Hi,
When providing credentials as a body, e.g.

{
  "jwtusername": "[email protected]",
  "jwtpassword": "te6,w~JcYxWsO%SH281R9G~N@*AQv&,W"
}

TMVCJWTAuthenticationMiddleware.OnBeforeRouting tries to parse the username and password by calling

    LUsername := AContext.Request.ContentParam(FUserNameHeaderName);
    LPassword := AContext.Request.ContentParam(FPasswordHeaderName);

before actually parsing the request body as JSON. The ContentParam function attempts to URL-decode the params, which will fail with the given example (password). You would have to URL-encode the content of this JSON to keep the conversion error from being raised, which is inconsistent with other routes that have a JSON body.

We propose changing the above code to

    LUsername := AContext.Request.QueryStringParam(FUserNameHeaderName);
    LPassword := AContext.Request.QueryStringParam(FPasswordHeaderName);

which will correctly parse the credentials exclusively from query parameters.
Parsing the JSON content at this point is not necessary, because this code is followed by a dedicated JSON body parsing routine.
Hope you find this useful :)
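
The failure reported above, modelled in Python as an added example (it is not part of the original report and not the framework's Delphi code): a strict percent-decoder rejects the raw JSON password at `%SH`, while choosing the parser from the Content-Type returns it unchanged. `strict_url_decode` and `read_credentials` are hypothetical names, and the e-mail address is a constructed placeholder.

```python
import json
import string

# Constructed sample: the issue's password, with a placeholder e-mail address.
PASSWORD = "te6,w~JcYxWsO%SH281R9G~N@*AQv&,W"
BODY = json.dumps({"jwtusername": "user@example.test", "jwtpassword": PASSWORD})


def strict_url_decode(value: str) -> str:
    """Percent-decode and raise on a malformed escape.

    Assumption: a stand-in for a strict decoder, not the framework's own routine.
    """
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "%":
            pair = value[i + 1:i + 3]
            if len(pair) != 2 or any(c not in string.hexdigits for c in pair):
                raise ValueError(f"invalid percent-escape at offset {i}: {value[i:i + 3]!r}")
            out.append(int(pair, 16))
            i += 3
        else:
            out += b" " if value[i] == "+" else value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")


def read_credentials(content_type, body, user_key="jwtusername", pass_key="jwtpassword"):
    """Choose the parser from Content-Type; JSON values are never URL-decoded."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/json":
        doc = json.loads(body)
        if not isinstance(doc, dict):
            raise ValueError("JSON body must be an object")
        return doc.get(user_key), doc.get(pass_key)
    if media_type == "application/x-www-form-urlencoded":
        fields = {}
        for pair in body.split("&"):
            name, _, raw = pair.partition("=")
            fields[strict_url_decode(name)] = strict_url_decode(raw)
        return fields.get(user_key), fields.get(pass_key)
    raise ValueError(f"unsupported content type: {media_type!r}")


if __name__ == "__main__":
    print(read_credentials("application/json; charset=utf-8", BODY))
    try:
        strict_url_decode(PASSWORD)
    except ValueError as exc:
        print("form-style decode of the raw JSON value fails:", exc)
```

A form-encoded login still works when the client percent-encodes the password, which is the only case where URL decoding belongs in the credential path.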