Describe the bug
The UserInfo endpoint extracts the Bearer token using a fragile string replacement method:
# app/oauth/views/user_info.py line 20
access_token = request.headers["AUTHORIZATION"].replace("Bearer ", "")
This implementation has multiple issues:
- Case-sensitive prefix: the scheme name is a case-insensitive token in the HTTP authentication framework (RFC 7235 Section 2.1) that RFC 6750 Section 2.1 builds on, so "bearer" and "BEARER" are valid spellings. Clients sending them will fail to authenticate here. The RFC grammar (credentials = "Bearer" 1*SP b64token) also permits more than one space before the token, which the replace() call does not account for.
- Over-stripping: str.replace() replaces every occurrence of the substring, not just a leading prefix. A header whose token portion contains "Bearer " (which is not a valid b64token, so it should be rejected) is instead silently rewritten into a different value, and a header that does not start with "Bearer " at all (for example a Basic credential) is passed through unchanged as if it were a token.
- Missing fallback: it does not fall back to the access_token query parameter defined in RFC 6750 Section 2.3 when the header is missing or malformed. Note that Section 2.3 says the query parameter SHOULD NOT be used unless the header cannot be, and Section 2 says clients MUST NOT use more than one method per request, so the header must take precedence when both are present.
Expected behavior
The Bearer token should be extracted using case-insensitive prefix matching per RFC 6750:
auth_header = request.headers.get("Authorization", "")
if auth_header.lower().startswith("bearer "):
    access_token = auth_header[7:]  # len("bearer ") == 7
else:
    access_token = request.args.get("access_token")
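Written out as a stand-alone function, with the fragile replace() variant kept beside it so the two can be compared on the same inputs. This is an added example, not code from the repository: `extract_token` and `extract_token_fragile` are hypothetical names, the plain dicts stand in for `request.headers` and `request.args`, and the inputs are constructed. It goes beyond the snippet above in two ways: it accepts the 1*SP the RFC 6750 grammar allows between the scheme name and the token, and it validates the token against the b64token character set so a malformed header yields no token instead of a mangled one.

```python
import re
from typing import Mapping, Optional

# RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token, where
# b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"=".
# The scheme name is compared case-insensitively (RFC 7235 section 2.1).
_BEARER_RE = re.compile(r"^Bearer[ ]+([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


def extract_token_fragile(headers: Mapping[str, str]) -> Optional[str]:
    """The pattern from the bug report: str.replace on the raw header value.

    Kept only to show its failure modes on the inputs below; do not use it.
    """
    if "Authorization" not in headers:
        return None
    return headers["Authorization"].replace("Bearer ", "")


def extract_token(headers: Mapping[str, str], args: Mapping[str, str]) -> Optional[str]:
    """Return the bearer token from the Authorization header, falling back to
    the access_token query parameter (RFC 6750 sections 2.1 and 2.3).

    Returns None when neither carries a usable token. The header always takes
    precedence: clients MUST NOT send more than one method per request
    (RFC 6750 section 2), and a query parameter must not override a header.
    """
    # Header names are case-insensitive in HTTP. A real framework's headers
    # object handles this; a plain dict (used here for the example) does not.
    auth_header = next(
        (v for k, v in headers.items() if k.lower() == "authorization"), None
    )
    if auth_header is not None:
        match = _BEARER_RE.match(auth_header.strip())
        if match:
            return match.group(1)
    # Header missing, not a Bearer credential, or malformed: use the query
    # parameter, which is None when the client did not send one either.
    return args.get("access_token")


if __name__ == "__main__":
    # Constructed inputs showing where the two implementations disagree.
    cases = [
        ({"Authorization": "Bearer abc123"}, {}),
        ({"authorization": "bearer abc123"}, {}),
        ({"Authorization": "BEARER   abc123=="}, {}),
        ({"Authorization": "Basic dXNlcjpwYXNz"}, {"access_token": "qtoken"}),
        ({"Authorization": "Bearer Bearer abc"}, {}),
        ({}, {"access_token": "qtoken"}),
    ]
    for headers, args in cases:
        print(headers, args, "->",
              "fragile:", extract_token_fragile(headers),
              "| rfc6750:", extract_token(headers, args))
```

The third case ("BEARER" followed by three spaces) is accepted by the regex but would come back with leading spaces from the `auth_header[7:]` slice, and the fifth case shows the replace() version manufacturing a token ("abc") out of a header that the grammar rejects outright.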
Additional context
File: app/oauth/views/user_info.py line 20.