Don't raise an error if http auth token isn't well formatted
When someone sends a malformed authorization header, such as: Authorization: Token foobar the given token should simply be ignored and the resource should not be authorized, instead of an error being raised. Before this patch the controller would return a 401 header only for well-formed tokens, such as: Authorization: Token token=foobar and would return a 500 in the former case.
parent
afa68eb176
commit
df40d79fdc
|
@ -436,10 +436,12 @@ module ActionController
|
|||
values = Hash[$1.split(',').map do |value|
|
||||
value.strip! # remove any spaces between commas and values
|
||||
key, value = value.split(/\=\"?/) # split key=value pairs
|
||||
value.chomp!('"') # chomp trailing " in value
|
||||
value.gsub!(/\\\"/, '"') # unescape remaining quotes
|
||||
[key, value]
|
||||
end]
|
||||
if value
|
||||
value.chomp!('"') # chomp trailing " in value
|
||||
value.gsub!(/\\\"/, '"') # unescape remaining quotes
|
||||
[key, value]
|
||||
end
|
||||
end.compact]
|
||||
[values.delete("token"), values.with_indifferent_access]
|
||||
end
|
||||
end
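Review bot: The pair split `value.split(/\=\"?/)` has no limit, so a value that itself contains `=` (base64-padded tokens are a common case) is cut at its first `=`, because `key, value =` keeps only the first two pieces; the new `if value` guard does not change that. Passing a limit, `key, value = value.split(/\=\"?/, 2)`, keeps the whole value while still yielding nil for a fragment with no `=`. A truncated token would either fail every comparison or, depending on how the caller compares it, let tokens that share a prefix collide, so it is worth pinning with a test. The enclosing method starts above the hunk, so the regex that fills `$1` is not visible here.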
|
||||
|
|
|
@ -79,6 +79,14 @@ class HttpTokenAuthenticationTest < ActionController::TestCase
|
|||
end
|
||||
end
|
||||
|
||||
test "authentication request with badly formatted header" do
|
||||
@request.env['HTTP_AUTHORIZATION'] = "Token foobar"
|
||||
get :index
|
||||
|
||||
assert_response :unauthorized
|
||||
assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication header was not properly parsed"
|
||||
end
|
||||
|
||||
test "authentication request without credential" do
|
||||
get :display
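Review bot: The added test covers only a header that is malformed as a whole (`Token foobar`); the new `if value` / `compact` path is also taken when a bare fragment sits next to a well-formed pair, and that mix is not exercised. A companion test that sends a valid token pair followed by `, foobar` and asserts the request is still authorized would show that the fragment is dropped without discarding the rest of the header. A second one sending `Token token=` with an empty value and asserting `:unauthorized` would pin the rejecting side, so a later parser change cannot turn an empty or partial credential into an accepted one unnoticed.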
|
||||
|
||||
|
|