diff options
| author | Piotr Sarnacki <drogus@gmail.com> | 2012-07-11 01:56:38 +0200 |
|---|---|---|
| committer | Piotr Sarnacki <drogus@gmail.com> | 2012-07-11 01:56:38 +0200 |
| commit | df40d79fdc376eae307830e1607ea7455e51280f (patch) | |
| tree | 5a8ed721d6aee818b20ccb59b265a4754727f5d4 /actionpack/test/controller | |
| parent | afa68eb1766d8893a1bb79bf989061f3d8f98049 (diff) | |
| download | rails-df40d79fdc376eae307830e1607ea7455e51280f.tar.gz rails-df40d79fdc376eae307830e1607ea7455e51280f.tar.bz2 rails-df40d79fdc376eae307830e1607ea7455e51280f.zip | |
Don't raise an error if http auth token isn't well formatted
When someone sends malformed authorization header, like:
Authorization: Token foobar
given token should be just ignored and resource should not be authorized,
instead of raising error. Before this patch controller would return 401 header
only for well formed tokens, like:
Authorization: Token token=foobar
and would return 500 in former case.
Diffstat (limited to 'actionpack/test/controller')
| -rw-r--r-- | actionpack/test/controller/http_token_authentication_test.rb | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/actionpack/test/controller/http_token_authentication_test.rb b/actionpack/test/controller/http_token_authentication_test.rb index 3054c1684c..6282ad8a1d 100644 --- a/actionpack/test/controller/http_token_authentication_test.rb +++ b/actionpack/test/controller/http_token_authentication_test.rb @@ -79,6 +79,14 @@ class HttpTokenAuthenticationTest < ActionController::TestCase end end + test "authentication request with badly formatted header" do + @request.env['HTTP_AUTHORIZATION'] = "Token foobar" + get :index + + assert_response :unauthorized + assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication header was not properly parsed" + end + test "authentication request without credential" do get :display |