🚧 Fix critical bug with auth header

2026-04-11 16:37:08 +02:00 · 2026-04-11 16:37:08 +02:00 · 308ec0c93a
commit 308ec0c93a
parent e3c584e96d
3 changed files with 26 additions and 17 deletions
--- a/src/main/java/dev/dinauer/oidcproxy/proxy/header/HeaderFilter.java
+++ b/src/main/java/dev/dinauer/oidcproxy/proxy/header/HeaderFilter.java
@ -29,24 +29,11 @@ public class HeaderFilter
        List<Map.Entry<String, String>> headers = filterHop2HopHeaders(request.headers().entries());
        if ("OIDC".equals(strategy))
        {
-            headers = oidcStrategy.filter(getAccessToken(request), headers);
+            headers = oidcStrategy.filter(request, headers);
        }
        return headers;
    }

-    private String getAccessToken(HttpServerRequest request) throws TokenNotFoundException
-    {
-        for (Cookie cookie : request.cookies())
-        {
-            if ("session".equals(cookie.getName()))
-            {
-                String session = cookie.getValue();
-                return sessionCache.get(session);
-            }
-        }
-        throw new UnauthorizedException();
-    }
-
    private List<Map.Entry<String, String>> filterHop2HopHeaders(List<Map.Entry<String, String>> input)
    {
        List<Map.Entry<String, String>> result = new LinkedList<>();
--- a/src/main/java/dev/dinauer/oidcproxy/proxy/header/strategy/OidcStrategy.java
+++ b/src/main/java/dev/dinauer/oidcproxy/proxy/header/strategy/OidcStrategy.java
@ -1,6 +1,12 @@
 package dev.dinauer.oidcproxy.proxy.header.strategy;

+import dev.dinauer.oidcproxy.proxy.exception.TokenNotFoundException;
+import dev.dinauer.oidcproxy.session.SessionCache;
+import io.quarkus.security.UnauthorizedException;
+import io.vertx.core.http.Cookie;
+import io.vertx.core.http.HttpServerRequest;
 import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
 import org.apache.commons.lang3.NotImplementedException;
 import org.apache.commons.lang3.Strings;

@ -12,15 +18,31 @@ public class OidcStrategy
 {
    private static final String AUTH_HEADER = "Authorization";

-    public List<Map.Entry<String, String>> filter(String jwt, List<Map.Entry<String, String>> input)
+    @Inject
+    SessionCache sessionCache;
+
+    public List<Map.Entry<String, String>> filter(HttpServerRequest request, List<Map.Entry<String, String>> input) throws TokenNotFoundException
    {
        if (!hasAuthHeader(input))
        {
-            input.add(Map.entry(AUTH_HEADER, String.format("Bearer %s", jwt)));
+            input.add(Map.entry(AUTH_HEADER, String.format("Bearer %s", getAccessToken(request))));
        }
        return input;
    }

+    private String getAccessToken(HttpServerRequest request) throws TokenNotFoundException
+    {
+        for (Cookie cookie : request.cookies())
+        {
+            if ("session".equals(cookie.getName()))
+            {
+                String session = cookie.getValue();
+                return sessionCache.get(session);
+            }
+        }
+        throw new UnauthorizedException();
+    }
+
    private boolean hasAuthHeader(List<Map.Entry<String, String>> input)
    {
        for (Map.Entry<String, String> header : input)
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@ -6,7 +6,7 @@ oidc.proxy.client.redirect=http://localhost:3000
 %test,dev.oidc.proxy.routes.config.location=/home/andreas/Documents/dev/oidc-proxy/src/main/resources/routes.yaml
 %prod.oidc.proxy.routes.config.location=/var/lib/oidc-proxy/routes.yaml

-%test,dev.quarkus.hibernate-orm.schema-management.strategy=drop-and-create
+%test,dev.quarkus.hibernate-orm.schema-management.strategy=none

 %dev,test.quarkus.datasource.username=postgres
 %dev,test.quarkus.datasource.password=postgres