fail auth if token string is missing; fixes #178

ncbo · Dec 12, 2023 · 3884096 · 3884096
1 parent 809c54f
commit 3884096
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/lib/ontologies_linked_data/security/authorization.rb b/lib/ontologies_linked_data/security/authorization.rb
@@ -78,6 +78,8 @@ def find_apikey(env, params)
           apikey = params["apikey"]
         elsif apikey.nil? && header_auth
           token = Rack::Utils.parse_query(header_auth.split(" ")[1])
+          return unless token["token"]
+
           # Strip spaces from start and end of string
           apikey = token["token"].gsub(/\"/, "")
           # If the user apikey is passed, use that instead

diff --git a/test/rack/test_request_authorization.rb b/test/rack/test_request_authorization.rb
@@ -61,6 +61,8 @@ def _delete_user
   def test_authorize
     get "/ontologies"
     assert last_response.status == 401
+    get "/ontologies", {}, {"Authorization" => "bogus auth header"} # W: Space inside } missing.
+    assert_equal 401, last_response.status
     get "/ontologies", {}, {"Authorization" => 'apikey token="'+@apikey+''+'"'}
     assert last_response.status == 200
     apikey = MultiJson.load(last_response.body)