Return Mono.empty on Empty POST

jzheaux · jzheaux · commit b6e24db68cc0 · 2026-03-23T18:12:21.000-06:00
Closes gh-18973 Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
diff --git a/web/src/main/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverter.java b/web/src/main/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverter.java
@@ -49,7 +49,8 @@ public Mono<Authentication> convert(ServerWebExchange exchange) {
 		Assert.notNull(exchange, "exchange cannot be null");
 		if (isFormEncodedRequest(exchange.getRequest())) {
 			return exchange.getFormData()
-				.map((data) -> OneTimeTokenAuthenticationToken.unauthenticated(data.getFirst(TOKEN)));
+				.mapNotNull((data) -> data.getFirst(TOKEN))
+				.map((data) -> OneTimeTokenAuthenticationToken.unauthenticated(data));
 		}
 		String token = resolveTokenFromRequest(exchange.getRequest());
 		if (!StringUtils.hasText(token)) {
diff --git a/web/src/test/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverterTests.java b/web/src/test/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverterTests.java
@@ -72,6 +72,18 @@ void convertWhenNoTokenParameterThenNull() {
 		assertThat(authentication).isNull();
 	}
 
+	// gh-18973
+	@Test
+	void convertWhenNoTokenFormParameterThenNull() {
+		MockServerHttpRequest request = MockServerHttpRequest.post("/")
+			.contentType(MediaType.APPLICATION_FORM_URLENCODED)
+			.body("username=Max");
+
+		Authentication authentication = this.converter.convert(MockServerWebExchange.from(request)).block();
+
+		assertThat(authentication).isNull();
+	}
+
 	@Test
 	void convertWhenTokenEncodedFormParameterThenReturnOneTimeTokenAuthenticationToken() {
 		// @formatter:off
