Updated @ziege's patch to overcome awkward access token definition requirement (i.e. access token can have a space in it) and also optimised code. Fixes #52

2024-11-01 16:33:07 +05:30 · 2013-05-10 12:57:06 -07:00 · 2013-05-10 12:57:06 -07:00 · 8c4019693b
commit 8c4019693b
parent b88ef82563
2 changed files with 45 additions and 7 deletions
--- a/src/League/OAuth2/Server/Resource.php
+++ b/src/League/OAuth2/Server/Resource.php
@ -250,15 +250,12 @@ class Resource
            // 1st request: Authorization: Bearer XXX
            // 2nd request: Authorization: Bearer XXX, Bearer XXX
            if (strpos($header, ',') !== false) {
-                $accessTokens = array();
-                foreach (explode(',', $header) as $header_part) {
-                    $accessTokens[] = trim(preg_replace('/^(?:\s+)?Bearer\s+/', '', $header_part));
-                }
-                // take always the first one
-                $accessToken = $accessTokens[0];
+                $headerPart = explode(',', $header);
+                $accessToken = preg_replace('/^(?:\s+)?Bearer(\s{1})/', '', $headerPart[0]);
            } else {
-                $accessToken = trim(preg_replace('/^(?:\s+)?Bearer\s+/', '', $header));
+                $accessToken = preg_replace('/^(?:\s+)?Bearer(\s{1})/', '', $header);
            }
+            $accessToken = ($accessToken === 'Bearer') ? '' : $accessToken;
        } else {
            $method = $this->getRequest()->server('REQUEST_METHOD');
            $accessToken = $this->getRequest()->{$method}($this->tokenKey);
--- a/tests/resource/ResourceServerTest.php
+++ b/tests/resource/ResourceServerTest.php
@ -83,6 +83,24 @@ class Resource_Server_test extends PHPUnit_Framework_TestCase
 	    $method->invoke($s);
    }

+    /**
+     * @expectedException League\OAuth2\Server\Exception\InvalidAccessTokenException
+     */
+    public function test_determineAccessToken_brokenCurlRequest()
+    {
+        $_SERVER['HTTP_AUTHORIZATION'] = 'Bearer, Bearer abcdef';
+        $request = new League\OAuth2\Server\Util\Request(array(), array(), array(), array(), $_SERVER);
+
+        $s = $this->returnDefault();
+        $s->setRequest($request);
+
+        $reflector = new ReflectionClass($s);
+        $method = $reflector->getMethod('determineAccessToken');
+        $method->setAccessible(true);
+
+        $method->invoke($s);
+    }
+
    public function test_determineAccessToken_fromHeader()
    {
        $request = new League\OAuth2\Server\Util\Request();
@ -106,6 +124,29 @@ class Resource_Server_test extends PHPUnit_Framework_TestCase
 	    $this->assertEquals('abcdef', $result);
    }

+    public function test_determineAccessToken_fromBrokenCurlHeader()
+    {
+        $request = new League\OAuth2\Server\Util\Request();
+
+        $requestReflector = new ReflectionClass($request);
+        $param = $requestReflector->getProperty('headers');
+        $param->setAccessible(true);
+        $param->setValue($request, array(
+            'Authorization' =>  'Bearer abcdef, Bearer abcdef'
+        ));
+        $s = $this->returnDefault();
+        $s->setRequest($request);
+
+        $reflector = new ReflectionClass($s);
+
+        $method = $reflector->getMethod('determineAccessToken');
+        $method->setAccessible(true);
+
+        $result = $method->invoke($s);
+
+        $this->assertEquals('abcdef', $result);
+    }
+
    public function test_determineAccessToken_fromMethod()
    {
    	$s = $this->returnDefault();