http: join authorization headers

marco-ippolito · Dec 26, 2022 · 17677bf · 17677bf
1 parent 28fe494
commit 17677bf
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 0 deletions.
diff --git a/doc/api/cli.md b/doc/api/cli.md
@@ -456,6 +456,11 @@ added: v12.3.0
 
 Enable experimental WebAssembly module support.
 
+### `--experimental-join-authorization-headers`
+
+Enable experimental joining of the field line values of
+multiple `Authorization` headers in a request.
+
 ### `--force-context-aware`
 
 <!-- YAML
@@ -1884,6 +1889,7 @@ Node.js options that are allowed are:
 * `--experimental-vm-modules`
 * `--experimental-wasi-unstable-preview1`
 * `--experimental-wasm-modules`
+* `--experimental-join-authorization-headers`
 * `--force-context-aware`
 * `--force-fips`
 * `--force-node-api-uncaught-exceptions-policy`

diff --git a/lib/_http_incoming.js b/lib/_http_incoming.js
@@ -31,6 +31,9 @@ const {
 } = primordials;
 
 const { Readable, finished } = require('stream');
+const { getOptionValue } = require('internal/options');
+
+const joinAuthorizationHeaders = getOptionValue('--experimental-join-authorization-headers');
 
 const kHeaders = Symbol('kHeaders');
 const kHeadersDistinct = Symbol('kHeadersDistinct');
@@ -400,6 +403,16 @@ function _addHeaderLine(field, value, dest) {
     } else {
       dest['set-cookie'] = [value];
     }
+  } else if (joinAuthorizationHeaders && flag === 97) {
+    // RFC 9110 https://www.rfc-editor.org/rfc/rfc9110#section-5.2
+    // https://github.com/nodejs/node/issues/45699
+    // allow authorization multiple fields
+    // Make a delimited list
+    if (typeof dest[field] === 'string') {
+      dest[field] += ', ' + value;
+    } else {
+      dest[field] = value;
+    }
   } else if (dest[field] === undefined) {
     // Drop duplicates
     dest[field] = value;

diff --git a/src/node_options.cc b/src/node_options.cc
@@ -381,6 +381,11 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
             "experimental ES Module support for webassembly modules",
             &EnvironmentOptions::experimental_wasm_modules,
             kAllowedInEnvvar);
+  AddOption("--experimental-join-authorization-headers",
+            "experimental joining of the field line values "
+            "of multiple Authorization headers",
+            &EnvironmentOptions::experimental_join_authorization_headers,
+            kAllowedInEnvvar);
   AddOption("--experimental-import-meta-resolve",
             "experimental ES Module import.meta.resolve() support",
             &EnvironmentOptions::experimental_import_meta_resolve,

diff --git a/src/node_options.h b/src/node_options.h
@@ -115,6 +115,7 @@ class EnvironmentOptions : public Options {
   bool experimental_global_web_crypto = true;
   bool experimental_https_modules = false;
   bool experimental_wasm_modules = false;
+  bool experimental_join_authorization_headers = false;
   bool experimental_import_meta_resolve = false;
   std::string module_type;
   std::string experimental_policy;

diff --git a/test/parallel/test-http-request-merge-authorization-headers.js b/test/parallel/test-http-request-merge-authorization-headers.js
@@ -0,0 +1,24 @@
+// Flags: --experimental-join-authorization-headers
+
+'use strict';
+const common = require('../common');
+const assert = require('assert');
+const http = require('http');
+
+{
+  const server = http.createServer({ requireHostHeader: false }, common.mustCall((req, res) => {
+    assert.strictEqual(req.headers.authorization, '1, 2');
+    res.writeHead(200, ['authorization', '3', 'authorization', '4']);
+    res.end();
+  }));
+
+  server.listen(0, common.mustCall(() => {
+    http.get({ port: server.address().port, headers: ['authorization', '1', 'authorization', '2'] }, (res) => {
+      assert.strictEqual(res.statusCode, 200);
+      assert.strictEqual(res.headers.authorization, '3, 4');
+      res.resume().on('end', common.mustCall(() => {
+        server.close();
+      }));
+    });
+  }));
+}