danieleteti / delphimvcframework

DMVCFramework (for short) is a popular and powerful framework for WEB API in Delphi. Supports RESTful and JSON-RPC WEB APIs development.

TMVCJWTAuthenticationMiddleware: Exception will prevent authentication with a json object

LucienClement opened this issue · comments

Hello,
in procedure TMVCJWTAuthenticationMiddleware.OnBeforeRouting (unit MVCFramework.Middleware.JWT), if one tries to pass the jwtusername and jwtpassword as a JSON object, an exception will be raised because it will attempt first to evaluate the content as ampersand-separated name=values.
On line 288 (LUsername := AContext.Request.ContentFields[FUserNameHeaderName]) an exception will be raised because FUserNameHeaderName does not exist (obviously) in the AContext.Request.ContentFields dictionary.
Now, if you change the code:

      if LUsername.IsEmpty then
      begin
        LUsername := AContext.Request.ContentFields[FUserNameHeaderName];
        LPassword := AContext.Request.ContentFields[FPasswordHeaderName];
      end;

to:

      if LUsername.IsEmpty then
      begin
        AContext.Request.ContentFields.TryGetValue(FUserNameHeaderName,LUsername);
        AContext.Request.ContentFields.TryGetValue(FPasswordHeaderName,LPassword);
      end;

You might still get an exception if your JSON content is written on more than one line, because you will attempt to add two empty names to the ContentFields dictionary.
One solution would be to write:

      if LUsername.IsEmpty then
      try
        AContext.Request.ContentFields.TryGetValue(FUserNameHeaderName,LUsername);
        AContext.Request.ContentFields.TryGetValue(FPasswordHeaderName,LPassword);
      except
      end;

I think it would be even better to check if the content-type is application/json and go directly to the json reader.

Regards,
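
The content-type check suggested at the end of the report, as an added example that is not part of the original issue or of DMVCFramework: the body parser is chosen from the media type, and a missing field or malformed body yields "no credentials" rather than an exception. `TryExtractCredentials` and its parameters are hypothetical names, only Delphi RTL calls are used, and the sample bodies are constructed.

```delphi
program JwtCredentialParsing;
{$APPTYPE CONSOLE}
uses System.SysUtils, System.JSON;
// Hypothetical helper, not DMVCFramework code: choose the body parser from the
// Content-Type and return False instead of raising when fields are missing.
function TryExtractCredentials(const AContentType, ABody, AUserField,
  APassField: string; out AUser, APass: string): Boolean;
var
  LMedia, LPair: string;
  LJSON: TJSONValue;
  LParts: TArray<string>;
begin
  AUser := ''; APass := '';
  // Keep only the media type, dropping parameters such as "; charset=utf-8".
  LMedia := LowerCase(Trim(Copy(AContentType, 1, Pos(';', AContentType + ';') - 1)));
  if LMedia = 'application/json' then
  begin
    LJSON := TJSONObject.ParseJSONValue(ABody); // nil when the body is not JSON
    try
      Result := (LJSON is TJSONObject) and
        LJSON.TryGetValue<string>(AUserField, AUser) and
        LJSON.TryGetValue<string>(APassField, APass);
    finally
      LJSON.Free;
    end;
  end
  else if LMedia = 'application/x-www-form-urlencoded' then
  begin
    for LPair in ABody.Split(['&']) do
    begin
      LParts := LPair.Split(['='], 2); // percent-decoding omitted for brevity
      if Length(LParts) < 2 then Continue; // skip pairs without "="
      if LParts[0] = AUserField then AUser := LParts[1];
      if LParts[0] = APassField then APass := LParts[1];
    end;
    Result := (AUser <> '') and (APass <> '');
  end
  else Result := False; // unknown media type: no credentials in the body
end;

var U, P: string;
begin
  // Constructed sample bodies; the JSON one spans several lines.
  Writeln(TryExtractCredentials('application/json; charset=utf-8',
    '{'#10' "jwtusername": "alice",'#10' "jwtpassword": "s3cret"'#10'}',
    'jwtusername', 'jwtpassword', U, P), ' ', U);
  Writeln(TryExtractCredentials('application/x-www-form-urlencoded',
    'jwtusername=bob&jwtpassword=pw', 'jwtusername', 'jwtpassword', U, P), ' ', U);
end.
```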