Merge pull request doorkeeper-gem#84 from miyagawa/bug-authorization-…

…header-gsub Don't modify the Authorization: header so that its value won't be modified.
jaimeiniesta · May 2, 2012 · 839f0d2 · 839f0d2
2 parents c3c0c04 + 53c8a4f
commit 839f0d2
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/lib/doorkeeper/doorkeeper_for.rb b/lib/doorkeeper/doorkeeper_for.rb
@@ -109,7 +109,7 @@ def get_doorkeeper_token
 
     def authorization_bearer_token
       header = request.env['HTTP_AUTHORIZATION']
-      header.gsub!(/^Bearer /, '') unless header.nil?
+      header.gsub(/^Bearer /, '') if header && header.match(/^Bearer /)
     end
 
     def doorkeeper_unauthorized_render_options

diff --git a/spec/controllers/protected_resources_controller_spec.rb b/spec/controllers/protected_resources_controller_spec.rb
@@ -99,6 +99,13 @@ def index
       request.env["HTTP_AUTHORIZATION"] = "Basic #{Base64.encode64("foo:bar")}"
       get :index
     end
+
+    it "doesn't change Authorization header value" do
+      Doorkeeper::AccessToken.should_receive(:find_by_token).exactly(2).times
+      request.env["HTTP_AUTHORIZATION"] = "Bearer #{token_string}"
+      get :index
+      get :index
+    end
   end
 
   context "defined for all actions" do