Merge pull request #88 from 5apps/bugfix/87-empty_bearer_token

Return 401 when getting an empty bearer token
2016-07-20 18:05:16 +02:00 · 2016-07-20 18:05:16 +02:00 · 4cd32b2e1b
commit 4cd32b2e1b
parent 14d462be41 ad0ea12059
2 changed files with 11 additions and 2 deletions
--- a/lib/remote_storage/swift.rb
+++ b/lib/remote_storage/swift.rb
@ -24,7 +24,7 @@ module RemoteStorage
        return true if ["GET", "HEAD"].include?(request_method) && !listing
      end

-      server.halt 401, "Unauthorized" if token.empty?
+      server.halt 401, "Unauthorized" if token.nil? || token.empty?

      authorizations = redis.smembers("authorizations:#{user}:#{token}")
      permission = directory_permission(authorizations, directory)
--- a/spec/swift/app_spec.rb
+++ b/spec/swift/app_spec.rb
@ -280,7 +280,6 @@ describe "App" do
    end

    context "not authorized" do
-
      describe "with no token" do
        it "says it's not authorized" do
          delete "/phil/food/aguacate"
@ -290,6 +289,16 @@ describe "App" do
        end
      end

+      describe "with empty token" do
+        it "says it's not authorized" do
+          header "Authorization", "Bearer "
+          delete "/phil/food/aguacate"
+
+          last_response.status.must_equal 401
+          last_response.body.must_equal "Unauthorized"
+        end
+      end
+
      describe "with wrong token" do
        it "says it's not authorized" do
          header "Authorization", "Bearer wrongtoken"