Return 401 for bearer tokens on non-JSON requests

Rather than silently ignoring bearer tokens on HTML requests
(which breaks the audit console's error handling), explicitly
reject them with 401. Bearer tokens on JSON requests continue
to authenticate normally.
This commit is contained in:
Donal McBreen
2026-04-01 09:09:00 +01:00
parent 13e2c74929
commit b4c4a32205
2 changed files with 9 additions and 5 deletions
+5 -1
View File
@@ -56,12 +56,16 @@ module Authentication
end
def authenticate_by_bearer_token
if request.authorization.to_s.include?("Bearer") && request.format.json?
if request.authorization.to_s.include?("Bearer")
if request.format.json?
authenticate_or_request_with_http_token do |token|
if identity = Identity.find_by_permissable_access_token(token, method: request.method)
Current.identity = identity
end
end
else
request_http_token_authentication
end
end
end
+1 -1
View File
@@ -152,7 +152,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
bearer = { "HTTP_AUTHORIZATION" => "Bearer #{identity_access_tokens(:jasons_api_token).token}" }
get user_path(users(:jason)), env: bearer
assert_response :redirect
assert_response :unauthorized
end
test "bearer token authenticates JSON requests" do