M_UNAUTHORIZED if 'Authorization' header value contains optional whitespace for federation requests (SYN-437)

[matrixbot]

It's a little unclear from the spec, but I believe the intention is that the federation Authorization header is supposed to follow RFC7235 format. To quote:

 Authorization = credentials

  credentials = auth-scheme [ 1*SP ( token68 / [ ( "," / auth-param )
    *( OWS "," [ OWS auth-param ] ) ] ) ]

The OWS parts in there suggest that "optional whitespace" is allowed between comma-separated auth-param components.

However, while synapse is happy with

Authorization: X-Matrix origin="localhost:33515",key="ed25519:1",sig="hNMLqNd1T+JUVc53JxpRUtV8uTeAFiz/H8ewf5BffPz4Pem3EiIOq7L06B3fNHmWrW+ZVBkdG1tGEU9Fyl+lAA"

it breaks with

Authorization: X-Matrix origin="localhost:48078", key="ed25519:1", sig="24xkXS8iJE9dCdU5j0GRym4eps+vzUYvYaPosjdjU/G2etNQGVc1erInpmjJJHlJoJu1GDb8H3JzXQga47oADg"

In the latter case, the resulting error message is:

400 Bad Request
{"errcode":"M_UNAUTHORIZED","error":"Malformed Authorization header"}

(Imported from https://matrix.org/jira/browse/SYN-437)

(Reported by @leonerd)

[matrixbot]

Jira watchers: @leonerd

[DMRobertson]

The relevant function is

synapse/synapse/federation/transport/server/_base.py

Line 158 in 7bc110a

def _parse_auth_header(header_bytes: bytes) -> Tuple[str, str, str, Optional[str]]:

We'd accept a PR which

• adds test cases which demonstrate the failure here
• changes _parse_auth_header to fix those test cases.

[devender15]

@DMRobertson Hello, I want to work on this issue. Please assign this issue to me.

[DMRobertson]

@DMRobertson Hello, I want to work on this issue. Please assign this issue to me.

We don't assign issues outside of the core team, but we will gladly review a PR.

[haxshith]

iam a newbie to this.I am very enthusiastic to learn please help me out