From 4a3dfcc74e440aae2d798b8b582a4991344cb30a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Wed, 25 Sep 2024 11:24:49 +0200
Subject: [PATCH] Add comma to authenticate header
---
 lib_static/open_project/authentication.rb | 4 +--
 spec/requests/api/v3/authentication_spec.rb | 31 +++++++++++++--------
 2 files changed, 22 insertions(+), 13 deletions(-)
diff --git a/lib_static/open_project/authentication.rb b/lib_static/open_project/authentication.rb
index b1d911e623db..d66e2d6b531a 100644
--- a/lib_static/open_project/authentication.rb
+++ b/lib_static/open_project/authentication.rb
@@ -270,8 +270,8 @@ def response_header(
 request_headers)
 header = %{#{scheme} realm="#{scope_realm(scope)}"}
- header << %{ error="#{error}"} if error
- header << %{ error_description="#{error_description}"} if error && error_description
+ header << %{, error="#{error}"} if error
+ header << %{, error_description="#{error_description}"} if error && error_description
 header
 end
diff --git a/spec/requests/api/v3/authentication_spec.rb b/spec/requests/api/v3/authentication_spec.rb
index 7683cd988607..045177706b6a 100644
--- a/spec/requests/api/v3/authentication_spec.rb
+++ b/spec/requests/api/v3/authentication_spec.rb
@@ -65,7 +65,7 @@
 it "returns unauthorized" do
 expect(last_response).to have_http_status :unauthorized
- expect(last_response.header["WWW-Authenticate"]).to eq('Bearer realm="OpenProject API" error="invalid_token"')
+ expect(last_response.header["WWW-Authenticate"]).to eq('Bearer realm="OpenProject API", error="invalid_token"')
 expect(JSON.parse(last_response.body)).to eq(error_response_body)
 end
 end
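Review bot: The two added lines interpolate `error` and `error_description` straight into RFC 7235 quoted-strings, so a value containing `"` or `\` would produce a WWW-Authenticate header that clients cannot parse. Every description visible in the spec hunks is a fixed literal, so this is not a live problem as shown, but nothing in `response_header` enforces that, and a description that ever echoed token-derived content (issuer, audience, scope) would need escaping; I would write `header << %{, error_description="#{error_description.to_s.gsub(/["\\]/) { |c| "\\#{c}" }}"} if error && error_description` and treat `error` the same way. CR and LF cannot be represented inside a quoted-string and have to be rejected before they reach this method rather than escaped here. `response_header` begins before this hunk, so the parameter list is not visible.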
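Review bot: The expected header `'Bearer realm="OpenProject API", error="invalid_token"'` is spelled out as a full literal in this hunk and again in the hunks at -76, -93 and -120 (with `insufficient_scope` at -104), so the next change to the header format will again touch every test. A single `let(:invalid_token_header) { %{Bearer realm="OpenProject API", error="invalid_token"} }` shared by these examples, compared with `expect(last_response.header["WWW-Authenticate"]).to eq(invalid_token_header)`, would keep the format in one place. The `it` blocks are complete within the hunk; the enclosing `context` blocks start outside it.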
@@ -76,7 +76,7 @@
 it "returns unauthorized" do
 expect(last_response).to have_http_status :unauthorized
- expect(last_response.header["WWW-Authenticate"]).to eq('Bearer realm="OpenProject API" error="invalid_token"')
+ expect(last_response.header["WWW-Authenticate"]).to eq('Bearer realm="OpenProject API", error="invalid_token"')
 expect(JSON.parse(last_response.body)).to eq(error_response_body)
 end
 end
@@ -93,7 +93,7 @@
 it "returns unauthorized" do
 expect(last_response).to have_http_status :unauthorized
- expect(last_response.header["WWW-Authenticate"]).to eq('Bearer realm="OpenProject API" error="invalid_token"')
+ expect(last_response.header["WWW-Authenticate"]).to eq('Bearer realm="OpenProject API", error="invalid_token"')
 expect(JSON.parse(last_response.body)).to eq(error_response_body)
 end
 end
@@ -104,7 +104,7 @@
 it "returns forbidden" do
 expect(last_response).to have_http_status :forbidden
- expect(last_response.header["WWW-Authenticate"]).to eq('Bearer realm="OpenProject API" error="insufficient_scope"')
+ expect(last_response.header["WWW-Authenticate"]).to eq('Bearer realm="OpenProject API", error="insufficient_scope"')
 expect(JSON.parse(last_response.body)).to eq(error_response_body)
 end
 end
@@ -120,7 +120,7 @@
 it "returns unauthorized" do
 expect(last_response).to have_http_status :unauthorized
- expect(last_response.header["WWW-Authenticate"]).to eq('Bearer realm="OpenProject API" error="invalid_token"')
+ expect(last_response.header["WWW-Authenticate"]).to eq('Bearer realm="OpenProject API", error="invalid_token"')
 expect(JSON.parse(last_response.body)).to eq(error_response_body)
 end
 end
@@ -414,7 +414,8 @@ def set_basic_auth_header(user, password)
 it do
 get resource
 expect(last_response).to have_http_status :unauthorized
- expect(last_response.header["WWW-Authenticate"]).to eq("Bearer realm=\"OpenProject API\" error=\"invalid_token\" error_description=\"The access token issuer is unknown\"")
+ expect(last_response.header["WWW-Authenticate"])
+ .to eq(%{Bearer realm="OpenProject API", error="invalid_token", error_description="The access token issuer is unknown"})
 expect(JSON.parse(last_response.body)).to eq(error_response_body)
 end
 end
@@ -422,13 +423,16 @@ def set_basic_auth_header(user, password)
 context "when token is issued by provider configured in OP" do
 context "when token signature algorithm is not supported" do
 let(:token) do
- "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJpc3MiOiJodHRwczovL2tleWNsb2FrLmxvY2FsL3JlYWxtcy9tYXN0ZXIifQ.Pwod8ZJqq3jWsbnrGw4ZU1-aLS2bSicb8PgiF78JHUc"
+ "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5" \
+ "MDIyLCJpc3MiOiJodHRwczovL2tleWNsb2FrLmxvY2FsL3JlYWxtcy9tYXN0ZXIifQ.Pwod8ZJqq3jWsbnrGw4ZU1-aLS2bSicb8PgiF78JHUc"
 end
 it do
 get resource
 expect(last_response).to have_http_status :unauthorized
- expect(last_response.header["WWW-Authenticate"]).to eq("Bearer realm=\"OpenProject API\" error=\"invalid_token\" error_description=\"Token signature algorithm is not supported\"")
+ error = "Token signature algorithm is not supported"
+ expect(last_response.header["WWW-Authenticate"])
+ .to eq(%{Bearer realm="OpenProject API", error="invalid_token", error_description="#{error}"})
 expect(JSON.parse(last_response.body)).to eq(error_response_body)
 end
 end
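Review bot: In the hunk at -422 the new local `error = "Token signature algorithm is not supported"` holds the error_description, while the very next expectation also carries `error="invalid_token"`, so the name suggests the error code is being substituted when it is not. Naming it for what it is, `description = "Token signature algorithm is not supported"` and `error_description="#{description}"`, removes that ambiguity. The same naming is used in the later hunks at -455 and -521. The `it do` blocks are complete within their hunks; the surrounding `context` blocks start outside them.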
@@ -455,7 +459,9 @@ def set_basic_auth_header(user, password)
 get resource
 end
 expect(last_response).to have_http_status :unauthorized
- expect(last_response.header["WWW-Authenticate"]).to eq('Bearer realm="OpenProject API" error="invalid_token" error_description="The access token audience claim is wrong"')
+ error = "The access token audience claim is wrong"
+ expect(last_response.header["WWW-Authenticate"])
+ .to eq(%{Bearer realm="OpenProject API", error="invalid_token", error_description="#{error}"})
 expect(JSON.parse(last_response.body)).to eq(error_response_body)
 end
 end
@@ -481,7 +487,8 @@ def set_basic_auth_header(user, password)
 end
 expect(last_response).to have_http_status :unauthorized
- expect(last_response.header["WWW-Authenticate"]).to eq('Bearer realm="OpenProject API" error="invalid_token" error_description="The access token expired"')
+ expect(last_response.header["WWW-Authenticate"])
+ .to eq(%{Bearer realm="OpenProject API", error="invalid_token", error_description="The access token expired"})
 expect(JSON.parse(last_response.body)).to eq(error_response_body)
 end
@@ -521,7 +528,9 @@ def set_basic_auth_header(user, password)
 end
 expect(last_response).to have_http_status :unauthorized
 expect(JSON.parse(last_response.body)).to eq(error_response_body)
- expect(last_response.header["WWW-Authenticate"]).to eq('Bearer realm="OpenProject API" error="invalid_token" error_description="The access token signature kid is unknown"')
+ error = "The access token signature kid is unknown"
+ expect(last_response.header["WWW-Authenticate"])
+ .to eq(%{Bearer realm="OpenProject API", error="invalid_token", error_description="#{error}"})
 end
 end
 end