From 064a9cedbd205594fa529ff996b2cd359c5be07c Mon Sep 17 00:00:00 2001
From: Tommaso Stocchi <tommasostocchi@outlook.com>
Date: Mon, 14 Dec 2020 13:07:39 +0100
Subject: [PATCH 01/19] No htlml encoding on server side

---
 .../HttpServer/Security/AuthorizationContext.cs           | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
index 024404ceb0..ce2644b8db 100644
--- a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
@@ -275,17 +275,11 @@ namespace Emby.Server.Implementations.HttpServer.Security
 
                 if (param.Length == 2)
                 {
-                    var value = NormalizeValue(param[1].Trim('"'));
-                    result[param[0]] = value;
+                    result[param[0]] = param[1].Trim('"');
                 }
             }
 
             return result;
         }
-
-        private static string NormalizeValue(string value)
-        {
-            return string.IsNullOrEmpty(value) ? value : WebUtility.HtmlEncode(value);
-        }
     }
 }

From 13bc57ecc39ebd485634f64f90ed526b134a521c Mon Sep 17 00:00:00 2001
From: Tommaso Stocchi <tommasostocchi@outlook.com>
Date: Mon, 14 Dec 2020 13:08:07 +0100
Subject: [PATCH 02/19] No need to double check param length

---
 .../HttpServer/Security/AuthorizationContext.cs              | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
index ce2644b8db..f335aa5c56 100644
--- a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
@@ -273,10 +273,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
             {
                 var param = item.Trim().Split('=', 2);
 
-                if (param.Length == 2)
-                {
-                    result[param[0]] = param[1].Trim('"');
-                }
+                result[param[0]] = param[1].Trim('"');
             }
 
             return result;

From 305e5ebaf40d02f15664c49c26391531a548608d Mon Sep 17 00:00:00 2001
From: Tommaso Stocchi <tommasostocchi@outlook.com>
Date: Mon, 14 Dec 2020 13:14:18 +0100
Subject: [PATCH 03/19] Allow commas in auth values when wappred in a double
 quote

---
 .../HttpServer/Security/AuthorizationContext.cs                 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
index f335aa5c56..354e037153 100644
--- a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
@@ -265,7 +265,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
 
             // Remove uptil the first space
             authorizationHeader = parts[1];
-            parts = authorizationHeader.Split(',');
+            parts = authorizationHeader.Split("\",\"");
 
             var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
 

From b611a108f89ab77b219aecc6d6155540f772cf32 Mon Sep 17 00:00:00 2001
From: Tommaso Stocchi <tommasostocchi@outlook.com>
Date: Mon, 14 Dec 2020 13:15:21 +0100
Subject: [PATCH 04/19] -fix split on comma and double quotes

---
 .../HttpServer/Security/AuthorizationContext.cs                 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
index 354e037153..5d85facab8 100644
--- a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
@@ -265,7 +265,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
 
             // Remove uptil the first space
             authorizationHeader = parts[1];
-            parts = authorizationHeader.Split("\",\"");
+            parts = authorizationHeader.Split("\",");
 
             var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
 

From 6e2cfc6569044251a7968fdeb16f245cecc46fe6 Mon Sep 17 00:00:00 2001
From: Tommaso Stocchi <tommasostocchi@outlook.com>
Date: Mon, 14 Dec 2020 14:05:53 +0100
Subject: [PATCH 05/19] Url decode for auth value

---
 .../HttpServer/Security/AuthorizationContext.cs           | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
index 5d85facab8..0f8011495f 100644
--- a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
@@ -273,10 +273,16 @@ namespace Emby.Server.Implementations.HttpServer.Security
             {
                 var param = item.Trim().Split('=', 2);
 
-                result[param[0]] = param[1].Trim('"');
+                var value =param[1].Trim('"');
+                result[param[0]] = value;
             }
 
             return result;
         }
+
+        private static string NormalizeValue(string value)
+        {
+            return string.IsNullOrEmpty(value) ? value : WebUtility.UrlDecode(value);
+        }
     }
 }

