HeaderBasedSecurityFilter broken with PostgreSQL — null token crashes /api/user #786

@fmaass

Description

What happens

When using HeaderBasedSecurityFilter (enabled via -Ddocs.header_authentication=true) with a PostgreSQL database, every request to GET /api/user throws a 500 error:

org.postgresql.util.PSQLException: ERROR: operator does not exist: character varying = bytea
  Hint: No operator matches the given name and argument types. You might need to add explicit type casts.
  Position: 90

Other endpoints (e.g. /api/document/list) work fine with header-based auth.

Why it happens

In UserResource.info(), after successful authentication the code unconditionally tries to update the auth token's last connection date:

String authToken = getAuthToken();  // returns null — no cookie exists
AuthenticationTokenDao authenticationTokenDao = new AuthenticationTokenDao();
authenticationTokenDao.updateLastConnectionDate(authToken);  // passes null to native query

getAuthToken() looks for the auth_token cookie, which obviously doesn't exist when the user was authenticated via the X-Authenticated-User header instead of a normal login. The null value gets passed into updateLastConnectionDate() as a native query parameter, and PostgreSQL can't figure out the type for the WHERE aut_id_c = :id comparison.

(I'd guess this doesn't blow up with H2 because H2 is more lenient with null parameter types in native queries.)

How to reproduce

  1. Run Teedy with PostgreSQL and -Ddocs.header_authentication=true
  2. curl -H 'X-Authenticated-User: admin' http://localhost:8080/api/user
  3. 500 error

Suggested fix

Guard the updateLastConnectionDate call with a null check:

String authToken = getAuthToken();
if (authToken != null) {
    AuthenticationTokenDao authenticationTokenDao = new AuthenticationTokenDao();
    authenticationTokenDao.updateLastConnectionDate(authToken);
}

This is in docs-web/src/main/java/com/sismics/docs/rest/resource/UserResource.java around line 592.

Version

v1.11 (latest release)
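The following is an added, self-contained example that is not part of the issue and not Teedy's code. It models the two authentication paths the report describes (cookie-based and X-Authenticated-User header-based) against a stand-in DAO that rejects a null token the way the native PostgreSQL query does, and shows that the suggested null guard keeps the header path from ever reaching the DAO. All class, method and field names (HeaderAuthTokenGuardDemo, FakeAuthenticationTokenDao, Request, infoUnguarded, infoGuarded) are hypothetical stand-ins, and the sample requests are constructed; it needs Java 16 or later for the record.

```java
import java.util.Optional;

// Added example, not Teedy's code: models the cookie vs. header auth paths
// from the issue and the guard that stops a null token reaching the DAO.
public class HeaderAuthTokenGuardDemo {

    /** Stand-in for AuthenticationTokenDao. A null parameter fails here the
     *  way the native PostgreSQL query does (the real DAO surfaces that as a
     *  PSQLException with the message quoted below). */
    static final class FakeAuthenticationTokenDao {
        int updates = 0;

        void updateLastConnectionDate(String authToken) {
            if (authToken == null) {
                throw new IllegalStateException(
                    "ERROR: operator does not exist: character varying = bytea");
            }
            updates++;
        }
    }

    /** Minimal request: an optional auth_token cookie and an optional
     *  X-Authenticated-User header (hypothetical shape, constructed here). */
    record Request(Optional<String> authTokenCookie,
                   Optional<String> authenticatedUserHeader) {}

    /** Mirrors getAuthToken(): the cookie value, or null when absent. */
    static String getAuthToken(Request request) {
        return request.authTokenCookie().orElse(null);
    }

    /** Who the request is authenticated as: the header principal when the
     *  header filter is in use, otherwise a user looked up from the cookie
     *  (simplified to the token itself for this demo). */
    static String authenticatedPrincipal(Request request) {
        return request.authenticatedUserHeader()
            .or(request::authTokenCookie)
            .orElseThrow(() -> new IllegalStateException("not authenticated"));
    }

    /** The unguarded flow from the issue: always touches the DAO. */
    static String infoUnguarded(Request request, FakeAuthenticationTokenDao dao) {
        String principal = authenticatedPrincipal(request);
        dao.updateLastConnectionDate(getAuthToken(request));
        return principal;
    }

    /** The suggested fix: only update a token that actually exists. */
    static String infoGuarded(Request request, FakeAuthenticationTokenDao dao) {
        String principal = authenticatedPrincipal(request);
        String authToken = getAuthToken(request);
        if (authToken != null) {
            dao.updateLastConnectionDate(authToken);
        }
        return principal;
    }

    public static void main(String[] args) {
        // Constructed sample requests: header-authenticated with no cookie,
        // and cookie-authenticated with no header.
        Request headerAuth = new Request(Optional.empty(), Optional.of("admin"));
        Request cookieAuth = new Request(Optional.of("constructed-token-value"),
                                         Optional.empty());

        FakeAuthenticationTokenDao dao = new FakeAuthenticationTokenDao();

        try {
            infoUnguarded(headerAuth, dao);
            System.out.println("unguarded header auth: unexpectedly succeeded");
        } catch (IllegalStateException e) {
            System.out.println("unguarded header auth failed: " + e.getMessage());
        }

        System.out.println("guarded header auth: user=" + infoGuarded(headerAuth, dao)
            + ", DAO updates=" + dao.updates);   // header path skips the DAO
        System.out.println("guarded cookie auth: user=" + infoGuarded(cookieAuth, dao)
            + ", DAO updates=" + dao.updates);   // cookie path still updates
    }
}
```

The stand-in DAO is deliberately strict so the failure is visible without a database; when checking the real fix, run the same two request shapes against PostgreSQL rather than H2, since the report notes that H2 masks the null-typed parameter.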
