Skip to content

Commit

Permalink
Properly check header before extracting the bearer token
Browse files Browse the repository at this point in the history
Fixes #42591

(cherry picked from commit 51834c5)
  • Loading branch information
gsmet committed Aug 19, 2024
1 parent 1ca100a commit 2b8983f
Showing 1 changed file with 11 additions and 7 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@
@ApplicationScoped
public class OAuth2AuthMechanism implements HttpAuthenticationMechanism {

private static final String BEARER_PREFIX = "Bearer ";

protected static final ChallengeData CHALLENGE_DATA = new ChallengeData(
HttpResponseStatus.UNAUTHORIZED.code(),
HttpHeaderNames.WWW_AUTHENTICATE,
Expand All @@ -42,15 +44,17 @@ public class OAuth2AuthMechanism implements HttpAuthenticationMechanism {
public Uni<SecurityIdentity> authenticate(RoutingContext context,
IdentityProviderManager identityProviderManager) {
String authHeader = context.request().headers().get("Authorization");
String bearerToken = authHeader != null ? authHeader.substring(7) : null;
if (bearerToken != null) {
// Install the OAuth2 principal as the caller
return identityProviderManager
.authenticate(new TokenAuthenticationRequest(new TokenCredential(bearerToken, "bearer")));

if (authHeader == null || !authHeader.startsWith(BEARER_PREFIX)) {
// No suitable bearer token has been found in this request,
return Uni.createFrom().nullItem();
}
// No suitable header has been found in this request,
return Uni.createFrom().nullItem();

String bearerToken = authHeader.substring(BEARER_PREFIX.length());

// Install the OAuth2 principal as the caller
return identityProviderManager
.authenticate(new TokenAuthenticationRequest(new TokenCredential(bearerToken, "bearer")));
}

@Override
Expand Down

0 comments on commit 2b8983f

Please sign in to comment.