From c6eefaac0975c351cfb20ace1c67d837dc0b7393 Mon Sep 17 00:00:00 2001
From: Tommaso Stocchi <tommasostocchi@outlook.com>
Date: Tue, 15 Dec 2020 21:01:42 +0100
Subject: [PATCH 06/19] Added function to split the authorization header parts

---
 .../Security/AuthorizationContext.cs          | 45 ++++++++++++++++++-
 1 file changed, 43 insertions(+), 2 deletions(-)

diff --git a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
index 0f8011495f..74a678aa62 100644
--- a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
@@ -265,7 +265,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
 
             // Remove uptil the first space
             authorizationHeader = parts[1];
-            parts = authorizationHeader.Split("\",");
+            parts = GetParts(authorizationHeader);
 
             var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
 
@@ -274,7 +274,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
                 var param = item.Trim().Split('=', 2);
 
                 var value =param[1].Trim('"');
-                result[param[0]] = value;
+                result[param[0]] = NormalizeValue(value);
             }
 
             return result;
@@ -284,5 +284,46 @@ namespace Emby.Server.Implementations.HttpServer.Security
         {
             return string.IsNullOrEmpty(value) ? value : WebUtility.UrlDecode(value);
         }
+
+        public static string[] GetParts(string authtorizationHeader)
+        {
+            var result = new List<string>();
+            var escapeChars = new[] {'"', ','};
+            var escaped = false;
+            var authtorizationHeaderChars = authtorizationHeader.ToCharArray();
+            var value = new List<char>();
+
+            for(var i = 0; i < authtorizationHeaderChars.Length; i++)
+            {
+                if(!escapeChars.Contains(authtorizationHeaderChars[i]))
+                {
+                    value = value.Append(authtorizationHeaderChars[i]).ToList();
+                }
+                else
+                {
+                    escaped = (!escaped) == (authtorizationHeaderChars[i] == '"');
+                    if(authtorizationHeaderChars[i] == ',')
+                    {
+                        if(escaped)
+                        {
+                            value = value.Append(authtorizationHeaderChars[i]).ToList();
+                        }
+                        else
+                        {
+                            result.Add(new string(value.ToArray()));
+                            value = new List<char>();
+                        }
+                    }
+                    else
+                    {
+                        value = value.Append(authtorizationHeaderChars[i]).ToList();
+                    }
+                }
+            }
+            // Add last value
+            result.Add(new string(value.ToArray()));
+
+            return result.ToArray();
+        }
     }
 }

From 7c7f2316faa36fbdd6044ae27e05823e317d167f Mon Sep 17 00:00:00 2001
From: Tommaso Stocchi <tommasostocchi@outlook.com>
Date: Tue, 15 Dec 2020 21:06:47 +0100
Subject: [PATCH 07/19] Added comments

---
 .../HttpServer/Security/AuthorizationContext.cs            | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
index 74a678aa62..855c616826 100644
--- a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
@@ -285,6 +285,11 @@ namespace Emby.Server.Implementations.HttpServer.Security
             return string.IsNullOrEmpty(value) ? value : WebUtility.UrlDecode(value);
         }
 
+        /// <summary>
+        /// Get the authorization header components.
+        /// </summary>
+        /// <param name="authtorizationHeader">The authorization header.</param>
+        /// <returns>string</returns>
         public static string[] GetParts(string authtorizationHeader)
         {
             var result = new List<string>();
@@ -301,6 +306,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
                 }
                 else
                 {
+                    // Applying a XOR logic to evaluate wether it is opening or closing a value
                     escaped = (!escaped) == (authtorizationHeaderChars[i] == '"');
                     if(authtorizationHeaderChars[i] == ',')
                     {
@@ -310,6 +316,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
                         }
                         else
                         {
+                            // Meeting a comma after a closing escape char means the value is complete
                             result.Add(new string(value.ToArray()));
                             value = new List<char>();
                         }

