From cff8b1ccdeba766887491243163c79b27ace4ddf Mon Sep 17 00:00:00 2001
From: Shinsuke Sugaya
Date: Sun, 28 Jan 2024 22:54:26 +0900
Subject: [PATCH] fix #2801 Updated AccessTokenHelper to throw exception when only 'Bearer' is specified in Authorization header
---
 .../org/codelibs/fess/helper/AccessTokenHelper.java | 6 ++++--
 .../codelibs/fess/helper/AccessTokenHelperTest.java | 12 +++++++++---
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/main/java/org/codelibs/fess/helper/AccessTokenHelper.java b/src/main/java/org/codelibs/fess/helper/AccessTokenHelper.java
index ad4aa465c..48d18ab82 100644
--- a/src/main/java/org/codelibs/fess/helper/AccessTokenHelper.java
+++ b/src/main/java/org/codelibs/fess/helper/AccessTokenHelper.java
@@ -27,6 +27,8 @@ public class AccessTokenHelper {
+ protected static final String BEARER = "Bearer";
+
 protected Random random = new SecureRandom();
 public String generateAccessToken() {
@@ -37,10 +39,10 @@ public String getAccessTokenFromRequest(final HttpServletRequest request) {
 final String token = request.getHeader("Authorization");
 if (token != null) {
 final String[] values = token.trim().split(" ");
- if (values.length == 2 && "Bearer".equals(values[0])) {
+ if (values.length == 2 && BEARER.equals(values[0])) {
 return values[1];
 }
- if (values.length == 1) {
+ if (values.length == 1 && !BEARER.equals(values[0])) {
 return values[0];
 }
 throw new InvalidAccessTokenException("invalid_request", "Invalid format: " + token);
diff --git a/src/test/java/org/codelibs/fess/helper/AccessTokenHelperTest.java b/src/test/java/org/codelibs/fess/helper/AccessTokenHelperTest.java
index 1166ffdf5..2f1c7320d 100644
--- a/src/test/java/org/codelibs/fess/helper/AccessTokenHelperTest.java
+++ b/src/test/java/org/codelibs/fess/helper/AccessTokenHelperTest.java
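Review bot: The new length-1 guard only rejects the exact-case scheme name, so a header of just `bearer` (RFC 7235 treats the scheme as case-insensitive) is still handed back as a raw token while `bearer <token>` falls through to the exception; using `BEARER.equalsIgnoreCase(values[0])` in both comparisons would make the two branches agree, or if only the canonical spelling is meant to be accepted a comment on the constant saying so would help. An empty or whitespace-only header also slips past the new check if the container returns it as an empty string: `"".trim().split(" ")` yields one empty element, so `values.length == 1` returns `""` as the token instead of throwing; `if (values.length == 1 && !values[0].isEmpty() && !BEARER.equals(values[0])) {` closes that. The exception on the last hunk line interpolates the whole header value into its message, which for the rejected two-part and multi-part shapes may include the credential itself, so if these exceptions are logged it is worth reducing the message to the scheme or the part count. getAccessTokenFromRequest continues past the end of the hunk.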
@@ -63,16 +63,22 @@ public void test_getAccessTokenFromRequest_ok1() {
 assertEquals(token, accessTokenHelper.getAccessTokenFromRequest(req));
 }
- public void test_getAccessTokenFromRequest_ng0() {
- final String token = accessTokenHelper.generateAccessToken();
+ public void test_getAccessTokenFromRequest_bad0() {
 MockletHttpServletRequest req = getMockRequest();
 assertNull(accessTokenHelper.getAccessTokenFromRequest(req));
 }
- public void test_getAccessTokenFromRequest_ng1() {
+ public void test_getAccessTokenFromRequest_bad1() {
 final String token = "INVALID _TOKEN0";
 MockletHttpServletRequest req = getMockRequest();
 req.addHeader("Authorization", token);
 assertThrows(InvalidAccessTokenException.class, () -> accessTokenHelper.getAccessTokenFromRequest(req));
 }
+
+ public void test_getAccessTokenFromRequest_bad2() {
+ final String token = "Bearer";
+ MockletHttpServletRequest req = getMockRequest();
+ req.addHeader("Authorization", token);
+ assertThrows(InvalidAccessTokenException.class, () -> accessTokenHelper.getAccessTokenFromRequest(req));
+ }
 }
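Review bot: The new `bad2` case pins the bare `Bearer` rejection, but nothing in the hunk covers the neighbouring inputs the guard now treats differently: a lowercase `bearer` on its own (returned as a token because the comparison is case-sensitive) and a blank header (returned as `""` rather than rejected, if the mock hands back an empty string). A `bad3`/`bad4` pair that sends those two values and asserts whichever outcome is intended would keep a later change to the guard from flipping them unnoticed. `bad1` and `bad2` differ only in the header literal, so a small `assertRejectsHeader(String value)` helper holding the mock setup and the `assertThrows` would remove the duplicated body. The hunk opens inside `test_getAccessTokenFromRequest_ok1`, whose start lies outside it.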