Fix statelessSessions to only accept Authorization: Bearer prefixed tokens (#9786)

Author: dcousens

packages/core/src/session.ts

@@ -1,7 +1,7 @@
 import { randomBytes } from 'node:crypto'
 import * as cookie from 'cookie'
 import Iron from '@hapi/iron'
-import type { SessionStrategy, SessionStoreFunction } from '../types'
+import type { KeystoneContext, SessionStrategy, SessionStoreFunction } from '../types'
 
 // TODO: should we also accept httpOnly?
 type StatelessSessionsOptions = {
@@ -59,6 +59,17 @@ type StatelessSessionsOptions = {
   sameSite?: true | false | 'lax' | 'strict' | 'none'
 }
 
+function getToken(req: NonNullable<KeystoneContext['req']>, cookieName: string) {
+  const authorization = req.headers.authorization ?? ''
+
+  if (authorization.startsWith('Bearer')) {
+    return authorization.slice('Bearer '.length)
+  }
+
+  const cookies = cookie.parse(req.headers.cookie || '')
+  return cookies[cookieName]
+}
+
 export function statelessSessions<Session>({
   secret = randomBytes(32).toString('base64url'),
   maxAge = 60 * 60 * 8, // 8 hours,
@@ -78,9 +89,7 @@ export function statelessSessions<Session>({
     async get({ context }) {
       if (!context?.req) return
 
-      const cookies = cookie.parse(context.req.headers.cookie || '')
-      const bearer = context.req.headers.authorization?.replace('Bearer ', '')
-      const token = bearer || cookies[cookieName]
+      const token = getToken(context.req, cookieName)
       if (!token) return
       try {
         return await Iron.unseal(token, secret, ironOptions)