fix: normalize client header parsing

haasonsaas · haasonsaas · commit 97001058f5a0 · 2025-11-01T20:48:12.000-07:00
diff --git a/app/main.py b/app/main.py
@@ -16,6 +16,24 @@
 F = TypeVar("F", bound=Callable[..., ResponseReturnValue])
 
 
+def _coerce_header(value: str | None) -> str:
+    if value is None:
+        return "unknown"
+    cleaned = value.strip()
+    return cleaned if cleaned else "unknown"
+
+
+def _normalize_cert_subject(value: str | None) -> str:
+    subject = _coerce_header(value)
+    if subject == "unknown":
+        return subject
+    prefix = "subject="
+    if subject.lower().startswith(prefix):
+        remainder = subject[len(prefix) :].lstrip()
+        return remainder or "unknown"
+    return subject
+
+
 def route(rule: str, **options: Any) -> Callable[[F], F]:
     return cast(Callable[[F], F], app.route(rule, **options))
 
@@ -42,10 +60,8 @@ def health() -> Dict[str, str]:
 @route("/")
 def index() -> str:
     with record_route_metrics("index"):
-        cert_subject = request.headers.get("X-Client-Subject", "unknown") or "unknown"
-        if cert_subject.startswith("Subject="):
-            cert_subject = cert_subject.replace("Subject=", "", 1)
-        device_id = request.headers.get("X-Device-ID", "unknown") or "unknown"
+        cert_subject = _normalize_cert_subject(request.headers.get("X-Client-Subject"))
+        device_id = _coerce_header(request.headers.get("X-Device-ID"))
         return (
             f"Hello from keep protected app!\n"
             f"Client cert subject: {cert_subject}\n"
diff --git a/app/tests/test_main.py b/app/tests/test_main.py
@@ -127,3 +127,24 @@ def test_empty_headers(client: TestClient) -> None:
     # Empty headers should fall back to "unknown"
     assert "Client cert subject: unknown" in text
     assert "Device ID: unknown" in text
+
+
+def test_headers_whitespace_only(client: TestClient) -> None:
+    """Whitespace-only headers should be treated as unknown."""
+    headers = {"X-Client-Subject": "   ", "X-Device-ID": " \t"}
+    response = client.get("/", headers=headers)
+    assert response.status_code == 200
+
+    text = response.get_data(as_text=True)
+    assert "Client cert subject: unknown" in text
+    assert "Device ID: unknown" in text
+
+
+def test_client_subject_case_insensitive_prefix(client: TestClient) -> None:
+    """Subject prefix removal should be case-insensitive and trim spacing."""
+    headers = {"X-Client-Subject": "subject= CN=case@example.com"}
+    response = client.get("/", headers=headers)
+    assert response.status_code == 200
+
+    text = response.get_data(as_text=True)
+    assert "Client cert subject: CN=case@example.com" in text
