Browse files

Merge pull request #15683 from larrylv/fix-token-with-empty-value

Fix parsed token value with header `Authorization token=`.

Conflicts:
	actionpack/CHANGELOG.md
  • Loading branch information...
1 parent c1c32ae commit b9efc5704b7a9d2e8c5f8b1909085bfd06767ab7 @matthewd matthewd committed Jun 13, 2014
View
8 actionpack/CHANGELOG.md
@@ -1,3 +1,11 @@
+* With authorization header `Authorization: Token token=`, `authenticate` now
+ recognize token as nil, instead of "token".
+
+ Fixes #14846.
+
+ *Larry Lv*
+
+
## Rails 4.0.6 (unreleased) ##
* Fix URL generation with `:trailing_slash` such that it does not add
View
4 actionpack/lib/action_controller/metal/http_authentication.rb
@@ -437,7 +437,7 @@ def token_and_options(request)
authorization_request = request.authorization.to_s
if authorization_request[TOKEN_REGEX]
params = token_params_from authorization_request
- [params.shift.last, Hash[params].with_indifferent_access]
+ [params.shift[1], Hash[params].with_indifferent_access]
end
end
@@ -452,7 +452,7 @@ def params_array_from(raw_params)
# This removes the `"` characters wrapping the value.
def rewrite_param_values(array_params)
- array_params.each { |param| param.last.gsub! %r/^"|"$/, '' }
+ array_params.each { |param| (param[1] || "").gsub! %r/^"|"$/, '' }
end
# This method takes an authorization body and splits up the key-value
View
29 actionpack/test/controller/http_token_authentication_test.rb
@@ -132,13 +132,30 @@ def authenticate_long_credentials
assert_equal(expected, actual)
end
- private
-
- def sample_request(token)
- @sample_request ||= OpenStruct.new authorization: %{Token token="#{token}"}
+ test "token_and_options returns empty string with empty token" do
+ token = ''
+ actual = ActionController::HttpAuthentication::Token.token_and_options(sample_request(token)).first
+ expected = token
+ assert_equal(expected, actual)
end
- def encode_credentials(token, options = {})
- ActionController::HttpAuthentication::Token.encode_credentials(token, options)
+ test "token_and_options returns nil with no value after the equal sign" do
+ actual = ActionController::HttpAuthentication::Token.token_and_options(malformed_request).first
+ expected = nil
+ assert_equal(expected, actual)
end
+
+ private
+
+ def sample_request(token)
+ @sample_request ||= OpenStruct.new authorization: %{Token token="#{token}", nonce="def"}
+ end
+
+ def malformed_request
+ @malformed_request ||= OpenStruct.new authorization: %{Token token=}
+ end
+
+ def encode_credentials(token, options = {})
+ ActionController::HttpAuthentication::Token.encode_credentials(token, options)
+ end
end

0 comments on commit b9efc57

Please sign in to comment.