From a03880b687cf1b69c25bd8d207b2ebfb0c420571 Mon Sep 17 00:00:00 2001
From: Tommaso Stocchi <tommasostocchi@outlook.com>
Date: Sat, 2 Jan 2021 18:18:47 +0100
Subject: [PATCH 08/19] Improve get auth header parts using substring

---
 .../Security/AuthorizationContext.cs          | 49 +++++++++----------
 1 file changed, 22 insertions(+), 27 deletions(-)

diff --git a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
index 855c616826..8fa20aea9a 100644
--- a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
@@ -273,7 +273,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
             {
                 var param = item.Trim().Split('=', 2);
 
-                var value =param[1].Trim('"');
+                var value = param[1].Trim('"');
                 result[param[0]] = NormalizeValue(value);
             }
 
@@ -293,42 +293,37 @@ namespace Emby.Server.Implementations.HttpServer.Security
         public static string[] GetParts(string authtorizationHeader)
         {
             var result = new List<string>();
-            var escapeChars = new[] {'"', ','};
+            var escapeChars = new[] { '"', ',' };
             var escaped = false;
-            var authtorizationHeaderChars = authtorizationHeader.ToCharArray();
-            var value = new List<char>();
-
-            for(var i = 0; i < authtorizationHeaderChars.Length; i++)
+            int start = 0;
+            int i = 0;
+            while (i < authtorizationHeader.Length)
             {
-                if(!escapeChars.Contains(authtorizationHeaderChars[i]))
+                var token = authtorizationHeader[i];
+                if (escapeChars.Contains(token))
                 {
-                    value = value.Append(authtorizationHeaderChars[i]).ToList();
-                }
-                else
-                {
-                    // Applying a XOR logic to evaluate wether it is opening or closing a value
-                    escaped = (!escaped) == (authtorizationHeaderChars[i] == '"');
-                    if(authtorizationHeaderChars[i] == ',')
+                    // Applying a XOR logic to evaluate whether it is opening or closing a value
+                    escaped = (!escaped) == (token == '"');
+                    if (token == ',' && !escaped)
                     {
-                        if(escaped)
+                        // Meeting a comma after a closing escape char means the value is complete
+                        if (start < i)
                         {
-                            value = value.Append(authtorizationHeaderChars[i]).ToList();
+                            result.Add(authtorizationHeader[start..(i)]);
                         }
-                        else
-                        {
-                            // Meeting a comma after a closing escape char means the value is complete
-                            result.Add(new string(value.ToArray()));
-                            value = new List<char>();
-                        }
-                    }
-                    else
-                    {
-                        value = value.Append(authtorizationHeaderChars[i]).ToList();
+
+                        start = i + 1;
                     }
                 }
+
+                i++;
             }
+
             // Add last value
-            result.Add(new string(value.ToArray()));
+            if (start < i)
+            {
+                result.Add(authtorizationHeader[start..(i)]);
+            }
 
             return result.ToArray();
         }

From 452af30511a80e99e22794fc8009d7a6a9b9c904 Mon Sep 17 00:00:00 2001
From: Tommaso Stocchi <tommasostocchi@outlook.com>
Date: Sun, 3 Jan 2021 19:32:58 +0100
Subject: [PATCH 09/19] Added UrlDecode for authorization parts

---
 .../HttpServer/Security/AuthorizationContext.cs               | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
index 8fa20aea9a..6b4588dbcf 100644
--- a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
@@ -309,7 +309,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
                         // Meeting a comma after a closing escape char means the value is complete
                         if (start < i)
                         {
-                            result.Add(authtorizationHeader[start..(i)]);
+                            result.Add(WebUtility.UrlDecode(authtorizationHeader[start..(i)]));
                         }
 
                         start = i + 1;
@@ -322,7 +322,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
             // Add last value
             if (start < i)
             {
-                result.Add(authtorizationHeader[start..(i)]);
+                result.Add(WebUtility.UrlDecode(authtorizationHeader[start..(i)]));
             }
 
             return result.ToArray();

