fixes #272 Return an error message if the authorization header is an …

…empty string (#273)
networknt · Dec 22, 2022 · 2b35ab3 · 2b35ab3
1 parent 250b196
commit 2b35ab3
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 1 deletion.
diff --git a/openapi-security/src/main/java/com/networknt/openapi/JwtVerifyHandler.java b/openapi-security/src/main/java/com/networknt/openapi/JwtVerifyHandler.java
@@ -119,7 +119,13 @@ public boolean handleJwt(HttpServerExchange exchange, String pathPrefix, String
 
         if (logger.isTraceEnabled() && authorization != null && authorization.length() > 10)
             logger.trace("Authorization header = " + authorization.substring(0, 10));
-
+        // if an empty authorization header or a value length less than 6 ("Basic "), return an error
+        if(authorization == null || authorization.trim().length() < 6) {
+            setExchangeStatus(exchange, STATUS_INVALID_AUTH_TOKEN);
+            exchange.endExchange();
+            if (logger.isDebugEnabled()) logger.debug("JwtVerifyHandler.handleRequest ends with an error.");
+            return false;
+        }
         authorization = this.getScopeToken(authorization, headerMap);
 
         boolean ignoreExpiry = config.isIgnoreJwtExpiry();

diff --git a/openapi-security/src/test/java/com/networknt/openapi/JwtVerifyHandlerTest.java b/openapi-security/src/test/java/com/networknt/openapi/JwtVerifyHandlerTest.java
@@ -361,4 +361,40 @@ public void testH2CDisabledRequest() throws Exception {
             Assert.assertEquals("ERR10008", status.getCode());
         }
     }
+
+    @Test
+    public void testEmptyAuthorizationHeader() throws Exception {
+        final Http2Client client = Http2Client.getInstance();
+        final CountDownLatch latch = new CountDownLatch(1);
+        final ClientConnection connection;
+        try {
+            connection = client.connect(new URI("http://localhost:7081"), Http2Client.WORKER, Http2Client.SSL, Http2Client.BUFFER_POOL, OptionMap.EMPTY).get();
+        } catch (Exception e) {
+            throw new ClientException(e);
+        }
+        final AtomicReference<ClientResponse> reference = new AtomicReference<>();
+        try {
+            ClientRequest request = new ClientRequest().setPath("/v1/pets/111").setMethod(Methods.GET);
+            request.getRequestHeaders().put(Headers.HOST, "localhost");
+            request.getRequestHeaders().put(Headers.AUTHORIZATION, "");
+            connection.sendRequest(request, client.createClientCallback(reference, latch));
+            latch.await();
+        } catch (Exception e) {
+            logger.error("Exception: ", e);
+            throw new ClientException(e);
+        } finally {
+            IoUtils.safeClose(connection);
+        }
+        int statusCode = reference.get().getResponseCode();
+        logger.debug("statusCode = " + statusCode);
+        String responseBody = reference.get().getAttachment(Http2Client.RESPONSE_BODY);
+        logger.debug("responseBody = " + responseBody);
+        Assert.assertEquals(401, statusCode);
+        if (statusCode == 401) {
+            Status status = Config.getInstance().getMapper().readValue(responseBody, Status.class);
+            Assert.assertNotNull(status);
+            Assert.assertEquals("ERR10000", status.getCode());
+        }
+    }
+
 }