Merge branch '3.x' into 3.next

ADmad · ADmad · commit ebaec2bb6476 · 2025-06-20T10:41:07.000+05:30
diff --git a/docs/en/testing.rst b/docs/en/testing.rst
@@ -51,15 +51,23 @@ Token based authentication
 With token based authentication you need to simulate the
 ``Authorization`` header. After getting valid token setup the request::
 
-   public function testGet()
-   {
-       $token = $this->getToken();
-       $this->configRequest([
-           'headers' => ['Authorization' => 'Bearer ' . $token]
-       ]);
-       $this->get('/api/bookmarks');
-       $this->assertResponseOk();
-   }
+    protected function getToken(): string
+    {
+        // Get a token for a known user
+        $user = $this->fetchTable('Users')->get(1, contain: ['ApiTokens']);
+
+        return $user->api_tokens[0]->token;
+    }
+
+    public function testGet()
+    {
+        $token = $this->getToken();
+        $this->configRequest([
+            'headers' => ['Authorization' => 'Bearer ' . $token]
+        ]);
+        $this->get('/api/bookmarks');
+        $this->assertResponseOk();
+    }
 
 
 Basic/Digest based authentication
diff --git a/src/Authenticator/TokenAuthenticator.php b/src/Authenticator/TokenAuthenticator.php
@@ -63,7 +63,12 @@ protected function getToken(ServerRequestInterface $request): ?string
      */
     protected function stripTokenPrefix(string $token, string $prefix): string
     {
-        return trim(str_ireplace($prefix, '', $token));
+        $prefixLength = mb_strlen($prefix);
+        if (mb_substr(mb_strtolower($token), 0, $prefixLength) === mb_strtolower($prefix)) {
+            $token = mb_substr($token, $prefixLength);
+        }
+
+        return trim($token);
     }
 
     /**
diff --git a/tests/TestCase/Authenticator/TokenAuthenticatorTest.php b/tests/TestCase/Authenticator/TokenAuthenticatorTest.php
@@ -150,6 +150,16 @@ public function testTokenPrefix()
         $result = $tokenAuth->authenticate($requestWithHeaders);
         $this->assertInstanceOf(Result::class, $result);
         $this->assertSame(Result::FAILURE_IDENTITY_NOT_FOUND, $result->getStatus());
+
+        // should not remove prefix from token
+        $requestWithHeaders = $this->request->withAddedHeader('X-Dipper-Auth', 'mari mariano');
+        $tokenAuth = new TokenAuthenticator($this->identifiers, [
+            'header' => 'X-Dipper-Auth',
+            'tokenPrefix' => 'mari',
+        ]);
+        $result = $tokenAuth->authenticate($requestWithHeaders);
+        $this->assertInstanceOf(Result::class, $result);
+        $this->assertSame(Result::SUCCESS, $result->getStatus());
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,12 @@ protected function getToken(ServerRequestInterface $request): ?string`
`63`	`63`	`*/`
`64`	`64`	`protected function stripTokenPrefix(string $token, string $prefix): string`
`65`	`65`	`{`
`66`		`- return trim(str_ireplace($prefix, '', $token));`
	`66`	`+ $prefixLength = mb_strlen($prefix);`
	`67`	`+ if (mb_substr(mb_strtolower($token), 0, $prefixLength) === mb_strtolower($prefix)) {`
	`68`	`+ $token = mb_substr($token, $prefixLength);`
	`69`	`+ }`
	`70`	`+`
	`71`	`+ return trim($token);`
`67`	`72`	`}`
`68`	`73`
`69`	`74`	`/**`