From a2775ca2b83a2cd58c5f97df51535c8eac25e5b8 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 6 Jun 2026 22:22:41 +0000
Subject: [PATCH] fix: handle malformed authorization header in hybrid auth backend
Co-authored-by: zurdi15 <34356590+zurdi15@users.noreply.github.com>
---
 backend/handler/auth/hybrid_auth.py | 6 +++++-
 backend/tests/endpoints/test_heartbeat.py | 9 +++++++++
 backend/tests/handler/auth/test_auth.py | 16 ++++++++++++++++
 3 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/backend/handler/auth/hybrid_auth.py b/backend/handler/auth/hybrid_auth.py
index 5ec3923a9..42f84b4f6 100644
--- a/backend/handler/auth/hybrid_auth.py
+++ b/backend/handler/auth/hybrid_auth.py
@@ -25,7 +25,11 @@ class HybridAuthBackend(AuthenticationBackend):
 # Check if Authorization header exists
 if "Authorization" in conn.headers:
- scheme, token = conn.headers["Authorization"].split()
+ auth_header_parts = conn.headers["Authorization"].split()
+ if len(auth_header_parts) != 2:
+ return None
+
+ scheme, token = auth_header_parts
 # Check if basic auth header is valid
 if scheme.lower() == "basic":
diff --git a/backend/tests/endpoints/test_heartbeat.py b/backend/tests/endpoints/test_heartbeat.py
index b322770d4..7548f0e97 100644
--- a/backend/tests/endpoints/test_heartbeat.py
+++ b/backend/tests/endpoints/test_heartbeat.py
@@ -1,5 +1,6 @@
 from unittest.mock import AsyncMock, MagicMock, patch
+import pytest
 from fastapi import status
 from exceptions.fs_exceptions import PlatformAlreadyExistsException
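Review bot: The new `return None` on the `len(auth_header_parts) != 2` branch makes a malformed Authorization header indistinguishable from no header at all, so a client that sends a broken credential is silently served as anonymous instead of learning that its credential was never evaluated. If `AuthenticationBackend` here is Starlette's, raising `AuthenticationError("Malformed Authorization header")` from that branch would have `AuthenticationMiddleware` answer with a 400, which surfaces the client error; that would, however, conflict with the 200 the new heartbeat test expects, so the choice should be deliberate. If the silent fallback is the intended behaviour, say so at the branch: `# Malformed header (not exactly "<scheme> <credentials>"): treat as unauthenticated rather than let the unpack raise ValueError`. The enclosing method (presumably `authenticate`, per the tests) starts and ends outside the hunk.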
@@ -51,6 +52,14 @@ def test_heartbeat(client):
 assert isinstance(oidc["RP_INITIATED_LOGOUT"], bool)
+@pytest.mark.parametrize("authorization_header", ["Bearer ", "Foo", "a b c"])
+def test_heartbeat_with_malformed_authorization_header(client, authorization_header: str):
+ response = client.get(
+ "/api/heartbeat", headers={"Authorization": authorization_header}
+ )
+ assert response.status_code == status.HTTP_200_OK
+
+
 def test_heartbeat_metadata(client):
 response = client.get("/api/heartbeat/metadata/launchbox")
 assert response.status_code == status.HTTP_200_OK
diff --git a/backend/tests/handler/auth/test_auth.py b/backend/tests/handler/auth/test_auth.py
index 08fc7a37f..1c15b59c7 100644
--- a/backend/tests/handler/auth/test_auth.py
+++ b/backend/tests/handler/auth/test_auth.py
@@ -192,6 +192,22 @@ async def test_hybrid_auth_backend_invalid_scheme():
 assert result is None
+@pytest.mark.parametrize("authorization_header", ["Bearer ", "Foo", "a b c"])
+async def test_hybrid_auth_backend_malformed_authorization_header(
+ authorization_header: str,
+):
+ class MockConnection(HTTPConnection):
+ def __init__(self):
+ self.scope: dict[str, dict] = {"session": {}}
+ self._headers = {"Authorization": authorization_header}
+
+ backend = HybridAuthBackend()
+ conn = MockConnection()
+
+ result = await backend.authenticate(conn)
+ assert result is None
+
+
 async def test_hybrid_auth_backend_with_refresh_token(editor_user: User):
 refresh_token = oauth_handler.create_refresh_token(
 data={
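Review bot: The parametrized cases in `test_heartbeat_with_malformed_authorization_header` cover a scheme with no credential (`"Bearer "` splits to a single part), a bare word and too many parts, but not the empty header `""`, which `str.split()` turns into `[]` and which the backend's length check also rejects; adding it pins that degenerate case, e.g. `["", "Bearer ", "Foo", "a b c"]`. The test asserts only the status code, so it cannot tell whether the request was served as anonymous or whether the header was parsed at all — acceptable for a heartbeat endpoint, but worth stating in a one-line docstring such as `"""A malformed Authorization header must not crash the auth backend; the request is served as anonymous."""`.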
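Review bot: `MockConnection` bypasses `HTTPConnection.__init__` and sets `self._headers` to a plain `dict`, whereas the `headers` property of a real Starlette `HTTPConnection` yields a case-insensitive `Headers` object built from the ASGI scope, so the test exercises a different header lookup than production. Constructing the connection the way the middleware does avoids the bypass and the private-attribute poke: `conn = HTTPConnection({"type": "http", "headers": [(b"authorization", authorization_header.encode("latin-1"))], "session": {}})`. The sibling test referenced in the hunk header (`test_hybrid_auth_backend_invalid_scheme`) lies outside SOURCE; if it uses the same mock pattern, both should be changed together so the file keeps one fixture style.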