


Bug #14071

Updated by dgames (Dax Games) over 6 years ago

Not sure if this is a bug or not but I know where it was introduced and when it worked. 

 My code that works: 

 ruby 2.3.1p112
 ruby 2.3.4p301
 ruby 2.4.1p111

 # Start Working Code 

         require 'net/http' 
         require 'uri' 

         url = my_url + "/PasswordVault/WebServices/PIMServices.svc/Accounts?Safe=" + safe 
         url += "&Keywords=" + keywords if ! keywords.nil? 

         uri = URI.parse(url) 

         http = Net::HTTP.new(uri.host, uri.port) 
         http.use_ssl = true 

         request = Net::HTTP::Get.new(uri.request_uri) 

         # Second Authorization header appended through an embedded CR/LF 
         request["authorization"] = "Bearer #{pf_token}\r\nAuthorization: #{ck_token}" 
         request["oauth_clientid"] = pf_credentials['client_id'] 
         request["content-type"] = 'application/json' 

         # Send the request 
         http.set_debug_output $stderr 
         res = http.request(request) 

 I am no expert and the code above may be a hack but it works on sites where dual authentication is required, at least with some versions of Ruby. I came to this solution by inspecting the http request by setting 'http.set_debug_output $stderr' and saw that header elements are separated by '\r\n' 

 This curl command works: 

 curl -X GET 'https://xxxx/PasswordVault/WebServices/PIMServices.svc/Accounts?Safe=Safe1' -H 'authorization: Bearer xxxxxxxxxxxxxxxxxxx' -H 'authorization: YYYYYYYYYYY' -H 'content-type: application/json' -H 'oauth_clientid: clientid1' 

 The above code fails with 'header field value cannot include CR/LF' in: 

 ruby 2.3.5p376 
 ruby 2.4.2p198  

 This was most recently re-introduced by this commit: 

 I have tried the following on the newer failing version of Ruby but these also fail with #<Net::HTTPUnauthorized:0x0000000003183780> => "1012116 - Invalid token." 

 # Start Failing Code 
         url = my_url + "/PasswordVault/WebServices/PIMServices.svc/Accounts?Safe=" + safe 
         url += "&Keywords=" + keywords if ! keywords.nil? 

         uri = URI.parse(url) 

         http = Net::HTTP.new(uri.host, uri.port) 
         http.use_ssl = true 

         request = Net::HTTP::Get.new(uri.request_uri) 

         request["authorization"] = ["Bearer #{pf_token}", ck_token] 
         request["oauth_clientid"] = pf_credentials['client_id'] 
         request["content-type"] = 'application/json' 

         # Send the request 
         http.set_debug_output $stderr 
         res = http.request(request) 

 and this: 

 # Start Failing Code 
         url = my_url + "/PasswordVault/WebServices/PIMServices.svc/Accounts?Safe=" + safe 
         url += "&Keywords=" + keywords if ! keywords.nil? 

         uri = URI.parse(url) 

         http = Net::HTTP.new(uri.host, uri.port) 
         http.use_ssl = true 

         request = Net::HTTP::Get.new(uri.request_uri) 

         request.add_field("authorization", "Bearer #{pf_token}") 
         request.add_field("authorization", ck_token) 
         request.add_field("oauth_clientid", pf_credentials['client_id']) 
         request.add_field("content-type", 'application/json') 

         # Send the request 
         http.set_debug_output $stderr 
         res = http.request(request) 

 Another variation also fails with "undefined method `strip' for #<Array:0x00000000034ad910>" 

 # Begin Failing Code 
         url = my_url + "/PasswordVault/WebServices/PIMServices.svc/Accounts?Safe=" + safe 
         url += "&Keywords=" + keywords if ! keywords.nil? 

         uri = URI.parse(url) 

         http = Net::HTTP.new(uri.host, uri.port) 
         http.use_ssl = true 

         header = { 
           'authorization' => ["Bearer #{pf_token}", "#{ck_token}"], 
           'oauth_clientid' => pf_credentials['client_id'], 
           'content-type' => 'application/json' 
         } 
         # Send the request 
         http.set_debug_output $stderr 
         res = http.request_get(uri.path, header)       
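
 The following is an added example, not part of the original report: it shows, without any network access, how a Net::HTTP version that has the CR/LF check treats the two approaches above. The token values and request path are constructed placeholders.

```ruby
require 'net/http'

# Constructed placeholder values, not real credentials.
BEARER = 'Bearer constructed-token-1'
SECOND = 'constructed-token-2'
PATH   = '/Accounts?Safe=Safe1'

# Put a CR/LF inside one header value, as the "working" snippet does.
# Returns the exception raised by the header validation, or nil if the
# running Ruby accepted the value.
def crlf_rejection
  req = Net::HTTP::Get.new(PATH)
  req['authorization'] = "#{BEARER}\r\nAuthorization: #{SECOND}"
  nil
rescue ArgumentError => e
  e
end

# Add the same field twice with add_field, then report both how the
# values are stored and the header line Net::HTTP builds from them.
def duplicate_field_view
  req = Net::HTTP::Get.new(PATH)
  req.add_field('authorization', BEARER)
  req.add_field('authorization', SECOND)
  wire = []
  # each_capitalized yields the name/value pairs used to write the request
  req.each_capitalized do |name, value|
    wire << "#{name}: #{value}" if name == 'Authorization'
  end
  { stored: req.get_fields('authorization'), wire: wire }
end

if __FILE__ == $PROGRAM_NAME
  err = crlf_rejection
  puts "CR/LF value: #{err ? "#{err.class}: #{err.message}" : 'accepted'}"
  view = duplicate_field_view
  puts "stored values: #{view[:stored].inspect}"
  view[:wire].each { |line| puts "header line:   #{line}" }
end
```

 The two values added with add_field are kept separately but written as one comma-joined Authorization line, which is not the same request as the curl command's two separate header lines.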
