From b4c4a32205417397778e30284d28e5b9934ee675 Mon Sep 17 00:00:00 2001 From: Donal McBreen Date: Wed, 1 Apr 2026 09:09:00 +0100 Subject: [PATCH] Return 401 for bearer tokens on non-JSON requests Rather than silently ignoring bearer tokens on HTML requests (which breaks the audit console's error handling), explicitly reject them with 401. Bearer tokens on JSON requests continue to authenticate normally. --- app/controllers/concerns/authentication.rb | 12 ++++++++---- test/controllers/users_controller_test.rb | 2 +- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb index 760ee81cb..a269fc2d6 100644 --- a/app/controllers/concerns/authentication.rb +++ b/app/controllers/concerns/authentication.rb @@ -56,11 +56,15 @@ module Authentication end def authenticate_by_bearer_token - if request.authorization.to_s.include?("Bearer") && request.format.json? - authenticate_or_request_with_http_token do |token| - if identity = Identity.find_by_permissable_access_token(token, method: request.method) - Current.identity = identity + if request.authorization.to_s.include?("Bearer") + if request.format.json? + authenticate_or_request_with_http_token do |token| + if identity = Identity.find_by_permissable_access_token(token, method: request.method) + Current.identity = identity + end end + else + request_http_token_authentication end end end diff --git a/test/controllers/users_controller_test.rb b/test/controllers/users_controller_test.rb index 1e49f0d9c..7fd9fd28d 100644 --- a/test/controllers/users_controller_test.rb +++ b/test/controllers/users_controller_test.rb @@ -152,7 +152,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest bearer = { "HTTP_AUTHORIZATION" => "Bearer #{identity_access_tokens(:jasons_api_token).token}" } get user_path(users(:jason)), env: bearer - assert_response :redirect + assert_response :unauthorized end test "bearer token authenticates JSON requests" do