spring-projects
diff --git a/‎oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverter.java‎
Lines changed: 62 additions & 104 deletions b/‎oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverter.java‎
Lines changed: 62 additions & 104 deletions
@@ -16,16 +16,12 @@
 
 package org.springframework.security.oauth2.server.resource.web.server.authentication;
 
-import static org.springframework.security.oauth2.server.resource.BearerTokenErrors.invalidRequest;
-
 import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
-import reactor.util.function.Tuple2;
-import reactor.util.function.Tuples;
 
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
@@ -38,6 +34,7 @@
 import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthenticationToken;
 import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
 import org.springframework.util.CollectionUtils;
+import org.springframework.util.MultiValueMap;
 import org.springframework.util.StringUtils;
 import org.springframework.web.server.ServerWebExchange;
 
@@ -53,73 +50,89 @@
  */
 public class ServerBearerTokenAuthenticationConverter implements ServerAuthenticationConverter {
 
-	public static final String ACCESS_TOKEN_NAME = "access_token";
-	public static final String MULTIPLE_BEARER_TOKENS_ERROR_MSG = "Found multiple bearer tokens in the request";
+	private static final String ACCESS_TOKEN_PARAMETER_NAME = "access_token";
+
 	private static final Pattern authorizationPattern = Pattern.compile("^Bearer (?<token>[a-zA-Z0-9-._~+/]+=*)$",
 			Pattern.CASE_INSENSITIVE);
 
-	private boolean allowUriQueryParameter = false;
-
 	private boolean allowFormEncodedBodyParameter = false;
 
+	private boolean allowUriQueryParameter = false;
+
 	private String bearerTokenHeaderName = HttpHeaders.AUTHORIZATION;
 
 	@Override
 	public Mono<Authentication> convert(ServerWebExchange exchange) {
-		return Mono.defer(() -> token(exchange)).map(token -> {
-			if (token.isEmpty()) {
-				BearerTokenError error = invalidTokenError();
-				throw new OAuth2AuthenticationException(error);
-			}
-			return new BearerTokenAuthenticationToken(token);
+		return Mono.defer(() -> {
+			ServerHttpRequest request = exchange.getRequest();
+			// @formatter:off
+			return Flux.merge(resolveFromAuthorizationHeader(request.getHeaders()),
+						resolveAccessTokenFromQueryString(request),
+						resolveAccessTokenFromBody(exchange))
+				.collectList()
+				.flatMap(ServerBearerTokenAuthenticationConverter::resolveToken)
+				.map(BearerTokenAuthenticationToken::new);
+			// @formatter:on
 		});
 	}
 
-	private Mono<String> token(ServerWebExchange exchange) {
-		final ServerHttpRequest request = exchange.getRequest();
-
-		return Flux.merge(resolveFromAuthorizationHeader(request.getHeaders()).map(s -> Tuples.of(s, TokenSource.HEADER)),
-						  resolveAccessTokenFromRequest(request).map(s -> Tuples.of(s, TokenSource.QUERY_PARAMETER)),
-						  resolveAccessTokenFromBody(exchange).map(s -> Tuples.of(s, TokenSource.BODY_PARAMETER)))
-				   .collectList()
-				   .mapNotNull(tokenTuples -> {
-					   switch (tokenTuples.size()) {
-						   case 0:
-							   return null;
-						   case 1:
-							   return getTokenIfSupported(tokenTuples.get(0), request);
-						   default:
-							   BearerTokenError error = invalidRequest(MULTIPLE_BEARER_TOKENS_ERROR_MSG);
-							   throw new OAuth2AuthenticationException(error);
-					   }
-				   });
+	private static Mono<String> resolveToken(List<String> accessTokens) {
+		if (CollectionUtils.isEmpty(accessTokens)) {
+			return Mono.empty();
+		}
+
+		if (accessTokens.size() > 1) {
+			BearerTokenError error = BearerTokenErrors.invalidRequest("Found multiple bearer tokens in the request");
+			return Mono.error(new OAuth2AuthenticationException(error));
+		}
+
+		String accessToken = accessTokens.get(0);
+		if (!StringUtils.hasText(accessToken)) {
+			BearerTokenError error = BearerTokenErrors
+				.invalidRequest("The requested token parameter is an empty string");
+			return Mono.error(new OAuth2AuthenticationException(error));
+		}
+
+		return Mono.just(accessToken);
 	}
 
-	private static Mono<String> resolveAccessTokenFromRequest(ServerHttpRequest request) {
-		List<String> parameterTokens = request.getQueryParams().get(ACCESS_TOKEN_NAME);
-		if (CollectionUtils.isEmpty(parameterTokens)) {
+	private Mono<String> resolveFromAuthorizationHeader(HttpHeaders headers) {
+		String authorization = headers.getFirst(this.bearerTokenHeaderName);
+		if (!StringUtils.startsWithIgnoreCase(authorization, "bearer")) {
 			return Mono.empty();
 		}
-		if (parameterTokens.size() == 1) {
-			return Mono.just(parameterTokens.get(0));
+
+		Matcher matcher = authorizationPattern.matcher(authorization);
+		if (!matcher.matches()) {
+			BearerTokenError error = BearerTokenErrors.invalidToken("Bearer token is malformed");
+			throw new OAuth2AuthenticationException(error);
 		}
 
