
Refactor: extract bearer token parsing#261

Merged: r-log merged 3 commits into main from refactor/extract-bearer-token on Apr 26, 2026

Conversation

r-log (Owner) commented Apr 12, 2026

Centralizes Bearer token extraction into a utility function with proper validation.

Extract duplicated Bearer token parsing logic from auth routes and
decorators into a single `extract_bearer_token()` utility function.
Previously, token extraction used inconsistent approaches (split vs
replace) across multiple locations, risking subtle parsing bugs.
gita-agents (bot) commented Apr 12, 2026

GITA review for PR #261: Refactor: extract bearer token parsing

The refactoring introduces a medium-severity bug in token validation logic where whitespace-only bearer tokens are incorrectly treated as valid, bypassing the 'Invalid token format' error. Additionally, two endpoints unnecessarily duplicate token extraction by calling extract_bearer_token after the @token_required decorator has already validated and extracted the token.

Verdict: CHANGES REQUESTED

backend/app/utils/decorators.py

  • [MEDIUM] bug — line 36: The extract_bearer_token function returns None when token is empty after stripping, but the calling code in _extract_and_validate_token (line 36) checks if token is None and request.headers['Authorization'] which will incorrectly treat a header with only whitespace after 'Bearer' as valid. This creates an inconsistency: extract_bearer_token('Bearer ') returns None, but the condition allows it to proceed to token validation instead of returning the 'Invalid token format' error.
    Fix: Adjust the error-handling logic in _extract_and_validate_token to properly distinguish between missing headers and malformed headers, or ensure extract_bearer_token is called only when a header exists and validate the result consistently.

backend/app/api/auth/routes.py

  • [LOW] quality — line 54: The logout endpoint is decorated with @token_required, which already validates and extracts the token via _extract_and_validate_token. However, the endpoint then calls extract_bearer_token again on the same header, duplicating token extraction logic. The token should be retrieved from request.current_user instead.
    Fix: Use the token that was already validated by the @token_required decorator rather than re-extracting it from the Authorization header.
  • [LOW] quality — line 89: The refresh_token endpoint is decorated with @token_required, which already validates and extracts the token via _extract_and_validate_token. However, the endpoint then calls extract_bearer_token again on the same header, duplicating token extraction logic. The token should be retrieved from request.current_user instead.
    Fix: Use the token that was already validated by the @token_required decorator rather than re-extracting it from the Authorization header.

Generated by GITA v0.1.0 PR reviewer. Confidence: 0.85.

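The following is an added example and not code from this repository or from the GITA reviewer: it shows the shape of a centralized bearer-token extractor of the kind the PR description introduces, together with a caller that keeps "missing header" and "malformed header" apart, which is the inconsistency the review raises for a whitespace-only `Bearer ` header, and a decorator that stores the validated token so endpoints do not re-parse the header. All names here (`classify_authorization`, `_header`, `Request`, `token_required`, the `logout` view, the error strings) are assumptions made for illustration; the real `extract_bearer_token()` and `_extract_and_validate_token()` in `backend/app` are not reproduced. Token syntax follows the token68 form that RFC 6750 borrows from RFC 7235.

```python
# Added example (not the project's code). Names and behaviour are assumptions.
import functools
import re
from typing import Mapping, Optional, Tuple

# token68 (RFC 7235), the form a Bearer credential takes per RFC 6750:
# one or more of ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/", then optional "=" padding.
_TOKEN68 = re.compile(r"^[A-Za-z0-9._~+/-]+=*$")

MISSING_HEADER = "Authorization header is missing"
INVALID_FORMAT = "Invalid token format"


def extract_bearer_token(authorization: Optional[str]) -> Optional[str]:
    """Return the token from an Authorization header value, or None.

    None covers every malformed case: no value, another scheme, nothing after
    the scheme (including 'Bearer ' followed only by whitespace), embedded
    whitespace, or characters outside token68. Splitting on whitespace at most
    once avoids the split-vs-replace drift the PR describes: 'Bearer Bearer x'
    is rejected here, whereas a global replace('Bearer ', '') would yield 'x'.
    """
    if authorization is None:
        return None
    parts = authorization.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":  # scheme name is case-insensitive
        return None
    token = parts[1].strip()
    if not token or not _TOKEN68.match(token):
        return None
    return token


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup so a plain dict behaves like a framework's request.headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def classify_authorization(headers: Mapping[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (token, None) on success, or (None, error_message) otherwise.

    Presence is checked before extraction, so a whitespace-only 'Bearer '
    header is reported as INVALID_FORMAT rather than being confused with a
    missing header or handed on to token validation as if it were a token.
    """
    raw = _header(headers, "Authorization")
    if raw is None:
        return None, MISSING_HEADER
    token = extract_bearer_token(raw)
    if token is None:
        return None, INVALID_FORMAT
    return token, None


class Request:
    """Minimal stand-in for a framework request object (assumption, not Flask)."""

    def __init__(self, headers: Mapping[str, str]):
        self.headers = headers
        self.bearer_token: Optional[str] = None


def token_required(view):
    """Validate once and stash the token on the request; decorated views read
    request.bearer_token instead of parsing the Authorization header again."""

    @functools.wraps(view)
    def wrapper(request: Request, *args, **kwargs):
        token, error = classify_authorization(request.headers)
        if error is not None:
            return 401, {"error": error}
        request.bearer_token = token
        return view(request, *args, **kwargs)

    return wrapper


@token_required
def logout(request: Request):
    """Hypothetical endpoint: uses the already-validated token, no re-extraction."""
    return 200, {"revoked": request.bearer_token}


if __name__ == "__main__":
    # Constructed sample headers, including the whitespace-only case from the review.
    for hdrs in [{"Authorization": "Bearer eyJhbGciOi.payload.sig"},
                 {"authorization": "bearer abc123"},
                 {"Authorization": "Bearer "},
                 {"Authorization": "Basic dXNlcjpwYXNz"},
                 {}]:
        print(repr(_header(hdrs, "Authorization")), "->", logout(Request(hdrs)))
```

The point of returning a `(token, error)` pair from one place is that every caller sees the same three outcomes (missing, malformed, valid) and cannot accidentally route the malformed case into token validation; a view that needs the token reads it from the request object the decorator populated.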
r-log added 2 commits April 14, 2026 14:38
- Add `.claude/` and `docs/` to `.gitignore` to exclude AI session state and documentation from version control
- Reformat cross-cutting concerns table in `ARCHITECTURE.md` with aligned column padding for improved readability
@r-log r-log merged commit ca1beae into main Apr 26, 2026
3 checks passed
