Return Mono.empty on Empty POST

Closes gh-18973 Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-03-30 14:08:11 +00:00 · 2026-03-23 18:12:21 -06:00 · 2026-03-23 18:12:21 -06:00 · b6e24db68c
commit b6e24db68c
parent aeb5fc1fb0
2 changed files with 14 additions and 1 deletions
--- a/web/src/main/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverter.java
+++ b/web/src/main/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverter.java
@ -49,7 +49,8 @@ public final class ServerOneTimeTokenAuthenticationConverter implements ServerAu
 		Assert.notNull(exchange, "exchange cannot be null");
 		if (isFormEncodedRequest(exchange.getRequest())) {
 			return exchange.getFormData()
-				.map((data) -> OneTimeTokenAuthenticationToken.unauthenticated(data.getFirst(TOKEN)));
+				.mapNotNull((data) -> data.getFirst(TOKEN))
+				.map((data) -> OneTimeTokenAuthenticationToken.unauthenticated(data));
 		}
 		String token = resolveTokenFromRequest(exchange.getRequest());
 		if (!StringUtils.hasText(token)) {
--- a/web/src/test/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverterTests.java
+++ b/web/src/test/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverterTests.java
@ -72,6 +72,18 @@ public class ServerOneTimeTokenAuthenticationConverterTests {
 		assertThat(authentication).isNull();
 	}

+	// gh-18973
+	@Test
+	void convertWhenNoTokenFormParameterThenNull() {
+		MockServerHttpRequest request = MockServerHttpRequest.post("/")
+			.contentType(MediaType.APPLICATION_FORM_URLENCODED)
+			.body("username=Max");
+
+		Authentication authentication = this.converter.convert(MockServerWebExchange.from(request)).block();
+
+		assertThat(authentication).isNull();
+	}
+
 	@Test
 	void convertWhenTokenEncodedFormParameterThenReturnOneTimeTokenAuthenticationToken() {
 		// @formatter:off