@@ -1997,6 +1997,16 @@ class TestWWWAuthenticate:
19971997 "scope" ,
19981998 "admin:write resource:read" ,
19991999 ),
2000+ (
2001+ 'Bearer error_scope="decoy", scope="read write"' ,
2002+ "scope" ,
2003+ "read write" ,
2004+ ),
2005+ (
2006+ 'Bearer realm="api, scope=decoy", scope="read write"' ,
2007+ "scope" ,
2008+ "read write" ,
2009+ ),
20002010 (
20012011 'Bearer realm="api", resource_metadata="https://api.example.com/.well-known/oauth-protected-resource", '
20022012 'error="insufficient_scope"' ,
@@ -2047,6 +2057,19 @@ def test_extract_field_from_www_auth_valid_cases(
20472057 # Header without requested field
20482058 ('Bearer realm="api", error="insufficient_scope"' , "scope" , "no scope parameter" ),
20492059 ('Bearer realm="api", scope="read write"' , "resource_metadata" , "no resource_metadata parameter" ),
2060+ ('Bearer custom_scope="leaked"' , "scope" , "substring auth-param should not match scope" ),
2061+ ('Bearer realm="api scope=leaked"' , "scope" , "auth-param inside quoted value should not match scope" ),
2062+ ('Bearer realm="api, scope=leaked"' , "scope" , "auth-param after quoted comma should not match scope" ),
2063+ (
2064+ 'Bearer x_resource_metadata="https://decoy.example.com"' ,
2065+ "resource_metadata" ,
2066+ "substring auth-param should not match resource_metadata" ,
2067+ ),
2068+ (
2069+ 'Bearer realm="api, resource_metadata=https://decoy.example.com"' ,
2070+ "resource_metadata" ,
2071+ "auth-param after quoted comma should not match resource_metadata" ,
2072+ ),
20502073 # Malformed field (empty value)
20512074 ("Bearer scope=" , "scope" , "malformed scope parameter" ),
20522075 ("Bearer resource_metadata=" , "resource_metadata" , "malformed resource_metadata parameter" ),
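Review bot: The new negative cases at 2060–2072 cover an auth-param nested in a quoted value and one following a quoted comma, but none contains an escaped quote inside the quoted-string, so a parser that tracks quote state without handling the quoted-pair form (`\"`, RFC 7230 §3.2.6) would still pass this table; a row such as `('Bearer realm="api \\" scope=leaked"', "scope", "auth-param after escaped quote should not match scope")` would pin that. The positive table in the first hunk (2005–2014) has the same gap and would take the mirror case where the real `scope="read write"` follows the escaped quote. Whether the extractor is meant to handle quoted-pair is not visible from the hunks, so confirm against the implementation before adding the rows; if it does not, a row documenting the current behaviour is still useful. Both enclosing test functions start outside these hunks.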