Fixed issue with AuthHeaders parser stripping trailing hyphens from tokens (#1926)

seguer · web-flow · commit ab00f2d7cce5 · 2021-02-02T14:44:28.000Z
diff --git a/src/Http/Parser/AuthHeaders.php b/src/Http/Parser/AuthHeaders.php
@@ -53,8 +53,10 @@ public function parse(Request $request)
     {
         $header = $request->headers->get($this->header) ?: $this->fromAltHeaders($request);
 
-        if ($header && preg_match('/'.$this->prefix.'\s*(\S+)\b/i', $header, $matches)) {
-            return $matches[1];
+        if ($header) {
+            $start = strlen($this->prefix);
+
+            return trim(substr($header, $start));
         }
     }
 
diff --git a/tests/Http/ParserTest.php b/tests/Http/ParserTest.php
@@ -108,6 +108,62 @@ public function it_should_return_the_token_from_the_alt_authorization_headers()
         $this->assertTrue($parser->hasToken());
     }
 
+    /** @test */
+    public function it_should_not_strip_trailing_hyphens_from_the_authorization_header()
+    {
+        $request = Request::create('foo', 'POST');
+        $request->headers->set('Authorization', 'Bearer foobar--');
+
+        $parser = new Parser($request);
+
+        $parser->setChain([
+            new QueryString,
+            new InputSource,
+            new AuthHeaders,
+            new RouteParams,
+        ]);
+
+        $this->assertSame($parser->parseToken(), 'foobar--');
+        $this->assertTrue($parser->hasToken());
+    }
+
+    /**
+     * @test
+     * @dataProvider whitespaceProvider
+     */
+    public function it_should_handle_excess_whitespace_from_the_authorization_header($whitespace)
+    {
+        $request = Request::create('foo', 'POST');
+        $request->headers->set('Authorization', "Bearer{$whitespace}foobar{$whitespace}");
+
+        $parser = new Parser($request);
+
+        $parser->setChain([
+            new QueryString,
+            new InputSource,
+            new AuthHeaders,
+            new RouteParams,
+        ]);
+
+        $this->assertSame($parser->parseToken(), 'foobar');
+        $this->assertTrue($parser->hasToken());
+    }
+
+    public function whitespaceProvider()
+    {
+        return [
+            'space' => [' '],
+            'multiple spaces' => ['    '],
+            'tab' => ["\t"],
+            'multiple tabs' => ["\t\t\t"],
+            'new line' => ["\n"],
+            'multiple new lines' => ["\n\n\n"],
+            'carriage return' => ["\r"],
+            'carriage returns' => ["\r\r\r"],
+            'mixture of whitespace' => ["\t \n \r \t \n"],
+        ];
+    }
+
     /** @test */
     public function it_should_return_the_token_from_query_string()
     {

Original file line number	Diff line number	Diff line change
`@@ -53,8 +53,10 @@ public function parse(Request $request)`
`53`	`53`	`{`
`54`	`54`	`$header = $request->headers->get($this->header) ?: $this->fromAltHeaders($request);`
`55`	`55`
`56`		`- if ($header && preg_match('/'.$this->prefix.'\s*(\S+)\b/i', $header, $matches)) {`
`57`		`- return $matches[1];`
	`56`	`+ if ($header) {`
	`57`	`+ $start = strlen($this->prefix);`
	`58`	`+`
	`59`	`+ return trim(substr($header, $start));`
`58`	`60`	`}`
`59`	`61`	`}`
`60`	`62`