From 414e918c01a2458aa28c654332a8bad4f79cfa90 Mon Sep 17 00:00:00 2001
From: BaronGreenback <jimcartlidge@yahoo.co.uk>
Date: Fri, 26 Feb 2021 14:30:00 +0000
Subject: [PATCH 10/19] Optimized and added test

---
 .../Security/AuthorizationContext.cs          | 39 +++++++------------
 .../DefaultAuthorizationHandlerTests.cs       | 14 ++++++-
 2 files changed, 28 insertions(+), 25 deletions(-)

diff --git a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
index 6b4588dbcf..7a83b72133 100644
--- a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
@@ -263,26 +263,9 @@ namespace Emby.Server.Implementations.HttpServer.Security
                 return null;
             }
 
-            // Remove uptil the first space
+            // Remove up until the first space
             authorizationHeader = parts[1];
-            parts = GetParts(authorizationHeader);
-
-            var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
-
-            foreach (var item in parts)
-            {
-                var param = item.Trim().Split('=', 2);
-
-                var value = param[1].Trim('"');
-                result[param[0]] = NormalizeValue(value);
-            }
-
-            return result;
-        }
-
-        private static string NormalizeValue(string value)
-        {
-            return string.IsNullOrEmpty(value) ? value : WebUtility.UrlDecode(value);
+            return GetParts(authorizationHeader);
         }
 
         /// <summary>
@@ -290,13 +273,15 @@ namespace Emby.Server.Implementations.HttpServer.Security
         /// </summary>
         /// <param name="authtorizationHeader">The authorization header.</param>
         /// <returns>string</returns>
-        public static string[] GetParts(string authtorizationHeader)
+        public static Dictionary<string, string> GetParts(string authtorizationHeader)
         {
-            var result = new List<string>();
+            var result = new Dictionary<string, string>();
             var escapeChars = new[] { '"', ',' };
             var escaped = false;
             int start = 0;
             int i = 0;
+            string key = string.Empty;
+
             while (i < authtorizationHeader.Length)
             {
                 var token = authtorizationHeader[i];
@@ -309,12 +294,18 @@ namespace Emby.Server.Implementations.HttpServer.Security
                         // Meeting a comma after a closing escape char means the value is complete
                         if (start < i)
                         {
-                            result.Add(WebUtility.UrlDecode(authtorizationHeader[start..(i)]));
+                            result[key] = WebUtility.UrlDecode(authtorizationHeader[start..i].Trim('"'));
+                            key = string.Empty;
                         }
 
                         start = i + 1;
                     }
                 }
+                else if (!escaped && token == '=')
+                {
+                    key = authtorizationHeader[start.. i];
+                    start = i + 1;
+                }
 
                 i++;
             }
@@ -322,10 +313,10 @@ namespace Emby.Server.Implementations.HttpServer.Security
             // Add last value
             if (start < i)
             {
-                result.Add(WebUtility.UrlDecode(authtorizationHeader[start..(i)]));
+                result[key] = WebUtility.UrlDecode(authtorizationHeader[start..i].Trim('"'));
             }
 
-            return result.ToArray();
+            return result;
         }
     }
 }
diff --git a/tests/Jellyfin.Api.Tests/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandlerTests.cs b/tests/Jellyfin.Api.Tests/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandlerTests.cs
index a62fd8d5ae..5387922ab9 100644
--- a/tests/Jellyfin.Api.Tests/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandlerTests.cs
+++ b/tests/Jellyfin.Api.Tests/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandlerTests.cs
@@ -1,7 +1,8 @@
-using System.Collections.Generic;
+using System.Collections.Generic;
 using System.Threading.Tasks;
 using AutoFixture;
 using AutoFixture.AutoMoq;
+using Emby.Server.Implementations.HttpServer.Security;
 using Jellyfin.Api.Auth.DefaultAuthorizationPolicy;
 using Jellyfin.Api.Constants;
 using MediaBrowser.Common.Configuration;
@@ -49,5 +50,16 @@ namespace Jellyfin.Api.Tests.Auth.DefaultAuthorizationPolicy
             await _sut.HandleAsync(context);
             Assert.True(context.HasSucceeded);
         }
+
+        [Theory]
+        [InlineData("x=\"123,123\",y=\"123\"", "x", "123,123")]
+        [InlineData("x=\"ab\"", "x", "ab")]
+        [InlineData("param=Hörbücher", "param", "Hörbücher")]
+        [InlineData("param=%22%Hörbücher", "param", "\"%Hörbücher")]
+        public void TestAuthHeaders(string input, string key, string value)
+        {
+            var dict = AuthorizationContext.GetParts(input);
+            Assert.True(string.Equals(dict[key], value, System.StringComparison.Ordinal));
+        }
     }
 }

