fix #2801 Updated AccessTokenHelper to throw exception when only 'Bea…

…rer' is specified in Authorization header
codelibs · Jan 28, 2024 · cff8b1c · cff8b1c
1 parent d391949
commit cff8b1c
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 5 deletions.
diff --git a/src/main/java/org/codelibs/fess/helper/AccessTokenHelper.java b/src/main/java/org/codelibs/fess/helper/AccessTokenHelper.java
@@ -27,6 +27,8 @@
 
 public class AccessTokenHelper {
 
+    protected static final String BEARER = "Bearer";
+
     protected Random random = new SecureRandom();
 
     public String generateAccessToken() {
@@ -37,10 +39,10 @@ public String getAccessTokenFromRequest(final HttpServletRequest request) {
         final String token = request.getHeader("Authorization");
         if (token != null) {
             final String[] values = token.trim().split(" ");
-            if (values.length == 2 && "Bearer".equals(values[0])) {
+            if (values.length == 2 && BEARER.equals(values[0])) {
                 return values[1];
             }
-            if (values.length == 1) {
+            if (values.length == 1 && !BEARER.equals(values[0])) {
                 return values[0];
             }
             throw new InvalidAccessTokenException("invalid_request", "Invalid format: " + token);

diff --git a/src/test/java/org/codelibs/fess/helper/AccessTokenHelperTest.java b/src/test/java/org/codelibs/fess/helper/AccessTokenHelperTest.java
@@ -63,16 +63,22 @@ public void test_getAccessTokenFromRequest_ok1() {
         assertEquals(token, accessTokenHelper.getAccessTokenFromRequest(req));
     }
 
-    public void test_getAccessTokenFromRequest_ng0() {
-        final String token = accessTokenHelper.generateAccessToken();
+    public void test_getAccessTokenFromRequest_bad0() {
         MockletHttpServletRequest req = getMockRequest();
         assertNull(accessTokenHelper.getAccessTokenFromRequest(req));
     }
 
-    public void test_getAccessTokenFromRequest_ng1() {
+    public void test_getAccessTokenFromRequest_bad1() {
         final String token = "INVALID _TOKEN0";
         MockletHttpServletRequest req = getMockRequest();
         req.addHeader("Authorization", token);
         assertThrows(InvalidAccessTokenException.class, () -> accessTokenHelper.getAccessTokenFromRequest(req));
     }
+
+    public void test_getAccessTokenFromRequest_bad2() {
+        final String token = "Bearer";
+        MockletHttpServletRequest req = getMockRequest();
+        req.addHeader("Authorization", token);
+        assertThrows(InvalidAccessTokenException.class, () -> accessTokenHelper.getAccessTokenFromRequest(req));
+    }
 }