Authorization header not parsed correctly if it contains extra spaces

Author: harrisiirak

lib/passport-http-oauth/strategies/consumer.js

@@ -144,9 +144,12 @@ ConsumerStrategy.prototype.authenticate = function(req) {
 
   if (req.headers && req.headers['authorization']) {
     var parts = req.headers['authorization'].split(' ');
-    if (parts.length == 2) {
-      var scheme = parts[0]
-        , credentials = parts[1];
+    if (parts.length >= 2) {
+      var scheme = parts[0];
+      var credentials = null;
+
+      parts.shift();
+      credentials = parts.join(' ');
 
       if (/OAuth/i.test(scheme)) {
         params = utils.parseHeader(credentials);
@@ -233,6 +236,7 @@ ConsumerStrategy.prototype.authenticate = function(req) {
         return self.success(consumer, info);
       });
     } else {
+
       // An `oauth_token` is present, containing a request token.  In order to
       // validate the request, the corresponding token secret needs to be
       // retrieved.  The application can supply additional `info` about the

lib/passport-http-oauth/strategies/token.js

@@ -136,9 +136,12 @@ TokenStrategy.prototype.authenticate = function(req) {
 
   if (req.headers && req.headers['authorization']) {
     var parts = req.headers['authorization'].split(' ');
-    if (parts.length == 2) {
-      var scheme = parts[0]
-        , credentials = parts[1];
+    if (parts.length >= 2) {
+      var scheme = parts[0];
+      var credentials = null;
+
+      parts.shift();
+      credentials = parts.join(' ');
 
       if (/OAuth/i.test(scheme)) {
         params = utils.parseHeader(credentials);