From 27d432e7e60c03a9a7ec4a33961359a03558b77d Mon Sep 17 00:00:00 2001
From: Arnaud Mesureur
Date: Fri, 29 Jan 2016 01:22:00 +1100
Subject: [PATCH 1/2] Revert to a more flexible authorization header parsing

- Do not enforce presence of Bearer prefix
- Update changelog
- Fixes #36
---
 CHANGELOG.md | 6 ++++++
 lib/knock/authenticable.rb | 4 +---
 .../protected_resources_controller_test.rb | 16 ++++++++++++++++
 3 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index edd7682..9c37436 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,12 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [Unreleased]
+### Fixed
+- Allow use of any or no prefix in authorization header.
+This fixes an unwanted breaking change introduced in `1.4.0` forcing the use
+of the `Bearer` prefix.
+
 ## [1.4.1] - 2016-01-08
 ### Fixed
 - Use lambda for audience verification
diff --git a/lib/knock/authenticable.rb b/lib/knock/authenticable.rb
index b1f5cf5..b021f40 100644
--- a/lib/knock/authenticable.rb
+++ b/lib/knock/authenticable.rb
@@ -1,9 +1,7 @@
 module Knock::Authenticable
   def current_user
     @current_user ||= begin
-      token = params[:token] ||
-        request.headers['Authorization'].match(/^Bearer (.*)$/)[1]
-
+      token = params[:token] || request.headers['Authorization'].split.last
       Knock::AuthToken.new(token: token).current_user
     rescue
       nil
diff --git a/test/dummy/test/controllers/protected_resources_controller_test.rb b/test/dummy/test/controllers/protected_resources_controller_test.rb
index e1a3f5c..496fc2a 100644
--- a/test/dummy/test/controllers/protected_resources_controller_test.rb
+++ b/test/dummy/test/controllers/protected_resources_controller_test.rb
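Review bot: `request.headers['Authorization'].split.last` takes the last whitespace-separated token of whatever `Authorization` value arrives, so a request carrying a different scheme (e.g. `Basic` credentials) is handed to `Knock::AuthToken.new` as if it were a JWT, and a missing header raises `NoMethodError` on `nil`; the bare `rescue` two lines below turns both into a silent `nil` user. Token verification inside `Knock::AuthToken` is presumably what keeps this from being a bypass, but the parser should not rely on the rescue for the missing-header case: `token = params[:token] || request.headers['Authorization'].to_s.split.last`, preceded by a comment such as `# Any scheme prefix, or none, is accepted on purpose (see #36); the JWT is the last token.` The bare `rescue` also swallows every StandardError from decoding, so a bug in this line would surface only as an authentication failure. Reading the token from `params[:token]` is pre-existing rather than new, but it does put bearer tokens into URLs and request logs and deserves its own issue.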
@@ -43,4 +43,20 @@ def authenticate token: @token
     assert_response :success
     assert @controller.current_user.id == @user.id
   end
+
+  test "accepts any prefix in the authorization header" do
+    @request.env['HTTP_AUTHORIZATION'] = "Other #{@token}"
+
+    get :index
+
+    assert_response :success
+  end
+
+  test "accepts authorization header without prefix" do
+    @request.env['HTTP_AUTHORIZATION'] = "#{@token}"
+
+    get :index
+
+    assert_response :success
+  end
 end
From a670271268fc3d8db5ecd43cf05ea8d07af5a841 Mon Sep 17 00:00:00 2001
From: Arnaud Mesureur
Date: Fri, 29 Jan 2016 09:57:58 +1100
Subject: [PATCH 2/2] Patch version 1.4.2

- Update Changelog
- Change version from 1.4.1 to 1.4.2
---
 CHANGELOG.md | 2 +-
 lib/knock/version.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9c37436..82d8ea0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,7 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
-## [Unreleased]
+## [1.4.2] - 2016-01-29
 ### Fixed
 - Allow use of any or no prefix in authorization header.
 This fixes an unwanted breaking change introduced in `1.4.0` forcing the use
diff --git a/lib/knock/version.rb b/lib/knock/version.rb
index f0796d9..6b94fcc 100644
--- a/lib/knock/version.rb
+++ b/lib/knock/version.rb
@@ -1,3 +1,3 @@
 module Knock
-  VERSION = "1.4.1"
+  VERSION = "1.4.2"
 end
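Review bot: Both new tests assert only the success path, so nothing pins that the relaxed header parsing still rejects a bad credential or a missing header now that the value is reduced to its last token. A negative case alongside them, e.g. `@request.env['HTTP_AUTHORIZATION'] = "Other #{@token}x"` then `get :index` and `assert_response :unauthorized` (or whatever status the controller returns on failure, which is not visible here), would keep lax parsing from quietly becoming lax verification. Style nit: `"#{@token}"` in the second test is just `@token`. The enclosing test class starts before this hunk.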