From d0e7b75dbba1da2adf9241cdca0352471d659679 Mon Sep 17 00:00:00 2001
From: Klaas van Schelven
Date: Fri, 26 Sep 2025 15:15:31 +0200
Subject: [PATCH] Better hints for malformed Token headers

---
 bugsink/authentication.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/bugsink/authentication.py b/bugsink/authentication.py
index 394ca28..e1d4b82 100644
--- a/bugsink/authentication.py
+++ b/bugsink/authentication.py
@@ -19,8 +19,15 @@ class BearerTokenAuthentication(BaseAuthentication):
             return None
 
         raw = header[len(self.keyword) + 1:].strip()
+
+        if " " in raw:
+            hint, _ = raw.split(" ", 1)
+            if len(hint) <= 20:  # arbitrary cutoff to lower chance of echoing tokens in error messages
+                # typically: 'Bearer Bearer abcd1234'
+                raise exceptions.AuthenticationFailed("Invalid Authorization: '%s %s ...'" % (self.keyword, hint))
+
         if len(raw) != 40 or any(c not in "0123456789abcdef" for c in raw):
-            raise exceptions.AuthenticationFailed("Invalid Bearer token.")
+            raise exceptions.AuthenticationFailed("Malformed Bearer token, must be 40 lowercase hex chars.")
 
         token_obj = AuthToken.objects.filter(token=raw).first()
         if not token_obj:
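Review bot: The `len(hint) <= 20` gate on the new `if " " in raw:` branch still reflects up to 20 user-controlled characters of the Authorization header into the error body, and length alone does not exclude a token fragment (a 40-hex token with a stray space after its 20th character has that prefix echoed) nor control characters or newlines that can end up in access logs or an error-reporting pipeline behind this endpoint. Since the inline comment names the doubled-scheme case ('Bearer Bearer abcd1234') as the one this is meant to catch, gate the echo on the shape of a scheme word rather than on length, e.g. `if len(hint) <= 20 and hint.isalpha():  # only echo scheme-like words, never hex/token fragments or non-printable input`, or tighter still compare against the known keyword, `if hint.lower() == self.keyword.lower():`, and raise without echoing otherwise. How `AuthenticationFailed` is rendered here is outside the hunk, so whether the reflected text could reach an HTML or log-injection context is an assumption to confirm. The enclosing method of `BearerTokenAuthentication` starts before this hunk and its body continues after it.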