user: auth header should have Bearer prefix

2020-02-21 10:05:25 +08:00 · 2020-02-21 10:05:25 +08:00 · 15809cd545
parent fea3fb235d
commit 15809cd545
2 changed files with 7 additions and 3 deletions
--- a/src/tests.rs
+++ b/src/tests.rs
@ -207,7 +207,7 @@ fn should_fail_authorize() {
 #[test]
 fn should_fail_authorize_2() {
    let resp = CLIENT.get("/auth/ping")
-        .header(Header::new("Authorization", "iwoe0nvie0bv024ibv043bv"))
+        .header(Header::new("Authorization", "Bearer iwoe0nvie0bv024ibv043bv"))
        .dispatch();
    assert_eq!(resp.status(), Status::Unauthorized);
 }
@ -229,7 +229,7 @@ fn should_success_authorize() {
        .replace("{\"token\":\"", "")
        .replace("\"}", "");
    let mut resp = CLIENT.get("/auth/ping")
-        .header(Header::new("Authorization", token))
+        .header(Header::new("Authorization", format!("Bearer {}", token)))
        .dispatch();
    assert_eq!(resp.status(), Status::Ok);
    assert_eq!(resp.body_string().unwrap(), "\"test7@example.com\"");
--- a/src/user.rs
+++ b/src/user.rs
@ -203,8 +203,12 @@ impl<'a, 'r> request::FromRequest<'a, 'r> for User {
        match token {
            None => request::Outcome::Failure((Status::Unauthorized, "Token missing".into())),
            Some(token) => {
+                if !token.starts_with("Bearer ") {
+                    return request::Outcome::Failure((Status::Unauthorized, "Malformed Token".into()));
+                }
+
                let result = Self::find_user_by_token(
-                    &request.guard::<crate::DbConn>().unwrap(), token);
+                    &request.guard::<crate::DbConn>().unwrap(), &token[7..]);
                match result {
                    Ok(u) => request::Outcome::Success(u),
                    Err(err) => request::Outcome::Failure((Status::Unauthorized, err))