
fix #2801 Updated AccessTokenHelper to throw exception when only 'Bearer' is specified in Authorization header

Shinsuke Sugaya 1 jaar geleden
bovenliggende
commit
cff8b1ccde

+ 4 - 2
src/main/java/org/codelibs/fess/helper/AccessTokenHelper.java

@@ -27,6 +27,8 @@ import org.codelibs.fess.util.ComponentUtil;
 
 public class AccessTokenHelper {
 
+    protected static final String BEARER = "Bearer";
+
     protected Random random = new SecureRandom();
 
     public String generateAccessToken() {
@@ -37,10 +39,10 @@ public class AccessTokenHelper {
         final String token = request.getHeader("Authorization");
         if (token != null) {
             final String[] values = token.trim().split(" ");
-            if (values.length == 2 && "Bearer".equals(values[0])) {
+            if (values.length == 2 && BEARER.equals(values[0])) {
                 return values[1];
             }
-            if (values.length == 1) {
+            if (values.length == 1 && !BEARER.equals(values[0])) {
                 return values[0];
             }
             throw new InvalidAccessTokenException("invalid_request", "Invalid format: " + token);
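Review bot: The new guard on the single-value branch only excludes the exact string "Bearer", so a header containing just `bearer` (or `BEARER`) still falls through to `return values[0]` and is handed back as if it were a token, while `bearer <token>` on the two-value branch is rejected; since the HTTP auth scheme name is case-insensitive, both comparisons would be more consistent as `BEARER.equalsIgnoreCase(values[0])`. The bare-token fallback itself predates this commit, but it is worth a comment on the branch stating that a raw token without a scheme is intentionally accepted, e.g. `// Accept a bare token with no auth scheme for backward compatibility — verify this is still required`. Separately, the `Invalid format: ` message on the context line embeds the full header value, so a malformed-but-real credential ends up in whatever logs or responses carry this exception; consider reporting only the value count or the scheme instead. `getAccessTokenFromRequest` begins before this hunk, so the null-request handling is not visible here.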

+ 9 - 3
src/test/java/org/codelibs/fess/helper/AccessTokenHelperTest.java

@@ -63,16 +63,22 @@ public class AccessTokenHelperTest extends UnitFessTestCase {
         assertEquals(token, accessTokenHelper.getAccessTokenFromRequest(req));
     }
 
-    public void test_getAccessTokenFromRequest_ng0() {
-        final String token = accessTokenHelper.generateAccessToken();
+    public void test_getAccessTokenFromRequest_bad0() {
         MockletHttpServletRequest req = getMockRequest();
         assertNull(accessTokenHelper.getAccessTokenFromRequest(req));
     }
 
-    public void test_getAccessTokenFromRequest_ng1() {
+    public void test_getAccessTokenFromRequest_bad1() {
         final String token = "INVALID _TOKEN0";
         MockletHttpServletRequest req = getMockRequest();
         req.addHeader("Authorization", token);
         assertThrows(InvalidAccessTokenException.class, () -> accessTokenHelper.getAccessTokenFromRequest(req));
     }
+
+    public void test_getAccessTokenFromRequest_bad2() {
+        final String token = "Bearer";
+        MockletHttpServletRequest req = getMockRequest();
+        req.addHeader("Authorization", token);
+        assertThrows(InvalidAccessTokenException.class, () -> accessTokenHelper.getAccessTokenFromRequest(req));
+    }
 }
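Review bot: The renamed tests `bad0`/`bad1`/`bad2` no longer say which malformed input each covers, and `bad2` is the regression test for this commit, so a one-line comment per method would help the next reader, e.g. above `test_getAccessTokenFromRequest_bad2`: `// Authorization header carries only the scheme with no token (fix #2801)`. The new `bad2` asserts only that `InvalidAccessTokenException` is thrown; if the error code matters to clients, the exception returned by `assertThrows` could additionally be checked for `"invalid_request"`, which would pin the contract rather than just the type. A companion case with a trailing space such as `"Bearer "` is covered implicitly by the `trim()` in the helper, so it does not need its own test.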