-		BearerTokenError error = invalidRequest(MULTIPLE_BEARER_TOKENS_ERROR_MSG);
-		throw new OAuth2AuthenticationException(error);
+		return Mono.just(matcher.group("token"));
+	}
+
+	private Flux<String> resolveAccessTokenFromQueryString(ServerHttpRequest request) {
+		if (!this.allowUriQueryParameter || !HttpMethod.GET.equals(request.getMethod())) {
+			return Flux.empty();
+		}
 
+		return resolveTokens(request.getQueryParams());
 	}
 
-	private String getTokenIfSupported(Tuple2<String, TokenSource> tokenTuple, ServerHttpRequest request) {
-		switch (tokenTuple.getT2()) {
-			case HEADER:
-				return tokenTuple.getT1();
-			case QUERY_PARAMETER:
-				return isParameterTokenSupportedForRequest(request) ? tokenTuple.getT1() : null;
-			case BODY_PARAMETER:
-				return isBodyParameterTokenSupportedForRequest(request) ? tokenTuple.getT1() : null;
-			default:
-				throw new IllegalArgumentException();
+	private Flux<String> resolveAccessTokenFromBody(ServerWebExchange exchange) {
+		ServerHttpRequest request = exchange.getRequest();
+		if (!this.allowFormEncodedBodyParameter
+				|| !MediaType.APPLICATION_FORM_URLENCODED.equals(request.getHeaders().getContentType())
+				|| !HttpMethod.POST.equals(request.getMethod())) {
+			return Flux.empty();
 		}
+
+		return exchange.getFormData().flatMapMany(ServerBearerTokenAuthenticationConverter::resolveTokens);
+	}
+
+	private static Flux<String> resolveTokens(MultiValueMap<String, String> parameters) {
+		List<String> accessTokens = parameters.get(ACCESS_TOKEN_PARAMETER_NAME);
+		return CollectionUtils.isEmpty(accessTokens) ? Flux.empty() : Flux.fromIterable(accessTokens);
 	}
 
 	/**
@@ -158,59 +171,4 @@ public void setAllowFormEncodedBodyParameter(boolean allowFormEncodedBodyParamet
 		this.allowFormEncodedBodyParameter = allowFormEncodedBodyParameter;
 	}
 
-	private Mono<String> resolveFromAuthorizationHeader(HttpHeaders headers) {
-		String authorization = headers.getFirst(this.bearerTokenHeaderName);
-		if (!StringUtils.startsWithIgnoreCase(authorization, "bearer")) {
-			return Mono.empty();
-		}
-		Matcher matcher = authorizationPattern.matcher(authorization);
-		if (!matcher.matches()) {
-			BearerTokenError error = invalidTokenError();
-			throw new OAuth2AuthenticationException(error);
-		}
-		return Mono.just(matcher.group("token"));
-	}
-
-	private static BearerTokenError invalidTokenError() {
-		return BearerTokenErrors.invalidToken("Bearer token is malformed");
-	}
-
-	private Mono<String> resolveAccessTokenFromBody(ServerWebExchange exchange) {
-		if (!allowFormEncodedBodyParameter) {
-			return Mono.empty();
-		}
-
-		final ServerHttpRequest request = exchange.getRequest();
-
-		if (request.getMethod() == HttpMethod.POST &&
-				MediaType.APPLICATION_FORM_URLENCODED.equalsTypeAndSubtype(request.getHeaders().getContentType())) {
-
-			return exchange.getFormData().mapNotNull(formData -> {
-				if (formData.isEmpty()) {
-					return null;
-				}
-				final List<String> tokens = formData.get(ACCESS_TOKEN_NAME);
-				if (tokens == null) {
-					return null;
-				}
-				if (tokens.size() > 1) {
-					BearerTokenError error = invalidRequest(MULTIPLE_BEARER_TOKENS_ERROR_MSG);
-					throw new OAuth2AuthenticationException(error);
-				}
-				return formData.getFirst(ACCESS_TOKEN_NAME);
-			});
-		}
-		return Mono.empty();
-	}
-
-	private boolean isBodyParameterTokenSupportedForRequest(ServerHttpRequest request) {
-		return this.allowFormEncodedBodyParameter && HttpMethod.POST == request.getMethod();
-	}
-
-	private boolean isParameterTokenSupportedForRequest(ServerHttpRequest request) {
-		return this.allowUriQueryParameter && HttpMethod.GET.equals(request.getMethod());
-	}
-
-	private enum TokenSource {HEADER, QUERY_PARAMETER, BODY_PARAMETER}
-
 }