErrTokenMalformed)
 		}
 		return token, parts, newError("could not base64 decode header", ErrTokenMalformed, err)
diff --git a/request/extractor.go b/request/extractor.go
@@ -90,7 +90,7 @@ func (e BearerExtractor) ExtractToken(req *http.Request) (string, error) {
 	tokenHeader := req.Header.Get("Authorization")
 	// The usual convention is for "Bearer" to be title-cased. However, there's no
 	// strict rule around this, and it's best to follow the robustness principle here.
-	if tokenHeader == "" || !strings.HasPrefix(strings.ToLower(tokenHeader), "bearer ") {
+	if len(tokenHeader) < 7 || !strings.HasPrefix(strings.ToLower(tokenHeader[:7]), "bearer ") {
 		return "", ErrNoTokenInRequest
 	}
 	return tokenHeader[7:], nil

Original file line number	Diff line number	Diff line change
`@@ -130,7 +130,7 @@ func (p Parser) ParseUnverified(tokenString string, claims Claims) (token Toke`
`130`	`130`	`// parse Header`
`131`	`131`	`var headerBytes []byte`
`132`	`132`	`if headerBytes, err = p.DecodeSegment(parts[0]); err != nil {`
`133`		`- if strings.HasPrefix(strings.ToLower(tokenString), "bearer ") {`
	`133`	`+ if len(tokenString) < 7 \|\| strings.HasPrefix(strings.ToLower(tokenString[:7]), "bearer ") {`
`134`	`134`	`return token, parts, newError("tokenstring should not contain 'bearer '", ErrTokenMalformed)`
`135`	`135`	`}`
`136`	`136`	`return token, parts, newError("could not base64 decode header", ErrTokenMalformed, err)`
Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,7 @@ func (e BearerExtractor) ExtractToken(req *http.Request) (string, error) {`
`90`	`90`	`tokenHeader := req.Header.Get("Authorization")`
`91`	`91`	`// The usual convention is for "Bearer" to be title-cased. However, there's no`
`92`	`92`	`// strict rule around this, and it's best to follow the robustness principle here.`
`93`		`- if tokenHeader == "" \|\| !strings.HasPrefix(strings.ToLower(tokenHeader), "bearer ") {`
	`93`	`+ if len(tokenHeader) < 7 \|\| !strings.HasPrefix(strings.ToLower(tokenHeader[:7]), "bearer ") {`
`94`	`94`	`return "", ErrNoTokenInRequest`
`95`	`95`	`}`
`96`	`96`	`return tokenHeader[7:], nil`