Token prefix not being stripped

[utdrmac]

In src/Application.php

        $service->loadAuthenticator('Authentication.Token', [
            'header' => 'X-Dipper-Auth',
            'tokenPrefix' => 'dipper_',
        ]);

Testing like this:

$ curl --verbose -H 'X-Dipper-Auth: dipper_sdfasdfadsf' https://domain.com/

dipper_ is the token prefix. It is not being stripped before being passed to my identifier. Looking at the code in vendor/cakephp/authentication/src/Authenticator/TokenAuthenticator.php, I found the function stripTokenPrefix() which does something odd:

     	return str_ireplace($prefix . ' ', '', $token);

Why is the replace concatenated with an empty space? That's not part of my prefix.

[markstory]

Why is the replace concatenated with an empty space? That's not part of my prefix.

Because it is meant to handle value prefixes like

Authorization: Bearer foo_abc123

[utdrmac]

Ok, but what about prefixes like: (foo_ is the prefix)

Authorization: foo_abc123

If you have a space in your prefix, then include that in the config; don't force it upon everyone.

[markstory]

If you have a space in your prefix, then include that in the config; don't force it upon everyone.

That's not how the class was designed/built though. Changing it now will break existing usage and can't be done. We could add another option to remove the prefix on the token value 🤷

[ADmad]

Changing

return str_ireplace($prefix . ' ', '', $token);

to

return trim(str_ireplace($prefix, '', $token));

would retain the current behavior and also allow what @utdrmac expects.