From 8c4019693b1a56e72e27826611bf0244dcdb712a Mon Sep 17 00:00:00 2001
From: Alex Bilbie
Date: Fri, 10 May 2013 12:57:06 -0700
Subject: [PATCH] Updated @ziege's patch to overcome awkward access token definition requirement (i.e. access token can have a space in it) and also optimised code. Fixes #52
---
 src/League/OAuth2/Server/Resource.php | 11 +++----
 tests/resource/ResourceServerTest.php | 41 +++++++++++++++++++++++++++
 2 files changed, 45 insertions(+), 7 deletions(-)
diff --git a/src/League/OAuth2/Server/Resource.php b/src/League/OAuth2/Server/Resource.php
index d847aafc..be902208 100644
--- a/src/League/OAuth2/Server/Resource.php
+++ b/src/League/OAuth2/Server/Resource.php
@@ -250,15 +250,12 @@ class Resource
 // 1st request: Authorization: Bearer XXX
 // 2nd request: Authorization: Bearer XXX, Bearer XXX
 if (strpos($header, ',') !== false) {
- $accessTokens = array();
- foreach (explode(',', $header) as $header_part) {
- $accessTokens[] = trim(preg_replace('/^(?:\s+)?Bearer\s+/', '', $header_part));
- }
- // take always the first one
- $accessToken = $accessTokens[0];
+ $headerPart = explode(',', $header);
+ $accessToken = preg_replace('/^(?:\s+)?Bearer(\s{1})/', '', $headerPart[0]);
 } else {
- $accessToken = trim(preg_replace('/^(?:\s+)?Bearer\s+/', '', $header));
+ $accessToken = preg_replace('/^(?:\s+)?Bearer(\s{1})/', '', $header);
 }
+ $accessToken = ($accessToken === 'Bearer') ? '' : $accessToken;
 } else {
 $method = $this->getRequest()->server('REQUEST_METHOD');
 $accessToken = $this->getRequest()->{$method}($this->tokenKey);
diff --git a/tests/resource/ResourceServerTest.php b/tests/resource/ResourceServerTest.php
index 50856633..c05966bf 100644
--- a/tests/resource/ResourceServerTest.php
+++ b/tests/resource/ResourceServerTest.php
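Review bot: The new regex `/^(?:\s+)?Bearer(\s{1})/` strips exactly one whitespace character and the `trim()` calls are gone, so `Bearer  abcdef` (two spaces) now yields ` abcdef` and the duplicated-header form `Bearer abcdef , Bearer abcdef` yields `abcdef ` — the token carries edge whitespace the old code removed, and the added ternary only catches the exact string `Bearer`. RFC 6750's b64token grammar contains no whitespace at all, so instead of admitting spaces inside tokens I would validate the extracted value right after the ternary and reject anything else before it reaches the token store: `if (!preg_match('#^[A-Za-z0-9\-._~+/]+=*$#', $accessToken)) { $accessToken = ''; }`. That also covers a non-Bearer scheme: preg_replace returns the subject unchanged when `Bearer` is absent, so a `Basic …` header is currently looked up verbatim as a token, whereas the empty string presumably takes the same InvalidAccessTokenException path the new brokenCurlRequest test expects. If the project really must accept spaces inside tokens, at least restore edge trimming with `$accessToken = trim($accessToken);` so whitespace placement in the header cannot change the lookup key. determineAccessToken continues outside the hunk, so where the empty token turns into the exception is not visible here.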
@@ -83,6 +83,24 @@ class Resource_Server_test extends PHPUnit_Framework_TestCase
 $method->invoke($s);
 }
+ /**
+ * @expectedException League\OAuth2\Server\Exception\InvalidAccessTokenException
+ */
+ public function test_determineAccessToken_brokenCurlRequest()
+ {
+ $_SERVER['HTTP_AUTHORIZATION'] = 'Bearer, Bearer abcdef';
+ $request = new League\OAuth2\Server\Util\Request(array(), array(), array(), array(), $_SERVER);
+
+ $s = $this->returnDefault();
+ $s->setRequest($request);
+
+ $reflector = new ReflectionClass($s);
+ $method = $reflector->getMethod('determineAccessToken');
+ $method->setAccessible(true);
+
+ $method->invoke($s);
+ }
+
 public function test_determineAccessToken_fromHeader()
 {
 $request = new League\OAuth2\Server\Util\Request();
@@ -106,6 +124,29 @@ class Resource_Server_test extends PHPUnit_Framework_TestCase
 $this->assertEquals('abcdef', $result);
 }
+ public function test_determineAccessToken_fromBrokenCurlHeader()
+ {
+ $request = new League\OAuth2\Server\Util\Request();
+
+ $requestReflector = new ReflectionClass($request);
+ $param = $requestReflector->getProperty('headers');
+ $param->setAccessible(true);
+ $param->setValue($request, array(
+ 'Authorization' => 'Bearer abcdef, Bearer abcdef'
+ ));
+ $s = $this->returnDefault();
+ $s->setRequest($request);
+
+ $reflector = new ReflectionClass($s);
+
+ $method = $reflector->getMethod('determineAccessToken');
+ $method->setAccessible(true);
+
+ $result = $method->invoke($s);
+
+ $this->assertEquals('abcdef', $result);
+ }
+
 public function test_determineAccessToken_fromMethod()
 {
 $s = $this->returnDefault();
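Review bot: test_determineAccessToken_brokenCurlRequest assigns `$_SERVER['HTTP_AUTHORIZATION']` and never clears it, so the value leaks into every test that runs afterwards in the same process; if a no-argument `new Request()` falls back to `$_SERVER` (not visible here), test_determineAccessToken_fromHeader and later tests would silently run with a Bearer header they did not set. Save the previous value and restore it, or at minimum add `unset($_SERVER['HTTP_AUTHORIZATION']);` in a tearDown(), so the ordering of tests cannot change their outcome. The docblock should also say what malformed client input `'Bearer, Bearer abcdef'` models and why it must be rejected rather than resolved to `abcdef`; the `@expectedException` annotation alone does not explain the intended contract. The enclosing class Resource_Server_test continues outside the hunk.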
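Review bot: test_determineAccessToken_fromBrokenCurlHeader pins only the exact `'Bearer abcdef, Bearer abcdef'` spelling, which is the one input the new `\s{1}` regex handles cleanly; the variants whose behaviour this commit changed — `'Bearer  abcdef'` (two spaces) and `'Bearer abcdef , Bearer abcdef'` (space before the comma) — have no assertion, so whether they are meant to yield `abcdef`, ` abcdef`, `abcdef ` or an exception is left undocumented. Add one case per variant (a data provider would keep the reflection boilerplate in one place) so the intended whitespace contract is pinned by a test rather than implied by the regex. The enclosing class Resource_Server_test continues outside the hunk.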