Don't raise an error if http auth token isn't well formatted

When someone sends a malformed authorization header, like:

    Authorization: Token foobar

the given token should just be ignored and the resource should not be authorized,
instead of raising an error. Before this patch the controller would return a 401 header
only for well-formed tokens, like:

    Authorization: Token token=foobar

and would return 500 in the former case.
Parent: afa68eb. Commit df40d79fdc376eae307830e1607ea7455e51280f by drogus, committed Jul 10, 2012.
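The behaviour the commit message describes, as an added example that is not Rails' own code: a stand-alone model of the `token_and_options` parser before and after this patch, run on constructed header strings without ActionPack. The `/^Token (.*)/` prefix match is an assumption, since the hunk only shows the code that runs after `$1` has been captured.

```ruby
# Added example, not ActionPack code: models the parser from the hunk as
# two plain methods so the pre/post-patch difference can be run directly.

# Pre-patch parsing: every comma-separated entry is assumed to be key=value,
# so an entry such as "foobar" yields a nil value and chomp! raises.
def token_and_options_before(header)
  return nil unless header =~ /^Token (.*)/   # prefix regex is assumed
  values = Hash[$1.split(',').map do |pair|
    pair.strip!                               # drop spaces around commas
    key, val = pair.split(/\=\"?/)            # split key="value"
    val.chomp!('"')                           # NoMethodError when val is nil
    val.gsub!(/\\\"/, '"')                    # unescape embedded quotes
    [key, val]
  end]
  [values.delete("token"), values]
end

# Post-patch parsing: entries without a value return nil from the block and
# are removed by compact, so a malformed entry is ignored instead of raising.
def token_and_options_after(header)
  return nil unless header =~ /^Token (.*)/   # prefix regex is assumed
  values = Hash[$1.split(',').map do |pair|
    pair.strip!
    key, val = pair.split(/\=\"?/)
    if val
      val.chomp!('"')
      val.gsub!(/\\\"/, '"')
      [key, val]
    end
  end.compact]
  [values.delete("token"), values]
end

# Mirrors the controller outcome: a missing or wrong token must map to 401,
# and only an unhandled exception turns into a 500. "secret" is a constructed
# expected token for the example.
def status_for(header, parser)
  token, _opts = send(parser, header) || [nil, {}]
  token == "secret" ? 200 : 401
rescue NoMethodError
  500
end
```

`status_for("Token foobar", :token_and_options_before)` gives 500 while the post-patch parser gives 401 for the same header; well-formed headers parse identically in both versions.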
@@ -436,10 +436,12 @@ def token_and_options(request)
values = Hash[$1.split(',').map do |value|
value.strip! # remove any spaces between commas and values
key, value = value.split(/\=\"?/) # split key=value pairs
- value.chomp!('"') # chomp trailing " in value
- value.gsub!(/\\\"/, '"') # unescape remaining quotes
- [key, value]
- end]
+ if value
+ value.chomp!('"') # chomp trailing " in value
+ value.gsub!(/\\\"/, '"') # unescape remaining quotes
+ [key, value]
+ end
+ end.compact]
[values.delete("token"), values.with_indifferent_access]
end
end
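Review bot: in the new `if value` guard that follows `key, value = value.split(/\=\"?/)`, the name `value` means both the raw comma-separated entry and the parsed value, which hides the fact that the guard is really testing for an entry with no `=` at all; renaming the split result (`key, val = value.split(/\=\"?/)` and `if val`) plus a one-line comment stating that entries without `=` are intentionally discarded by `end.compact` would make the intent clear to the next reader.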
@@ -79,6 +79,14 @@ def authenticate_long_credentials
end
end
+ test "authentication request with badly formatted header" do
+ @request.env['HTTP_AUTHORIZATION'] = "Token foobar"
+ get :index
+
+ assert_response :unauthorized
+ assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication header was not properly parsed"
carlosantoniodasilva (Owner), Jul 11, 2012:

Ahm, wrong indent somehow? :)

drogus (Member), Jul 11, 2012:

Damn! That's what you get when you practice copy&paste programming ;) fixed here: 542637e

carlosantoniodasilva (Owner), Jul 11, 2012:

Hahaha c&p programming is life! 😄

+ end
+
test "authentication request without credential" do
get :display
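Review bot: the new test covers only the single malformed form `Token foobar`; because the parser change now discards any comma-separated entry that lacks `=`, a header mixing a malformed entry with a well-formed `token=...` pair would be parsed from the well-formed part alone, so a second test case for that mixed form would document whether that outcome is the intended one and guard it against regressions.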
