fix: Auth header not ignoring other auth schemes

Author: tymondesigns

src/Http/Parser/AuthHeaders.php

@@ -51,11 +51,19 @@ public function parse(Request $request)
     {
         $header = $request->headers->get($this->header) ?: $this->fromAltHeaders($request);
 
-        if ($header) {
-            $start = strlen($this->prefix);
+        if ($header !== null) {
+            $position = strripos($header, $this->prefix);
 
-            return trim(substr($header, $start));
+            if ($position !== false) {
+                $header = substr($header, $position + strlen($this->prefix));
+
+                return trim(
+                    strpos($header, ',') !== false ? strstr($header, ',', true) : $header
+                );
+            }
         }
+
+        return null;
     }
 
     /**

tests/Http/ParserTest.php

@@ -108,6 +108,25 @@ public function it_should_return_the_token_from_the_alt_authorization_headers()
         $this->assertTrue($parser->hasToken());
     }
 
+    /** @test */
+    public function it_should_ignore_non_bearer_tokens()
+    {
+        $request = Request::create('foo', 'POST');
+        $request->headers->set('Authorization', 'Basic OnBhc3N3b3Jk');
+
+        $parser = new Parser($request);
+
+        $parser->setChain([
+            new QueryString,
+            new InputSource,
+            new AuthHeaders,
+            new RouteParams,
+        ]);
+
+        $this->assertNull($parser->parseToken());
+        $this->assertFalse($parser->hasToken());
+    }
+
     /** @test */
     public function it_should_not_strip_trailing_hyphens_from_the_authorization_header()
     {