From d518ccde14c99c8a12b08865ba319d1c27a23318 Mon Sep 17 00:00:00 2001
From: byronantak
Date: Thu, 23 Jan 2025 13:46:35 +0000
Subject: [PATCH] I18N-1308: Header Authentication: Users cannot be services (#227)

During service-service authentication, both the user and service headers are sent. For the user flow, accounts are created however if these are actually services we do not want to create accounts on the fly. So validate that a user is not a service before creating their accounts
---
 .../java/com/box/l10n/mojito/security/HeaderPreAuthFilter.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webapp/src/main/java/com/box/l10n/mojito/security/HeaderPreAuthFilter.java b/webapp/src/main/java/com/box/l10n/mojito/security/HeaderPreAuthFilter.java
index 5b2508804b..1f1a2a70c1 100644
--- a/webapp/src/main/java/com/box/l10n/mojito/security/HeaderPreAuthFilter.java
+++ b/webapp/src/main/java/com/box/l10n/mojito/security/HeaderPreAuthFilter.java
@@ -17,7 +17,7 @@ public HeaderPreAuthFilter(HeaderSecurityConfig headerSecurityConfig) {
   @Override
   protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
     String forwardedUser = request.getHeader(headerSecurityConfig.userIdentifyingHeader);
-    if (forwardedUser != null) {
+    if (forwardedUser != null && !forwardedUser.contains(headerSecurityConfig.servicePrefix)) {
       logger.debug("Forwarded user: {}", forwardedUser);
       if (!forwardedUser.isEmpty()) {
         return forwardedUser;
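Review bot: The added `contains(headerSecurityConfig.servicePrefix)` test on the new `if` line is broader and more fragile than a prefix check: any human user whose identifier happens to contain the prefix substring anywhere (not just at the start) is silently refused header authentication, an empty `servicePrefix` makes `contains("")` true for every value and so disables header auth for all users, and a null `servicePrefix` throws a `NullPointerException` from inside the filter. If `servicePrefix` is indeed meant as a prefix (its name suggests so, but the config class is not in the hunk), `startsWith` guarded against a null or empty prefix is the precise test, and pulling it into a small private helper keeps the condition readable and documents the intent; a debug log on the rejected branch would also help operators spot a misconfigured prefix rather than an unexplained denial. The enclosing `getPreAuthenticatedPrincipal` method ends outside the hunk.
```java
    if (forwardedUser != null && !isServiceIdentifier(forwardedUser)) {
      // … unchanged: debug log, isEmpty check, return …

  /**
   * Returns true when the forwarded identifier denotes a service account, i.e. it starts with the
   * configured service prefix. A null or empty prefix never matches, so a missing setting cannot
   * lock every user out.
   */
  private boolean isServiceIdentifier(String identifier) {
    String prefix = headerSecurityConfig.servicePrefix;
    return prefix != null && !prefix.isEmpty() && identifier.startsWith(prefix);
  }
```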