From eddfeb6fbfe2c0d6a9b7b511ac94194f4a0e712c Mon Sep 17 00:00:00 2001
From: AlexisLeDain
Date: Thu, 9 Apr 2026 16:09:10 +0200
Subject: [PATCH] fix(security): reject requests with missing/malformed auth header

The custom auth filter only rejected invalid tokens but silently passed through requests without an Authorization header, creating a complete auth bypass. Inverted the guard to reject-first: abort immediately when header is absent or malformed, then validate.
---
 docs/ja-JP/skills/quarkus-security/SKILL.md | 14 +++++++++-----
 docs/tr/skills/quarkus-security/SKILL.md | 15 +++++++++------
 docs/zh-CN/skills/quarkus-security/SKILL.md | 14 +++++++++-----
 skills/quarkus-security/SKILL.md | 15 +++++++++------
 4 files changed, 36 insertions(+), 22 deletions(-)

diff --git a/docs/ja-JP/skills/quarkus-security/SKILL.md b/docs/ja-JP/skills/quarkus-security/SKILL.md
index cd19f41c..69da4a28 100644
--- a/docs/ja-JP/skills/quarkus-security/SKILL.md
+++ b/docs/ja-JP/skills/quarkus-security/SKILL.md
@@ -72,11 +72,15 @@ public class CustomAuthFilter implements ContainerRequestFilter {
     public void filter(ContainerRequestContext requestContext) {
         String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
 
-        if (authHeader != null && authHeader.startsWith("Bearer ")) {
-            String token = authHeader.substring(7);
-            if (!validateToken(token)) {
-                requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
-            }
+        // ヘッダーが存在しないか不正な場合は即座に拒否
+        if (authHeader == null || !authHeader.startsWith("Bearer ")) {
+            requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
+            return;
+        }
+
+        String token = authHeader.substring(7);
+        if (!validateToken(token)) {
+            requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
         }
     }
 
diff --git a/docs/tr/skills/quarkus-security/SKILL.md b/docs/tr/skills/quarkus-security/SKILL.md
index 8f1296ea..161fad6c 100644
--- a/docs/tr/skills/quarkus-security/SKILL.md
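Review bot: Both `requestContext.abortWith(...)` lines in this hunk build a bare 401 with no `WWW-Authenticate: Bearer` challenge, which RFC 6750 expects on a 401 from a bearer-protected resource and which clients rely on to tell an authentication failure apart from other errors; `Response.status(Response.Status.UNAUTHORIZED).header(HttpHeaders.WWW_AUTHENTICATE, "Bearer").build()` fixes both, and the same applies to the tr, zh-CN and English skills/ copies of this hunk. A header of exactly `Bearer ` now reaches `validateToken` with an empty string, so the sample should either guard it — `String token = authHeader.substring(7).strip(); if (token.isEmpty() || !validateToken(token)) {` — or state that `validateToken` rejects blank input; `validateToken` is outside the hunk, so I cannot confirm which holds. The new code only aborts on failure and never shows where a successful request gets its identity (the tr and English versions dropped the old `// Validate token and set SecurityIdentity` comment in this rewrite), so a reader copying the sample should be told in a comment that the success path is expected to establish the SecurityIdentity, presumably inside `validateToken`, since a filter that only gates never authenticates.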
+++ b/docs/tr/skills/quarkus-security/SKILL.md
@@ -73,12 +73,15 @@ public class CustomAuthFilter implements ContainerRequestFilter {
     public void filter(ContainerRequestContext requestContext) {
         String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
 
-        if (authHeader != null && authHeader.startsWith("Bearer ")) {
-            String token = authHeader.substring(7);
-            // Token'ı doğrula ve SecurityIdentity'yi ayarla
-            if (!validateToken(token)) {
-                requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
-            }
+        // Başlık yoksa veya hatalıysa hemen reddet
+        if (authHeader == null || !authHeader.startsWith("Bearer ")) {
+            requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
+            return;
+        }
+
+        String token = authHeader.substring(7);
+        if (!validateToken(token)) {
+            requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
         }
     }
 
diff --git a/docs/zh-CN/skills/quarkus-security/SKILL.md b/docs/zh-CN/skills/quarkus-security/SKILL.md
index 3e48b34b..5b2ff96a 100644
--- a/docs/zh-CN/skills/quarkus-security/SKILL.md
+++ b/docs/zh-CN/skills/quarkus-security/SKILL.md
@@ -72,11 +72,15 @@ public class CustomAuthFilter implements ContainerRequestFilter {
     public void filter(ContainerRequestContext requestContext) {
         String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
 
-        if (authHeader != null && authHeader.startsWith("Bearer ")) {
-            String token = authHeader.substring(7);
-            if (!validateToken(token)) {
-                requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
-            }
+        // 头部缺失或格式错误时立即拒绝
+        if (authHeader == null || !authHeader.startsWith("Bearer ")) {
+            requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
+            return;
+        }
+
+        String token = authHeader.substring(7);
+        if (!validateToken(token)) {
+            requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
         }
     }
 
diff --git a/skills/quarkus-security/SKILL.md b/skills/quarkus-security/SKILL.md
index 99f91390..4a9af479 100644
--- a/skills/quarkus-security/SKILL.md
+++ b/skills/quarkus-security/SKILL.md
@@ -73,12 +73,15 @@ public class CustomAuthFilter implements ContainerRequestFilter {
     public void filter(ContainerRequestContext requestContext) {
         String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
 
-        if (authHeader != null && authHeader.startsWith("Bearer ")) {
-            String token = authHeader.substring(7);
-            // Validate token and set SecurityIdentity
-            if (!validateToken(token)) {
-                requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
-            }
+        // Reject immediately if header is absent or malformed
+        if (authHeader == null || !authHeader.startsWith("Bearer ")) {
+            requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
+            return;
+        }
+
+        String token = authHeader.substring(7);
+        if (!validateToken(token)) {
+            requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
         }
     }
 