From ab00f2d7cce5f043067aef7849cdc792de2df635 Mon Sep 17 00:00:00 2001
From: Shawn Murphy
Date: Wed, 3 Feb 2021 01:44:28 +1100
Subject: [PATCH] Fixed issue with AuthHeaders parser stripping trailing hyphens from tokens (#1926)
---
 src/Http/Parser/AuthHeaders.php | 6 ++--
 tests/Http/ParserTest.php | 56 +++++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+), 2 deletions(-)
diff --git a/src/Http/Parser/AuthHeaders.php b/src/Http/Parser/AuthHeaders.php
index 53808f032..40d2d5a64 100644
--- a/src/Http/Parser/AuthHeaders.php
+++ b/src/Http/Parser/AuthHeaders.php
@@ -53,8 +53,10 @@ public function parse(Request $request)
 {
 $header = $request->headers->get($this->header) ?: $this->fromAltHeaders($request);
 
- if ($header && preg_match('/'.$this->prefix.'\s*(\S+)\b/i', $header, $matches)) {
- return $matches[1];
+ if ($header) {
+ $start = strlen($this->prefix);
+
+ return trim(substr($header, $start));
 }
 }
 
diff --git a/tests/Http/ParserTest.php b/tests/Http/ParserTest.php
index a414be326..feea3ccb9 100644
--- a/tests/Http/ParserTest.php
+++ b/tests/Http/ParserTest.php
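Review bot: In `AuthHeaders::parse()` (src/Http/Parser/AuthHeaders.php) the new branch `if ($header) {` no longer checks that the header value carries `$this->prefix`, so any non-empty Authorization value, a Basic credential for example, has its first `strlen($this->prefix)` bytes cut off and the remainder returned as a token. The removed `preg_match` returned a value only when the prefix was present, and matched it case-insensitively. Keep that guard with `if ($header && stripos($header, $this->prefix) === 0) {`, noting that this anchors the scheme at offset 0 whereas the old pattern accepted it anywhere in the value. As written the method also yields an empty string rather than falling through when the header holds nothing beyond the prefix; whether callers treat `''` as "no token" is not visible here. The signature and docblock of `parse()` lie outside the hunk.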
@@ -108,6 +108,62 @@ public function it_should_return_the_token_from_the_alt_authorization_headers()
 $this->assertTrue($parser->hasToken());
 }
 
+ /** @test */
+ public function it_should_not_strip_trailing_hyphens_from_the_authorization_header()
+ {
+ $request = Request::create('foo', 'POST');
+ $request->headers->set('Authorization', 'Bearer foobar--');
+
+ $parser = new Parser($request);
+
+ $parser->setChain([
+ new QueryString,
+ new InputSource,
+ new AuthHeaders,
+ new RouteParams,
+ ]);
+
+ $this->assertSame($parser->parseToken(), 'foobar--');
+ $this->assertTrue($parser->hasToken());
+ }
+
+ /**
+ * @test
+ * @dataProvider whitespaceProvider
+ */
+ public function it_should_handle_excess_whitespace_from_the_authorization_header($whitespace)
+ {
+ $request = Request::create('foo', 'POST');
+ $request->headers->set('Authorization', "Bearer{$whitespace}foobar{$whitespace}");
+
+ $parser = new Parser($request);
+
+ $parser->setChain([
+ new QueryString,
+ new InputSource,
+ new AuthHeaders,
+ new RouteParams,
+ ]);
+
+ $this->assertSame($parser->parseToken(), 'foobar');
+ $this->assertTrue($parser->hasToken());
+ }
+
+ public function whitespaceProvider()
+ {
+ return [
+ 'space' => [' '],
+ 'multiple spaces' => [' '],
+ 'tab' => ["\t"],
+ 'multiple tabs' => ["\t\t\t"],
+ 'new line' => ["\n"],
+ 'multiple new lines' => ["\n\n\n"],
+ 'carriage return' => ["\r"],
+ 'carriage returns' => ["\r\r\r"],
+ 'mixture of whitespace' => ["\t \n \r \t \n"],
+ ];
+ }
+
 /** @test */
 public function it_should_return_the_token_from_query_string()
 {
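Review bot: The added cases in tests/Http/ParserTest.php all send a value that starts with `Bearer`, so nothing pins what the chain does with an Authorization header of a different scheme, which is exactly the input the rewritten parser treats differently from the old regex. Add a negative case that sets a value such as `'Basic Zm9vOmJhcg=='` (constructed sample) and asserts `$this->assertFalse($parser->hasToken());`, so a non-matching scheme is never surfaced as a token. Separately, the `assertSame` calls pass the actual value first; the conventional order is `$this->assertSame('foobar--', $parser->parseToken());`, which keeps the expected/actual labels in failure output correct.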