From 6767588ee8245ee53d0badf0441e2f0bda146d91 Mon Sep 17 00:00:00 2001
From: Steve Astels
Date: Tue, 26 Mar 2024 14:11:53 -0400
Subject: [PATCH] handle extra spaces in api key auth line (#2150)

---
 app/authentication/auth.py | 2 +-
 tests/app/authentication/test_authentication.py | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/app/authentication/auth.py b/app/authentication/auth.py
index 260a3fc78e..5fe609a060 100644
--- a/app/authentication/auth.py
+++ b/app/authentication/auth.py
@@ -63,7 +63,7 @@ def get_auth_token(req):
 for el in AUTH_TYPES:
 scheme, auth_type, _ = el
 if auth_header.lower().startswith(scheme.lower()):
- token = auth_header[len(scheme) + 1 :]
+ token = auth_header[len(scheme) + 1 :].strip()
 return auth_type, token

 raise AuthError(
diff --git a/tests/app/authentication/test_authentication.py b/tests/app/authentication/test_authentication.py
index 4937360871..40615fc6a6 100644
--- a/tests/app/authentication/test_authentication.py
+++ b/tests/app/authentication/test_authentication.py
@@ -141,6 +141,14 @@ def test_should_allow_auth_with_api_key_scheme(client, sample_api_key, scheme):
 assert response.status_code == 200


+def test_should_allow_auth_with_api_key_scheme_and_extra_spaces(client, sample_api_key):
+ api_key_secret = get_unsigned_secret(sample_api_key.id)
+ unsigned_secret = f"gcntfy-keyname-{sample_api_key.service_id}-{api_key_secret}"
+ response = client.get("/notifications", headers={"Authorization": f"ApiKey-v1 {unsigned_secret}"})
+ assert response.status_code == 200
 def test_should_NOT_allow_auth_with_api_key_scheme_with_incorrect_format(client, sample_api_key):
 api_key_secret = "fhsdkjhfdsfhsd" + get_unsigned_secret(sample_api_key.id)
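Review bot: The `+` line in the auth.py hunk still slices with `len(scheme) + 1`, which assumes exactly one separator character, while the `startswith` test above it never checks that a separator follows the scheme at all, so a header whose scheme merely shares the prefix (for example `ApiKey-v1X secret`) is accepted with its first payload character silently dropped. With `.strip()` now trimming the remainder the `+ 1` is redundant; a tighter form is `rest = auth_header[len(scheme):]` / `if not rest[:1].isspace(): continue` / `token = rest.strip()`, which accepts one or more spaces or tabs and rejects a scheme that is only a prefix match. Bare `str.strip()` also removes Unicode whitespace; `.strip(" \t")` limits trimming to HTTP's optional whitespace if that matters for how the token is later compared. A header consisting of the scheme followed only by spaces now yields an empty token; `get_auth_token` continues past this hunk, so whether that empty token is rejected before any lookup cannot be confirmed here and is worth checking.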