NFC-47 Authentication flow fixes and updates

Signed-off-by: Sander Kondratjev [email protected]

Author: aarmam

example/src/main/java/eu/webeid/example/security/WebEidMobileAuthInitFilter.java

@@ -41,12 +41,14 @@
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.web.filter.OncePerRequestFilter;
 import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
+import org.springframework.web.util.UriComponentsBuilder;
 
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 
 public final class WebEidMobileAuthInitFilter extends OncePerRequestFilter {
+    private static final String WEB_EID_MOBILE_AUTH_PATH = "auth";
     private static final ObjectWriter OBJECT_WRITER = new ObjectMapper().writer();
     private final RequestMatcher requestMatcher;
     private final ChallengeNonceGenerator nonceGenerator;
@@ -79,10 +81,20 @@ protected void doFilterInternal(@NonNull HttpServletRequest request,
                 webEidMobileProperties.requestSigningCert() ? Boolean.TRUE : null)
         );
         String encoded = Base64.getEncoder().encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
-        String eidAuthUri = "web-eid-mobile://auth#" + encoded;
+        String authUri = getAuthUri(encoded);
 
         response.setContentType(MediaType.APPLICATION_JSON_VALUE);
-        OBJECT_WRITER.writeValue(response.getWriter(), new AuthUri(eidAuthUri));
+        OBJECT_WRITER.writeValue(response.getWriter(), new AuthUri(authUri));
+    }
+
+    private String getAuthUri(String encodedPayload) {
+        UriComponentsBuilder builder = UriComponentsBuilder.fromUriString(webEidMobileProperties.baseRequestUri());
+        if (webEidMobileProperties.baseRequestUri().startsWith("http")) {
+            builder.pathSegment(WEB_EID_MOBILE_AUTH_PATH);
+        } else {
+            builder.host(WEB_EID_MOBILE_AUTH_PATH);
+        }
+        return builder.fragment(encodedPayload).toUriString();
     }
 
     @JsonNaming(PropertyNamingStrategies.SnakeCaseStrategy.class)

example/src/main/resources/templates/webeid-login.html

@@ -13,57 +13,47 @@
 </div>
 
 <script type="module" th:inline="javascript">
-    import { showErrorMessage } from "/js/errors.js";
+    import {showErrorMessage, checkHttpError} from "/js/errors.js";
 
     // Using an async IIFE for mobile WebView compatibility:
     // top-level await is not supported in some mobile browsers/WebViews.
     (async function () {
-        const frag = location.hash ? location.hash.substring(1) : "";
-        if (!frag) {
-            showErrorMessage({ code: "UNKNOWN_ERROR", message: "Missing authentication payload" });
-            return;
+        const fragment = window.location.hash.slice(1);
+        if (!fragment) {
+            throw new Error("Missing authentication payload");
         }
 
         let payload;
         try {
-            payload = JSON.parse(atob(frag));
+            payload = JSON.parse(atob(fragment));
         } catch (e) {
-            console.error("Failed to parse payload", e);
-            showErrorMessage({ code: "UNKNOWN_ERROR", message: "Failed to parse authentication payload" });
-            return;
+            console.error(e)
+            throw new Error("Failed to parse the authentication response");
         }
 
         if (payload.error) {
-            showErrorMessage({
-                code: payload.code ?? "UNKNOWN_ERROR",
-                message: payload.message ?? "Authentication failed"
-            });
-            return;
+            const error = new Error(payload.message ?? "Authentication failed");
+            error.code = payload.code;
+            throw error;
         }
 
-        const authToken = payload["auth-token"];
-
-        try {
-            const response = await fetch(/*[[${loginProcessingPath}]]*/, {
-                method: "POST",
-                headers: {
-                    "Content-Type": "application/json",
-                    "X-CSRF-TOKEN": /*[[${csrfToken}]]*/
-                },
-                body: JSON.stringify(authToken),
-                credentials: "include"
-            });
-
-            if (!response.ok) {
-                throw new Error("HTTP " + response.status);
-            }
-
-            window.location.replace("/welcome");
-        } catch (error) {
-            console.error(error);
-            showErrorMessage(error);
-        }
-    })();
+        const authToken = payload["auth_token"];
+        const response = await fetch(/*[[${loginProcessingPath}]]*/, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                "X-CSRF-TOKEN": /*[[${csrfToken}]]*/
+            },
+            body: JSON.stringify(authToken),
+            credentials: "include"
+        });
+        await checkHttpError(response);
+
+        window.location.replace("/welcome");
+    })().catch((error) => {
+        console.error(error);
+        showErrorMessage(error);
+    });
 </script>
 </body>
 </html>