Don't alter the Authorization: header so that its value won't be modi…

…fied. The code directly modifies the value of `request.env['HTTP_AUTHORIZATION']` with `gsub!`, leading to a weird case where your Authorization token can't be authenticated more than once (because the prefix "Bearer " is stripped off in the first call). This probably only affects the use case with Rack::Test.
jaimeiniesta · May 1, 2012 · 53c8a4f · 53c8a4f
1 parent 614bea6
commit 53c8a4f
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/lib/doorkeeper/doorkeeper_for.rb b/lib/doorkeeper/doorkeeper_for.rb
@@ -109,7 +109,7 @@ def get_doorkeeper_token
 
     def authorization_bearer_token
       header = request.env['HTTP_AUTHORIZATION']
-      header.gsub!(/^Bearer /, '') unless header.nil?
+      header.gsub(/^Bearer /, '') if header && header.match(/^Bearer /)
     end
 
     def doorkeeper_unauthorized_render_options

diff --git a/spec/controllers/protected_resources_controller_spec.rb b/spec/controllers/protected_resources_controller_spec.rb
@@ -99,6 +99,13 @@ def index
       request.env["HTTP_AUTHORIZATION"] = "Basic #{Base64.encode64("foo:bar")}"
       get :index
     end
+
+    it "doesn't change Authorization header value" do
+      Doorkeeper::AccessToken.should_receive(:find_by_token).exactly(2).times
+      request.env["HTTP_AUTHORIZATION"] = "Bearer #{token_string}"
+      get :index
+      get :index
+    end
   end
 
   context "defined for all actions" do