getodk · alxndrsn · Nov 4, 2024 · Nov 9, 2024 · Nov 9, 2024 · alxndrsn
diff --git a/lib/http/middleware.js b/lib/http/middleware.js
@@ -17,6 +17,7 @@
 // we would like for the entire requestpath to run within a single Promise context,
 // so that we can manage the database transaction without awkward contortions.
 
+const { urlDecode } = require('../util/http');
 const Problem = require('../util/problem');
 const Option = require('../util/option');
 
@@ -40,10 +41,13 @@ const versionParser = (request, response, next) => {
 // TODO: we should probably reject as usual if multiple auth mechs are used
 // at once but that seems like a corner of a corner case here?
 const fieldKeyParser = (request, response, next) => {
+  let prefixKey;
   const match = /^\/key\/([^/]+)\//.exec(request.url);
-
-  const prefixKey = Option.of(match).map((m) => decodeURIComponent(m[1]));
-  prefixKey.ifDefined(() => { request.url = request.url.slice(match[0].length - 1); });
+  if (match != null) {
+    prefixKey = urlDecode(match[1]);
+    if (prefixKey.isEmpty()) return next(Problem.user.authenticationFailed());
+    request.url = request.url.slice(match[0].length - 1);
+  }
 
   const queryKey = Option.of(request.query.st);
   queryKey.ifDefined((token) => {
@@ -53,7 +57,7 @@ const fieldKeyParser = (request, response, next) => {
     request.originalUrl = `/v1/key/${token.replace(/\//g, '%2F')}${request.originalUrl.slice(3)}`;
   });
 
-  request.fieldKey = Option.of(prefixKey.orElse(queryKey));
+  request.fieldKey = Option.of(Option.of(prefixKey).orElse(queryKey));
 
   next();
 };

diff --git a/test/unit/http/middleware.js b/test/unit/http/middleware.js
@@ -80,6 +80,16 @@ describe('middleware', () => {
       });
     });
 
+    it('should return error for unparsable percent-encoded prefix keys', (done) => {
+      const request = createRequest({ url: '/key/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%eaaa!aaaaaaaaaaaaaaaaaa/users/23' });
+      fieldKeyParser(request, null, (error) => {
+        error.should.be.a.Problem();
+        error.problemCode.should.equal(401.2);
+        error.message.should.equal('Could not authenticate with the provided credentials.');
+        done();
+      });
+    });
+
     it('should pass through any query key content', (done) => {
       const request = createRequest({ url: '/v1/users/23?st=inva|id' });
       fieldKeyParser(request, null, () => {