Return 401 for bearer tokens on non-JSON requests
Rather than silently ignoring bearer tokens on HTML requests (which breaks the audit console's error handling), explicitly reject them with 401. Bearer tokens on JSON requests continue to authenticate normally.
This commit is contained in:
@@ -56,12 +56,16 @@ module Authentication
|
||||
end
|
||||
|
||||
def authenticate_by_bearer_token
|
||||
if request.authorization.to_s.include?("Bearer") && request.format.json?
|
||||
if request.authorization.to_s.include?("Bearer")
|
||||
if request.format.json?
|
||||
authenticate_or_request_with_http_token do |token|
|
||||
if identity = Identity.find_by_permissable_access_token(token, method: request.method)
|
||||
Current.identity = identity
|
||||
end
|
||||
end
|
||||
else
|
||||
request_http_token_authentication
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
@@ -152,7 +152,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
|
||||
bearer = { "HTTP_AUTHORIZATION" => "Bearer #{identity_access_tokens(:jasons_api_token).token}" }
|
||||
get user_path(users(:jason)), env: bearer
|
||||
|
||||
assert_response :redirect
|
||||
assert_response :unauthorized
|
||||
end
|
||||
|
||||
test "bearer token authenticates JSON requests" do
|
||||
|
||||
Reference in New Issue
Block a user