0ct0pu5/fess
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix #2801 Updated AccessTokenHelper to throw exception when only 'Bearer' is specified in Authorization header

Browse source
This commit is contained in:
Shinsuke Sugaya 2024-01-28 22:54:26 +09:00
parent d391949adf
commit cff8b1ccde
2 changed files with 13 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/main/java/org/codelibs/fess/helper/AccessTokenHelper.java
View file

@ -27,6 +27,8 @@ import org.codelibs.fess.util.ComponentUtil;
public class AccessTokenHelper {
protected static final String BEARER = "Bearer";
protected Random random = new SecureRandom();
public String generateAccessToken() {
@ -37,10 +39,10 @@ public class AccessTokenHelper {
final String token = request.getHeader("Authorization");
if (token != null) {
final String[] values = token.trim().split(" ");
if (values.length == 2 && "Bearer".equals(values[0])) {
if (values.length == 2 && BEARER.equals(values[0])) {
return values[1];
}
if (values.length == 1) {
if (values.length == 1 && !BEARER.equals(values[0])) {
return values[0];
}
throw new InvalidAccessTokenException("invalid_request", "Invalid format: " + token);

12
src/test/java/org/codelibs/fess/helper/AccessTokenHelperTest.java
View file

@ -63,16 +63,22 @@ public class AccessTokenHelperTest extends UnitFessTestCase {
assertEquals(token, accessTokenHelper.getAccessTokenFromRequest(req));
}
public void test_getAccessTokenFromRequest_ng0() {
final String token = accessTokenHelper.generateAccessToken();
public void test_getAccessTokenFromRequest_bad0() {
MockletHttpServletRequest req = getMockRequest();
assertNull(accessTokenHelper.getAccessTokenFromRequest(req));
}
public void test_getAccessTokenFromRequest_ng1() {
public void test_getAccessTokenFromRequest_bad1() {
final String token = "INVALID _TOKEN0";
MockletHttpServletRequest req = getMockRequest();
req.addHeader("Authorization", token);
assertThrows(InvalidAccessTokenException.class, () -> accessTokenHelper.getAccessTokenFromRequest(req));
}
public void test_getAccessTokenFromRequest_bad2() {
final String token = "Bearer";
MockletHttpServletRequest req = getMockRequest();
req.addHeader("Authorization", token);
assertThrows(InvalidAccessTokenException.class, () -> accessTokenHelper.getAccessTokenFromRequest(req));
}
}