From ad0ea12059c072e4e232378388ae97d69682e154 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Wed, 20 Jul 2016 17:27:44 +0200
Subject: [PATCH] Return 401 when getting an empty bearer token

For example:

Authorization: Bearer

The cause of the empty bearer also needs to be investigated
---
 lib/remote_storage/swift.rb |  2 +-
 spec/swift/app_spec.rb      | 11 ++++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/lib/remote_storage/swift.rb b/lib/remote_storage/swift.rb
index 0a41055..4efa8ed 100644
--- a/lib/remote_storage/swift.rb
+++ b/lib/remote_storage/swift.rb
@@ -24,7 +24,7 @@ module RemoteStorage
         return true if ["GET", "HEAD"].include?(request_method) && !listing
       end
 
-      server.halt 401, "Unauthorized" if token.empty?
+      server.halt 401, "Unauthorized" if token.nil? || token.empty?
 
       authorizations = redis.smembers("authorizations:#{user}:#{token}")
       permission = directory_permission(authorizations, directory)
diff --git a/spec/swift/app_spec.rb b/spec/swift/app_spec.rb
index eadbc68..5c8d24f 100644
--- a/spec/swift/app_spec.rb
+++ b/spec/swift/app_spec.rb
@@ -280,7 +280,6 @@ describe "App" do
       end
 
       context "not authorized" do
-
         describe "with no token" do
           it "says it's not authorized" do
             delete "/phil/food/aguacate"
@@ -290,6 +289,16 @@ describe "App" do
           end
         end
 
+        describe "with empty token" do
+          it "says it's not authorized" do
+            header "Authorization", "Bearer "
+            delete "/phil/food/aguacate"
+
+            last_response.status.must_equal 401
+            last_response.body.must_equal "Unauthorized"
+          end
+        end
+
         describe "with wrong token" do
           it "says it's not authorized" do
             header "Authorization", "Bearer wrongtoken"
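Review bot: The new guard rejects a nil or empty token, but a whitespace-only value such as `Bearer   ` still passes `token.empty?` and reaches `redis.smembers("authorizations:#{user}:#{token}")` with a key that ends in spaces; whether that lookup is then denied depends on `directory_permission`, which is outside the hunk. If the header parser does not already strip the value, `server.halt 401, "Unauthorized" if token.to_s.strip.empty?` covers nil, empty and blank tokens in one expression. A why-comment above the line, `# a missing (nil) or empty bearer token is unauthenticated; halt before the Redis lookup`, would record why both cases are checked here. The enclosing method starts before and ends after this hunk.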
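Review bot: The new example exercises the empty bearer only through DELETE, while the guard in swift.rb sits after an early return for non-listing GET/HEAD requests, so the read path that does reach the token check is not covered. A sibling example with `header "Authorization", "Bearer "` followed by `get "/phil/food/"` and the same 401 assertions would pin that branch. Whether `/phil/food/` is treated as a listing depends on routing outside this hunk, so the path may need adjusting.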