This is an automated email from the ASF dual-hosted git repository. quantranhong1999 pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/james-project.git
commit c1b5ddd40f8bfabdd037675fb08c4aab331af730 Author: Felix Auringer <[email protected]> AuthorDate: Mon May 18 15:47:30 2026 +0200 refactor(imap): fail early if OIDC is disabled --- .../imap/processor/AuthenticateProcessor.java | 39 +++++++++++----------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/protocols/imap/src/main/java/org/apache/james/imap/processor/AuthenticateProcessor.java b/protocols/imap/src/main/java/org/apache/james/imap/processor/AuthenticateProcessor.java index 981f07f160..9ca4adaa99 100644 --- a/protocols/imap/src/main/java/org/apache/james/imap/processor/AuthenticateProcessor.java +++ b/protocols/imap/src/main/java/org/apache/james/imap/processor/AuthenticateProcessor.java @@ -105,19 +105,24 @@ public class AuthenticateProcessor extends AbstractAuthProcessor<AuthenticateReq } } } else if (authType.equalsIgnoreCase(AUTH_TYPE_OAUTHBEARER) || authType.equalsIgnoreCase(AUTH_TYPE_XOAUTH2)) { - if (request instanceof IRAuthenticateRequest) { - IRAuthenticateRequest irRequest = (IRAuthenticateRequest) request; - doOAuth(irRequest.getInitialClientResponse(), session, request, responder); + if (!session.supportsOAuth()) { + LOGGER.warn("OAuth authentication rejected because it is disabled"); + no(request, responder, HumanReadableText.UNSUPPORTED_AUTHENTICATION_MECHANISM); } else { - session.executeSafely(() -> { - responder.respond(new AuthenticateResponse()); - responder.flush(); - session.pushLineHandler((requestSession, data) -> Mono.fromRunnable(() -> { - doOAuth(extractInitialClientResponse(data), requestSession, request, responder); - requestSession.popLineHandler(); + if (request instanceof IRAuthenticateRequest) { + IRAuthenticateRequest irRequest = (IRAuthenticateRequest) request; + doOAuth(irRequest.getInitialClientResponse(), session, request, responder); + } else { + session.executeSafely(() -> { + responder.respond(new AuthenticateResponse()); responder.flush(); - }).subscribeOn(ReactorUtils.BLOCKING_CALL_WRAPPER).then()); - }); + session.pushLineHandler((requestSession, data) -> Mono.fromRunnable(() -> { + doOAuth(extractInitialClientResponse(data), requestSession, request, responder); + requestSession.popLineHandler(); + responder.flush(); + }).subscribeOn(ReactorUtils.BLOCKING_CALL_WRAPPER).then()); + }); + } } } else { LOGGER.debug("Unsupported authentication mechanism '{}'", authType); @@ -197,14 +202,10 @@ public class AuthenticateProcessor extends AbstractAuthProcessor<AuthenticateReq } protected void doOAuth(String initialResponse, ImapSession session, ImapRequest request, Responder responder) { - if (!session.supportsOAuth()) { - no(request, responder, HumanReadableText.UNSUPPORTED_AUTHENTICATION_MECHANISM); - } else { - OIDCSASLParser.parse(initialResponse) - .flatMap(oidcInitialResponseValue -> session.oidcSaslConfiguration().map(configure -> Pair.of(oidcInitialResponseValue, configure))) - .ifPresentOrElse(pair -> doOAuth(pair.getLeft(), pair.getRight(), session, request, responder), - () -> manageFailureCount(session, request, responder)); - } + OIDCSASLParser.parse(initialResponse) + .flatMap(oidcInitialResponseValue -> session.oidcSaslConfiguration().map(configure -> Pair.of(oidcInitialResponseValue, configure))) + .ifPresentOrElse(pair -> doOAuth(pair.getLeft(), pair.getRight(), session, request, responder), + () -> manageFailureCount(session, request, responder)); session.stopDetectingCommandInjection(); } --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
