@@ -2047,6 +2047,7 @@ def test_extract_field_from_www_auth_valid_cases(
20472047 # Header without requested field
20482048 ('Bearer realm="api", error="insufficient_scope"' , "scope" , "no scope parameter" ),
20492049 ('Bearer realm="api", scope="read write"' , "resource_metadata" , "no resource_metadata parameter" ),
2050+ ("Bearer" , "scope" , "no auth parameters" ),
20502051 # Malformed field (empty value)
20512052 ("Bearer scope=" , "scope" , "malformed scope parameter" ),
20522053 ("Bearer resource_metadata=" , "resource_metadata" , "malformed resource_metadata parameter" ),
@@ -2166,6 +2167,38 @@ def test_extract_field_from_www_auth_handles_escaped_quote_inside_quoted_value(
21662167 result = extract_field_from_www_auth (init_response , "scope" )
21672168 assert result == "read write"
21682169
2170+ def test_extract_field_from_www_auth_ignores_empty_comma_segments (
2171+ self ,
2172+ client_metadata : OAuthClientMetadata ,
2173+ mock_storage : MockTokenStorage ,
2174+ ):
2175+ """Test empty segments between commas are ignored while parsing."""
2176+
2177+ init_response = httpx .Response (
2178+ status_code = 401 ,
2179+ headers = {"WWW-Authenticate" : 'Bearer scope="read write", , error="insufficient_scope"' },
2180+ request = httpx .Request ("GET" , "https://api.example.com/test" ),
2181+ )
2182+
2183+ result = extract_field_from_www_auth (init_response , "scope" )
2184+ assert result == "read write"
2185+
2186+ def test_extract_field_from_www_auth_ignores_trailing_comma (
2187+ self ,
2188+ client_metadata : OAuthClientMetadata ,
2189+ mock_storage : MockTokenStorage ,
2190+ ):
2191+ """Test a trailing comma does not create a malformed final param."""
2192+
2193+ init_response = httpx .Response (
2194+ status_code = 401 ,
2195+ headers = {"WWW-Authenticate" : 'Bearer scope="read write",' },
2196+ request = httpx .Request ("GET" , "https://api.example.com/test" ),
2197+ )
2198+
2199+ result = extract_field_from_www_auth (init_response , "scope" )
2200+ assert result == "read write"
2201+
21692202 def test_extract_resource_metadata_from_www_auth_ignores_quoted_value_decoy (
21702203 self ,
21712204 client_metadata : OAuthClientMetadata ,
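Review bot: In both new tests the requested `scope` parameter comes before the empty segment or trailing comma, so a parser that returns on its first match would pass without ever reaching the malformed part; the implementation is not visible here, so this is inferred from the header strings alone. In `test_extract_field_from_www_auth_ignores_empty_comma_segments`, put the field after the gap, e.g. `headers={"WWW-Authenticate": 'Bearer error="insufficient_scope", , scope="read write"'}`. In the trailing-comma test, add a lookup of an absent field such as `assert extract_field_from_www_auth(init_response, "resource_metadata") is None` (assuming a missing field yields `None`), so the parser has to walk the whole header. This header is server-controlled input to the OAuth client, so the lenient-parsing paths are the ones worth pinning with tests that actually exercise them. The enclosing test class starts outside the hunk and the following test is cut off after its first parameters.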