Add credentials for bearer token authentication

Closes #60048

GitOrigin-RevId: bbed1f2
Change-Id: I22c5141f942d2986d0927f13e31beca0ffcc36ba
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/408241
Reviewed-by: Alexander Aprelev <[email protected]>
Commit-Queue: Brian Quinlan <[email protected]>

Author: brianquinlan

CHANGELOG.md

@@ -8,6 +8,10 @@
 
 - Added `Iterable.withIterator` constructor.
 
+#### `dart:io`
+
+- Added support `HttpClientBearerCredentials`.
+
 #### `dart:html`
 
 - **Breaking change**: Native classes in `dart:html`, like `HtmlElement`, can no

sdk/lib/_http/http.dart

@@ -2054,6 +2054,13 @@ abstract final class HttpClientBasicCredentials
       _HttpClientBasicCredentials(username, password);
 }
 
+/// Represents credentials for bearer token authentication.
+abstract final class HttpClientBearerCredentials
+    implements HttpClientCredentials {
+  factory HttpClientBearerCredentials(String token) =>
+      _HttpClientBearerCredentials(token);
+}
+
 /// Represents credentials for digest authentication. Digest
 /// authentication is only supported for servers using the MD5
 /// algorithm and quality of protection (qop) of either "none" or

sdk/lib/_http/http_impl.dart

@@ -3900,18 +3900,21 @@ class _AuthenticationScheme {
 
   static const UNKNOWN = _AuthenticationScheme(-1);
   static const BASIC = _AuthenticationScheme(0);
-  static const DIGEST = _AuthenticationScheme(1);
+  static const BEARER = _AuthenticationScheme(1);
+  static const DIGEST = _AuthenticationScheme(2);
 
   const _AuthenticationScheme(this._scheme);
 
   factory _AuthenticationScheme.fromString(String scheme) {
     if (scheme.toLowerCase() == "basic") return BASIC;
+    if (scheme.toLowerCase() == "bearer") return BEARER;
     if (scheme.toLowerCase() == "digest") return DIGEST;
     return UNKNOWN;
   }
 
   String toString() {
     if (this == BASIC) return "Basic";
+    if (this == BEARER) return "Bearer";
     if (this == DIGEST) return "Digest";
     return "Unknown";
   }
@@ -4038,6 +4041,33 @@ final class _HttpClientBasicCredentials extends _HttpClientCredentials
   }
 }
 
+final class _HttpClientBearerCredentials extends _HttpClientCredentials
+    implements HttpClientBearerCredentials {
+  String token;
+
+  _HttpClientBearerCredentials(this.token) {
+    // verify token according to RFC-6750 section 2.1
+    // https://www.rfc-editor.org/rfc/rfc6750.html#section-2.1
+    if (RegExp(r'[^0-9A-Za-z\-._~+/=]').hasMatch(token)) {
+      throw ArgumentError.value(token, "token", "Invalid characters");
+    }
+  }
+
+  _AuthenticationScheme get scheme => _AuthenticationScheme.BEARER;
+
+  String authorization() {
+    return "Bearer $token";
+  }
+
+  void authorize(_Credentials _, HttpClientRequest request) {
+    request.headers.set(HttpHeaders.authorizationHeader, authorization());
+  }
+
+  void authorizeProxy(_ProxyCredentials _, HttpClientRequest request) {
+    request.headers.set(HttpHeaders.proxyAuthorizationHeader, authorization());
+  }
+}
+
 final class _HttpClientDigestCredentials extends _HttpClientCredentials
     implements HttpClientDigestCredentials {
   String username;

sdk/lib/io/io.dart

@@ -228,6 +228,7 @@ export 'dart:_http'
         HttpClientResponseCompressionState,
         HttpClientCredentials,
         HttpClientBasicCredentials,
+        HttpClientBearerCredentials,
         HttpClientDigestCredentials,
         HttpConnectionInfo,
         RedirectInfo,

