From 675c6a0d6bde4c4f68c84a0d8aba716d9b6b2222 Mon Sep 17 00:00:00 2001 From: Valentin CZERYBA Date: Fri, 13 May 2022 20:33:49 +0200 Subject: [PATCH 1/7] Remove array and add error http bad request --- .../com/covas/Resources/TokenRessource.java | 33 +++++++++++-------- .../com/covas/Resources/UsersRessources.java | 6 ++-- 2 files changed, 23 insertions(+), 16 deletions(-) diff --git a/src/main/java/com/covas/Resources/TokenRessource.java b/src/main/java/com/covas/Resources/TokenRessource.java index f1864f4..2b19a1f 100644 --- a/src/main/java/com/covas/Resources/TokenRessource.java +++ b/src/main/java/com/covas/Resources/TokenRessource.java @@ -21,26 +21,33 @@ import io.smallrye.jwt.auth.principal.JWTParser; import io.smallrye.jwt.auth.principal.ParseException; import io.smallrye.jwt.build.Jwt; + import org.eclipse.microprofile.jwt.JsonWebToken; +import org.jboss.logging.Logger; import org.jboss.resteasy.annotations.jaxrs.HeaderParam; import org.postgresql.shaded.com.ongres.scram.common.bouncycastle.base64.Base64; -@Path("/api") +@Path("/token") public class TokenRessource { @Inject JsonWebToken jwt; + private static final Logger LOGGER = Logger.getLogger(UsersRessources.class); + @Inject JWTParser parser; @GET @Produces(MediaType.APPLICATION_JSON) - @Path("token") public Response getUserName(@HeaderParam("Authorization") String auth, @CookieParam("jwt") String jwtCookie) { String name = "anonymous"; String password = ""; + if (jwtCookie == null) { + if(auth == null){ + return Response.status(Response.Status.BAD_REQUEST).build(); + } String[] hash = new String(Base64.decode(auth.split(" ")[1]), StandardCharsets.UTF_8).split(":"); name = hash[0]; password = Hash.encryptSHA512(hash[1]); @@ -50,7 +57,7 @@ public class TokenRessource { if(password.equals(users.password)){ // Create a JWT token signed using the 'HS256' algorithm - String newJwtCookie = Jwt.issuer("https://example.com/issuer").upn(name).groups(new HashSet<>(Arrays.asList(users.roles))).sign(); + String newJwtCookie = Jwt.issuer("https://example.com/issuer").upn(name).groups(users.roles).sign(); // or create a JWT token encrypted using the 'A256KW' algorithm // Jwt.upn("alice").encryptWithSecret(secret); return Response.status(Response.Status.CREATED).cookie(new NewCookie("jwt", newJwtCookie)).build(); @@ -62,16 +69,16 @@ public class TokenRessource { } return Response.status(Response.Status.NOT_FOUND).build(); - } else { - // All mp.jwt and smallrye.jwt properties are still effective, only the verification key is customized. - try { - jwt = parser.parse(jwtCookie); - } - catch(ParseException p){ - return Response.status(Response.Status.UNAUTHORIZED).build(); - } + } + // All mp.jwt and smallrye.jwt properties are still effective, only the verification key is customized. + try { + jwt = parser.parse(jwtCookie); + } + catch(ParseException p){ + return Response.status(Response.Status.NOT_ACCEPTABLE).build(); + } // or jwt = parser.decrypt(jwtCookie, secret); - return Response.status(Response.Status.OK).build(); - } + return Response.status(Response.Status.OK).build(); } + } diff --git a/src/main/java/com/covas/Resources/UsersRessources.java b/src/main/java/com/covas/Resources/UsersRessources.java index ade1086..1f193fe 100644 --- a/src/main/java/com/covas/Resources/UsersRessources.java +++ b/src/main/java/com/covas/Resources/UsersRessources.java @@ -20,13 +20,13 @@ import org.jboss.logging.Logger; public class UsersRessources { private static final Logger LOGGER = Logger.getLogger(UsersRessources.class); @GET - @RolesAllowed({"Admin"}) + @RolesAllowed("Admin") public Response getUsers(){ return Response.ok(UsersEntity.listAll()).build(); } @GET - @RolesAllowed({"Admin"}) + @RolesAllowed("Admin") @Path("{id}") public Response getSingleUser(@PathParam("id") String id){ UUID uid = UUID.fromString(id); @@ -38,7 +38,7 @@ public class UsersRessources { } @GET - @RolesAllowed({"User"}) + @RolesAllowed("User") @Path("info") public Response getInfoUser(){ return Response.ok().build(); From 39ad985eae13b64816805402410597e7956af1ac Mon Sep 17 00:00:00 2001 From: Valentin CZERYBA Date: Fri, 13 May 2022 21:01:31 +0200 Subject: [PATCH 2/7] Add claims kid --- src/main/java/com/covas/Resources/TokenRessource.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/com/covas/Resources/TokenRessource.java b/src/main/java/com/covas/Resources/TokenRessource.java index 2b19a1f..b5a1552 100644 --- a/src/main/java/com/covas/Resources/TokenRessource.java +++ b/src/main/java/com/covas/Resources/TokenRessource.java @@ -21,7 +21,7 @@ import io.smallrye.jwt.auth.principal.JWTParser; import io.smallrye.jwt.auth.principal.ParseException; import io.smallrye.jwt.build.Jwt; - +import org.eclipse.microprofile.jwt.Claims; import org.eclipse.microprofile.jwt.JsonWebToken; import org.jboss.logging.Logger; import org.jboss.resteasy.annotations.jaxrs.HeaderParam; @@ -57,7 +57,7 @@ public class TokenRessource { if(password.equals(users.password)){ // Create a JWT token signed using the 'HS256' algorithm - String newJwtCookie = Jwt.issuer("https://example.com/issuer").upn(name).groups(users.roles).sign(); + String newJwtCookie = Jwt.issuer("https://example.com/issuer").upn(name).groups(users.roles).claim(Claims.kid, users.id.toString()).sign(); // or create a JWT token encrypted using the 'A256KW' algorithm // Jwt.upn("alice").encryptWithSecret(secret); return Response.status(Response.Status.CREATED).cookie(new NewCookie("jwt", newJwtCookie)).build(); From b91b0dd734292a1dc3f8102871dc6ad33a264c27 Mon Sep 17 00:00:00 2001 From: Valentin CZERYBA Date: Sun, 15 May 2022 11:23:20 +0200 Subject: [PATCH 3/7] simplification class token --- .../com/covas/Resources/TokenRessource.java | 43 ++++++++----------- 1 file changed, 18 insertions(+), 25 deletions(-) diff --git a/src/main/java/com/covas/Resources/TokenRessource.java b/src/main/java/com/covas/Resources/TokenRessource.java index b5a1552..95e0426 100644 --- a/src/main/java/com/covas/Resources/TokenRessource.java +++ b/src/main/java/com/covas/Resources/TokenRessource.java @@ -43,32 +43,25 @@ public class TokenRessource { String name = "anonymous"; String password = ""; - - if (jwtCookie == null) { - if(auth == null){ - return Response.status(Response.Status.BAD_REQUEST).build(); - } - String[] hash = new String(Base64.decode(auth.split(" ")[1]), StandardCharsets.UTF_8).split(":"); - name = hash[0]; - password = Hash.encryptSHA512(hash[1]); - - UsersEntity users = UsersEntity.findByPseudo(name); - if(users != null){ - - if(password.equals(users.password)){ - // Create a JWT token signed using the 'HS256' algorithm - String newJwtCookie = Jwt.issuer("https://example.com/issuer").upn(name).groups(users.roles).claim(Claims.kid, users.id.toString()).sign(); - // or create a JWT token encrypted using the 'A256KW' algorithm - // Jwt.upn("alice").encryptWithSecret(secret); - return Response.status(Response.Status.CREATED).cookie(new