authn/bearer: Remove support for access_token in query or body params

Query params aren't safe for credentials because they often appear in access logs. Body params aren't necessary for our usage (and they're also logged sometimes, though more rarely). Supporting more authn code paths than we need only makes it harder to reason about the security of the system as a whole.
Priyaraj17 · Apr 9, 2021 · ad9b45a · ad9b45a
1 parent 87c474c
commit ad9b45a
Showing 1 changed file with 4 additions and 12 deletions.
diff --git a/src/authn/bearer.js b/src/authn/bearer.js
@@ -2,6 +2,9 @@
  * Originally copied from "lib/strategy.js" in the passport-http-bearer project.
  * The original copy is licensed under the MIT license.  See the
  * LICENSE.third-party file distributed alongside this project's own LICENSE file.
+ *
+ * Subsequent modifications have been made.  These and any future modifications
+ * are licensed under the same MIT license.
  */
 
 /* eslint-disable */
@@ -17,8 +20,7 @@ var passport = require('passport-strategy')
  * Creates an instance of `Strategy`.
  *
  * The HTTP Bearer authentication strategy authenticates requests based on
- * a bearer token contained in the `Authorization` header field, `access_token`
- * body parameter, or `access_token` query parameter.
+ * a bearer token contained in the `Authorization` header field.
  *
  * Applications must supply a `verify` callback, for which the function
  * signature is:
@@ -107,16 +109,6 @@ Strategy.prototype.authenticate = function(req) {
       return this.fail(400);
     }
   }
-
-  if (req.body && req.body.access_token) {
-    if (token) { return this.fail(400); }
-    token = req.body.access_token;
-  }
-
-  if (req.query && req.query.access_token) {
-    if (token) { return this.fail(400); }
-    token = req.query.access_token;
-  }
 
   if (!token) { return this.fail(this._challenge()); }