Merge pull request #721 from cakephp/bugfix/token-auth

Fix token auth prefix removal.

Author: markstory

src/Authenticator/TokenAuthenticator.php

@@ -63,7 +63,12 @@ protected function getToken(ServerRequestInterface $request): ?string
      */
     protected function stripTokenPrefix(string $token, string $prefix): string
     {
-        return trim(str_ireplace($prefix, '', $token));
+        $prefixLength = mb_strlen($prefix);
+        if (mb_substr(mb_strtolower($token), 0, $prefixLength) === mb_strtolower($prefix)) {
+            $token = mb_substr($token, $prefixLength);
+        }
+
+        return trim($token);
     }
 
     /**

tests/TestCase/Authenticator/TokenAuthenticatorTest.php

@@ -150,6 +150,16 @@ public function testTokenPrefix()
         $result = $tokenAuth->authenticate($requestWithHeaders);
         $this->assertInstanceOf(Result::class, $result);
         $this->assertSame(Result::FAILURE_IDENTITY_NOT_FOUND, $result->getStatus());
+
+        // should not remove prefix from token
+        $requestWithHeaders = $this->request->withAddedHeader('X-Dipper-Auth', 'mari mariano');
+        $tokenAuth = new TokenAuthenticator($this->identifiers, [
+            'header' => 'X-Dipper-Auth',
+            'tokenPrefix' => 'mari',
+        ]);
+        $result = $tokenAuth->authenticate($requestWithHeaders);
+        $this->assertInstanceOf(Result::class, $result);
+        $this->assertSame(Result::SUCCESS, $result->getStatus());
     }
 
     /**