fix: actually enforce Bearer token scheme

wale · wale · commit 39a1cc7d1b11 · 2024-03-14T12:06:53.000+11:00
diff --git a/server/utils/protectRoute.ts b/server/utils/protectRoute.ts
@@ -13,7 +13,14 @@ const protectRoute = async (event: H3Event, role: Role = Role.USER) => {
         });
 
     // Authorization: Bearer [jwt....]
-    const [, bearerToken] = authHeaders.split(" ");
+    const [authType, bearerToken] = authHeaders.split(" ");
+
+    if (authType !== "Bearer")
+        throw createError({
+            statusCode: 400,
+            statusMessage: "Malformed `Authorization` header.",
+        });
+
     const bearerVerified = jwt.verify(
         bearerToken,
         runtimeConfig.jwtAccessSecret,