tests/standalone/io/http_auth_bearer_test.dart

@@ -0,0 +1,263 @@
+// Copyright (c) 2025, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+import 'dart:async';
+import 'dart:convert';
+import 'dart:io';
+
+import "package:expect/async_helper.dart";
+import "package:expect/expect.dart";
+
+class Server {
+  late HttpServer server;
+
+  Future<Server> start() async {
+    server = await HttpServer.bind(InternetAddress.loopbackIPv4.address, 0);
+    server.listen((request) {
+      final response = request.response;
+
+      // WARNING: this authenticate header is malformed because of missing
+      // commas between the arguments
+      if (request.uri.path == "/malformedAuthenticate") {
+        response.statusCode = HttpStatus.unauthorized;
+        response.headers.set(
+          HttpHeaders.wwwAuthenticateHeader,
+          "Bearer realm=\"realm\" error=\"invalid_token\"",
+        );
+        response.close();
+        return;
+      }
+
+      // NOTE: see RFC6750 section 3 regarding the authenticate response header
+      // field:
+      // https://www.rfc-editor.org/rfc/rfc6750.html#section-3
+      if (request.headers[HttpHeaders.authorizationHeader] != null) {
+        final token = base64.encode(utf8.encode(request.uri.path.substring(1)));
+        Expect.equals(
+          1,
+          request.headers[HttpHeaders.authorizationHeader]!.length,
+        );
+        final authorizationHeaderParts = request
+            .headers[HttpHeaders.authorizationHeader]![0]
+            .split(" ");
+        Expect.equals("Bearer", authorizationHeaderParts[0]);
+        if (token != authorizationHeaderParts[1]) {
+          response.statusCode = HttpStatus.unauthorized;
+          response.headers.set(
+            HttpHeaders.wwwAuthenticateHeader,
+            "Bearer realm=\"realm\", error=\"invalid_token\"",
+          );
+        }
+      } else {
+        response.statusCode = HttpStatus.unauthorized;
+        response.headers.set(
+          HttpHeaders.wwwAuthenticateHeader,
+          "Bearer realm=\"realm\"",
+        );
+      }
+      response.close();
+    });
+    return this;
+  }
+
+  void shutdown() {
+    server.close();
+  }
+
+  String get host => server.address.address;
+
+  int get port => server.port;
+}
+
+void testCreateValidBearerTokens() {
+  HttpClientBearerCredentials("977ce44bc56dc5000c9d2c329e682547");
+  HttpClientBearerCredentials("dGVzdHRlc3R0ZXN0dGVzdA==");
+  HttpClientBearerCredentials("mF_9.B5f-4.1JqM");
+}
+
+void testCreateInvalidBearerTokens() {
+  Expect.throws(() => HttpClientBearerCredentials("#(&%)"));
+  Expect.throws(() => HttpClientBearerCredentials("áéîöü"));
+  Expect.throws(() => HttpClientBearerCredentials("あいうえお"));
+  Expect.throws(() => HttpClientBearerCredentials("     "));
+}
+
+void testBearerWithoutCredentials() async {
+  final server = await Server().start();
+  final client = HttpClient();
+
+  Future makeRequest(Uri url) async {
+    final request = await client.getUrl(url);
+    final response = await request.close();
+    Expect.equals(HttpStatus.unauthorized, response.statusCode);
+    return response.drain();
+  }
+
+  await Future.wait([
+    for (int i = 0; i < 5; i++) ...[
+      makeRequest(Uri.parse("http://${server.host}:${server.port}/test$i")),
+    ],
+  ]);
+
+  server.shutdown();
+  client.close();
+}
+
+void testBearerWithCredentials() async {
+  final server = await Server().start();
+  final client = HttpClient();
+
+  Future makeRequest(Uri url) async {
+    final request = await client.getUrl(url);
+    final response = await request.close();
+    Expect.equals(HttpStatus.ok, response.statusCode);
+    return response.drain();
+  }
+
+  for (int i = 0; i < 5; i++) {
+    final token = base64.encode(utf8.encode("test$i"));
+    client.addCredentials(
+      Uri.parse("http://${server.host}:${server.port}/test$i"),
+      "realm",
+      HttpClientBearerCredentials(token),
+    );
+  }
+
+  await Future.wait([
+    for (int i = 0; i < 5; i++) ...[