From 3951546b1f388cb7aa388a7d6daa5b84ae90b945 Mon Sep 17 00:00:00 2001
From: Tommaso Stocchi <tommasostocchi@outlook.com>
Date: Thu, 3 Jun 2021 17:07:25 +0200
Subject: [PATCH 11/19] Update
 Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs

Co-authored-by: artiume <siderite@gmail.com>
---
 .../HttpServer/Security/AuthorizationContext.cs                 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
index 7a83b72133..f6c8976ecf 100644
--- a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
@@ -271,7 +271,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
         /// <summary>
         /// Get the authorization header components.
         /// </summary>
-        /// <param name="authtorizationHeader">The authorization header.</param>
+        /// <param name="authorizationHeader">The authorization header.</param>
         /// <returns>string</returns>
         public static Dictionary<string, string> GetParts(string authtorizationHeader)
         {

From 3c019d1324c6ec29bf96aab28b94208924bb317f Mon Sep 17 00:00:00 2001
From: Tommaso Stocchi <tommasostocchi@outlook.com>
Date: Thu, 3 Jun 2021 17:10:19 +0200
Subject: [PATCH 12/19] Using for instead of while

---
 .../HttpServer/Security/AuthorizationContext.cs          | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
index 7a83b72133..26f3b8d68f 100644
--- a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
@@ -276,16 +276,15 @@ namespace Emby.Server.Implementations.HttpServer.Security
         public static Dictionary<string, string> GetParts(string authtorizationHeader)
         {
             var result = new Dictionary<string, string>();
-            var escapeChars = new[] { '"', ',' };
             var escaped = false;
             int start = 0;
-            int i = 0;
             string key = string.Empty;
 
-            while (i < authtorizationHeader.Length)
+            int i;
+            for (i = 0; i < authtorizationHeader.Length; i++)
             {
                 var token = authtorizationHeader[i];
-                if (escapeChars.Contains(token))
+                if (token == '"' || token == ',')
                 {
                     // Applying a XOR logic to evaluate whether it is opening or closing a value
                     escaped = (!escaped) == (token == '"');
@@ -306,8 +305,6 @@ namespace Emby.Server.Implementations.HttpServer.Security
                     key = authtorizationHeader[start.. i];
                     start = i + 1;
                 }
-
-                i++;
             }
 
             // Add last value

From dc261b815f4ce5fbace33e787902636c43618881 Mon Sep 17 00:00:00 2001
From: Tommaso Stocchi <tommasostocchi@outlook.com>
Date: Thu, 3 Jun 2021 17:12:16 +0200
Subject: [PATCH 13/19] -fix AuthorizationHeader parameter name

---
 .../HttpServer/Security/AuthorizationContext.cs      | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
index c9b94cfdee..ab43e088b9 100644
--- a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
@@ -273,7 +273,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
         /// </summary>
         /// <param name="authorizationHeader">The authorization header.</param>
         /// <returns>string</returns>
-        public static Dictionary<string, string> GetParts(string authtorizationHeader)
+        public static Dictionary<string, string> GetParts(string authorizationHeader)
         {
             var result = new Dictionary<string, string>();
             var escaped = false;
@@ -281,9 +281,9 @@ namespace Emby.Server.Implementations.HttpServer.Security
             string key = string.Empty;
 
