From 46971acf99fd8638cba47beb6054e7d4b292d48e Mon Sep 17 00:00:00 2001
From: Uwe Schuster
Date: Sat, 25 Apr 2026 11:41:48 +0200
Subject: [PATCH] AuthInterceptor: strip query string before policy check
Request-target from getStartingLine().path includes the query string (e.g. "/set-password?token=abc"), causing exact-match public-path checks like `path == "/set-password"` in IAuthPolicy::isPublicPath to fail and the request to be rejected with 401. Strip the query string once at the top of intercept() so policies and access logs see clean paths.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 include/oatpp-authkit/auth/AuthInterceptor.hpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/include/oatpp-authkit/auth/AuthInterceptor.hpp b/include/oatpp-authkit/auth/AuthInterceptor.hpp
index 101273c..cc2a4e5 100644
--- a/include/oatpp-authkit/auth/AuthInterceptor.hpp
+++ b/include/oatpp-authkit/auth/AuthInterceptor.hpp
@@ -104,8 +104,12 @@ public:
 }
 }
- const std::string path = request->getStartingLine().path.std_str();
+ std::string path = request->getStartingLine().path.std_str();
 const std::string method = request->getStartingLine().method.std_str();
+ // Strip query string — request-target includes it, but policy checks
+ // (and access logs) want just the path.
+ auto qpos = path.find('?');
+ if (qpos != std::string::npos) path.resize(qpos);
 if (m_policy->isPublicPath(path)) return nullptr;
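Review bot: After the new `path.resize(qpos)`, `path` is still the raw request-target with only the query removed, so `m_policy->isPublicPath(path)` decides on a string that has not been percent-decoded or had dot segments and repeated slashes normalised. If the router (not visible here) canonicalises the target differently, the policy and the dispatcher could disagree about which handler a request reaches; exact-match policies like the one in the commit message limit that, while a prefix-matching policy would not. I would state the contract next to the strip, e.g. `// path is the raw, undecoded request-target minus the query; policies must match it exactly, never by prefix`, and add a test that the query form of a public path is accepted while encoded or dot-segment variants of it are not. `intercept()` begins and ends outside this hunk, so later uses of `path` could not be checked.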