actionpack 3.2.22.5 → 4.0.0.beta1

data/lib/action_controller/metal/data_streaming.rb

@@ -1,4 +1,3 @@
-require 'active_support/core_ext/file/path'
 require 'action_controller/metal/exceptions'
 
 module ActionController #:nodoc:
@@ -9,15 +8,13 @@ module ActionController #:nodoc:
 
     include ActionController::Rendering
 
-    DEFAULT_SEND_FILE_OPTIONS = {
-      :type         => 'application/octet-stream'.freeze,
-      :disposition  => 'attachment'.freeze,
-    }.freeze
+    DEFAULT_SEND_FILE_TYPE        = 'application/octet-stream'.freeze #:nodoc:
+    DEFAULT_SEND_FILE_DISPOSITION = 'attachment'.freeze #:nodoc:
 
     protected
       # Sends the file. This uses a server-appropriate method (such as X-Sendfile)
       # via the Rack::Sendfile middleware. The header to use is set via
-      # config.action_dispatch.x_sendfile_header.
+      # +config.action_dispatch.x_sendfile_header+.
       # Your server can also configure this for you by setting the X-Sendfile-Type header.
       #
       # Be careful to sanitize the path parameter if it is coming from a web
@@ -50,11 +47,11 @@ module ActionController #:nodoc:
       #
       # Show a JPEG in the browser:
       #
-      #   send_file '/path/to.jpeg', :type => 'image/jpeg', :disposition => 'inline'
+      #   send_file '/path/to.jpeg', type: 'image/jpeg', disposition: 'inline'
       #
       # Show a 404 page in the browser:
       #
-      #   send_file '/path/to/404.html', :type => 'text/html; charset=utf-8', :status => 404
+      #   send_file '/path/to/404.html', type: 'text/html; charset=utf-8', status: 404
       #
       # Read about the other Content-* HTTP headers if you'd like to
       # provide the user with more information (such as Content-Description) in
@@ -99,7 +96,7 @@ module ActionController #:nodoc:
       end
 
       # Sends the given binary data to the browser. This method is similar to
-      # <tt>render :text => data</tt>, but also allows you to specify whether
+      # <tt>render text: data</tt>, but also allows you to specify whether
       # the browser should display the response as a file attachment (i.e. in a
       # download dialog) or as inline data. You may also set the content type,
       # the apparent file name, and other things.
@@ -120,15 +117,15 @@ module ActionController #:nodoc:
       #
       # Download a dynamically-generated tarball:
       #
-      #   send_data generate_tgz('dir'), :filename => 'dir.tgz'
+      #   send_data generate_tgz('dir'), filename: 'dir.tgz'
       #
       # Display an image Active Record in the browser:
       #
-      #   send_data image.data, :type => image.content_type, :disposition => 'inline'
+      #   send_data image.data, type: image.content_type, disposition: 'inline'
       #
       # See +send_file+ for more information on HTTP Content-* headers and caching.
       def send_data(data, options = {}) #:doc:
-        send_file_headers! options.dup
+        send_file_headers! options
         render options.slice(:status, :content_type).merge(:text => data)
       end
 
@@ -136,15 +133,8 @@ module ActionController #:nodoc:
       def send_file_headers!(options)
         type_provided = options.has_key?(:type)
 
-        options.update(DEFAULT_SEND_FILE_OPTIONS.merge(options))
-        [:type, :disposition].each do |arg|
-          raise ArgumentError, ":#{arg} option required" if options[arg].nil?
-        end
-
-        disposition = options[:disposition].to_s
-        disposition += %(; filename="#{options[:filename]}") if options[:filename]
-
-        content_type = options[:type]
+        content_type = options.fetch(:type, DEFAULT_SEND_FILE_TYPE)
+        raise ArgumentError, ":type option required" if content_type.nil?
 
         if content_type.is_a?(Symbol)
           extension = Mime[content_type]
@@ -153,15 +143,19 @@ module ActionController #:nodoc:
         else
           if !type_provided && options[:filename]
             # If type wasn't provided, try guessing from file extension.
-            content_type = Mime::Type.lookup_by_extension(File.extname(options[:filename]).downcase.tr('.','')) || content_type
+            content_type = Mime::Type.lookup_by_extension(File.extname(options[:filename]).downcase.delete('.')) || content_type
           end
           self.content_type = content_type
         end
 
