cakephp · markstory · May 9, 2025 · May 2, 2025 · May 7, 2025 · May 7, 2025
diff --git a/src/Authenticator/TokenAuthenticator.php b/src/Authenticator/TokenAuthenticator.php
@@ -63,7 +63,12 @@ protected function getToken(ServerRequestInterface $request): ?string
      */
     protected function stripTokenPrefix(string $token, string $prefix): string
     {
-        return trim(str_ireplace($prefix, '', $token));
+        $prefixLength = mb_strlen($prefix);
+        if (mb_substr(mb_strtolower($token), 0, $prefixLength) === mb_strtolower($prefix)) {
+            $token = mb_substr($token, $prefixLength);
+        }
+
+        return trim($token);
     }
 
     /**

diff --git a/tests/TestCase/Authenticator/TokenAuthenticatorTest.php b/tests/TestCase/Authenticator/TokenAuthenticatorTest.php
@@ -150,6 +150,16 @@ public function testTokenPrefix()
         $result = $tokenAuth->authenticate($requestWithHeaders);
         $this->assertInstanceOf(Result::class, $result);
         $this->assertSame(Result::FAILURE_IDENTITY_NOT_FOUND, $result->getStatus());
+
+        // should not modify in between
+        $requestWithHeaders = $this->request->withAddedHeader('X-Dipper-Auth', 'auth-token-13');
+        $tokenAuth = new TokenAuthenticator($this->identifiers, [
+            'header' => 'X-Dipper-Auth',
+            'tokenPrefix' => 'token_',
+        ]);
+        $result = $tokenAuth->authenticate($requestWithHeaders);
+        $this->assertInstanceOf(Result::class, $result);
+        $this->assertSame(Result::SUCCESS, $result->getStatus());
     }
 
     /**