AuthInterceptor: strip query string before policy check

Request-target from getStartingLine().path includes the query string
(e.g. "/set-password?token=abc"), causing exact-match public-path
checks like `path == "/set-password"` in IAuthPolicy::isPublicPath
to fail and the request to be rejected with 401.

Strip the query string once at the top of intercept() so policies
and access logs see clean paths.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Uwe Schuster 2026-04-25 11:41:48 +02:00
parent 448cd9ef8c
commit 46971acf99

@ -104,8 +104,12 @@ public:
} }
} }
const std::string path = request->getStartingLine().path.std_str(); std::string path = request->getStartingLine().path.std_str();
const std::string method = request->getStartingLine().method.std_str(); const std::string method = request->getStartingLine().method.std_str();
// Strip query string — request-target includes it, but policy checks
// (and access logs) want just the path.
auto qpos = path.find('?');
if (qpos != std::string::npos) path.resize(qpos);
if (m_policy->isPublicPath(path)) return nullptr; if (m_policy->isPublicPath(path)) return nullptr;
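
Review bot: `path` loses its `const` at the declaration so that the `path.resize(qpos)` step can cut it in place, which leaves the value that feeds `m_policy->isPublicPath(path)` mutable for the rest of intercept(). Building it in one expression, for example `const std::string path = target.substr(0, target.find('?'));` with `target` holding the raw request-target, keeps it const and needs no `npos` branch, since `substr(0, npos)` returns the whole string. Only the query string is removed here, so the policy still compares the path exactly as the client sent it. With the exact-match check the commit message describes, other spellings of the same path (a trailing slash, percent-encoded characters) will not match and fail closed with 401, which is the safe direction, but the comment should say that the stripping is limited to `?`. Please also confirm that the string passed to `isPublicPath` is derived the same way as the one the router dispatches on, so the policy and the handler cannot disagree about which endpoint a request is for. The comment mentions access logs, but no logging call is visible in this hunk, and a test for a request-target like the "/set-password?token=abc" case from the commit message would pin the behaviour.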