-        headers.merge!(
-          'Content-Disposition'       => disposition,
-          'Content-Transfer-Encoding' => 'binary'
-        )
+        disposition = options.fetch(:disposition, DEFAULT_SEND_FILE_DISPOSITION)
+        unless disposition.nil?
+          disposition  = disposition.to_s
+          disposition += %(; filename="#{options[:filename]}") if options[:filename]
+          headers['Content-Disposition'] = disposition
+        end
+
+        headers['Content-Transfer-Encoding'] = 'binary'
 
         response.sending_file = true
 

data/lib/action_controller/metal/exceptions.rb

@@ -2,6 +2,18 @@ module ActionController
   class ActionControllerError < StandardError #:nodoc:
   end
 
+  class BadRequest < ActionControllerError #:nodoc:
+    attr_reader :original_exception
+
+    def initialize(type = nil, e = nil)
+      return super() unless type && e
+
+      super("Invalid #{type} parameters: #{e.message}")
+      @original_exception = e
+      set_backtrace e.backtrace
+    end
+  end
+
   class RenderError < ActionControllerError #:nodoc:
   end
 
@@ -13,9 +25,10 @@ module ActionController
     end
   end
 
-  class MethodNotAllowed < ActionControllerError #:nodoc:
-    attr_reader :allowed_methods
+  class ActionController::UrlGenerationError < RoutingError #:nodoc:
+  end
 
+  class MethodNotAllowed < ActionControllerError #:nodoc:
     def initialize(*allowed_methods)
       super("Only #{allowed_methods.to_sentence(:locale => :en)} requests are allowed.")
     end
@@ -30,9 +43,6 @@ module ActionController
   class MissingFile < ActionControllerError #:nodoc:
   end
 
-  class RenderError < ActionControllerError #:nodoc:
-  end
-
   class SessionOverflowError < ActionControllerError #:nodoc:
     DEFAULT_MESSAGE = 'Your session data is larger than the data column in which it is to be stored. You must increase the size of your data column if you intend to store large data.'
 
@@ -43,4 +53,7 @@ module ActionController
 
   class UnknownHttpMethod < ActionControllerError #:nodoc:
   end
-end
+
+  class UnknownFormat < ActionControllerError #:nodoc:
+  end
+end

data/lib/action_controller/metal/flash.rb

@@ -3,19 +3,34 @@ module ActionController #:nodoc:
     extend ActiveSupport::Concern
 
     included do
-      delegate :flash, :to => :request
-      delegate :alert, :notice, :to => "request.flash"
-      helper_method :alert, :notice
+      class_attribute :_flash_types, instance_accessor: false
+      self._flash_types = []
+
+      delegate :flash, to: :request
+      add_flash_types(:alert, :notice)
     end
 
-    protected
-      def redirect_to(options = {}, response_status_and_flash = {}) #:doc:
-        if alert = response_status_and_flash.delete(:alert)
-          flash[:alert] = alert
+    module ClassMethods
+      def add_flash_types(*types)
+        types.each do |type|
+          next if _flash_types.include?(type)
+
+          define_method(type) do
+            request.flash[type]
+          end
+          helper_method type
+
+          _flash_types << type
         end
+      end
+    end
 
-        if notice = response_status_and_flash.delete(:notice)
-          flash[:notice] = notice
+    protected
+      def redirect_to(options = {}, response_status_and_flash = {}) #:doc:
+        self.class._flash_types.each do |flash_type|
+          if type = response_status_and_flash.delete(flash_type)
+            flash[flash_type] = type
+          end
         end
 
         if other_flashes = response_status_and_flash.delete(:flash)

