diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index a9b7eb896c6b6..0bf5cc2e5059d 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -484,7 +484,7 @@ def rewrite_param_values(array_params)
 def raw_params(auth)
 _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
- if !_raw_params.first.start_with?(TOKEN_KEY)
+ if !_raw_params.first&.start_with?(TOKEN_KEY)
 _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"
 end
diff --git a/actionpack/test/controller/http_token_authentication_test.rb b/actionpack/test/controller/http_token_authentication_test.rb
index 57b78154bc54e..59408581972c2 100644
--- a/actionpack/test/controller/http_token_authentication_test.rb
+++ b/actionpack/test/controller/http_token_authentication_test.rb
@@ -155,7 +155,7 @@ def authenticate_long_credentials
 assert_equal(expected, actual)
 end
- test "token_and_options returns correct token with nounce option" do
+ test "token_and_options returns correct token with nonce option" do
 token = "rcHu+HzSFw89Ypyhn/896A="
 nonce_hash = { nonce: "123abc" }
 actual = ActionController::HttpAuthentication::Token.token_and_options(sample_request(token, nonce_hash))
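Review bot: The nil case that `&.` now lets through in `raw_params` is handled only implicitly: when the split yields an empty array, `_raw_params.first` is nil, the condition is true, and the nil interpolates to an empty string, so the method returns `["token="]`. A short comment above the `if` would make that intent visible, for example `# first is nil when the header holds only the scheme; fall through so the result is "token="`. Because a credential-less header no longer raises here, the token handed on to the caller's login procedure is presumably blank or nil (that code is outside this hunk), so a test at the `token_and_options` or `authenticate` level asserting that such a request is rejected would pin the security-relevant outcome. The body of `raw_params` continues past the end of the hunk.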
@@ -177,6 +177,20 @@ def authenticate_long_credentials
 assert_equal(expected, actual)
 end
+ test "raw_params returns a tuple of key value pair strings when auth does not contain a token key" do
+ auth = sample_request_without_token_key("rcHu+HzSFw89Ypyhn/896A=").authorization.to_s
+ actual = ActionController::HttpAuthentication::Token.raw_params(auth)
+ expected = ["token=rcHu+HzSFw89Ypyhn/896A="]
+ assert_equal(expected, actual)
+ end
+
+ test "raw_params returns a tuple of key strings when auth does not contain a token key and value" do
+ auth = sample_request_without_token_key(nil).authorization.to_s
+ actual = ActionController::HttpAuthentication::Token.raw_params(auth)
+ expected = ["token="]
+ assert_equal(expected, actual)
+ end
+
 test "token_and_options returns right token when token key is not specified in header" do
 token = "rcHu+HzSFw89Ypyhn/896A="