From 15809cd54544dd6d81c0c18e3b112d86ad947e7a Mon Sep 17 00:00:00 2001
From: Peter Cai
Date: Fri, 21 Feb 2020 10:05:25 +0800
Subject: [PATCH] user: auth header should have Bearer prefix
---
 src/tests.rs | 4 ++--
 src/user.rs | 6 +++++-
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/tests.rs b/src/tests.rs
index 849e6be..7cacd14 100644
--- a/src/tests.rs
+++ b/src/tests.rs
@@ -207,7 +207,7 @@ fn should_fail_authorize() {
 #[test]
 fn should_fail_authorize_2() {
 let resp = CLIENT.get("/auth/ping")
- .header(Header::new("Authorization", "iwoe0nvie0bv024ibv043bv"))
+ .header(Header::new("Authorization", "Bearer iwoe0nvie0bv024ibv043bv"))
 .dispatch();
 assert_eq!(resp.status(), Status::Unauthorized);
 }
@@ -229,7 +229,7 @@ fn should_success_authorize() {
 .replace("{\"token\":\"", "")
 .replace("\"}", "");
 let mut resp = CLIENT.get("/auth/ping")
- .header(Header::new("Authorization", token))
+ .header(Header::new("Authorization", format!("Bearer {}", token)))
 .dispatch();
 assert_eq!(resp.status(), Status::Ok);
 assert_eq!(resp.body_string().unwrap(), "\"test7@example.com\"");
diff --git a/src/user.rs b/src/user.rs
index d1df3e5..ce923ee 100644
--- a/src/user.rs
+++ b/src/user.rs
@@ -203,8 +203,12 @@ impl<'a, 'r> request::FromRequest<'a, 'r> for User {
 match token {
 None => request::Outcome::Failure((Status::Unauthorized, "Token missing".into())),
 Some(token) => {
+ if !token.starts_with("Bearer ") {
+ return request::Outcome::Failure((Status::Unauthorized, "Malformed Token".into()));
+ }
+
 let result = Self::find_user_by_token(
- &request.guard::().unwrap(), token);
+ &request.guard::().unwrap(), &token[7..]);
 match result {
 Ok(u) => request::Outcome::Success(u),
 Err(err) => request::Outcome::Failure((Status::Unauthorized, err))
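Review bot: The updated success test no longer pins the behaviour this commit introduces, because both changed tests now send the `Bearer ` prefix and the old bare-token form is not exercised anywhere in the visible hunks. A third case that reuses the same valid `token` but sends it as `Header::new("Authorization", token)` and asserts `Status::Unauthorized` would lock in the guard added in user.rs and catch a future regression to accepting unprefixed tokens. It would also be worth a case for `Header::new("Authorization", "Bearer ")`, since that passes the prefix check and reaches the lookup with an empty token. `should_success_authorize` begins before this hunk.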
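Review bot: The new `starts_with("Bearer ")` check is case-sensitive and requires exactly one space, whereas RFC 6750 §2.1 treats the `Bearer` scheme name as case-insensitive and permits more than one space before the token, so a client sending `bearer <token>` is rejected with "Malformed Token". If the strict form is intentional, say so above the check with `// Only the exact form "Bearer <token>" is accepted; RFC 6750 case-insensitive scheme matching is deliberately not supported.`; otherwise match the scheme with `eq_ignore_ascii_case` and trim leading spaces before the lookup. The `&token[7..]` slice cannot panic here because the prefix check guarantees at least seven ASCII bytes, but `&token["Bearer ".len()..]` removes the magic number and keeps the two lines in sync if the prefix ever changes. Note that an empty remainder after the prefix is forwarded to `find_user_by_token` unchecked, so that function (not visible here) must reject `""`. The enclosing `from_request` body starts before and continues past this hunk.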