What happens
When using HeaderBasedSecurityFilter (enabled via -Ddocs.header_authentication=true) with a PostgreSQL database, every request to GET /api/user throws a 500 error:
org.postgresql.util.PSQLException: ERROR: operator does not exist: character varying = bytea
Hint: No operator matches the given name and argument types. You might need to add explicit type casts.
Position: 90
Other endpoints (e.g. /api/document/list) work fine with header-based auth.
Why it happens
In UserResource.info(), after successful authentication the code unconditionally tries to update the auth token's last connection date:
String authToken = getAuthToken(); // returns null — no cookie exists
AuthenticationTokenDao authenticationTokenDao = new AuthenticationTokenDao();
authenticationTokenDao.updateLastConnectionDate(authToken); // passes null to native query
getAuthToken() looks for the auth_token cookie, which obviously doesn't exist when the user was authenticated via the X-Authenticated-User header instead of a normal login. The null value gets passed into updateLastConnectionDate() as a native query parameter, and PostgreSQL can't figure out the type for the WHERE aut_id_c = :id comparison.
(I'd guess this doesn't blow up with H2 because H2 is more lenient with null parameter types in native queries.)
How to reproduce
- Run Teedy with PostgreSQL and -Ddocs.header_authentication=true
- curl -H 'X-Authenticated-User: admin' http://localhost:8080/api/user
- 500 error
Suggested fix
Guard the updateLastConnectionDate call with a null check:
String authToken = getAuthToken();
if (authToken != null) {
    AuthenticationTokenDao authenticationTokenDao = new AuthenticationTokenDao();
    authenticationTokenDao.updateLastConnectionDate(authToken);
}
This is in docs-web/src/main/java/com/sismics/docs/rest/resource/UserResource.java around line 592.
Version
v1.11 (latest release)