Fix JWT request-resource-path to include query string#163
Open
webdz9r wants to merge 1 commit into CyberSource:master from
Conversation
The extractResourcePath method was stripping query parameters from the request target before signing the JWT. This causes UNAUTHORIZED_USER 401 errors on endpoints that require query params (e.g. GET /uw/v1/applications?status=New) because the signed path no longer matches the actual request URL. Return the full request_target as-is so the signed path exactly matches the URL the server receives.
Problem
extractResourcePath strips query parameters from the request target before signing the JWT request-resource-path claim. This causes an UNAUTHORIZED_USER 401 response on any endpoint where the actual HTTP request includes query params, because the signed path no longer matches the URL the server receives.
Example: a GET to /uw/v1/applications?status=New signs the path as /uw/v1/applications, but the server validates against /uw/v1/applications?status=New — they don't match, so auth fails.
Fix
Return request_target as-is in extractResourcePath so the signed path exactly matches the full request URL including query string. The Visa Acceptance Solutions JWT specification states that request-resource-path should be "the complete URL path for the HTTP request."
Verified
Confirmed with the Visa UAPI underwriting sandbox (apitest.cybersource.com):
Before the fix: GET /uw/v1/applications?status=New → 401 UNAUTHORIZED_USER
After the fix: GET /uw/v1/applications?status=New → 200 with encrypted MLE response
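The mismatch described in this PR, modelled end to end as an added example (not the SDK's code): a client-side extractor in the buggy and fixed forms, and a server-side check that rejects a token whose request-resource-path claim differs from the path and query it actually received. The claim name and the example URL come from the PR; the HS256 shared-key signing, the claim layout and the function names are stand-ins chosen for this illustration, and the fixed extractor also accepts a full URL (scheme and host stripped), which goes slightly beyond the one-line change the PR makes.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed example; not the SDK's code. Only the claim name
# "request-resource-path" and the example URL come from the PR. HS256 with a
# shared key stands in for the SDK's real signing; the claim layout is assumed.

def buggy_extract_resource_path(request_target: str) -> str:
    """Behaviour the PR fixes: everything after '?' is dropped before signing."""
    return urlsplit(request_target).path

def fixed_extract_resource_path(request_target: str) -> str:
    """Keep path and query; only a scheme/host prefix is removed if present."""
    parts = urlsplit(request_target)
    return parts.path + (f"?{parts.query}" if parts.query else "")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_token(request_target: str, key: bytes, extract) -> str:
    """Client side: sign a JWT whose request-resource-path claim is produced
    by the given extractor (buggy or fixed)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"request-resource-path": extract(request_target)}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authorize(token: str, key: bytes, received_target: str) -> str:
    """Server side: verify the signature, then require the signed claim to
    equal the path+query of the request actually received.
    Returns "OK" or "UNAUTHORIZED_USER"."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return "UNAUTHORIZED_USER"
    claims = json.loads(_b64url_decode(payload))
    if claims.get("request-resource-path") != fixed_extract_resource_path(received_target):
        return "UNAUTHORIZED_USER"  # token is bound to a different URL
    return "OK"
```

With the buggy extractor the token for /uw/v1/applications?status=New carries /uw/v1/applications and is refused; with the fixed extractor the same request is accepted, and a request without a query string passes either way, which is why the bug only surfaced on endpoints that take query params.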