data/lib/action_controller/metal/force_ssl.rb

@@ -18,22 +18,45 @@ module ActionController
       # Force the request to this particular controller or specified actions to be
       # under HTTPS protocol.
       #
-      # Note that this method will not be effective on development environment.
+      # If you need to disable this for any reason (e.g. development) then you can use
+      # an +:if+ or +:unless+ condition.
+      #
+      #     class AccountsController < ApplicationController
+      #       force_ssl if: :ssl_configured?
+      #
+      #       def ssl_configured?
+      #         !Rails.env.development?
+      #       end
+      #     end
       #
       # ==== Options
+      # * <tt>host</tt>   - Redirect to a different host name
       # * <tt>only</tt>   - The callback should be run only for this action
-      # * <tt>except</tt>  - The callback should be run for all actions except this action
+      # * <tt>except</tt> - The callback should be run for all actions except this action
+      # * <tt>if</tt>     - A symbol naming an instance method or a proc; the callback
+      #                     will be called only when it returns a true value.
+      # * <tt>unless</tt> - A symbol naming an instance method or a proc; the callback
+      #                     will be called only when it returns a false value.
       def force_ssl(options = {})
         host = options.delete(:host)
-        before_filter(options) do
-          if !request.ssl? && !Rails.env.development?
-            redirect_options = {:protocol => 'https://', :status => :moved_permanently}
-            redirect_options.merge!(:host => host) if host
-            redirect_options.merge!(:params => request.query_parameters)
-            redirect_to redirect_options
-          end
+        before_action(options) do
+          force_ssl_redirect(host)
         end
       end
     end
+
+    # Redirect the existing request to use the HTTPS protocol.
+    #
+    # ==== Parameters
+    # * <tt>host</tt> - Redirect to a different host name
+    def force_ssl_redirect(host = nil)
+      unless request.ssl?
+        redirect_options = {:protocol => 'https://', :status => :moved_permanently}
+        redirect_options.merge!(:host => host) if host
+        redirect_options.merge!(:params => request.query_parameters)
+        flash.keep if respond_to?(:flash)
+        redirect_to redirect_options
+      end
+    end
   end
 end

data/lib/action_controller/metal/head.rb

@@ -7,9 +7,9 @@ module ActionController
     # This allows you to easily return a response that consists only of
     # significant headers:
     #
-    #   head :created, :location => person_path(@person)
+    #   head :created, location: person_path(@person)
     #
-    #   head :created, :location => @person
+    #   head :created, location: @person
     #
     # It can also be used to return exceptional conditions:
     #
@@ -28,8 +28,29 @@ module ActionController
 
       self.status = status
       self.location = url_for(location) if location
-      self.content_type = content_type || (Mime[formats.first] if formats)
-      self.response_body = " "
+
+      if include_content?(self.status)
+        self.content_type = content_type || (Mime[formats.first] if formats)
+        self.response.charset = false if self.response
+        self.response_body = " "
+      else
+        headers.delete('Content-Type')
+        headers.delete('Content-Length')
+        self.response_body = ""
+      end
+    end
+
+    private
+    # :nodoc:
+    def include_content?(status)
+      case status
+      when 100..199
+        false
+      when 204, 205, 304
+        false
+      else
+        true
+      end
     end
   end
 end

data/lib/action_controller/metal/helpers.rb

@@ -1,6 +1,3 @@
-require 'active_support/core_ext/array/wrap'
-require 'active_support/core_ext/class/attribute'
-
 module ActionController
   # The \Rails framework provides a large number of helpers for working with assets, dates, forms,
   # numbers and model objects, to name a few. These helpers are available to all templates
@@ -17,7 +14,6 @@ module ActionController
   # Additional helpers can be specified using the +helper+ class method in ActionController::Base or any
   # controller which inherits from it.
   #
-  # ==== Examples
   # The +to_s+ method from the \Time class can be wrapped in a helper method to display a custom message if
   # a \Time object is blank:
   #
@@ -53,6 +49,7 @@ module ActionController
   module Helpers
     extend ActiveSupport::Concern
 
+    class << self; attr_accessor :helpers_path; end
     include AbstractController::Helpers
 
     included do
@@ -93,12 +90,12 @@ module ActionController
       end
 
       def all_helpers_from_path(path)
-        helpers = []
-        Array.wrap(path).each do |_path|
-          extract  = /^#{Regexp.quote(_path.to_s)}\/?(.*)_helper.rb$/
-          helpers += Dir["#{_path}/**/*_helper.rb"].map { |file| file.sub(extract, '\1') }
+        helpers = Array(path).flat_map do |_path|
+          extract = /^#{Regexp.quote(_path.to_s)}\/?(.*)_helper.rb$/
+          names = Dir["#{_path}/**/*_helper.rb"].map { |file| file.sub(extract, '\1') }
+          names.sort!
+          names
         end
-        helpers.sort!
         helpers.uniq!
         helpers
       end

data/lib/action_controller/metal/hide_actions.rb

@@ -1,4 +1,3 @@
-require 'active_support/core_ext/class/attribute'
 
 module ActionController
   # Adds the ability to prevent public methods on a controller to be called as actions.
@@ -28,7 +27,7 @@ module ActionController
       end
 
       def visible_action?(action_name)
-        not hidden_actions.include?(action_name)
+        action_methods.include?(action_name)
       end
 
