fix(security): reject requests with missing/malformed auth header

The custom auth filter only rejected invalid tokens but silently passed through requests without an Authorization header, creating a complete auth bypass. Inverted the guard to reject-first: abort immediately when header is absent or malformed, then validate.
2026-06-10 18:23:12 +08:00 · 2026-04-09 16:09:10 +02:00
parent 8f65048bc3
commit eddfeb6fbf
4 changed files with 36 additions and 22 deletions
--- a/docs/ja-JP/skills/quarkus-security/SKILL.md
+++ b/docs/ja-JP/skills/quarkus-security/SKILL.md
@@ -72,11 +72,15 @@ public class CustomAuthFilter implements ContainerRequestFilter {
  public void filter(ContainerRequestContext requestContext) {
    String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
    
-    if (authHeader != null && authHeader.startsWith("Bearer ")) {
-      String token = authHeader.substring(7);
-      if (!validateToken(token)) {
-        requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
-      }
+    // ヘッダーが存在しないか不正な場合は即座に拒否
+    if (authHeader == null || !authHeader.startsWith("Bearer ")) {
+      requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
+      return;
+    }
+    
+    String token = authHeader.substring(7);
+    if (!validateToken(token)) {
+      requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
    }
  }

--- a/docs/tr/skills/quarkus-security/SKILL.md
+++ b/docs/tr/skills/quarkus-security/SKILL.md
@@ -73,12 +73,15 @@ public class CustomAuthFilter implements ContainerRequestFilter {
  public void filter(ContainerRequestContext requestContext) {
    String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
    
-    if (authHeader != null && authHeader.startsWith("Bearer ")) {
-      String token = authHeader.substring(7);
-      // Token'ı doğrula ve SecurityIdentity'yi ayarla
-      if (!validateToken(token)) {
-        requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
-      }
+    // Başlık yoksa veya hatalıysa hemen reddet
+    if (authHeader == null || !authHeader.startsWith("Bearer ")) {
+      requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
+      return;
+    }
+    
+    String token = authHeader.substring(7);
+    if (!validateToken(token)) {
+      requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
    }
  }

--- a/docs/zh-CN/skills/quarkus-security/SKILL.md
+++ b/docs/zh-CN/skills/quarkus-security/SKILL.md
@@ -72,11 +72,15 @@ public class CustomAuthFilter implements ContainerRequestFilter {
  public void filter(ContainerRequestContext requestContext) {
    String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
    
-    if (authHeader != null && authHeader.startsWith("Bearer ")) {
-      String token = authHeader.substring(7);
-      if (!validateToken(token)) {
-        requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
-      }
+    // 头部缺失或格式错误时立即拒绝
+    if (authHeader == null || !authHeader.startsWith("Bearer ")) {
+      requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
+      return;
+    }
+    
+    String token = authHeader.substring(7);
+    if (!validateToken(token)) {
+      requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
    }
  }

--- a/skills/quarkus-security/SKILL.md
+++ b/skills/quarkus-security/SKILL.md
@@ -73,12 +73,15 @@ public class CustomAuthFilter implements ContainerRequestFilter {
  public void filter(ContainerRequestContext requestContext) {
    String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
    
-    if (authHeader != null && authHeader.startsWith("Bearer ")) {
-      String token = authHeader.substring(7);
-      // Validate token and set SecurityIdentity
-      if (!validateToken(token)) {
-        requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
-      }
+    // Reject immediately if header is absent or malformed
+    if (authHeader == null || !authHeader.startsWith("Bearer ")) {
+      requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
+      return;
+    }
+    
+    String token = authHeader.substring(7);
+    if (!validateToken(token)) {
+      requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
    }
  }