Merge pull request #53 from hmic/patch-1

Fix #43
ADmad · May 31, 2017 · b49fbc9 · b49fbc9
2 parents c010113 + 29bc9aa
commit b49fbc9
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 13 deletions.
diff --git a/src/Auth/JwtAuthenticate.php b/src/Auth/JwtAuthenticate.php
@@ -186,7 +186,7 @@ public function getToken($request = null)
         }
 
         $header = $request->header($config['header']);
-        if ($header) {
+        if ($header && stripos($header, $config['prefix']) === 0) {
             return $this->_token = str_ireplace($config['prefix'] . ' ', '', $header);
         }
 

diff --git a/tests/TestCase/Auth/JwtAuthenticateTest.php b/tests/TestCase/Auth/JwtAuthenticateTest.php
@@ -72,6 +72,10 @@ public function testAuthenticateTokenParameter()
         $request = new Request('posts/index?tokenname=' . $this->token);
         $result = $this->auth->getUser($request, $this->response);
         $this->assertEquals($expected, $result);
+
+        $request = new Request('posts/index?wrongtoken=' . $this->token);
+        $result = $this->auth->getUser($request, $this->response);
+        $this->assertFalse($result);
     }
 
     /**
@@ -95,6 +99,10 @@ public function testAuthenticateTokenHeader()
         $result = $this->auth->getUser($request, $this->response);
         $this->assertEquals($expected, $result);
 
+        $request->env('HTTP_AUTHORIZATION', 'WrongBearer ' . $this->token);
+        $result = $this->auth->getUser($request, $this->response);
+        $this->assertFalse($result);
+
         $this->setExpectedException('UnexpectedValueException');
         $request->env('HTTP_AUTHORIZATION', 'Bearer foobar');
         $result = $this->auth->getUser($request, $this->response);
@@ -117,6 +125,10 @@ public function testAuthenticateNoHeaderWithParameterDisabled()
 
         $result = $this->auth->getUser($request, $this->response);
         $this->assertFalse($result);
+
+        $request = new Request('posts/index?token=' . $this->token);
+        $result = $this->auth->getUser($request, $this->response);
+        $this->assertFalse($result);
     }
 
     /**
@@ -126,18 +138,20 @@ public function testAuthenticateNoHeaderWithParameterDisabled()
      */
     public function testQueryDatasourceFalse()
     {
-        $request = new Request('posts/index');
-
         $expected = [
-            'id' => 99,
-            'username' => 'ADmad',
-            'group' => ['name' => 'admin'],
+                'id' => 99,
+                'username' => 'ADmad',
+                'group' => ['name' => 'admin'],
         ];
-        $request->env(
-            'HTTP_AUTHORIZATION',
-            'Bearer ' . JWT::encode($expected, Security::salt())
-        );
+        $token = JWT::encode($expected, Security::salt());
         $this->auth->config('queryDatasource', false);
+
+        $request = new Request('posts/index');
+        $request->env('HTTP_AUTHORIZATION', 'Bearer ' . $token);
+        $result = $this->auth->getUser($request, $this->response);
+        $this->assertEquals($expected, $result);
+
+        $request = new Request('posts/index?token=' . $token);
         $result = $this->auth->getUser($request, $this->response);
         $this->assertEquals($expected, $result);
     }
@@ -149,12 +163,16 @@ public function testQueryDatasourceFalse()
      */
     public function testWithValidTokenButNoUserInDb()
     {
-        $request = new Request('posts/index');
-
         $token = JWT::encode(['id' => 4], Security::salt());
+
+        $request = new Request('posts/index');
         $request->env('HTTP_AUTHORIZATION', 'Bearer ' . $token);
         $result = $this->auth->getUser($request, $this->response);
         $this->assertFalse($result);
+
+        $request = new Request('posts/index?token=' . $token);
+        $result = $this->auth->getUser($request, $this->response);
+        $this->assertFalse($result);
     }
 
     /**
@@ -270,9 +288,13 @@ public function testCustomKey()
 
         $payload = ['sub' => 100];
         $token = Jwt::encode($payload, $key);
-        $request = new Request();
+
+        $request = new Request('posts/index');
         $request->env('HTTP_AUTHORIZATION', 'Bearer ' . $token);
+        $result = $auth->getUser($request, $this->response);
+        $this->assertEquals($payload, $result);
 
+        $request = new Request('posts/index?token=' . $token);
         $result = $auth->getUser($request, $this->response);
         $this->assertEquals($payload, $result);
     }