       # Overrides AbstractController::Base#action_methods to remove any methods

data/lib/action_controller/metal/http_authentication.rb

@@ -1,22 +1,21 @@
-require 'active_support/base64'
-require 'active_support/core_ext/object/blank'
-require 'active_support/security_utils'
+require 'base64'
 
 module ActionController
+  # Makes it dead easy to do HTTP Basic, Digest and Token authentication.
   module HttpAuthentication
-    # Makes it dead easy to do HTTP \Basic and \Digest authentication.
+    # Makes it dead easy to do HTTP \Basic authentication.
     #
     # === Simple \Basic example
     #
     #   class PostsController < ApplicationController
-    #     http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
+    #     http_basic_authenticate_with name: "dhh", password: "secret", except: :index
     #
     #     def index
-    #       render :text => "Everyone can see me!"
+    #       render text: "Everyone can see me!"
     #     end
     #
     #     def edit
-    #       render :text => "I'm only accessible if you know the password"
+    #       render text: "I'm only accessible if you know the password"
     #     end
     #  end
     #
@@ -26,7 +25,7 @@ module ActionController
     # the regular HTML interface is protected by a session approach:
     #
     #   class ApplicationController < ActionController::Base
-    #     before_filter :set_account, :authenticate
+    #     before_action :set_account, :authenticate
     #
     #     protected
     #       def set_account
@@ -61,47 +60,6 @@ module ActionController
     #
     #     assert_equal 200, status
     #   end
-    #
-    # === Simple \Digest example
-    #
-    #   require 'digest/md5'
-    #   class PostsController < ApplicationController
-    #     REALM = "SuperSecret"
-    #     USERS = {"dhh" => "secret", #plain text password
-    #              "dap" => Digest::MD5.hexdigest(["dap",REALM,"secret"].join(":"))}  #ha1 digest password
-    #
-    #     before_filter :authenticate, :except => [:index]
-    #
-    #     def index
-    #       render :text => "Everyone can see me!"
-    #     end
-    #
-    #     def edit
-    #       render :text => "I'm only accessible if you know the password"
-    #     end
-    #
-    #     private
-    #       def authenticate
-    #         authenticate_or_request_with_http_digest(REALM) do |username|
-    #           USERS[username]
-    #         end
-    #       end
-    #   end
-    #
-    # === Notes
-    #
-    # The +authenticate_or_request_with_http_digest+ block must return the user's password
-    # or the ha1 digest hash so the framework can appropriately hash to check the user's
-    # credentials. Returning +nil+ will cause authentication to fail.
-    #
-    # Storing the ha1 hash: MD5(username:realm:password), is better than storing a plain password. If
-    # the password file or database is compromised, the attacker would be able to use the ha1 hash to
-    # authenticate as the user at this +realm+, but would not have the user's password to try using at
-    # other sites.
-    #
-    # In rare instances, web servers or front proxies strip authorization headers before
-    # they reach your application. You can debug this situation by logging all environment
-    # variables, and check for HTTP_AUTHORIZATION, amongst others.
     module Basic
       extend self
 
@@ -110,13 +68,9 @@ module ActionController
 
         module ClassMethods
           def http_basic_authenticate_with(options = {})
-            before_filter(options.except(:name, :password, :realm)) do
+            before_action(options.except(:name, :password, :realm)) do
               authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
-                # This comparison uses & so that it doesn't short circuit and
-                # uses `variable_size_secure_compare` so that length information
-                # isn't leaked.
-                ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
-                  ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
+                name == options[:name] && password == options[:password]
               end
             end
           end
@@ -160,6 +114,48 @@ module ActionController
       end
     end
 
