From 2b8983f9f079734aaf81cf49c0986d25bacb837f Mon Sep 17 00:00:00 2001
From: Guillaume Smet
Date: Fri, 16 Aug 2024 16:51:02 +0200
Subject: [PATCH] Properly check header before extracting the bearer token
Fixes #42591
(cherry picked from commit 51834c5559995f69936c458acd902f4788d7e9fa)
---
 .../runtime/auth/OAuth2AuthMechanism.java | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/extensions/elytron-security-oauth2/runtime/src/main/java/io/quarkus/elytron/security/oauth2/runtime/auth/OAuth2AuthMechanism.java b/extensions/elytron-security-oauth2/runtime/src/main/java/io/quarkus/elytron/security/oauth2/runtime/auth/OAuth2AuthMechanism.java
index c61b680c29706..ef644ce1007b8 100644
--- a/extensions/elytron-security-oauth2/runtime/src/main/java/io/quarkus/elytron/security/oauth2/runtime/auth/OAuth2AuthMechanism.java
+++ b/extensions/elytron-security-oauth2/runtime/src/main/java/io/quarkus/elytron/security/oauth2/runtime/auth/OAuth2AuthMechanism.java
@@ -24,6 +24,8 @@
 @ApplicationScoped
 public class OAuth2AuthMechanism implements HttpAuthenticationMechanism {
+ private static final String BEARER_PREFIX = "Bearer ";
+
 protected static final ChallengeData CHALLENGE_DATA = new ChallengeData(
 HttpResponseStatus.UNAUTHORIZED.code(), HttpHeaderNames.WWW_AUTHENTICATE, 
@@ -42,15 +44,17 @@ public class OAuth2AuthMechanism implements HttpAuthenticationMechanism {
 public Uni authenticate(RoutingContext context, IdentityProviderManager identityProviderManager) {
 String authHeader = context.request().headers().get("Authorization");
- String bearerToken = authHeader != null ? authHeader.substring(7) : null;
- if (bearerToken != null) {
- // Install the OAuth2 principal as the caller
- return identityProviderManager
- .authenticate(new TokenAuthenticationRequest(new TokenCredential(bearerToken, "bearer")));
+ if (authHeader == null || !authHeader.startsWith(BEARER_PREFIX)) {
+ // No suitable bearer token has been found in this request,
+ return Uni.createFrom().nullItem();
 }
- // No suitable header has been found in this request,
- return Uni.createFrom().nullItem();
+
+ String bearerToken = authHeader.substring(BEARER_PREFIX.length());
+
+ // Install the OAuth2 principal as the caller
+ return identityProviderManager
+ .authenticate(new TokenAuthenticationRequest(new TokenCredential(bearerToken, "bearer")));
 }
 @Override
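Review bot: The new guard `!authHeader.startsWith(BEARER_PREFIX)` compares the scheme case-sensitively, while RFC 7235 defines the auth-scheme token as case-insensitive, so a client sending `bearer <token>` (which the old unconditional `substring(7)` accepted) now gets `Uni.createFrom().nullItem()` as if no credentials were present. If that tightening is not intended, match the prefix with `if (authHeader == null || !authHeader.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {`. Separately, a header that is exactly `Bearer ` yields an empty `bearerToken` that is still wrapped in a `TokenCredential` and passed to `identityProviderManager.authenticate(...)`; unless that provider is known to reject empty tokens, checking `bearerToken.isBlank()` after the substring and returning the same null item keeps that case on the no-credentials path. The trailing comma in `// No suitable bearer token has been found in this request,` looks like a leftover from the old comment.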