From 3884096f3f782ecec3bbf6feee235c28f1008e5d Mon Sep 17 00:00:00 2001
From: Alex Skrenchuk
Date: Mon, 11 Dec 2023 16:47:24 -0800
Subject: [PATCH] fail auth if `token` string is missing; fixes #178
---
 lib/ontologies_linked_data/security/authorization.rb | 2 ++
 test/rack/test_request_authorization.rb | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/lib/ontologies_linked_data/security/authorization.rb b/lib/ontologies_linked_data/security/authorization.rb
index e64fe9f9..7e246326 100644
--- a/lib/ontologies_linked_data/security/authorization.rb
+++ b/lib/ontologies_linked_data/security/authorization.rb
@@ -78,6 +78,8 @@ def find_apikey(env, params)
 apikey = params["apikey"]
 elsif apikey.nil? && header_auth
 token = Rack::Utils.parse_query(header_auth.split(" ")[1])
+ return unless token["token"]
+
 # Strip spaces from start and end of string
 apikey = token["token"].gsub(/\"/, "")
 # If the user apikey is passed, use that instead
diff --git a/test/rack/test_request_authorization.rb b/test/rack/test_request_authorization.rb
index 0852a4c1..ff75bb7c 100644
--- a/test/rack/test_request_authorization.rb
+++ b/test/rack/test_request_authorization.rb
@@ -61,6 +61,8 @@ def _delete_user
 def test_authorize
 get "/ontologies"
 assert last_response.status == 401
+ get "/ontologies", {}, {"Authorization" => "bogus auth header"} # W: Space inside } missing.
+ assert_equal 401, last_response.status
 get "/ontologies", {}, {"Authorization" => 'apikey token="'+@apikey+''+'"'}
 assert last_response.status == 200
 apikey = MultiJson.load(last_response.body)
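Review bot: The added `return unless token["token"]` rejects only a missing key; a header such as `apikey token=` or `apikey token=""` yields a non-nil value (empty, or the two literal quote characters), which is truthy in Ruby, so it passes the guard and after the `gsub` on the next line `apikey` is `""`. Whether an empty apikey is then refused depends on the lookup that follows outside this hunk, so the guard should be applied to the cleaned value instead: replace the two lines with `apikey = token["token"].to_s.gsub(/\"/, "")` followed by `return if apikey.empty?`. The context comment `# Strip spaces from start and end of string` above the `gsub` does not describe what that line does (it removes double quotes, not spaces) and is worth correcting in the same change, e.g. `# Strip the surrounding double quotes from the token value`. `find_apikey` begins before and continues past this hunk.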
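Review bot: The new negative case only exercises a header with a second word (`"bogus auth header"`); the code under test also runs `header_auth.split(" ")[1]` on a one-word header, where the index is nil, and accepts `apikey token=""`, where the quoted value is empty once the quotes are stripped, so two more requests asserting 401 would pin both: `get "/ontologies", {}, {"Authorization" => "bogus"}` and `get "/ontologies", {}, {"Authorization" => 'apikey token=""'}`. Whether the empty-key case returns 401 today depends on the lookup in `find_apikey` outside this diff, so that assertion may fail until the guard there is tightened. The trailing `# W: Space inside } missing.` on the first added line reads like a linter message pasted into the source rather than a deliberate comment and should be dropped.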