NewCookie("jwt", newJwtCookie)).build(); - } else { - return Response.status(Response.Status.FORBIDDEN).build(); - } - - - } + if(auth == null){ + return Response.status(Response.Status.BAD_REQUEST).build(); + } + String[] hash = new String(Base64.decode(auth.split(" ")[1]), StandardCharsets.UTF_8).split(":"); + name = hash[0]; + password = Hash.encryptSHA512(hash[1]); + UsersEntity users = UsersEntity.findByPseudo(name); + if (users == null){ return Response.status(Response.Status.NOT_FOUND).build(); - + } + if (jwtCookie == null) { + if(!password.equals(users.password)){ + return Response.status(Response.Status.FORBIDDEN).build(); + } + // Create a JWT token signed using the 'HS256' algorithm + String newJwtCookie = Jwt.issuer("https://example.com/issuer").upn(name).groups(users.roles).claim(Claims.kid, users.id.toString()).sign(); + // or create a JWT token encrypted using the 'A256KW' algorithm + // Jwt.upn("alice").encryptWithSecret(secret); + return Response.status(Response.Status.CREATED).cookie(new NewCookie("jwt", newJwtCookie)).build(); } // All mp.jwt and smallrye.jwt properties are still effective, only the verification key is customized. try { From 88d93ab8e8623f7904917e367fb1c515015c7f6f Mon Sep 17 00:00:00 2001 From: Valentin CZERYBA Date: Sun, 15 May 2022 11:33:27 +0200 Subject: [PATCH 4/7] add expire --- src/main/java/com/covas/Resources/TokenRessource.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/main/java/com/covas/Resources/TokenRessource.java b/src/main/java/com/covas/Resources/TokenRessource.java index 95e0426..72ddc6f 100644 --- a/src/main/java/com/covas/Resources/TokenRessource.java +++ b/src/main/java/com/covas/Resources/TokenRessource.java @@ -1,6 +1,7 @@ package com.covas.Resources; import java.nio.charset.StandardCharsets; +import java.time.Duration; import java.util.Arrays; import java.util.HashSet; @@ -58,7 +59,7 @@ public class TokenRessource { return Response.status(Response.Status.FORBIDDEN).build(); } // Create a JWT token signed using the 'HS256' algorithm - String newJwtCookie = Jwt.issuer("https://example.com/issuer").upn(name).groups(users.roles).claim(Claims.kid, users.id.toString()).sign(); + String newJwtCookie = Jwt.issuer("https://example.com/issuer").upn(name).groups(users.roles).claim(Claims.kid, users.id.toString()).expiresIn(Duration.ofMinutes(1)).sign(); // or create a JWT token encrypted using the 'A256KW' algorithm // Jwt.upn("alice").encryptWithSecret(secret); return Response.status(Response.Status.CREATED).cookie(new NewCookie("jwt", newJwtCookie)).build(); From 83d7ec19bcc3dc9b6772b8269b2325f64e15cff0 Mon Sep 17 00:00:00 2001 From: Valentin CZERYBA Date: Sun, 15 May 2022 11:33:50 +0200 Subject: [PATCH 5/7] error kid invalid --- src/main/java/com/covas/Resources/TokenRessource.java | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/main/java/com/covas/Resources/TokenRessource.java b/src/main/java/com/covas/Resources/TokenRessource.java index 72ddc6f..4c80581 100644 --- a/src/main/java/com/covas/Resources/TokenRessource.java +++ b/src/main/java/com/covas/Resources/TokenRessource.java @@ -72,6 +72,10 @@ public class TokenRessource { return Response.status(Response.Status.NOT_ACCEPTABLE).build(); } // or jwt = parser.decrypt(jwtCookie, secret); + String kid = jwt.getClaim(Claims.kid).toString(); + if(!kid.equals(users.id.toString())){ + return Response.status(Response.Status.UNAUTHORIZED).build(); + } return