Better hints for malformed Token headers

2025-12-30 09:50:11 -06:00 · 2025-09-26 15:15:31 +02:00
parent afd31d2263
commit d0e7b75dbb
1 changed files with 8 additions and 1 deletions
--- a/bugsink/authentication.py
+++ b/bugsink/authentication.py
@@ -19,8 +19,15 @@ class BearerTokenAuthentication(BaseAuthentication):
            return None

        raw = header[len(self.keyword) + 1:].strip()
+
+        if " " in raw:
+            hint, _ = raw.split(" ", 1)
+            if len(hint) <= 20:  # arbitrary cutoff to lower chance of echoing tokens in error messages
+                # typically: 'Bearer Bearer abcd1234'
+                raise exceptions.AuthenticationFailed("Invalid Authorization: '%s %s ...'" % (self.keyword, hint))
+
        if len(raw) != 40 or any(c not in "0123456789abcdef" for c in raw):
-            raise exceptions.AuthenticationFailed("Invalid Bearer token.")
+            raise exceptions.AuthenticationFailed("Malformed Bearer token, must be 40 lowercase hex chars.")

        token_obj = AuthToken.objects.filter(token=raw).first()
        if not token_obj: