NFC-47 Move /auth/challenge and /auth/mobile/auth/init into Security filters; remove ChallengeController

Author: SanderKondratjevNortal

example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java

@@ -24,7 +24,10 @@
 
 import eu.webeid.example.security.AuthTokenDTOAuthenticationProvider;
 import eu.webeid.example.security.WebEidAjaxLoginProcessingFilter;
+import eu.webeid.example.security.WebEidChallengeNonceFilter;
+import eu.webeid.example.security.WebEidMobileAuthInitFilter;
 import eu.webeid.example.security.ui.WebEidLoginPageGeneratingFilter;
+import eu.webeid.security.challenge.ChallengeNonceGenerator;
 import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -35,8 +38,10 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.access.intercept.AuthorizationFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
+import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
@@ -46,7 +51,7 @@
 public class ApplicationConfiguration implements WebMvcConfigurer {
 
     @Bean
-    public SecurityFilterChain filterChain(HttpSecurity http, AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider, AuthenticationConfiguration authConfig) throws Exception {
+    public SecurityFilterChain filterChain(HttpSecurity http, AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider, AuthenticationConfiguration authConfig, ChallengeNonceGenerator challengeNonceGenerator) throws Exception {
 
         var filter = new WebEidAjaxLoginProcessingFilter("/auth/login", authConfig.getAuthenticationManager());
 
@@ -63,6 +68,8 @@ public SecurityFilterChain filterChain(HttpSecurity http, AuthTokenDTOAuthentica
             )
             .authenticationProvider(authTokenDTOAuthenticationProvider)
             .addFilterBefore(new WebEidLoginPageGeneratingFilter(), UsernamePasswordAuthenticationFilter.class)
+            .addFilterBefore(new WebEidChallengeNonceFilter(challengeNonceGenerator), AuthorizationFilter.class)
+            .addFilterAfter(new WebEidMobileAuthInitFilter(challengeNonceGenerator), CsrfFilter.class)
             .addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class)
             .headers(h -> h.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
             .logout(l -> l.logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()))

example/src/main/java/eu/webeid/example/security/WebEidChallengeNonceFilter.java

@@ -0,0 +1,46 @@
+package eu.webeid.example.security;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.ObjectWriter;
+import eu.webeid.example.service.dto.ChallengeDTO;
+import eu.webeid.security.challenge.ChallengeNonceGenerator;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.http.HttpMethod;
+import org.springframework.lang.NonNull;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import java.io.IOException;
+
+public final class WebEidChallengeNonceFilter extends OncePerRequestFilter {
+
+    private static final ObjectWriter JSON = new ObjectMapper().writer();
+    private final RequestMatcher matcher =
+        PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.GET, "/auth/challenge");
+
+    private final ChallengeNonceGenerator nonceGenerator;
+
+    public WebEidChallengeNonceFilter(ChallengeNonceGenerator nonceGenerator) {
+        this.nonceGenerator = nonceGenerator;
+    }
+
+    @Override
+    protected void doFilterInternal(@NonNull HttpServletRequest request,
+                                    @NonNull HttpServletResponse response,
+                                    @NonNull FilterChain chain) throws ServletException, IOException {
+        if (!matcher.matches(request)) {
+            chain.doFilter(request, response);
+            return;
+        }
+
+        var dto = new ChallengeDTO();
+        dto.setNonce(nonceGenerator.generateAndStoreNonce().getBase64EncodedNonce());
+
+        response.setContentType("application/json");
+        JSON.writeValue(response.getWriter(), dto);
+    }
+}

example/src/main/java/eu/webeid/example/security/WebEidMobileAuthInitFilter.java

@@ -0,0 +1,66 @@
+package eu.webeid.example.security;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import eu.webeid.example.service.dto.MobileAuthInitResponse;
+import eu.webeid.security.challenge.ChallengeNonceGenerator;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.http.HttpMethod;
+import org.springframework.lang.NonNull;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.Map;
+
+public final class WebEidMobileAuthInitFilter extends OncePerRequestFilter {
+
+    private static final ObjectMapper MAPPER = new ObjectMapper();
+    private final RequestMatcher matcher =
+        PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, "/auth/mobile/auth/init");
+
+    private final ChallengeNonceGenerator nonceGenerator;
+
+    public WebEidMobileAuthInitFilter(ChallengeNonceGenerator nonceGenerator) {
+        this.nonceGenerator = nonceGenerator;
+    }
+
+    @Override
+    protected void doFilterInternal(@NonNull HttpServletRequest request,
+                                    @NonNull HttpServletResponse response,
+                                    @NonNull FilterChain chain) throws ServletException, IOException {
+        if (!matcher.matches(request)) {
+            chain.doFilter(request, response);
+            return;
+        }
+
+        String nonce = nonceGenerator.generateAndStoreNonce().getBase64EncodedNonce();
+
+        String loginUri = ServletUriComponentsBuilder
+            .fromCurrentContextPath()
+            .path("/auth/eid/login")
+            .build()
+            .toUriString();
+
+        String payloadJson = MAPPER.writeValueAsString(Map.of(
+            "challenge", nonce,
+            "login_uri", loginUri
+        ));
+        String encoded = Base64.getEncoder().encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
+        String eidAuthUri = "web-eid-mobile://auth#" + encoded;
+
+        response.setContentType("application/json");
+        MAPPER.writeValue(response.getWriter(), new MobileAuthInitResponse(eidAuthUri));
+    }
+
+    @Override
+    protected boolean shouldNotFilterAsyncDispatch() {
+        return false;
+    }
+}

example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java

@@ -22,28 +22,74 @@
 
 package eu.webeid.example;
 
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
-import eu.webeid.example.web.rest.ChallengeController;
+import org.springframework.http.MediaType;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.MvcResult;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
 
-import static org.assertj.core.api.Assertions.assertThat;
 import static eu.webeid.security.challenge.ChallengeNonceGenerator.NONCE_LENGTH;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 @SpringBootTest
-class AuthenticationRestControllerTest {
+@AutoConfigureMockMvc
+class AuthenticationEndpointsFilterTest {
 
     @Autowired
-    ChallengeController authRestController;
+    private ObjectMapper mapper;
+
+    @Autowired
+    private MockMvc mvc;
 
     @Test
-    void testChallengeNonceLength() {
-        assertThat(authRestController.challenge().getNonce().length())
-                .isEqualTo(nonceGeneratorNonceBase64Length());
+    void challengeReturnsNonceWithExpectedBase64Length() throws Exception {
+        MvcResult result = mvc.perform(get("/auth/challenge").accept(MediaType.APPLICATION_JSON))
+            .andExpect(status().isOk())
+            .andExpect(content().contentTypeCompatibleWith(MediaType.APPLICATION_JSON))
+            .andReturn();
+
+        JsonNode json = mapper.readTree(result.getResponse().getContentAsByteArray());
+        String nonce = json.get("nonce").asText();
+
+        assertThat(nonce).isNotBlank();
+        assertThat(nonce).hasSize(expectedBase64Len());
     }
 
-    private int nonceGeneratorNonceBase64Length() {
-        return (NONCE_LENGTH * 8 + 6 - 1) / 6 + 1;
+    @Test
+    void mobileInitBuildsDeepLinkWithEmbeddedChallenge() throws Exception {
+        MvcResult result = mvc.perform(post("/auth/mobile/auth/init")
+                .with(csrf())
+                .accept(MediaType.APPLICATION_JSON))
+            .andExpect(status().isOk())
+            .andExpect(content().contentTypeCompatibleWith(MediaType.APPLICATION_JSON))
+            .andReturn();
+
+        JsonNode json = mapper.readTree(result.getResponse().getContentAsByteArray());
+        String eidAuthUri = json.get("eidAuthUri").asText();
+
+        assertThat(eidAuthUri).startsWith("web-eid-mobile://auth#");
+
+        String fragment = eidAuthUri.substring(eidAuthUri.indexOf('#') + 1);
+        String payloadJson = new String(Base64.getDecoder().decode(fragment), StandardCharsets.UTF_8);
+        JsonNode payload = mapper.readTree(payloadJson);
+
+        assertThat(payload.get("challenge").asText()).hasSize(expectedBase64Len());
+        assertThat(payload.get("login_uri").asText()).endsWith("/auth/eid/login");
     }
 
+    private static int expectedBase64Len() {
+        return Base64.getEncoder().encodeToString(new byte[NONCE_LENGTH]).length();
+    }
 }