Response.status(Response.Status.OK).build(); } From 6c3cf5b92c3bec492ed8b4108e464e0889542f15 Mon Sep 17 00:00:00 2001 From: Valentin CZERYBA Date: Sun, 15 May 2022 13:35:21 +0200 Subject: [PATCH 6/7] add expire times --- .../com/covas/Resources/TokenRessource.java | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/src/main/java/com/covas/Resources/TokenRessource.java b/src/main/java/com/covas/Resources/TokenRessource.java index 4c80581..b9a80a8 100644 --- a/src/main/java/com/covas/Resources/TokenRessource.java +++ b/src/main/java/com/covas/Resources/TokenRessource.java @@ -40,16 +40,20 @@ public class TokenRessource { @GET @Produces(MediaType.APPLICATION_JSON) - public Response getUserName(@HeaderParam("Authorization") String auth, @CookieParam("jwt") String jwtCookie) { + public Response getUserName(@HeaderParam("Authorization") String auth, @CookieParam("user") String user, @CookieParam("jwt") String jwtCookie) { String name = "anonymous"; String password = ""; - if(auth == null){ - return Response.status(Response.Status.BAD_REQUEST).build(); + if(user == null){ + return Response.status(Response.Status.BAD_REQUEST).build(); + } else { + name = new String(Base64.decode(user), StandardCharsets.UTF_8); + } + } else { + String[] hash = new String(Base64.decode(auth.split(" ")[1]), StandardCharsets.UTF_8).split(":"); + name = hash[0]; + password = Hash.encryptSHA512(hash[1]); } - String[] hash = new String(Base64.decode(auth.split(" ")[1]), StandardCharsets.UTF_8).split(":"); - name = hash[0]; - password = Hash.encryptSHA512(hash[1]); UsersEntity users = UsersEntity.findByPseudo(name); if (users == null){ return Response.status(Response.Status.NOT_FOUND).build(); @@ -62,7 +66,8 @@ public class TokenRessource { String newJwtCookie = Jwt.issuer("https://example.com/issuer").upn(name).groups(users.roles).claim(Claims.kid, users.id.toString()).expiresIn(Duration.ofMinutes(1)).sign(); // or create a JWT token encrypted using the 'A256KW' algorithm // Jwt.upn("alice").encryptWithSecret(secret); - return Response.status(Response.Status.CREATED).cookie(new NewCookie("jwt", newJwtCookie)).build(); + String nameEncoded = Base64.toBase64String(name.getBytes(StandardCharsets.UTF_8)); + return Response.status(Response.Status.CREATED).cookie(new NewCookie("jwt", newJwtCookie), new NewCookie("user", nameEncoded)).build(); } // All mp.jwt and smallrye.jwt properties are still effective, only the verification key is customized. try { From 4f1efd8c2ea7bfc9564f90e6720050f2c06b88e2 Mon Sep 17 00:00:00 2001 From: Valentin CZERYBA Date: Sun, 15 May 2022 13:36:43 +0200 Subject: [PATCH 7/7] change name for function --- src/main/java/com/covas/Resources/TokenRessource.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/com/covas/Resources/TokenRessource.java b/src/main/java/com/covas/Resources/TokenRessource.java index b9a80a8..84daf33 100644 --- a/src/main/java/com/covas/Resources/TokenRessource.java +++ b/src/main/java/com/covas/Resources/TokenRessource.java @@ -40,7 +40,7 @@ public class TokenRessource { @GET @Produces(MediaType.APPLICATION_JSON) - public Response getUserName(@HeaderParam("Authorization") String auth, @CookieParam("user") String user, @CookieParam("jwt") String jwtCookie) { + public Response tokenRefresh(@HeaderParam("Authorization") String auth, @CookieParam("user") String user, @CookieParam("jwt") String jwtCookie) { String name = "anonymous"; String password = ""; if(auth == null){