             int i;
-            for (i = 0; i < authtorizationHeader.Length; i++)
+            for (i = 0; i < authorizationHeader.Length; i++)
             {
-                var token = authtorizationHeader[i];
+                var token = authorizationHeader[i];
                 if (token == '"' || token == ',')
                 {
                     // Applying a XOR logic to evaluate whether it is opening or closing a value
@@ -293,7 +293,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
                         // Meeting a comma after a closing escape char means the value is complete
                         if (start < i)
                         {
-                            result[key] = WebUtility.UrlDecode(authtorizationHeader[start..i].Trim('"'));
+                            result[key] = WebUtility.UrlDecode(authorizationHeader[start..i].Trim('"'));
                             key = string.Empty;
                         }
 
@@ -302,7 +302,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
                 }
                 else if (!escaped && token == '=')
                 {
-                    key = authtorizationHeader[start.. i];
+                    key = authorizationHeader[start.. i];
                     start = i + 1;
                 }
             }
@@ -310,7 +310,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
             // Add last value
             if (start < i)
             {
-                result[key] = WebUtility.UrlDecode(authtorizationHeader[start..i].Trim('"'));
+                result[key] = WebUtility.UrlDecode(authorizationHeader[start..i].Trim('"'));
             }
 
             return result;

From d1b34a1e9797f4d6bbfe104bed5c42bdc953a692 Mon Sep 17 00:00:00 2001
From: Tommaso Stocchi <tommasostocchi@outlook.com>
Date: Thu, 3 Jun 2021 17:37:42 +0200
Subject: [PATCH 14/19] -fix authorizationHeader is no longer a string

---
 .../HttpServer/Security/AuthorizationContext.cs               | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
index 95be6552b0..f0a706ff52 100644
--- a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
@@ -264,8 +264,8 @@ namespace Emby.Server.Implementations.HttpServer.Security
             }
 
             // Remove up until the first space
-            authorizationHeader = parts[1];
-            return GetParts(authorizationHeader);
+            authorizationHeader = authorizationHeader[(firstSpace + 1)..];
+            return GetParts(authorizationHeader.ToString());
         }
 
         /// <summary>

From 2a72c33ba6ef257aff23c5281c9276d7a0258024 Mon Sep 17 00:00:00 2001
From: Tommaso Stocchi <tommasostocchi@outlook.com>
Date: Thu, 3 Jun 2021 17:43:50 +0200
Subject: [PATCH 15/19] authorizationheader as readonlyspan<char> instead of
 string

---
 .../HttpServer/Security/AuthorizationContext.cs        | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
index f0a706ff52..7b9f72efda 100644
--- a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
@@ -265,7 +265,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
 
             // Remove up until the first space
             authorizationHeader = authorizationHeader[(firstSpace + 1)..];
-            return GetParts(authorizationHeader.ToString());
+            return GetParts(authorizationHeader);
         }
 
         /// <summary>
@@ -273,7 +273,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
         /// </summary>
         /// <param name="authorizationHeader">The authorization header.</param>
         /// <returns>string</returns>
-        public static Dictionary<string, string> GetParts(string authorizationHeader)
+        public static Dictionary<string, string> GetParts(ReadOnlySpan<char> authorizationHeader)
         {
             var result = new Dictionary<string, string>();
             var escaped = false;
@@ -293,7 +293,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
                         // Meeting a comma after a closing escape char means the value is complete
                         if (start < i)
                         {
-                            result[key] = WebUtility.UrlDecode(authorizationHeader[start..i].Trim('"'));
+                            result[key] = WebUtility.UrlDecode(authorizationHeader[start..i].Trim('"').ToString());
                             key = string.Empty;
                         }
 
@@ -302,7 +302,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
                 }
                 else if (!escaped && token == '=')
                 {
-                    key = authorizationHeader[start.. i];
+                    key = authorizationHeader[start.. i].ToString();
                     start = i + 1;
                 }
             }
@@ -310,7 +310,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
             // Add last value
             if (start < i)
             {
-                result[key] = WebUtility.UrlDecode(authorizationHeader[start..i].Trim('"'));
+                result[key] = WebUtility.UrlDecode(authorizationHeader[start..i].Trim('"').ToString());
             }
 
             return result;

