Merge 76f6dec into 75894bb

middleware/authentication.go

@@ -95,21 +95,16 @@ func MakeHTTPOIDCTokenValidationMW(keycloakClient KeycloakClient, audienceRequir
 				return
 			}
 
-			var matched, _ = regexp.MatchString(`^[Bb]earer *`, authorizationHeader)
-
-			if !matched {
+			var r = regexp.MustCompile(`^[Bb]earer +([^ ]+)$`)
+			var match = r.FindStringSubmatch(authorizationHeader)
+			if match == nil {
 				logger.Log("Authorization Error", "Missing bearer token")
 				httpErrorHandler(context.TODO(), http.StatusForbidden, fmt.Errorf("Missing bearer token"), w)
 				return
 			}
 
-			var splitToken = strings.Split(authorizationHeader, "Bearer ")
-
-			if len(splitToken) < 2 {
-				splitToken = strings.Split(authorizationHeader, "bearer ")
-			}
-
-			var accessToken = splitToken[1]
+			// match[0] is the global matched group. match[1] is the first captured group
+			var accessToken = match[1]
 
 			payload, _, err := jwt.Parse(accessToken)
 			if err != nil {

middleware/authentication_test.go

@@ -169,6 +169,17 @@ func TestHTTPOIDCTokenValidationMW(t *testing.T) {
 		assert.Equal(t, 403, result.StatusCode)
 	}
 
+	req.Header.Set("Authorization", "Bearer    AB CD")
+
+	// Invalid bearer token.
+	{
+		var w = httptest.NewRecorder()
+		mockLogger.EXPECT().Log("Authorization Error", "Missing bearer token").Return(nil).Times(1)
+		m.ServeHTTP(w, req)
+		var result = w.Result()
+		assert.Equal(t, 403, result.StatusCode)
+	}
+
 	req.Header.Set("Authorization", "Bearer "+tokenAudString)
 
 	// Valid authorization token.