diff options
| author | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2014-05-20 18:12:13 -0300 |
|---|---|---|
| committer | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2014-05-20 18:12:13 -0300 |
| commit | ef00bb719641c93fd7a4670a00e300efbc2c571d (patch) | |
| tree | 4e3be941c37bcbfa153994781844c5655755b980 | |
| parent | 52b558695d5a1b33ff21516cbc71d1ae1dee4632 (diff) | |
| parent | 15a98a88c08a30234ece4ba0bf697f18474c04bf (diff) | |
| download | rails-ef00bb719641c93fd7a4670a00e300efbc2c571d.tar.gz rails-ef00bb719641c93fd7a4670a00e300efbc2c571d.tar.bz2 rails-ef00bb719641c93fd7a4670a00e300efbc2c571d.zip | |
Merge pull request #11346 from tomykaira/fix_10257
Check authentication scheme in Basic auth
| -rw-r--r-- | actionpack/lib/action_controller/metal/http_authentication.rb | 16 | ||||
| -rw-r--r-- | actionpack/test/controller/http_basic_authentication_test.rb | 7 |
2 files changed, 21 insertions, 2 deletions
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb index 2eb7853aa6..3111992f82 100644 --- a/actionpack/lib/action_controller/metal/http_authentication.rb +++ b/actionpack/lib/action_controller/metal/http_authentication.rb @@ -90,17 +90,29 @@ module ActionController end def authenticate(request, &login_procedure) - unless request.authorization.blank? + if has_basic_credentials?(request) login_procedure.call(*user_name_and_password(request)) end end + def has_basic_credentials?(request) + request.authorization.present? && (auth_scheme(request) == 'Basic') + end + def user_name_and_password(request) decode_credentials(request).split(':', 2) end def decode_credentials(request) - ::Base64.decode64(request.authorization.split(' ', 2).last || '') + ::Base64.decode64(auth_param(request) || '') + end + + def auth_scheme(request) + request.authorization.split(' ', 2).first + end + + def auth_param(request) + request.authorization.split(' ', 2).second end def encode_credentials(user_name, password) diff --git a/actionpack/test/controller/http_basic_authentication_test.rb b/actionpack/test/controller/http_basic_authentication_test.rb index 90548d4294..9052fc6962 100644 --- a/actionpack/test/controller/http_basic_authentication_test.rb +++ b/actionpack/test/controller/http_basic_authentication_test.rb @@ -129,6 +129,13 @@ class HttpBasicAuthenticationTest < ActionController::TestCase assert_response :unauthorized end + test "authentication request with wrong scheme" do + header = 'Bearer ' + encode_credentials('David', 'Goliath').split(' ', 2)[1] + @request.env['HTTP_AUTHORIZATION'] = header + get :search + assert_response :unauthorized + end + private def encode_credentials(username, password) |