conformance(www-authenticate): quoted-value Payment keyword vectors #30
Merged
brendanjryan merged 1 commit intoJun 17, 2026
Add two parse scenarios asserting that the word 'Payment' inside a quoted parameter value (realm, description) is treated as an opaque string and not mistaken for a second auth scheme / scheme boundary. Same family as the existing escaped/unescaped quoted-string scenarios; verified against the python adapter (32/32 parse). Codifies the behaviour fixed in stripe/mpp-rb#11.
mablr (Contributor) reviewed Jun 15, 2026 and left a comment:
Sounds good. To be rechecked after stripe/mpp-rb#11 and stripe/mpp-rb#14 comments are addressed.
What this adds
Two parse scenarios to conformance/vectors/www-authenticate.json asserting that the literal word Payment appearing inside a quoted parameter value is treated as an opaque string, not a second auth scheme or a scheme boundary:
- payment_keyword_in_quoted_realm: realm="contact Payment support"
- payment_keyword_in_quoted_description: description="Pay with the Payment scheme"
Both are happy-path parses: the challenge decodes with the full quoted value intact.

Why
A merged or proxy-rewritten WWW-Authenticate header can carry the word Payment inside a quoted parameter, and a parser that scans for the scheme name without respecting quoted strings can mis-detect a boundary and pick the wrong challenge (or none). This is the behaviour fixed in stripe/mpp-rb#11; these vectors codify it as cross-SDK truth so every adapter is held to it.
They sit in the same family as the existing escaped_quotes_in_description / unescaped_quotes_in_description scenarios (quoted values are opaque), so conformant parsers already satisfy them.

Verification
python3 scripts/vector_runner.py --adapter python --vector www-authenticate -> 32 passed, 32 total (the two new vectors included). Diff is additive only (no reformatting of existing scenarios).

Note
A companion concern from the same review (stripe/mpp-rb#14, stricter rejection of malformed auth-params) is intentionally NOT added here: the SDKs are not yet aligned on malformed-param strictness (the Python parser is currently lenient where Ruby now rejects), so a rejection vector would need that cross-SDK alignment first. Happy to follow up with it once the implementations converge.
Review by GPT-5.5 (xhigh, via Codex)
Codex independently re-ran the python adapter on the new scheme-boundary tag (vector_runner.py --tag scheme-boundary): 2/2 pass.
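
The quote-aware parsing these vectors pin down, shown beside a quote-blind scan, as an added Python example that is not code from this PR or from any of the SDKs. The function names and the sample header are constructed for illustration, and skipping malformed elements instead of rejecting them is an assumption of this sketch, not a statement of any adapter's behaviour.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PARAM = re.compile(rf'({TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))\s*$', re.S)
SCHEME = re.compile(rf"({TOKEN})(?:\s+(.+))?$", re.S)

# Constructed sample: a merged header with the word Payment inside quoted values.
SAMPLE = ('Basic realm="contact Payment support", '
          'Payment realm="api", description="Pay with the Payment scheme"')

def naive_scheme_hits(header, scheme="Payment"):
    """Quote-blind scan: counts every occurrence of the scheme word."""
    return len(re.findall(rf"\b{re.escape(scheme)}\s", header))

def split_top_level(header):
    """Split on commas outside quoted strings, honouring backslash escapes."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in header:
        if escaped:
            escaped = False
        elif in_quotes and ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_challenges(header):
    """Return [(scheme, params)]; quoted values stay opaque strings."""
    challenges = []
    for element in split_top_level(header):
        param = PARAM.match(element)
        if param is None:  # not name=value, so this element opens a challenge
            start = SCHEME.match(element)
            if start is None:
                continue  # malformed element: skipped here (assumed lenient)
            challenges.append((start.group(1), {}))
            param = PARAM.match(start.group(2) or "")
        if param is not None and challenges:
            name, quoted, bare = param.groups()
            value = bare if quoted is None else re.sub(r"\\(.)", r"\1", quoted)
            challenges[-1][1][name.lower()] = value
    return challenges
```

On the constructed sample the quote-blind scan sees three candidate scheme positions, while the quote-aware parse yields exactly one Payment challenge with both quoted values intact.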