How to work with Bearer Token authorization #308

broddo · 2025-10-09T03:01:32Z

broddo
Oct 9, 2025

Hi Team - I'm delighted this project is up and running again! I'm currently refactoring one of my bigger projects to make use of the new features. I'm currently investigating the various authorization middlewares which is a fantastic addition. I have a question about how you intended bearer token authorization to work.

I see that in AsyncWebServerRequest::_parseReqHeader() that _authMethod should hold the auth method and _authorization should hold the token if the correct header is present. It would be convenient if something like this were possible in my custom middleware:

class BearerTokenMiddleware : public AsyncMiddleware {
 public:
  void run(AsyncWebServerRequest *request, ArMiddlewareNext next) override {
    // Skip authentication for the login path
    if (request->url().startsWith("/api/auth/login")) {
      return next();
    }

    if (request->_authMethod != AUTH_BEARER) {
      return request->send(401, "application/json", "{\"error\":\"Authorization required\"}");
    }

    auto user = SessionManager.verify(request->_authorization.c_str());

    if (!user) {
      return request->send(403, "application/json", "{\"error\":\"Invalid or expired token\"}");
    }

    // Token is valid, proceed with the request
    request->setAttribute("userId", static_cast<long>(user->id()));
    request->setAttribute("userRole", static_cast<long>(user->role()));

    next(); 
  }
};

However, since both _authMethod and _authorization are private in AsyncWebServerRequest and there don’t appear to be any public getters, I’m wondering:

Did you have another intended way for middleware to access the bearer token or auth method?

mathieucarbou · 2025-10-09T09:10:35Z

mathieucarbou
Oct 9, 2025
Maintainer

Hi,

You are right, these fields should be public in order to allow custom implementations of middleware.

Historically the bearer token support was not there.
When I introduced middleware, I extracted this value to expose it but as the code was done it only supported a private shared key because the lib was only checking against an expected fixed hash.

But you are right that for a bearer token, especially like JWT tokens, it would need to be decoded and parsed in the middleware to extract its content, or, validated against an external system.

I have sent a PR here to fix all that: #309

With this PR you have the ability to create your own middleware like you did and access the fields now, or use like in the Auth example the provided one and add a callback (easier).

You can try the branch:

lib_deps = https://github.com/ESP32Async/ESPAsyncWebServer#auth

0 replies

broddo · 2025-10-10T04:15:24Z

broddo
Oct 10, 2025
Author

Wow that was an impressively fast turn around, well done! I'll give this a whirl tomorrow and get back to you if I've any issues, but by the looks of it, you've hit everything I was looking for. My session manager is basic at the moment (just randomly generated tokens and a table to match tokens with users) but I want to experiment with JWT as that is obviously superior (as long as the signing process can be hardware accelerated).

If I get something tidy together I'll share it so that you can update your auth example.

Cheers!

1 reply

mathieucarbou Oct 10, 2025
Maintainer

If I get something tidy together I'll share it so that you can update your auth example.

That would be awesome yes! If you do, you can even create a JWT.ino class (copied from the Auth example) but just keep inside only one example with JWT, the token decoding, etc.

JWT is a use case I know others are using on ESP32 so I think it deserves its own example because that's pretty cool since it can handle session data also which avoids each time going to a DB or file system 👍

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

How to work with Bearer Token authorization #308

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

How to work with Bearer Token authorization #308

Uh oh!

broddo Oct 9, 2025

Replies: 2 comments · 1 reply

Uh oh!

Uh oh!

mathieucarbou Oct 9, 2025 Maintainer

Uh oh!

broddo Oct 10, 2025 Author

Uh oh!

mathieucarbou Oct 10, 2025 Maintainer

broddo
Oct 9, 2025

Replies: 2 comments 1 reply

mathieucarbou
Oct 9, 2025
Maintainer

broddo
Oct 10, 2025
Author

mathieucarbou Oct 10, 2025
Maintainer