From 8719d839958cbd92a3439f739af9fd19f0c47eed Mon Sep 17 00:00:00 2001
From: Francesco Stefanni
Date: Sun, 12 Dec 2021 12:10:11 +0100
Subject: [PATCH] Bearer regular expression matching in authenticate handler
---
 lib/handlers/authenticate-handler.js | 2 +-
 .../handlers/authenticate-handler_test.js | 28 +++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/lib/handlers/authenticate-handler.js b/lib/handlers/authenticate-handler.js
index b02b123..78fb611 100644
--- a/lib/handlers/authenticate-handler.js
+++ b/lib/handlers/authenticate-handler.js
@@ -140,7 +140,7 @@ AuthenticateHandler.prototype.getTokenFromRequest = function(request) {
 AuthenticateHandler.prototype.getTokenFromRequestHeader = function(request) {
 const token = request.get('Authorization');
- const matches = token.match(/Bearer\s(\S+)/);
+ const matches = token.match(/^Bearer\s(\S+)/);
 if (!matches) {
 throw new InvalidRequestError('Invalid request: malformed authorization header');
diff --git a/test/unit/handlers/authenticate-handler_test.js b/test/unit/handlers/authenticate-handler_test.js
index 4d63428..ff0a924 100644
--- a/test/unit/handlers/authenticate-handler_test.js
+++ b/test/unit/handlers/authenticate-handler_test.js
@@ -5,6 +5,7 @@
 */
 const AuthenticateHandler = require('../../../lib/handlers/authenticate-handler');
+const InvalidRequestError = require('../../../lib/errors/invalid-request-error');
 const Request = require('../../../lib/request');
 const sinon = require('sinon');
 const should = require('chai').should();
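Review bot: The `^` anchor closes the prefix hole, but the pattern is still open at the end, so a header such as `Bearer abc junk` or `Bearer abc, Basic …` is accepted and only `abc` is handed to the model; anchoring both ends and allowing the `1*SP` that RFC 6750 permits gives `const matches = token.match(/^Bearer\s+(\S+)$/);`. Note that JavaScript's `\s` also matches tabs, line terminators and Unicode spaces, which the RFC 6750 grammar does not allow, and that the scheme match stays case-sensitive although RFC 7235 makes scheme names case-insensitive — whether to add the `i` flag is a separate decision worth recording in a comment on this line. The header value reaches `token.match` unchecked, so if `request.get('Authorization')` can return `undefined` here this throws a `TypeError` rather than `InvalidRequestError`; whether that is reachable depends on the caller, which is outside this hunk. The body of getTokenFromRequestHeader continues past the end of the hunk.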
@@ -16,6 +17,33 @@ const ServerError = require('../../../lib/errors/server-error');
 describe('AuthenticateHandler', function() {
 describe('getTokenFromRequest()', function() {
+ describe('with bearer token in the request authorization header', function() {
+ it('should throw an error if the token is malformed', () => {
+ const handler = new AuthenticateHandler({
+ model: { getAccessToken() {} },
+ });
+ const request = new Request({
+ body: {},
+ headers: {
+ Authorization: 'foo Bearer bar',
+ },
+ method: 'ANY',
+ query: {},
+ });
+
+ try {
+ handler.getTokenFromRequestHeader(request);
+
+ should.fail('should.fail', '');
+ } catch (e) {
+ e.should.be.an.instanceOf(InvalidRequestError);
+ e.message.should.equal(
+ 'Invalid request: malformed authorization header',
+ );
+ }
+ });
+ });
+
 describe('with bearer token in the request authorization header', function() {
 it('should call `getTokenFromRequestHeader()`', function() {
 const handler = new AuthenticateHandler({ model: { getAccessToken: function() {} } });