bugfix: disallow multiple auth headers

ids-basecamp · Mar 28, 2024 · 23e26e2 · 23e26e2
1 parent 5809490
commit 23e26e2
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/...enbased/src/main/java/org/eclipse/edc/api/auth/token/TokenBasedAuthenticationService.java b/...enbased/src/main/java/org/eclipse/edc/api/auth/token/TokenBasedAuthenticationService.java
@@ -50,6 +50,6 @@ public boolean isAuthenticated(Map<String, List<String>> headers) {
     }
 
     private boolean checkApiKeyValid(List<String> apiKeys) {
-        return apiKeys.stream().anyMatch(hardCodedApiKey::equalsIgnoreCase);
+        return apiKeys.size() == 1 && apiKeys.stream().allMatch(hardCodedApiKey::equalsIgnoreCase);
     }
 }
diff --git a/...sed/src/test/java/org/eclipse/edc/api/auth/token/TokenBasedAuthenticationServiceTest.java b/...sed/src/test/java/org/eclipse/edc/api/auth/token/TokenBasedAuthenticationServiceTest.java
@@ -69,8 +69,8 @@ void isAuthorized_notAuthorized() {
     }
 
     @Test
-    void isAuthorized_multipleValues_oneAuthorized() {
+    void isAuthorized_multipleValues_oneAuthorized_shouldReturnFalse(){
         var map = Map.of("x-api-key", List.of("invalid_api_key", TEST_API_KEY));
-        assertThat(service.isAuthenticated(map)).isTrue();
+        assertThat(service.isAuthenticated(map)).isFalse();
     }
 }