fix(api): trim whitespace from bearer token in logout
sessionTokenFromHTTP now matches extractBearerToken's trimming behavior. Without this, a bearer header with trailing whitespace (e.g. a buggy client or proxy) authenticates via RequireUser but hashes the padded value on logout, silently no-oping and leaving the server-side session alive. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -205,3 +205,35 @@ func TestHandleLogout_DeletesSessionAndClearsCookie(t *testing.T) {
|
||||
t.Error("session row still present after logout")
|
||||
}
|
||||
}
|
||||
|
||||
func TestHandleLogout_BearerHeaderWithTrailingWhitespaceDeletesSession(t *testing.T) {
|
||||
h, pool := testHandlers(t)
|
||||
user := seedUser(t, pool, "alice", "hunter2", false)
|
||||
|
||||
token, err := auth.MintSessionToken()
|
||||
if err != nil {
|
||||
t.Fatalf("mint: %v", err)
|
||||
}
|
||||
if _, err := dbq.New(pool).InsertSession(context.Background(), dbq.InsertSessionParams{
|
||||
UserID: user.ID,
|
||||
TokenHash: auth.HashSessionToken(token),
|
||||
}); err != nil {
|
||||
t.Fatalf("insert: %v", err)
|
||||
}
|
||||
|
||||
req := httptest.NewRequest(http.MethodPost, "/api/auth/logout", nil)
|
||||
// Trailing whitespace — RequireUser trims this, so logout must too.
|
||||
req.Header.Set("Authorization", "Bearer "+token+" ")
|
||||
req = req.WithContext(context.WithValue(req.Context(), userCtxKeyForTest(), user))
|
||||
w := httptest.NewRecorder()
|
||||
h.handleLogout(w, req)
|
||||
|
||||
if w.Code != http.StatusNoContent {
|
||||
t.Errorf("status = %d, want 204", w.Code)
|
||||
}
|
||||
|
||||
_, err = dbq.New(pool).GetSessionByTokenHash(context.Background(), auth.HashSessionToken(token))
|
||||
if err == nil {
|
||||
t.Error("session row still present after bearer logout with trailing whitespace")
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user