Merge commit from fork

getToken() called decodeURIComponent() on the Authorization Bearer value
outside any error handling, so a request with a malformed percent-encoded
token (e.g. `Authorization: Bearer %`) threw an uncaught URIError to the
caller. Treat malformed encodings as an invalid token and return null,
matching how undecodable tokens are already handled.

Fixes GHSA-xmf8-cvqr-rfgj

Author: Bekacru

packages/core/src/jwt.ts

@@ -172,7 +172,12 @@ export async function getToken(
 
   if (!token && authorizationHeader?.split(" ")[0] === "Bearer") {
     const urlEncodedToken = authorizationHeader.split(" ")[1]
-    token = decodeURIComponent(urlEncodedToken)
+    try {
+      token = decodeURIComponent(urlEncodedToken)
+    } catch {
+      // Malformed percent-encoding makes the Bearer token invalid
+      return null
+    }
   }
 
   if (!token) return null

packages/core/test/jwt.test.ts

@@ -1,5 +1,6 @@
 import { describe, it, expect } from "vitest"
 import { encode, decode } from "../jwt"
+import { getToken } from "../src/jwt"
 
 describe("supports secret rotation", () => {
   const token = { foo: "bar" }
@@ -38,3 +39,35 @@ describe("supports secret rotation", () => {
     )
   })
 })
+
+describe("getToken", () => {
+  const secret = "secret"
+
+  it("returns null for a malformed percent-encoded Bearer token", async () => {
+    for (const value of ["%", "%A", "%ZZ"]) {
+      const req = {
+        headers: new Headers({ authorization: `Bearer ${value}` }),
+      }
+      await expect(getToken({ req, secret })).resolves.toBeNull()
+    }
+  })
+
+  it("returns null for a malformed Bearer token when raw is set", async () => {
+    const req = {
+      headers: new Headers({ authorization: "Bearer %" }),
+    }
+    await expect(getToken({ req, secret, raw: true })).resolves.toBeNull()
+  })
+
+  it("still reads a valid Bearer token", async () => {
+    const salt = "authjs.session-token"
+    const jwt = await encode({ salt, token: { foo: "bar" }, secret })
+    const req = {
+      headers: new Headers({
+        authorization: `Bearer ${encodeURIComponent(jwt)}`,
+      }),
+    }
+    const decoded = await getToken({ req, secret })
+    expect(decoded?.foo).toEqual("bar")
+  })
+})