🐛 Strip whitespaces from `Authorization` header credentials (#14786)

2026-02-04 14:46:46 +01:00 · 2026-02-04 14:46:46 +01:00 · 1d96b3e3f1
parent 3675e284ab
commit 1d96b3e3f1
3 changed files with 13 additions and 1 deletions
--- a/fastapi/security/utils.py
+++ b/fastapi/security/utils.py
@ -7,4 +7,4 @@ def get_authorization_scheme_param(
    if not authorization_header_value:
        return "", ""
    scheme, _, param = authorization_header_value.partition(" ")
-    return scheme, param
+    return scheme, param.strip()
--- a/tests/test_security_http_base.py
+++ b/tests/test_security_http_base.py
@ -21,6 +21,12 @@ def test_security_http_base():
    assert response.json() == {"scheme": "Other", "credentials": "foobar"}


+def test_security_http_base_with_whitespaces():
+    response = client.get("/users/me", headers={"Authorization": "Other  foobar "})
+    assert response.status_code == 200, response.text
+    assert response.json() == {"scheme": "Other", "credentials": "foobar"}
+
+
 def test_security_http_base_no_credentials():
    response = client.get("/users/me")
    assert response.status_code == 401, response.text
--- a/tests/test_security_oauth2_authorization_code_bearer.py
+++ b/tests/test_security_oauth2_authorization_code_bearer.py
@ -37,6 +37,12 @@ def test_token():
    assert response.json() == {"token": "testtoken"}


+def test_token_with_whitespaces():
+    response = client.get("/items", headers={"Authorization": "Bearer  testtoken "})
+    assert response.status_code == 200, response.text
+    assert response.json() == {"token": "testtoken"}
+
+
 def test_openapi_schema():
    response = client.get("/openapi.json")
    assert response.status_code == 200, response.text