
Currently utilizing a JWT authentication schema where the tokens have "Bearer" in the schema. Is it possible to remove the "Bearer" prefix so I wouldn't need to add it on the client side just to parse it out on the backend again? Is there a way to do this without implementing a custom scheme (so while still using the Bearer scheme) AND without having to parse the actual token for the "Bearer: " text?

Right now, the code looks like:

var jwt = require('jsonwebtoken'); // assumes the jsonwebtoken package

// Express middleware: strip the "Bearer " prefix, then verify the token
function verifyToken(req, res, next) {
  var token = req.headers.authorization;
  // guard against a missing header so .replace() cannot throw on undefined
  if (!token) {
    return res.status(401).end('Unauthorized, missing token');
  }
  var newToken = token.replace("Bearer ", "");
  jwt.verify(newToken, jwtSecret, function (err, success) {
    if (err) {
      return res.status(401).end('Unauthorized, invalid token');
    } else {
      return next();
    }
  });
}

Ideally it would be implemented as such:

var token = req.headers.authorization; // the raw header, with no prefix to strip
jwt.verify(token, jwtSecret, function (err, success) {
  if (err) {
    return res.status(401).end('Unauthorized, invalid token');
  } else {
    return next();
  }
});

Would this be okay? What are the implications of removing "Bearer" from the JWT authorization headers?

Thanks

kimj39
  • No, it's within https://tools.ietf.org/html/rfc7235#section-2 As a side note, you are confusing "header" and "token". The `var token` is actually an HTTP header which contains the schema and the token. Instead of replacing, you need to split the header, compare the actual schema with the expected "Bearer", and reject the request instantly if it doesn't match. – Alex Blex May 31 '18 at 14:37
    Doesn't seem you can remove `Bearer`. See previously asked and beautifully answered: https://stackoverflow.com/a/33281233/1870891 further reference: https://stackoverflow.com/a/47157391/1870891 – Marko Bajlovic May 31 '18 at 17:58
  • @MarkoBajlovic You can remove / omit it. Question from here is whether it is a good idea. While it follows best practice, what are the repercussions of not using it. – Dap May 31 '18 at 18:20
  • Thanks for the help – kimj39 Jun 14 '18 at 16:14

1 Answer


There is no programmatic difference from removing the Bearer token when formatting the request header. If you do choose to do so, you are violating the RFC and HTTP standards. It would be like sending a payload in a GET response and saving the data to the database.

Use of bearer tokens is derived from the OAuth design, so have a look here for the standards.

Erfan Bahramali