Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/CHANGELOG.md7
-rw-r--r--actionpack/lib/action_controller/metal/http_authentication.rb8
-rw-r--r--actionpack/lib/action_controller/test_case.rb7
-rw-r--r--actionpack/lib/action_dispatch/http/url.rb89
-rw-r--r--actionpack/test/controller/http_token_authentication_test.rb29
-rw-r--r--actionpack/test/controller/routing_test.rb1
-rw-r--r--actionpack/test/controller/url_for_test.rb2
-rw-r--r--actionpack/test/journey/router_test.rb2
8 files changed, 90 insertions, 55 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index dfd5ddeedf..5474f5dd58 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,10 @@
+* With authorization header `Authorization: Token token=`, `authenticate` now
+ recognize token as nil, instead of "token".
+
+ Fixes #14846.
+
+ *Larry Lv*
+
* Ensure the controller is always notified as soon as the client disconnects
during live streaming, even when the controller is blocked on a write.
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 3111992f82..5b52c19802 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -121,8 +121,8 @@ module ActionController
def authentication_request(controller, realm)
controller.headers["WWW-Authenticate"] = %(Basic realm="#{realm.gsub(/"/, "")}")
- controller.response_body = "HTTP Basic: Access denied.\n"
controller.status = 401
+ controller.response_body = "HTTP Basic: Access denied.\n"
end
end
@@ -256,8 +256,8 @@ module ActionController
def authentication_request(controller, realm, message = nil)
message ||= "HTTP Digest: Access denied.\n"
authentication_header(controller, realm)
- controller.response_body = message
controller.status = 401
+ controller.response_body = message
end
def secret_token(request)
@@ -449,7 +449,7 @@ module ActionController
authorization_request = request.authorization.to_s
if authorization_request[TOKEN_REGEX]
params = token_params_from authorization_request
- [params.shift.last, Hash[params].with_indifferent_access]
+ [params.shift[1], Hash[params].with_indifferent_access]
end
end
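Review bot: `params.shift[1]` now hands back nil as the token when the header is `Token token=`, and nothing in this hunk stops that nil from reaching the caller's login procedure. If `authenticate` (outside this hunk) yields it unchanged, a block that looks a record up by token could match rows whose token column is NULL. I would add a comment above the return such as `# token is nil when the header carries no value; callers must treat a blank token as unauthenticated`. `params.shift[1]` also raises NoMethodError if `token_params_from` ever returns an empty array, which the `TOKEN_REGEX` guard presumably prevents but does not make obvious; the enclosing method starts outside the hunk.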
@@ -464,7 +464,7 @@ module ActionController
# This removes the `"` characters wrapping the value.
def rewrite_param_values(array_params)
- array_params.each { |param| param.last.gsub! %r/^"|"$/, '' }
+ array_params.each { |param| (param[1] || "").gsub! %r/^"|"$/, '' }
end
# This method takes an authorization body and splits up the key-value
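Review bot: `(param[1] || "").gsub!` on the new line allocates a string only to mutate and discard it when the value is nil, which hides the fact that nil values are simply skipped. `param[1].gsub!(%r/^"|"$/, '') if param[1]` says the same thing directly. The pattern also uses the line anchors `^` and `$`, so a value containing a newline would lose quotes at each line edge; `\A` and `\z` would restrict it to the wrapping quotes the comment describes, assuming a newline can reach this value at all.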
diff --git a/actionpack/lib/action_controller/test_case.rb b/actionpack/lib/action_controller/test_case.rb
index e6695ffc90..849286a4a9 100644
--- a/actionpack/lib/action_controller/test_case.rb
+++ b/actionpack/lib/action_controller/test_case.rb
@@ -629,8 +629,11 @@ module ActionController
@response.prepare!
@assigns = @controller.respond_to?(:view_assigns) ? @controller.view_assigns : {}
- @request.session['flash'] = @request.flash.to_session_value
- @request.session.delete('flash') if @request.session['flash'].blank?
+
+ if flash_value = @request.flash.to_session_value
+ @request.session['flash'] = flash_value
+ end
+
@response
end
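Review bot: The new `if flash_value = ...` branch no longer removes a `'flash'` key that is already in the session, which the deleted `session.delete('flash') if ... blank?` line did. If `to_session_value` returns nil for an empty flash (not visible here), a value left by an earlier request in the same test stays in `@request.session`. Adding an `else` branch with `@request.session.delete('flash')` keeps the old cleanup, and writing the condition as `if (flash_value = @request.flash.to_session_value)` marks the assignment as intentional. The enclosing method starts outside the hunk.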
diff --git a/actionpack/lib/action_dispatch/http/url.rb b/actionpack/lib/action_dispatch/http/url.rb
index 4cba4f5f37..a5858758c6 100644
--- a/actionpack/lib/action_dispatch/http/url.rb
+++ b/actionpack/lib/action_dispatch/http/url.rb
@@ -5,27 +5,26 @@ module ActionDispatch
module Http
module URL
IP_HOST_REGEXP = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/
- HOST_REGEXP = /(^.*:\/\/)?([^:]+)(?::(\d+$))?/
+ HOST_REGEXP = /(^[^:]+:\/\/)?([^:]+)(?::(\d+$))?/
PROTOCOL_REGEXP = /^([^:]+)(:)?(\/\/)?$/
mattr_accessor :tld_length
self.tld_length = 1
class << self
- def extract_domain(host, tld_length = @@tld_length)
- host.split('.').last(1 + tld_length).join('.') if named_host?(host)
+ def extract_domain(host, tld_length)
+ extract_domain_from(host, tld_length) if named_host?(host)
end
- def extract_subdomains(host, tld_length = @@tld_length)
+ def extract_subdomains(host, tld_length)
if named_host?(host)
- parts = host.split('.')
- parts[0..-(tld_length + 2)]
+ extract_subdomains_from(host, tld_length)
else
[]
end
end
- def extract_subdomain(host, tld_length = @@tld_length)
+ def extract_subdomain(host, tld_length)
extract_subdomains(host, tld_length).join('.')
end
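Review bot: The new `HOST_REGEXP` still uses `^` and `$`, which in Ruby match at line boundaries rather than at the ends of the string, and its host group `[^:]+` accepts any character except a colon. If `:host` can carry request-derived data (not visible here), a value with an embedded newline still matches and flows into the generated URL; anchoring with `HOST_REGEXP = /(\A[^:]+:\/\/)?([^:]+)(?::(\d+\z))?/` closes the line-boundary part. Separately, dropping the `tld_length = @@tld_length` default from `extract_domain`, `extract_subdomains` and `extract_subdomain` breaks any one-argument caller of these `class << self` methods, and callers are not visible in this hunk.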
@@ -60,6 +59,15 @@ module ActionDispatch
private
+ def extract_domain_from(host, tld_length)
+ host.split('.').last(1 + tld_length).join('.')
+ end
+
+ def extract_subdomains_from(host, tld_length)
+ parts = host.split('.')
+ parts[0..-(tld_length + 2)]
+ end
+
def add_trailing_slash(path)
# includes querysting
if path.include?('?')
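Review bot: `extract_domain_from` and `extract_subdomains_from` carry no comment saying that they skip the `named_host?` check performed by the public `extract_domain` and `extract_subdomains`. Called with an IP address they would return its trailing octets as a domain, so the precondition deserves a line above each helper such as `# Assumes host is a non-nil named host; callers check named_host? first.`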
@@ -73,38 +81,38 @@ module ActionDispatch
end
def build_host_url(options)
- if match = options[:host].match(HOST_REGEXP)
- options[:protocol] ||= match[1] unless options[:protocol] == false
- options[:host] = match[2]
- options[:port] = match[3] unless options.key?(:port)
+ protocol = options[:protocol]
+ host = options[:host]
+ port = options[:port]
+ if match = host.match(HOST_REGEXP)
+ protocol ||= match[1] unless protocol == false
+ host = match[2]
+ port = match[3] unless options.key? :port
end
- options[:protocol] = normalize_protocol(options)
- options[:host] = normalize_host(options)
- options[:port] = normalize_port(options)
+ protocol = normalize_protocol protocol
+ host = normalize_host(host, options)
- result = options[:protocol]
+ result = protocol.dup
if options[:user] && options[:password]
result << "#{Rack::Utils.escape(options[:user])}:#{Rack::Utils.escape(options[:password])}@"
end
- result << options[:host]
- result << ":#{options[:port]}" if options[:port]
+ result << host
+ normalize_port(port, protocol) { |normalized_port|
+ result << ":#{normalized_port}"
+ }
result
end
def named_host?(host)
- host && IP_HOST_REGEXP !~ host
+ IP_HOST_REGEXP !~ host
end
- def same_host?(options)
- (options[:subdomain] == true || !options.key?(:subdomain)) && options[:domain].nil?
- end
-
- def normalize_protocol(options)
- case options[:protocol]
+ def normalize_protocol(protocol)
+ case protocol
when nil
"http://"
when false, "//"
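Review bot: `named_host?` lost its `host &&` guard, and `IP_HOST_REGEXP !~ nil` evaluates to true, so a nil host is now reported as a named host. `extract_domain` and `extract_subdomains` in the first hunk of this file then call `split` on nil and raise NoMethodError where they used to return nil or `[]`. Unless every caller guarantees a host (not visible here), restore the guard: `host && IP_HOST_REGEXP !~ host`. `normalize_protocol` continues past the end of this hunk.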
@@ -112,36 +120,39 @@ module ActionDispatch
when PROTOCOL_REGEXP
"#{$1}://"
else
- raise ArgumentError, "Invalid :protocol option: #{options[:protocol].inspect}"
+ raise ArgumentError, "Invalid :protocol option: #{protocol.inspect}"
end
end
- def normalize_host(options)
- return options[:host] if !named_host?(options[:host]) || same_host?(options)
+ def normalize_host(_host, options)
+ return _host unless named_host?(_host)
tld_length = options[:tld_length] || @@tld_length
+ subdomain = options.fetch :subdomain, true
+ domain = options[:domain]
host = ""
- if options[:subdomain] == true || !options.key?(:subdomain)
- host << extract_subdomain(options[:host], tld_length).to_param
- elsif options[:subdomain].present?
- host << options[:subdomain].to_param
+ if subdomain == true
+ return _host if domain.nil?
+
+ host << extract_subdomains_from(_host, tld_length).join('.')
+ elsif subdomain
+ host << subdomain.to_param
end
host << "." unless host.empty?
- host << (options[:domain] || extract_domain(options[:host], tld_length))
+ host << (domain || extract_domain_from(_host, tld_length))
host
end
- def normalize_port(options)
- return nil if options[:port].nil? || options[:port] == false
+ def normalize_port(port, protocol)
+ return unless port
- case options[:protocol]
- when "//"
- options[:port]
+ case protocol
+ when "//" then yield port
when "https://"
- options[:port].to_i == 443 ? nil : options[:port]
+ yield port unless port.to_i == 443
else
- options[:port].to_i == 80 ? nil : options[:port]
+ yield port unless port.to_i == 80
end
end
end
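Review bot: `normalize_port` yields the caller-supplied port unchanged and uses `to_i` only for the 80/443 comparison, so `build_host_url` interpolates a non-numeric `:port` option into the URL verbatim. `normalize_protocol` already raises ArgumentError on a malformed value, and the port deserves the same after the `return unless port` line, e.g. `raise ArgumentError, "Invalid :port option: #{port.inspect}" unless port.to_s =~ /\A\d+\z/`. The method also raises LocalJumpError when called without a block, which a one-line comment should state. In `normalize_host` the name `_host` reads as an unused parameter although it is used throughout, so a plain name such as `original_host` would be clearer.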
diff --git a/actionpack/test/controller/http_token_authentication_test.rb b/actionpack/test/controller/http_token_authentication_test.rb
index 86b94652ce..ef90fff178 100644
--- a/actionpack/test/controller/http_token_authentication_test.rb
+++ b/actionpack/test/controller/http_token_authentication_test.rb
@@ -132,13 +132,30 @@ class HttpTokenAuthenticationTest < ActionController::TestCase
assert_equal(expected, actual)
end
- private
-
- def sample_request(token)
- @sample_request ||= OpenStruct.new authorization: %{Token token="#{token}"}
+ test "token_and_options returns empty string with empty token" do
+ token = ''
+ actual = ActionController::HttpAuthentication::Token.token_and_options(sample_request(token)).first
+ expected = token
+ assert_equal(expected, actual)
end
- def encode_credentials(token, options = {})
- ActionController::HttpAuthentication::Token.encode_credentials(token, options)
+ test "token_and_options returns nil with no value after the equal sign" do
+ actual = ActionController::HttpAuthentication::Token.token_and_options(malformed_request).first
+ expected = nil
+ assert_equal(expected, actual)
end
+
+ private
+
+ def sample_request(token)
+ @sample_request ||= OpenStruct.new authorization: %{Token token="#{token}", nonce="def"}
+ end
+
+ def malformed_request
+ @malformed_request ||= OpenStruct.new authorization: %{Token token=}
+ end
+
+ def encode_credentials(token, options = {})
+ ActionController::HttpAuthentication::Token.encode_credentials(token, options)
+ end
end
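Review bot: The two new tests pin what `token_and_options` returns, but nothing in this hunk checks the outcome that matters for the fix: that a request carrying `Token token=` is refused by a controller using token authentication. A controller-level test asserting a 401 for that header would guard against a login block that accepts nil. `sample_request` and `malformed_request` also memoize with `||=`, so a second call with a different token inside one test silently returns the first request.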
diff --git a/actionpack/test/controller/routing_test.rb b/actionpack/test/controller/routing_test.rb
index 660589a86e..721dad4dd9 100644
--- a/actionpack/test/controller/routing_test.rb
+++ b/actionpack/test/controller/routing_test.rb
@@ -256,7 +256,6 @@ class LegacyRouteSetTests < ActiveSupport::TestCase
end
def test_scoped_lambda_with_get_lambda
- scope_called = false
inner_called = false
rs.draw do
diff --git a/actionpack/test/controller/url_for_test.rb b/actionpack/test/controller/url_for_test.rb
index f52f8be101..7210c68e73 100644
--- a/actionpack/test/controller/url_for_test.rb
+++ b/actionpack/test/controller/url_for_test.rb
@@ -95,7 +95,7 @@ module AbstractController
end
def test_subdomain_may_be_object
- model = mock(:to_param => 'api')
+ model = Class.new { def self.to_param; 'api'; end }
add_host!
assert_equal('http://api.basecamphq.com/c/a/i',
W.new.url_for(:subdomain => model, :controller => 'c', :action => 'a', :id => 'i')
diff --git a/actionpack/test/journey/router_test.rb b/actionpack/test/journey/router_test.rb
index e092432b01..2e7e8e1bea 100644
--- a/actionpack/test/journey/router_test.rb
+++ b/actionpack/test/journey/router_test.rb
@@ -213,8 +213,6 @@ module ActionDispatch
route_set = Routing::RouteSet.new
mapper = Routing::Mapper.new route_set
- strexp = Router::Strexp.build("/", {}, ['/', '.', '?'], false)
- path = Path::Pattern.new strexp
app = lambda { |env| [200, {}, ['success!']] }
mapper.get '/weblog', :to => app