🐛 Strip whitespaces from `Authorization` header credentials (#14786)

author Cecilia Madrid <61908819+WaveTheory1@users.noreply.github.com>

Wed, 4 Feb 2026 13:46:46 +0000 (14:46 +0100)

committer GitHub <noreply@github.com>

Wed, 4 Feb 2026 13:46:46 +0000 (14:46 +0100)
author Cecilia Madrid <61908819+WaveTheory1@users.noreply.github.com>
Wed, 4 Feb 2026 13:46:46 +0000 (14:46 +0100)
committer GitHub <noreply@github.com>
Wed, 4 Feb 2026 13:46:46 +0000 (14:46 +0100)
diff --git a/fastapi/security/utils.py b/fastapi/security/utils.py

index 002e68b4458a4e726dbaad493272fd3c6f71789c..fd349aec7430341314cb7da3d82eb8d810910997 100644 (file)
--- a/fastapi/security/utils.py
+++ b/fastapi/security/utils.py
@@ -7,4 +7,4 @@ def get_authorization_scheme_param(
      if not authorization_header_value:
          return "", ""
      scheme, _, param = authorization_header_value.partition(" ")
-    return scheme, param
+    return scheme, param.strip()
diff --git a/tests/test_security_http_base.py b/tests/test_security_http_base.py

index 8cf259a750ffbf8129f474184af55ff911495950..ac38ee718e3677fbf88bf58b79966a54172719bc 100644 (file)
--- a/tests/test_security_http_base.py
+++ b/tests/test_security_http_base.py
@@ -21,6 +21,12 @@ def test_security_http_base():
      assert response.json() == {"scheme": "Other", "credentials": "foobar"}
  
  
+def test_security_http_base_with_whitespaces():
+    response = client.get("/users/me", headers={"Authorization": "Other  foobar "})
+    assert response.status_code == 200, response.text
+    assert response.json() == {"scheme": "Other", "credentials": "foobar"}
+
+
  def test_security_http_base_no_credentials():
      response = client.get("/users/me")
      assert response.status_code == 401, response.text
diff --git a/tests/test_security_oauth2_authorization_code_bearer.py b/tests/test_security_oauth2_authorization_code_bearer.py

index f2097b14904a4e76f81a6d0d220f8bba4d6b8d26..66f53ab00db5c4a80166abe20b79c38bee20af0f 100644 (file)
--- a/tests/test_security_oauth2_authorization_code_bearer.py
+++ b/tests/test_security_oauth2_authorization_code_bearer.py
@@ -37,6 +37,12 @@ def test_token():
      assert response.json() == {"token": "testtoken"}
  
  
+def test_token_with_whitespaces():
+    response = client.get("/items", headers={"Authorization": "Bearer  testtoken "})
+    assert response.status_code == 200, response.text
+    assert response.json() == {"token": "testtoken"}
+
+
  def test_openapi_schema():
      response = client.get("/openapi.json")
      assert response.status_code == 200, response.text
author	Cecilia Madrid <61908819+WaveTheory1@users.noreply.github.com>
	Wed, 4 Feb 2026 13:46:46 +0000 (14:46 +0100)
committer	GitHub <noreply@github.com>
	Wed, 4 Feb 2026 13:46:46 +0000 (14:46 +0100)
fastapi/security/utils.py		patch \| blob \| blame \| history
tests/test_security_http_base.py		patch \| blob \| blame \| history
tests/test_security_oauth2_authorization_code_bearer.py		patch \| blob \| blame \| history