Check token content before handling them

This adds plausibility checks before handling tokens as for example jwt or api keys. Doing so we generate less error logs and therefore we cause less confusion.
2026-02-06 14:49:11 +01:00 · 2020-10-14 11:03:42 +02:00
parent 12e01825e8
commit 07a85ef9c1
8 changed files with 68 additions and 7 deletions
--- a/scm-webapp/src/main/java/sonia/scm/security/ApiKeyRealm.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/ApiKeyRealm.java
@@ -30,6 +30,8 @@ import org.apache.shiro.authc.UsernamePasswordToken;
 import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
 import org.apache.shiro.authz.AuthorizationException;
 import org.apache.shiro.realm.AuthenticatingRealm;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import sonia.scm.plugin.Extension;
 import sonia.scm.repository.RepositoryRole;
 import sonia.scm.repository.RepositoryRoleManager;
@@ -43,6 +45,8 @@ import static com.google.common.base.Preconditions.checkArgument;
@Extension
 public class ApiKeyRealm extends AuthenticatingRealm {

+  private static final Logger LOG = LoggerFactory.getLogger(ApiKeyRealm.class);
+
  private final ApiKeyService apiKeyService;
  private final DAORealmHelper helper;
  private final RepositoryRoleManager repositoryRoleManager;
@@ -58,7 +62,14 @@ public class ApiKeyRealm extends AuthenticatingRealm {

  @Override
  public boolean supports(AuthenticationToken token) {
-    return token instanceof UsernamePasswordToken || token instanceof BearerToken;
+    if (token instanceof UsernamePasswordToken || token instanceof BearerToken) {
+      boolean containsDot = getPassword(token).contains(".");
+      if (containsDot) {
+        LOG.debug("Ignoring token with at least one dot ('.'); this is probably a JWT token");
+      }
+      return !containsDot;
+    }
+    return false;
  }

  @Override