+    # Makes it dead easy to do HTTP \Digest authentication.
+    #
+    # === Simple \Digest example
+    #
+    #   require 'digest/md5'
+    #   class PostsController < ApplicationController
+    #     REALM = "SuperSecret"
+    #     USERS = {"dhh" => "secret", #plain text password
+    #              "dap" => Digest::MD5.hexdigest(["dap",REALM,"secret"].join(":"))}  #ha1 digest password
+    #
+    #     before_action :authenticate, except: [:index]
+    #
+    #     def index
+    #       render text: "Everyone can see me!"
+    #     end
+    #
+    #     def edit
+    #       render text: "I'm only accessible if you know the password"
+    #     end
+    #
+    #     private
+    #       def authenticate
+    #         authenticate_or_request_with_http_digest(REALM) do |username|
+    #           USERS[username]
+    #         end
+    #       end
+    #   end
+    #
+    # === Notes
+    #
+    # The +authenticate_or_request_with_http_digest+ block must return the user's password
+    # or the ha1 digest hash so the framework can appropriately hash to check the user's
+    # credentials. Returning +nil+ will cause authentication to fail.
+    #
+    # Storing the ha1 hash: MD5(username:realm:password), is better than storing a plain password. If
+    # the password file or database is compromised, the attacker would be able to use the ha1 hash to
+    # authenticate as the user at this +realm+, but would not have the user's password to try using at
+    # other sites.
+    #
+    # In rare instances, web servers or front proxies strip authorization headers before
+    # they reach your application. You can debug this situation by logging all environment
+    # variables, and check for HTTP_AUTHORIZATION, amongst others.
     module Digest
       extend self
 
@@ -197,7 +193,7 @@ module ActionController
           return false unless password
 
           method = request.env['rack.methodoverride.original_method'] || request.env['REQUEST_METHOD']
-          uri    = credentials[:uri][0,1] == '/' ? request.original_fullpath : request.original_url
+          uri    = credentials[:uri]
 
           [true, false].any? do |trailing_question_mark|
             [true, false].any? do |password_is_ha1|
@@ -232,7 +228,7 @@ module ActionController
       end
 
       def decode_credentials(header)
-        HashWithIndifferentAccess[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
+        ActiveSupport::HashWithIndifferentAccess[header.to_s.gsub(/^Digest\s+/, '').split(',').map do |pair|
           key, value = pair.split('=', 2)
           [key.strip, value.to_s.gsub(/^"|"$/,'').delete('\'')]
         end]
@@ -253,9 +249,9 @@ module ActionController
       end
 
       def secret_token(request)
-        secret = request.env["action_dispatch.secret_token"]
-        raise "You must set config.secret_token in your app's config" if secret.blank?
-        secret
+        key_generator  = request.env["action_dispatch.key_generator"]
+        http_auth_salt = request.env["action_dispatch.http_auth_salt"]
+        key_generator.generate_key(http_auth_salt)
       end
 
       # Uses an MD5 digest based on time to generate a value to be used only once.
@@ -268,7 +264,7 @@ module ActionController
       # The quality of the implementation depends on a good choice.
       # A nonce might, for example, be constructed as the base 64 encoding of
       #
-      # => time-stamp H(time-stamp ":" ETag ":" private-key)
+      #   time-stamp H(time-stamp ":" ETag ":" private-key)
       #
       # where time-stamp is a server-generated time or other non-repeating value,
       # ETag is the value of the HTTP ETag header associated with the requested entity,
@@ -284,7 +280,7 @@ module ActionController
       #
       # An implementation might choose not to accept a previously used nonce or a previously used digest, in order to
       # protect against a replay attack. Or, an implementation might choose to use one-time nonces or digests for
-      # POST or PUT requests and a time-stamp for GET requests. For more details on the issues involved see Section 4
+      # POST, PUT, or PATCH requests and a time-stamp for GET requests. For more details on the issues involved see Section 4
       # of this document.
       #
       # The nonce is opaque to the client. Composed of Time, and hash of Time with secret
@@ -294,11 +290,11 @@ module ActionController
         t = time.to_i
         hashed = [t, secret_key]
         digest = ::Digest::MD5.hexdigest(hashed.join(":"))
-        ::Base64.encode64("#{t}:#{digest}").gsub("\n", '')
+        ::Base64.strict_encode64("#{t}:#{digest}")
       end
 
