#7624 accept empty bearer authorization token. (#7685)

* Fix #7624 accept empty bearer authorization token.

* add changes file

changes/bug-7624-sso-login-button-not-working

@@ -0,0 +1 @@
+- Fix Single Sign On button not working after a failed authorization attempt.

server/contexts/token/token.go

@@ -20,14 +20,17 @@ type Token string
 func FromHTTPRequest(r *http.Request) Token {
 	headers := r.Header.Get("Authorization")
 	headerParts := strings.Split(headers, " ")
-	if len(headerParts) != 2 || strings.ToUpper(headerParts[0]) != "BEARER" {
-		if err := r.ParseForm(); err != nil {
-			return ""
+	if len(headerParts) > 0 && strings.ToUpper(headerParts[0]) == "BEARER" {
+		if len(headerParts) == 2 {
+			return Token(headerParts[1])
 		}
-
-		return Token(r.FormValue("token"))
+		// This indicates "no token". We don't want to read the request-body here.
+		return ""
 	}
-	return Token(headerParts[1])
+	if err := r.ParseForm(); err != nil {
+		return ""
+	}
+	return Token(r.FormValue("token"))
 }
 
 // NewContext returns a new context carrying the Authorization Bearer token.

server/contexts/token/token_test.go

@@ -0,0 +1,70 @@
+package token
+
+import (
+	"io"
+	"net/http"
+	"strings"
+	"testing"
+)
+
+func TestFromHTTPRequest(t *testing.T) {
+	tests := []struct {
+		name string
+		r    *http.Request
+		want Token
+	}{
+		{
+			name: "no auth",
+			want: "",
+			r:    &http.Request{},
+		}, {
+			name: "empty auth",
+			r: &http.Request{
+				Header: map[string][]string{
+					"Authorization": {""},
+				},
+			},
+			want: "",
+		}, {
+			name: "BEARER no data",
+			r: &http.Request{
+				Header: map[string][]string{
+					"Authorization": {"BEARER"},
+					"Content-Type":  {"application/x-www-form-urlencoded"},
+				},
+				Method: http.MethodPost,
+				Body:   io.NopCloser(strings.NewReader("token=bar")),
+			},
+			want: "",
+		}, {
+			name: "BEARER foobar",
+			r: &http.Request{
+				Header: map[string][]string{
+					"Authorization": {"BEARER foobar"},
+					"Content-Type":  {"application/x-www-form-urlencoded"},
+				},
+				Method: http.MethodPost,
+				Body:   io.NopCloser(strings.NewReader("token=bar")),
+			},
+			want: "foobar",
+		}, {
+			name: "from body",
+			r: &http.Request{
+				Header: map[string][]string{
+					"Authorization": {"FOOBAR foobar"},
+					"Content-Type":  {"application/x-www-form-urlencoded"},
+				},
+				Method: http.MethodPost,
+				Body:   io.NopCloser(strings.NewReader("token=bar")),
+			},
+			want: "bar",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := FromHTTPRequest(tt.r); got != tt.want {
+				t.Errorf("FromHTTPRequest() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}