From 02a56d8cf73e6745f651fe230520182f0398fae3 Mon Sep 17 00:00:00 2001
From: Tommaso Stocchi <tommasostocchi@outlook.com>
Date: Thu, 3 Jun 2021 17:45:22 +0200
Subject: [PATCH 16/19] Changed return type desc in GetParts()  summary

---
 .../HttpServer/Security/AuthorizationContext.cs                 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
index 7b9f72efda..bcdf71b326 100644
--- a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
@@ -272,7 +272,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
         /// Get the authorization header components.
         /// </summary>
         /// <param name="authorizationHeader">The authorization header.</param>
-        /// <returns>string</returns>
+        /// <returns>Dictionary{System.StringSystem.String}.</returns>
         public static Dictionary<string, string> GetParts(ReadOnlySpan<char> authorizationHeader)
         {
             var result = new Dictionary<string, string>();

From 60185f99c4329da7c93cc3769c4c017aab61b6bf Mon Sep 17 00:00:00 2001
From: cvium <clausvium@gmail.com>
Date: Fri, 3 Sep 2021 21:43:06 +0200
Subject: [PATCH 17/19] fix the build

---
 .../Security/AuthorizationContext.cs                          | 1 -
 .../DefaultAuthorizationHandlerTests.cs                       | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/Jellyfin.Server.Implementations/Security/AuthorizationContext.cs b/Jellyfin.Server.Implementations/Security/AuthorizationContext.cs
index d993ca2345..e559d698a3 100644
--- a/Jellyfin.Server.Implementations/Security/AuthorizationContext.cs
+++ b/Jellyfin.Server.Implementations/Security/AuthorizationContext.cs
@@ -5,7 +5,6 @@ using System.Collections.Generic;
 using System.Linq;
 using System.Net;
 using System.Threading.Tasks;
-using Jellyfin.Extensions;
 using MediaBrowser.Controller.Library;
 using MediaBrowser.Controller.Net;
 using Microsoft.AspNetCore.Http;
diff --git a/tests/Jellyfin.Api.Tests/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandlerTests.cs b/tests/Jellyfin.Api.Tests/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandlerTests.cs
index 5387922ab9..312dffde23 100644
--- a/tests/Jellyfin.Api.Tests/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandlerTests.cs
+++ b/tests/Jellyfin.Api.Tests/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandlerTests.cs
@@ -1,10 +1,10 @@
-using System.Collections.Generic;
+using System.Collections.Generic;
 using System.Threading.Tasks;
 using AutoFixture;
 using AutoFixture.AutoMoq;
-using Emby.Server.Implementations.HttpServer.Security;
 using Jellyfin.Api.Auth.DefaultAuthorizationPolicy;
 using Jellyfin.Api.Constants;
+using Jellyfin.Server.Implementations.Security;
 using MediaBrowser.Common.Configuration;
 using MediaBrowser.Controller.Library;
 using Microsoft.AspNetCore.Authorization;

From 1172ece856d91d060ba5122269fc9ea55f336495 Mon Sep 17 00:00:00 2001
From: cvium <clausvium@gmail.com>
Date: Fri, 3 Sep 2021 23:56:19 +0200
Subject: [PATCH 18/19] remove leading and trailing whitespace from the key

---
 .../Security/AuthorizationContext.cs          |  2 +-
 .../DefaultAuthorizationHandlerTests.cs       | 59 +++++++++++++++++--
 2 files changed, 54 insertions(+), 7 deletions(-)

