Merge pull request #1996 from constantine2nd/develop

Incorrect provider; Authorization header
2026-02-06 13:26:51 +00:00 · 2021-12-22 05:49:09 -06:00 · 2021-12-22 05:49:09 -06:00 · f9c38ea606
commit f9c38ea606
parent b2e832c3c4 9925dbcb08
3 changed files with 16 additions and 2 deletions
--- a/obp-api/src/main/scala/code/api/util/APIUtil.scala
+++ b/obp-api/src/main/scala/code/api/util/APIUtil.scala
@ -161,6 +161,8 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
  def hasDirectLoginHeader(authorization: Box[String]): Boolean = hasHeader("DirectLogin", authorization)
  
  def has2021DirectLoginHeader(requestHeaders: List[HTTPParam]): Boolean = requestHeaders.find(_.name == "DirectLogin").isDefined
+  
+  def hasAuthorizationHeader(requestHeaders: List[HTTPParam]): Boolean = requestHeaders.find(_.name == "Authorization").isDefined

  def hasAnOAuthHeader(authorization: Box[String]): Boolean = hasHeader("OAuth", authorization)

@ -2760,7 +2762,14 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
        Future{(cc.user, Some(cc))}
      }
      else {
-        Future { (Empty, Some(cc)) }
+        if(hasAuthorizationHeader(reqHeaders)) {
+          // We want to throw error in case of wrong or unsupported header. For instance:
+          // - Authorization: mF_9.B5f-4.1JqM
+          // - Authorization: Basic mF_9.B5f-4.1JqM
+          Future { (Failure(ErrorMessages.InvalidAuthorizationHeader), Some(cc)) }
+        } else {
+          Future { (Empty, Some(cc)) }
+        }
      }

    // COMMON POST AUTHENTICATION CODE GOES BELOW
--- a/obp-api/src/main/scala/code/api/util/ErrorMessages.scala
+++ b/obp-api/src/main/scala/code/api/util/ErrorMessages.scala
@ -190,6 +190,9 @@ object ErrorMessages {
  val DAuthNoJwtForResponse = "OBP-20070: There is no useful value for JWT."
  val DAuthJwtTokenIsNotValid = "OBP-20071: The DAuth JWT is corrupted/changed during a transport."
  val InvalidDAuthHeaderToken = "OBP-20072: DAuth Header value should be one single string."
+  
+  val InvalidAuthorizationHeader = "OBP-20080: Authorization Header format is not supported at this instance."
+  

  val UserNotSuperAdminOrMissRole = "OBP-20101: Current User is not super admin or is missing entitlements: "
  val CannotGetOrCreateUser = "OBP-20102: Cannot get or create user."
--- a/obp-api/src/main/scala/code/snippet/UserInvitation.scala
+++ b/obp-api/src/main/scala/code/snippet/UserInvitation.scala
@ -29,6 +29,7 @@ package code.snippet
 import java.time.{Duration, ZoneId, ZoneOffset, ZonedDateTime}
 import java.util.Date

+import code.api.Constant
 import code.api.util.{APIUtil, SecureRandomUtil}
 import code.model.dataAccess.{AuthUser, ResourceUser}
 import code.users
@ -102,9 +103,10 @@ class UserInvitation extends MdcLoggable {
      else if(termsCheckboxVar.is == false) showErrorsForTermsAndConditions()
      else if(personalDataCollectionConsentCountryWaiverList.exists(_.toLowerCase == countryVar.is.toLowerCase) == false && consentForCollectingCheckboxVar.is == false) showErrorsForConsentForCollectingPersonalData()
      else {
+        val localIdentityProviderUrl = APIUtil.getPropsValue("local_identity_provider_url", Constant.HostName)
        // Resource User table
        createResourceUser(
-          provider = APIUtil.getPropsValue("hostname",""), // TODO Make provider an enum
+          provider = localIdentityProviderUrl, // TODO Make provider an enum
          providerId = Some(usernameVar.is),
          name = Some(usernameVar.is),
          email = Some(email),