       # Might want a shorter timeout depending on whether the request
-      # is a PUT or POST, and if client is browser or web service.
+      # is a PATCH, PUT, or POST, and if client is browser or web service.
       # Can be much shorter if the Stale directive is implemented. This would
       # allow a user to use new nonce without prompting user again for their
       # username and password.
@@ -321,14 +317,14 @@ module ActionController
     #   class PostsController < ApplicationController
     #     TOKEN = "secret"
     #
-    #     before_filter :authenticate, :except => [ :index ]
+    #     before_action :authenticate, except: [ :index ]
     #
     #     def index
-    #       render :text => "Everyone can see me!"
+    #       render text: "Everyone can see me!"
     #     end
     #
     #     def edit
-    #       render :text => "I'm only accessible if you know the password"
+    #       render text: "I'm only accessible if you know the password"
     #     end
     #
     #     private
@@ -344,7 +340,7 @@ module ActionController
     # the regular HTML interface is protected by a session approach:
     #
     #   class ApplicationController < ActionController::Base
-    #     before_filter :set_account, :authenticate
+    #     before_action :set_account, :authenticate
     #
     #     protected
     #       def set_account
@@ -375,7 +371,7 @@ module ActionController
     #   def test_access_granted_from_xml
     #     get(
     #       "/notes/1.xml", nil,
-    #       :authorization => ActionController::HttpAuthentication::Token.encode_credentials(users(:dhh).token)
+    #       'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Token.encode_credentials(users(:dhh).token)
     #     )
     #
     #     assert_equal 200, status
@@ -388,6 +384,8 @@ module ActionController
     #
     #   RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
     module Token
+      TOKEN_REGEX = /^Token /
+      AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
       extend self
 
       module ControllerMethods
@@ -404,16 +402,20 @@ module ActionController
         end
       end
 
-      # If token Authorization header is present, call the login procedure with
-      # the present token and options.
+      # If token Authorization header is present, call the login
+      # procedure with the present token and options.
       #
-      # controller      - ActionController::Base instance for the current request.
-      # login_procedure - Proc to call if a token is present. The Proc should
-      #                   take 2 arguments:
-      #                     authenticate(controller) { |token, options| ... }
+      # [controller]
+      #   ActionController::Base instance for the current request.
       #
-      # Returns the return value of `&login_procedure` if a token is found.
-      # Returns nil if no token is found.
+      # [login_procedure]
+      #   Proc to call if a token is present. The Proc should take two arguments:
+      #
+      #     authenticate(controller) { |token, options| ... }
+      #
+      # Returns the return value of <tt>login_procedure</tt> if a
+      # token is found. Returns <tt>nil</tt> if no token is found.
+
       def authenticate(controller, &login_procedure)
         token, options = token_and_options(controller.request)
         unless token.blank?
@@ -424,25 +426,41 @@ module ActionController
       # Parses the token and options out of the token authorization header. If
       # the header looks like this:
       #   Authorization: Token token="abc", nonce="def"
-      # Then the returned token is "abc", and the options is {:nonce => "def"}
+      # Then the returned token is "abc", and the options is {nonce: "def"}
       #
       # request - ActionDispatch::Request instance with the current headers.
       #
       # Returns an Array of [String, Hash] if a token is present.
       # Returns nil if no token is found.
       def token_and_options(request)
-        if request.authorization.to_s[/^Token (.*)/]
-          values = Hash[$1.split(',').map do |value|
-            value.strip!                      # remove any spaces between commas and values
-            key, value = value.split(/\=\"?/) # split key=value pairs
-            value.chomp!('"')                 # chomp trailing " in value
-            value.gsub!(/\\\"/, '"')          # unescape remaining quotes
-            [key, value]
-          end]
-          [values.delete("token"), values.with_indifferent_access]
+        authorization_request = request.authorization.to_s
+        if authorization_request[TOKEN_REGEX]
+          params = token_params_from authorization_request
+          [params.shift.last, Hash[params].with_indifferent_access]
         end
       end
 
+      def token_params_from(auth)
+        rewrite_param_values params_array_from raw_params auth
+      end
+
+      # Takes raw_params and turns it into an array of parameters
+      def params_array_from(raw_params)
+        raw_params.map { |param| param.split %r/=(.+)?/ }
+      end
+
+      # This removes the `"` characters wrapping the value.
+      def rewrite_param_values(array_params)
+        array_params.each { |param| param.last.gsub! %r/^"|"$/, '' }
+      end
+
+      # This method takes an authorization body and splits up the key-value
+      # pairs by the standardized `:`, `;`, or `\t` delimiters defined in
+      # `AUTHN_PAIR_DELIMITERS`.
+      def raw_params(auth)
+        auth.sub(TOKEN_REGEX, '').split(/"\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
+      end
+
       # Encodes the given token and options into an Authorization header value.
       #
       # token   - String token.