+      makeRequest(Uri.parse("http://${server.host}:${server.port}/test$i")),
+    ],
+  ]);
+
+  server.shutdown();
+  client.close();
+}
+
+void testBearerWithAuthenticateCallback() async {
+  final server = await Server().start();
+  final client = HttpClient();
+
+  final callbacks = <String>{};
+
+  client.authenticate = (url, scheme, realm) async {
+    Expect.equals("Bearer", scheme);
+    Expect.equals("realm", realm);
+    callbacks.add(url.path.substring(1));
+    String token = base64.encode(utf8.encode(url.path.substring(1)));
+    client.addCredentials(url, realm!, HttpClientBearerCredentials(token));
+    return true;
+  };
+
+  Future makeRequest(Uri url) async {
+    final request = await client.getUrl(url);
+    final response = await request.close();
+    Expect.equals(HttpStatus.ok, response.statusCode);
+    return response.drain();
+  }
+
+  await Future.wait([
+    for (int i = 0; i < 5; i++) ...[
+      makeRequest(Uri.parse("http://${server.host}:${server.port}/test$i")),
+    ],
+  ]);
+
+  // assert that all authenticate callbacks have actually been called
+  Expect.setEquals({for (int i = 0; i < 5; i++) "test$i"}, callbacks);
+
+  server.shutdown();
+  client.close();
+}
+
+void testMalformedAuthenticateHeaderWithoutCredentials() async {
+  final server = await Server().start();
+  final client = HttpClient();
+  final uri = Uri.parse(
+    "http://${server.host}:${server.port}/malformedAuthenticate",
+  );
+
+  // the request should resolve normally if no authentication is configured
+  final request = await client.getUrl(uri);
+  final response = await request.close();
+
+  server.shutdown();
+  client.close();
+}
+
+void testMalformedAuthenticateHeaderWithCredentials() async {
+  final server = await Server().start();
+  final client = HttpClient();
+  final uri = Uri.parse(
+    "http://${server.host}:${server.port}/malformedAuthenticate",
+  );
+  final token = base64.encode(utf8.encode("test"));
+
+  // the request should throw an exception if credentials have been added
+  client.addCredentials(uri, "realm", HttpClientBearerCredentials(token));
+  await asyncExpectThrows<HttpException>(
+    Future(() async {
+      final request = await client.getUrl(uri);
+      final response = await request.close();
+    }),
+  );
+
+  server.shutdown();
+  client.close();
+}
+
+void testMalformedAuthenticateHeaderWithAuthenticateCallback() async {
+  final server = await Server().start();
+  final client = HttpClient();
+  final uri = Uri.parse(
+    "http://${server.host}:${server.port}/malformedAuthenticate",
+  );
+
+  // the request should throw an exception if the authenticate handler is set
+  client.authenticate = (url, scheme, realm) async => false;
+  await asyncExpectThrows<HttpException>(
+    Future(() async {
+      final request = await client.getUrl(uri);
+      final response = await request.close();
+    }),
+  );
+
+  server.shutdown();
+  client.close();
+}
+
+void testLocalServerBearer() async {
+  final client = HttpClient();
+
+  client.authenticate = (url, scheme, realm) async {
+    final token = base64.encode(utf8.encode("test"));
+    client.addCredentials(
+      Uri.parse("http://127.0.0.1/bearer"),
+      "test",
+      HttpClientBearerCredentials(token),
+    );
+    return true;
+  };
+
+  final request = await client.getUrl(
+    Uri.parse("http://127.0.0.1/bearer/test"),
+  );
+  final response = await request.close();
+  Expect.equals(HttpStatus.ok, response.statusCode);
+  await response.drain();
+
+  client.close();
+}
+
+main() {
+  testCreateValidBearerTokens();
+  testCreateInvalidBearerTokens();
+  testBearerWithoutCredentials();
+  testBearerWithCredentials();
+  testBearerWithAuthenticateCallback();
+  testMalformedAuthenticateHeaderWithoutCredentials();
+  testMalformedAuthenticateHeaderWithCredentials();
+  testMalformedAuthenticateHeaderWithAuthenticateCallback();
+  // These tests are not normally run. They can be used for locally
+  // testing with another web server (e.g. Apache).
+  // testLocalServerBearer();
+}