From 9b9a743884abae8a09a2dfb74b3a4281cd23e3af Mon Sep 17 00:00:00 2001
From: mscherer
Date: Fri, 2 May 2025 15:04:11 +0200
Subject: [PATCH 1/3] Fix token auth prefix removal.
---
 src/Authenticator/TokenAuthenticator.php | 7 ++++++-
 .../TestCase/Authenticator/TokenAuthenticatorTest.php | 10 ++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/Authenticator/TokenAuthenticator.php b/src/Authenticator/TokenAuthenticator.php
index 6ef6075b..385a9c5c 100644
--- a/src/Authenticator/TokenAuthenticator.php
+++ b/src/Authenticator/TokenAuthenticator.php
@@ -63,7 +63,12 @@ protected function getToken(ServerRequestInterface $request): ?string
 */
 protected function stripTokenPrefix(string $token, string $prefix): string
 {
- return trim(str_ireplace($prefix, '', $token));
+ $prefixLength = mb_strlen($prefix);
+ if (mb_substr(mb_strtolower($token), 0, $prefixLength) === mb_strtolower($prefix)) {
+ $token = mb_substr($token, $prefixLength);
+ }
+
+ return trim($token);
 }
 
 /**
diff --git a/tests/TestCase/Authenticator/TokenAuthenticatorTest.php b/tests/TestCase/Authenticator/TokenAuthenticatorTest.php
index 05874da3..c5e25646 100644
--- a/tests/TestCase/Authenticator/TokenAuthenticatorTest.php
+++ b/tests/TestCase/Authenticator/TokenAuthenticatorTest.php
@@ -150,6 +150,16 @@ public function testTokenPrefix()
 $result = $tokenAuth->authenticate($requestWithHeaders);
 $this->assertInstanceOf(Result::class, $result);
 $this->assertSame(Result::FAILURE_IDENTITY_NOT_FOUND, $result->getStatus());
+
+ // should not modify in between
+ $requestWithHeaders = $this->request->withAddedHeader('X-Dipper-Auth', 'auth-token-13');
+ $tokenAuth = new TokenAuthenticator($this->identifiers, [
+ 'header' => 'X-Dipper-Auth',
+ 'tokenPrefix' => 'token_',
+ ]);
+ $result = $tokenAuth->authenticate($requestWithHeaders);
+ $this->assertInstanceOf(Result::class, $result);
+ $this->assertSame(Result::SUCCESS, $result->getStatus());
 }
 
 /**
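Review bot: The comparison on the new `if` line in stripTokenPrefix lowercases the whole token and then slices it, while the slice removed on the following line is taken from the original token; because `mb_strtolower` can change a string's code-point length under full Unicode case mapping, the characters compared and the characters removed are not guaranteed to be the same. Lowercasing only the candidate slice keeps both aligned and avoids case-folding the entire credential just to inspect its head: `if (mb_strtolower(mb_substr($token, 0, $prefixLength)) === mb_strtolower($prefix)) {`. With an empty prefix the condition is trivially true and `mb_substr($token, 0)` returns the token unchanged, which looks harmless, though whether callers ever pass an empty prefix is not visible here. The docblock above stripTokenPrefix starts outside the hunk; it would be worth stating there that only a leading, case-insensitive occurrence of the prefix is removed, since that is the behaviour this commit introduces.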
From f9be25e24ebda248ab0853e8b35c0f459b5851cb Mon Sep 17 00:00:00 2001
From: Mark Scherer
Date: Wed, 7 May 2025 19:53:25 +0200
Subject: [PATCH 2/3] Update tests/TestCase/Authenticator/TokenAuthenticatorTest.php
Co-authored-by: Mark Story
---
 tests/TestCase/Authenticator/TokenAuthenticatorTest.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/TestCase/Authenticator/TokenAuthenticatorTest.php b/tests/TestCase/Authenticator/TokenAuthenticatorTest.php
index c5e25646..26b445f2 100644
--- a/tests/TestCase/Authenticator/TokenAuthenticatorTest.php
+++ b/tests/TestCase/Authenticator/TokenAuthenticatorTest.php
@@ -152,7 +152,7 @@ public function testTokenPrefix()
 $this->assertSame(Result::FAILURE_IDENTITY_NOT_FOUND, $result->getStatus());
 
 // should not modify in between
- $requestWithHeaders = $this->request->withAddedHeader('X-Dipper-Auth', 'auth-token-13');
+ $requestWithHeaders = $this->request->withAddedHeader('X-Dipper-Auth', 'token_auth-token-13');
 $tokenAuth = new TokenAuthenticator($this->identifiers, [
 'header' => 'X-Dipper-Auth',
 'tokenPrefix' => 'token_',
From f5d38f935a94f9157f2813642c5f73e76338d462 Mon Sep 17 00:00:00 2001
From: Mark Story
Date: Wed, 7 May 2025 15:58:06 -0400
Subject: [PATCH 3/3] Update test
---
 tests/TestCase/Authenticator/TokenAuthenticatorTest.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/TestCase/Authenticator/TokenAuthenticatorTest.php b/tests/TestCase/Authenticator/TokenAuthenticatorTest.php
index 26b445f2..f471fb38 100644
--- a/tests/TestCase/Authenticator/TokenAuthenticatorTest.php
+++ b/tests/TestCase/Authenticator/TokenAuthenticatorTest.php
@@ -151,11 +151,11 @@ public function testTokenPrefix()
 $this->assertInstanceOf(Result::class, $result);
 $this->assertSame(Result::FAILURE_IDENTITY_NOT_FOUND, $result->getStatus());
 
- // should not modify in between
- $requestWithHeaders = $this->request->withAddedHeader('X-Dipper-Auth', 'token_auth-token-13');
+ // should not remove prefix from token
+ $requestWithHeaders = $this->request->withAddedHeader('X-Dipper-Auth', 'mari mariano');
 $tokenAuth = new TokenAuthenticator($this->identifiers, [
 'header' => 'X-Dipper-Auth',
- 'tokenPrefix' => 'token_',
+ 'tokenPrefix' => 'mari',
 ]);
 $result = $tokenAuth->authenticate($requestWithHeaders);
 $this->assertInstanceOf(Result::class, $result);
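Review bot: The new comment `// should not remove prefix from token` states the opposite of what the case exercises: the leading `mari` is stripped from `'mari mariano'`, and the success assertion holds only because the `mari` inside `mariano` is left untouched. A comment such as `// only the leading prefix is stripped; a later occurrence inside the token stays` describes the expectation the fix actually guarantees. Since the fix compares the prefix case-insensitively, a constructed variant like `'MARI mariano'` with the same `'mari'` prefix would pin that aspect too, unless another case in this file already covers it. The remainder of testTokenPrefix lies outside the hunk.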