Merge branch '6.5.x' into 7.0.x

1 week ago · a7c3e842d6
2 changed files with 14 additions and 1 deletions
--- a/web/src/main/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverter.java
+++ b/web/src/main/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverter.java
@ -50,7 +50,8 @@ public final class ServerOneTimeTokenAuthenticationConverter implements ServerAu
				@@ -50,7 +50,8 @@ public final class ServerOneTimeTokenAuthenticationConverter implements ServerAu
 		Assert.notNull(exchange, "exchange cannot be null");
 		if (isFormEncodedRequest(exchange.getRequest())) {
 			return exchange.getFormData()
-				.map((data) -> OneTimeTokenAuthenticationToken.unauthenticated(data.getFirst(TOKEN)));
+				.mapNotNull((data) -> data.getFirst(TOKEN))
+				.map((data) -> OneTimeTokenAuthenticationToken.unauthenticated(data));
 		}
 		String token = resolveTokenFromRequest(exchange.getRequest());
 		if (!StringUtils.hasText(token)) {
--- a/web/src/test/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverterTests.java
+++ b/web/src/test/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverterTests.java
@ -72,6 +72,18 @@ public class ServerOneTimeTokenAuthenticationConverterTests {
				@@ -72,6 +72,18 @@ public class ServerOneTimeTokenAuthenticationConverterTests {
 		assertThat(authentication).isNull();
 	}

+	// gh-18973
+	@Test
+	void convertWhenNoTokenFormParameterThenNull() {
+		MockServerHttpRequest request = MockServerHttpRequest.post("/")
+			.contentType(MediaType.APPLICATION_FORM_URLENCODED)
+			.body("username=Max");
+
+		Authentication authentication = this.converter.convert(MockServerWebExchange.from(request)).block();
+
+		assertThat(authentication).isNull();
+	}
+
 	@Test
 	void convertWhenTokenEncodedFormParameterThenReturnOneTimeTokenAuthenticationToken() {
 		// @formatter:off