zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-06-14 04:01:30 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): reject requests with missing/malformed auth header

Browse Source 
The custom auth filter only rejected invalid tokens but silently
passed through requests without an Authorization header, creating
a complete auth bypass. Inverted the guard to reject-first: abort
immediately when header is absent or malformed, then validate.
This commit is contained in:
AlexisLeDain
2026-04-09 16:09:10 +02:00
parent 8f65048bc3
commit eddfeb6fbf
4 changed files with 36 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/ja-JP/skills/quarkus-security/SKILL.md
+9 -5
View File
@@ -72,11 +72,15 @@ public class CustomAuthFilter implements ContainerRequestFilter {
public void filter(ContainerRequestContext requestContext) { public void filter(ContainerRequestContext requestContext) {
String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION); String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
if (authHeader != null && authHeader.startsWith("Bearer ")) { // ヘッダーが存在しないか不正な場合は即座に拒否
String token = authHeader.substring(7); if (authHeader == null || !authHeader.startsWith("Bearer ")) {
if (!validateToken(token)) { requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build()); return;
} }
String token = authHeader.substring(7);
if (!validateToken(token)) {
requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
} }
} }
docs/tr/skills/quarkus-security/SKILL.md
+9 -6
View File
@@ -73,12 +73,15 @@ public class CustomAuthFilter implements ContainerRequestFilter {
public void filter(ContainerRequestContext requestContext) { public void filter(ContainerRequestContext requestContext) {
String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION); String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
if (authHeader != null && authHeader.startsWith("Bearer ")) { // Başlık yoksa veya hatalıysa hemen reddet
String token = authHeader.substring(7); if (authHeader == null || !authHeader.startsWith("Bearer ")) {
// Token'ı doğrula ve SecurityIdentity'yi ayarla requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
if (!validateToken(token)) { return;
requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build()); }
}
String token = authHeader.substring(7);
if (!validateToken(token)) {
requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
} }
} }
docs/zh-CN/skills/quarkus-security/SKILL.md
+9 -5
View File
@@ -72,11 +72,15 @@ public class CustomAuthFilter implements ContainerRequestFilter {
public void filter(ContainerRequestContext requestContext) { public void filter(ContainerRequestContext requestContext) {
String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION); String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
if (authHeader != null && authHeader.startsWith("Bearer ")) { // 头部缺失或格式错误时立即拒绝
String token = authHeader.substring(7); if (authHeader == null || !authHeader.startsWith("Bearer ")) {
if (!validateToken(token)) { requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build()); return;
} }
String token = authHeader.substring(7);
if (!validateToken(token)) {
requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
} }
} }
skills/quarkus-security/SKILL.md
+9 -6
View File
@@ -73,12 +73,15 @@ public class CustomAuthFilter implements ContainerRequestFilter {
public void filter(ContainerRequestContext requestContext) { public void filter(ContainerRequestContext requestContext) {
String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION); String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
if (authHeader != null && authHeader.startsWith("Bearer ")) { // Reject immediately if header is absent or malformed
String token = authHeader.substring(7); if (authHeader == null || !authHeader.startsWith("Bearer ")) {
// Validate token and set SecurityIdentity requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
if (!validateToken(token)) { return;
requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build()); }
}
String token = authHeader.substring(7);
if (!validateToken(token)) {
requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
} }
} }