
conformance(www-authenticate): quoted-value Payment keyword vectors#30

Merged
brendanjryan merged 1 commit into tempoxyz:main from EfeDurmaz16:conformance/quoted-payment-scheme-boundary on Jun 17, 2026

@EfeDurmaz16 EfeDurmaz16 commented Jun 13, 2026

Contributor

What this adds

Two parse scenarios to conformance/vectors/www-authenticate.json asserting that the literal word Payment appearing inside a quoted parameter value is treated as an opaque string, not a second auth scheme or a scheme boundary:

  • payment_keyword_in_quoted_realm: realm="contact Payment support"
  • payment_keyword_in_quoted_description: description="Pay with the Payment scheme"

Both are happy-path parses: the challenge decodes with the full quoted value intact.

Why

A merged or proxy-rewritten WWW-Authenticate header can carry the word Payment inside a quoted parameter, and a parser that scans for the scheme name without respecting quoted strings can mis-detect a boundary and pick the wrong challenge (or none). This is the behaviour fixed in stripe/mpp-rb#11; these vectors codify it as cross-SDK truth so every adapter is held to it.

They sit in the same family as the existing escaped_quotes_in_description / unescaped_quotes_in_description scenarios (quoted values are opaque), so conformant parsers already satisfy them.

Verification

python3 scripts/vector_runner.py --adapter python --vector www-authenticate -> 32 passed, 32 total (the two new vectors included). Diff is additive only (no reformatting of existing scenarios).

Note

A companion concern from the same review (stripe/mpp-rb#14, stricter rejection of malformed auth-params) is intentionally NOT added here: the SDKs are not yet aligned on malformed-param strictness (the Python parser is currently lenient where Ruby now rejects), so a rejection vector would need that cross-SDK alignment first. Happy to follow up with it once the implementations converge.


Review by GPT-5.5 (xhigh, via Codex)

The change only adds two focused WWW-Authenticate parse vectors for quoted values containing the Payment token. I found no actionable correctness issue in the added scenarios.

Codex independently re-ran the python adapter on the new scheme-boundary tag (vector_runner.py --tag scheme-boundary): 2/2 pass.

Add two parse scenarios asserting that the word 'Payment' inside a quoted
parameter value (realm, description) is treated as an opaque string and not
mistaken for a second auth scheme / scheme boundary. Same family as the
existing escaped/unescaped quoted-string scenarios; verified against the
python adapter (32/32 parse). Codifies the behaviour fixed in stripe/mpp-rb#11.
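
Added example, not code from this PR or from any of the SDKs it mentions: a quote-aware scan for the Payment scheme next to a quote-unaware one, showing the boundary mis-detection described under "Why" in the PR description. The header strings are constructed (only the two quoted values come from the PR), the function names are hypothetical, and only the auth-param form of a challenge (not token68) is handled.

```python
import re

# auth-param = token "=" ( token / quoted-string ), as in RFC 9110
_PARAM = re.compile(r'[\s,]*([!#$%&\'*+.^_`|~0-9A-Za-z-]+)\s*=\s*'
                    r'(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')

def naive_find(header, scheme="Payment"):
    """Quote-unaware scan, shown for contrast: first occurrence anywhere."""
    return header.find(scheme + " ")

def find_scheme(header, scheme="Payment"):
    """Offset of `scheme` as a scheme token outside quoted-strings, else -1."""
    n, k, i, quoted = len(header), len(scheme), 0, False
    while i < n:
        ch = header[i]
        if quoted:
            if ch == "\\":
                i += 2              # quoted-pair: the escaped character is data
                continue
            quoted = ch != '"'      # only an unescaped quote closes the string
        elif ch == '"':
            quoted = True
        elif (header[i:i + k].lower() == scheme.lower()   # scheme names are case-insensitive
              and (i == 0 or header[i - 1] in ", \t")
              and (i + k == n or header[i + k] in " \t,")):
            return i
        i += 1
    return -1

def parse_payment(header):
    """Params of the Payment challenge as a dict, or None if there is none."""
    start = find_scheme(header)
    if start < 0:
        return None
    params, pos = {}, start + len("Payment")
    while (m := _PARAM.match(header, pos)):   # stops at the next scheme token
        raw, token = m.group(2), m.group(3)
        params[m.group(1).lower()] = token if raw is None else re.sub(r"\\(.)", r"\1", raw)
        pos = m.end()
    return params

# Constructed sample headers; only the two quoted values come from the PR text.
MERGED = ('Bearer realm="contact Payment support", '
          'Payment realm="api", description="Pay with the Payment scheme"')
ONLY_BEARER = 'Bearer realm="contact Payment support"'
```

On `MERGED` the quote-unaware scan lands inside the Bearer realm, and on `ONLY_BEARER` it reports a Payment challenge that does not exist; the quote-aware scan returns the real boundary and `-1` respectively.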

@mablr mablr left a comment

Contributor

Sounds good. To be rechecked after stripe/mpp-rb#11 and stripe/mpp-rb#14 comments are addressed.

@stevencartavia stevencartavia left a comment

Contributor

lgtm

@brendanjryan brendanjryan merged commit dc76efa into tempoxyz:main Jun 17, 2026
2 checks passed