diff --git a/Jellyfin.Server.Implementations/Security/AuthorizationContext.cs b/Jellyfin.Server.Implementations/Security/AuthorizationContext.cs
index e559d698a3..244abf469e 100644
--- a/Jellyfin.Server.Implementations/Security/AuthorizationContext.cs
+++ b/Jellyfin.Server.Implementations/Security/AuthorizationContext.cs
@@ -291,7 +291,7 @@ namespace Jellyfin.Server.Implementations.Security
                 }
                 else if (!escaped && token == '=')
                 {
-                    key = authorizationHeader[start.. i].ToString();
+                    key = authorizationHeader[start.. i].Trim().ToString();
                     start = i + 1;
                 }
             }
diff --git a/tests/Jellyfin.Api.Tests/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandlerTests.cs b/tests/Jellyfin.Api.Tests/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandlerTests.cs
index 312dffde23..ee4af34ad5 100644
--- a/tests/Jellyfin.Api.Tests/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandlerTests.cs
+++ b/tests/Jellyfin.Api.Tests/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandlerTests.cs
@@ -52,14 +52,61 @@ namespace Jellyfin.Api.Tests.Auth.DefaultAuthorizationPolicy
         }
 
         [Theory]
-        [InlineData("x=\"123,123\",y=\"123\"", "x", "123,123")]
-        [InlineData("x=\"ab\"", "x", "ab")]
-        [InlineData("param=Hörbücher", "param", "Hörbücher")]
-        [InlineData("param=%22%Hörbücher", "param", "\"%Hörbücher")]
-        public void TestAuthHeaders(string input, string key, string value)
+        [MemberData(nameof(GetParts_ValidAuthHeader_Success_Data))]
+        public void GetParts_ValidAuthHeader_Success(string input, Dictionary<string, string> parts)
         {
             var dict = AuthorizationContext.GetParts(input);
-            Assert.True(string.Equals(dict[key], value, System.StringComparison.Ordinal));
+            foreach (var (key, value) in parts)
+            {
+                Assert.Equal(dict[key], value);
+            }
+        }
+
+        private static TheoryData<string, Dictionary<string, string>> GetParts_ValidAuthHeader_Success_Data()
+        {
+            var data = new TheoryData<string, Dictionary<string, string>>();
+
+            data.Add(
+                "x=\"123,123\",y=\"123\"",
+                new Dictionary<string, string>
+                {
+                    { "x", "123,123" },
+                    { "y", "123" }
+                });
+
+            data.Add(
+                "x=\"123,123\",         y=\"123\",z=\"'hi'\"",
+                new Dictionary<string, string>
+                {
+                    { "x", "123,123" },
+                    { "y", "123" },
+                    { "z", "'hi'" }
+                });
+
+            data.Add(
+                "x=\"ab\"",
+                new Dictionary<string, string>
+                {
+                    { "x", "ab" }
+                });
+
+            data.Add(
+                "param=Hörbücher",
+                new Dictionary<string, string>
+                {
+                    { "param", "Hörbücher" }
+                }
+                );
+
+            data.Add(
+                "param=%22%Hörbücher",
+                new Dictionary<string, string>
+                {
+                    { "param", "\"%Hörbücher" }
+                }
+                );
+
+            return data;
         }
     }
 }

From 907d9fa195ccc7ca63229cc597ecaa591ed087c1 Mon Sep 17 00:00:00 2001
From: cvium <clausvium@gmail.com>
Date: Fri, 3 Sep 2021 23:58:07 +0200
Subject: [PATCH 19/19] remove some newlines

---
 .../DefaultAuthorizationHandlerTests.cs                     | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/tests/Jellyfin.Api.Tests/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandlerTests.cs b/tests/Jellyfin.Api.Tests/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandlerTests.cs
index ee4af34ad5..23c51999fa 100644
--- a/tests/Jellyfin.Api.Tests/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandlerTests.cs
+++ b/tests/Jellyfin.Api.Tests/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandlerTests.cs
@@ -95,16 +95,14 @@ namespace Jellyfin.Api.Tests.Auth.DefaultAuthorizationPolicy
                 new Dictionary<string, string>
                 {
                     { "param", "Hörbücher" }
-                }
-                );
+                });
 
             data.Add(
                 "param=%22%Hörbücher",
                 new Dictionary<string, string>
                 {
                     { "param", "\"%Hörbücher" }
-                }
-                );
+                });
 
             return data;
         }