From 13e2c7492940ace16f359a7b53b9928c37119edb Mon Sep 17 00:00:00 2001 From: Donal McBreen Date: Wed, 1 Apr 2026 08:35:30 +0100 Subject: [PATCH] Restrict bearer token authentication to JSON requests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bearer tokens are for API/SDK/CLI access — they should only authenticate JSON requests. --- app/controllers/concerns/authentication.rb | 2 +- test/controllers/users_controller_test.rb | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb index 05efbf4fc..760ee81cb 100644 --- a/app/controllers/concerns/authentication.rb +++ b/app/controllers/concerns/authentication.rb @@ -56,7 +56,7 @@ module Authentication end def authenticate_by_bearer_token - if request.authorization.to_s.include?("Bearer") + if request.authorization.to_s.include?("Bearer") && request.format.json? authenticate_or_request_with_http_token do |token| if identity = Identity.find_by_permissable_access_token(token, method: request.method) Current.identity = identity diff --git a/test/controllers/users_controller_test.rb b/test/controllers/users_controller_test.rb index 094a2310c..1e49f0d9c 100644 --- a/test/controllers/users_controller_test.rb +++ b/test/controllers/users_controller_test.rb @@ -145,6 +145,26 @@ class UsersControllerTest < ActionDispatch::IntegrationTest assert_response :no_content end + test "bearer token does not authenticate HTML requests" do + sign_in_as :jason + sign_out + + bearer = { "HTTP_AUTHORIZATION" => "Bearer #{identity_access_tokens(:jasons_api_token).token}" } + get user_path(users(:jason)), env: bearer + + assert_response :redirect + end + + test "bearer token authenticates JSON requests" do + sign_in_as :jason + sign_out + + bearer = { "HTTP_AUTHORIZATION" => "Bearer #{identity_access_tokens(:jasons_api_token).token}" } + get user_path(users(:jason)), env: bearer, as: :json + + assert_response :success + end + test "index avoids N+1 queries on identity" do sign_in_as :kevin