Sending "Bearer" and "Bearer " resulted in a 500.

1 files changed, 7 insertions, 7 deletions

diff --git a/rest_framework/authentication.py b/rest_framework/authentication.py
index da9ca510..887ef5d7 100644
--- a/rest_framework/authentication.py
+++ b/rest_framework/authentication.py
@@ -310,6 +310,13 @@ class OAuth2Authentication(BaseAuthentication):
 
         auth = get_authorization_header(request).split()
 
+        if len(auth) == 1:
+            msg = 'Invalid bearer header. No credentials provided.'
+            raise exceptions.AuthenticationFailed(msg)
+        elif len(auth) > 2:
+            msg = 'Invalid bearer header. Token string should not contain spaces.'
+            raise exceptions.AuthenticationFailed(msg)
+
         if auth and auth[0].lower() == b'bearer':
             access_token = auth[1]
         elif 'access_token' in request.POST:
@@ -319,13 +326,6 @@ class OAuth2Authentication(BaseAuthentication):
         else:
             return None
 
-        if len(auth) == 1:
-            msg = 'Invalid bearer header. No credentials provided.'
-            raise exceptions.AuthenticationFailed(msg)
-        elif len(auth) > 2:
-            msg = 'Invalid bearer header. Token string should not contain spaces.'
-            raise exceptions.AuthenticationFailed(msg)
-
         return self.authenticate_credentials(request, access_token)
 
     def authenticate_credentials(self, request, access_token):