Tolerate Authorization headers in the form 'Bearer [token]'

[mwtrew]

Status

• Related to https://github.com/RaspberryPiFoundation/digital-editor-issues/issues/1532 (see comments)
• More context in Slack

Points for consideration:

• Security: we already assume everything in the Authorization header is a Bearer token, so no material change here.
• Performance: the regex will match once at the start of the string only, so should have minimal performance impact.

What's changed?

• Authorization headers are currently expected to be in the non-standard form Authorization: [token] - the auth scheme is missing. This change means the API will also tolerate the more correct form Authorization: Bearer [token] by normalising it to omit Bearer. Previously, the API would accept such headers, but they would cause errors when re-used to authenticate calls to other systems like Hydra.

[Copilot]

Pull request overview

This PR updates the API’s authentication header handling in the Identifiable controller concern so it can accept both the legacy non-standard Authorization: <token> format and the more standard Authorization: Bearer <token> format, preventing downstream reuse issues.

Changes:

• Strip and normalize the Authorization header before attempting token-based identification.
• Introduce extract_token to remove a Bearer prefix (case-insensitive).
• Add controller-concern unit specs covering raw-token and Bearer-prefixed headers.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
app/controllers/concerns/identifiable.rb	Normalizes Authorization header input and extracts a Bearer token before calling User.from_token.
spec/controllers/concerns/identifiable_spec.rb	Adds unit tests validating token extraction behavior for raw and Bearer-prefixed inputs.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Test coverage

92.04% line coverage reported by SimpleCov.
Run: https://github.com/RaspberryPiFoundation/editor-api/actions/runs/28435666006

[cursor]

Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

Want fixes drafted automatically? Bugbot Autofix can create code changes for findings. A team admin can enable Autofix in the Cursor dashboard.

^{Reviewed by Cursor Bugbot for commit e3274d7. Configure here.}