fix: Avoid requesting super auth when authentication is disabled (#2630)

tolgee · Oct 29, 2024 · 3f7919a · 3f7919a
1 parent 66c4895
commit 3f7919a
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/...d/security/src/main/kotlin/io/tolgee/security/authentication/AuthenticationInterceptor.kt b/...d/security/src/main/kotlin/io/tolgee/security/authentication/AuthenticationInterceptor.kt
@@ -16,6 +16,7 @@
 
 package io.tolgee.security.authentication
 
+import io.tolgee.configuration.tolgee.AuthenticationProperties
 import io.tolgee.constants.Message
 import io.tolgee.exceptions.PermissionException
 import jakarta.servlet.DispatcherType
@@ -33,6 +34,7 @@ import org.springframework.web.servlet.HandlerInterceptor
 @Component
 class AuthenticationInterceptor(
   private val authenticationFacade: AuthenticationFacade,
+  private val authenticationProperties: AuthenticationProperties,
 ) : HandlerInterceptor, Ordered {
   override fun preHandle(
     request: HttpServletRequest,
@@ -67,6 +69,7 @@ class AuthenticationInterceptor(
 
     if (
       requiresSuperAuth &&
+      authenticationProperties.enabled &&
       authenticationFacade.authenticatedUser.needsSuperJwt &&
       !authenticationFacade.isUserSuperAuthenticated
     ) {

diff --git a/...curity/src/test/kotlin/io/tolgee/security/authentication/AuthenticationInterceptorTest.kt b/...curity/src/test/kotlin/io/tolgee/security/authentication/AuthenticationInterceptorTest.kt
@@ -1,5 +1,6 @@
 package io.tolgee.security.authentication
 
+import io.tolgee.configuration.tolgee.AuthenticationProperties
 import io.tolgee.dtos.cacheable.UserAccountDto
 import io.tolgee.fixtures.andIsForbidden
 import io.tolgee.fixtures.andIsOk
@@ -17,7 +18,9 @@ class AuthenticationInterceptorTest {
 
   private val userAccount = Mockito.mock(UserAccountDto::class.java)
 
-  private val authenticationInterceptor = AuthenticationInterceptor(authenticationFacade)
+  private val authenticationProperties = Mockito.mock(AuthenticationProperties::class.java)
+
+  private val authenticationInterceptor = AuthenticationInterceptor(authenticationFacade, authenticationProperties)
 
   private val mockMvc =
     MockMvcBuilders.standaloneSetup(TestController::class.java)
@@ -26,6 +29,7 @@ class AuthenticationInterceptorTest {
 
   @BeforeEach
   fun setupMocks() {
+    Mockito.`when`(authenticationProperties.enabled).thenReturn(true)
     Mockito.`when`(authenticationFacade.authenticatedUser).thenReturn(userAccount)
     Mockito.`when`(authenticationFacade.isApiAuthentication).thenReturn(false)
     Mockito.`when`(authenticationFacade.isUserSuperAuthenticated).thenReturn(false)
@@ -60,6 +64,13 @@ class AuthenticationInterceptorTest {
     mockMvc.perform(get("/requires-super-auth")).andIsOk
   }
 
+  @Test
+  fun `it ignores super JWT requirement when authentication is disabled`() {
+    mockMvc.perform(get("/requires-super-auth")).andIsForbidden
+    Mockito.`when`(authenticationProperties.enabled).thenReturn(false)
+    mockMvc.perform(get("/requires-super-auth")).andIsOk
+  }
+
   @RestController
   class TestController {
     @GetMapping("/no-annotation")