@@ -2118,6 +2118,57 @@ def test_extract_resource_metadata_from_www_auth_ignores_prefixed_param(
21182118 result = extract_resource_metadata_from_www_auth (init_response )
21192119 assert result is None
21202120
2121+ def test_extract_field_from_www_auth_ignores_param_like_text_inside_quoted_value (
2122+ self ,
2123+ client_metadata : OAuthClientMetadata ,
2124+ mock_storage : MockTokenStorage ,
2125+ ):
2126+ """Test quoted values cannot shadow a later auth-param with the same name."""
2127+
2128+ init_response = httpx .Response (
2129+ status_code = 401 ,
2130+ headers = {"WWW-Authenticate" : 'Bearer realm="api, scope=decoy", scope="read write"' },
2131+ request = httpx .Request ("GET" , "https://api.example.com/test" ),
2132+ )
2133+
2134+ result = extract_field_from_www_auth (init_response , "scope" )
2135+ assert result == "read write"
2136+
2137+ def test_extract_field_from_www_auth_ignores_quoted_value_when_only_decoy_exists (
2138+ self ,
2139+ client_metadata : OAuthClientMetadata ,
2140+ mock_storage : MockTokenStorage ,
2141+ ):
2142+ """Test a field-like string inside a quoted value is not an auth-param."""
2143+
2144+ init_response = httpx .Response (
2145+ status_code = 401 ,
2146+ headers = {"WWW-Authenticate" : 'Bearer realm="api scope=leaked"' },
2147+ request = httpx .Request ("GET" , "https://api.example.com/test" ),
2148+ )
2149+
2150+ result = extract_field_from_www_auth (init_response , "scope" )
2151+ assert result is None
2152+
2153+ def test_extract_resource_metadata_from_www_auth_ignores_quoted_value_decoy (
2154+ self ,
2155+ client_metadata : OAuthClientMetadata ,
2156+ mock_storage : MockTokenStorage ,
2157+ ):
2158+ """Test resource_metadata is not extracted from another quoted param value."""
2159+
2160+ init_response = httpx .Response (
2161+ status_code = 401 ,
2162+ headers = {
2163+ "WWW-Authenticate" : 'Bearer realm="api, resource_metadata=https://decoy.example.com", '
2164+ 'resource_metadata="https://api.example.com/.well-known/oauth-protected-resource"'
2165+ },
2166+ request = httpx .Request ("GET" , "https://api.example.com/test" ),
2167+ )
2168+
2169+ result = extract_resource_metadata_from_www_auth (init_response )
2170+ assert result == "https://api.example.com/.well-known/oauth-protected-resource"
2171+
21212172
21222173class TestCIMD :
21232174 """Test Client ID Metadata Document (CIMD) support."""
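Review bot: The three new tests only exercise a decoy that sits inside a well-formed quoted-string; none covers the RFC 9110 quoted-pair form, where a `\"` inside the value can terminate the string early for a parser that scans to the next `"` and would re-expose exactly the shadowing these tests are meant to rule out. A fourth case along the lines of `headers={"WWW-Authenticate": 'Bearer realm="api\\", scope=decoy", scope="read write"'}` asserting `extract_field_from_www_auth(init_response, "scope") == "read write"` (plus the `resource_metadata` analogue) would pin that the tokenizer honours backslash escapes; whether the implementation already handles them is not visible from this hunk. The unused `client_metadata` and `mock_storage` fixtures on each new test match the neighbouring test at the top of the hunk, so that is consistent rather than a defect. The test class these methods belong to starts above the hunk.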