I18N-1308: Header Authentication: Users cannot be services (#227)

During service-service authentication, both the user and service headers are sent. For the user flow, accounts are created however if these are actually services we do not want to create accounts on the fly. So validate that a user is not a service before creating their accounts
pinterest · Jan 23, 2025 · d518ccd · d518ccd
1 parent 37b5f1f
commit d518ccd
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/webapp/src/main/java/com/box/l10n/mojito/security/HeaderPreAuthFilter.java b/webapp/src/main/java/com/box/l10n/mojito/security/HeaderPreAuthFilter.java
@@ -17,7 +17,7 @@ public HeaderPreAuthFilter(HeaderSecurityConfig headerSecurityConfig) {
   @Override
   protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
     String forwardedUser = request.getHeader(headerSecurityConfig.userIdentifyingHeader);
-    if (forwardedUser != null) {
+    if (forwardedUser != null && !forwardedUser.contains(headerSecurityConfig.servicePrefix)) {
       logger.debug("Forwarded user: {}", forwardedUser);
       if (!forwardedUser.isEmpty()) {
         return forwardedUser;