fix(security): reject requests with missing/malformed auth header

The custom auth filter only rejected invalid tokens but silently passed through requests without an Authorization header, creating a complete auth bypass. Inverted the guard to reject-first: abort immediately when header is absent or malformed, then validate.
2026-06-15 04:31:27 +08:00 · 2026-04-09 16:09:10 +02:00
parent 8f65048bc3
commit eddfeb6fbf
4 changed files with 36 additions and 22 deletions
@@ -72,13 +72,17 @@ public class CustomAuthFilter implements ContainerRequestFilter {
  public void filter(ContainerRequestContext requestContext) {
    String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
-    if (authHeader != null && authHeader.startsWith("Bearer ")) {
+    // ヘッダーが存在しないか不正な場合は即座に拒否
    if (authHeader == null || !authHeader.startsWith("Bearer ")) {
      requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
      return;
    }
    String token = authHeader.substring(7);
    if (!validateToken(token)) {
      requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
    }
  }
  }
  private boolean validateToken(String token) {
    // トークンバリデーションロジック
@@ -73,14 +73,17 @@ public class CustomAuthFilter implements ContainerRequestFilter {
  public void filter(ContainerRequestContext requestContext) {
    String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
-    if (authHeader != null && authHeader.startsWith("Bearer ")) {
+    // Başlık yoksa veya hatalıysa hemen reddet
    if (authHeader == null || !authHeader.startsWith("Bearer ")) {
      requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
      return;
    }
    String token = authHeader.substring(7);
      // Token'ı doğrula ve SecurityIdentity'yi ayarla
    if (!validateToken(token)) {
      requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
    }
  }
  }
  private boolean validateToken(String token) {
    // Token doğrulama mantığı
@@ -72,13 +72,17 @@ public class CustomAuthFilter implements ContainerRequestFilter {
  public void filter(ContainerRequestContext requestContext) {
    String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
-    if (authHeader != null && authHeader.startsWith("Bearer ")) {
+    // 头部缺失或格式错误时立即拒绝
    if (authHeader == null || !authHeader.startsWith("Bearer ")) {
      requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
      return;
    }
    String token = authHeader.substring(7);
    if (!validateToken(token)) {
      requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
    }
  }
  }
  private boolean validateToken(String token) {
    // 令牌验证逻辑
@@ -73,14 +73,17 @@ public class CustomAuthFilter implements ContainerRequestFilter {
  public void filter(ContainerRequestContext requestContext) {
    String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
-    if (authHeader != null && authHeader.startsWith("Bearer ")) {
+    // Reject immediately if header is absent or malformed
    if (authHeader == null || !authHeader.startsWith("Bearer ")) {
      requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
      return;
    }
    String token = authHeader.substring(7);
      // Validate token and set SecurityIdentity
    if (!validateToken(token)) {
      requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
    }
  }
  }
  private boolean validateToken(String token) {
    // Token validation logic