/**
 * Opens a new JWT session for {@code user} and stores it in the JWT cookie.
 *
 * <p>The session payload is the caller-supplied {@code properties} plus two entries
 * managed here: the last-refresh timestamp and the CSRF state. The CSRF state is issued
 * by {@code jwtCsrfVerifier} before the session is built, so the value signed into the
 * token is the same one the verifier hands to the browser; a later request is then
 * checked by comparing the two (see {@code JwtCsrfVerifier#verifyState}).
 *
 * @param user       authenticated user; its uuid becomes the JWT subject
 * @param properties extra claims to embed; copied into an immutable map, not retained
 * @param request    current request, forwarded to {@code createCookie}
 * @param response   response that receives the JWT cookie (and, via the verifier, the CSRF cookie)
 */
public void generateToken(UserDto user, Map<String, Object> properties, HttpServletRequest request, HttpServletResponse response) {
  // CSRF state first: it is part of the signed session payload assembled below.
  String state = jwtCsrfVerifier.generateState(request, response, sessionTimeoutInSeconds);
  String subject = user.getUuid();

  Map<String, Object> sessionProperties = ImmutableMap.<String, Object>builder()
    .putAll(properties)
    .put(LAST_REFRESH_TIME_PARAM, system2.now())
    .put(CSRF_JWT_PARAM, state)
    .build();
  JwtSerializer.JwtSession session = new JwtSerializer.JwtSession(subject, sessionTimeoutInSeconds, sessionProperties);

  String encoded = jwtSerializer.encode(session);
  response.addCookie(createCookie(request, JWT_COOKIE, encoded, sessionTimeoutInSeconds));
}
/**
 * Re-issues the JWT session and the matching CSRF state with a fresh {@code sessionTimeoutInSeconds}.
 *
 * <p>The CSRF state written back is the one already carried by {@code token}
 * ({@code CSRF_JWT_PARAM}); only its cookie lifetime is renewed, the value itself is kept.
 *
 * @param token    claims of the session being extended
 * @param request  current request, forwarded to {@code createCookie} and the CSRF verifier
 * @param response response that receives the renewed cookies
 */
private void refreshToken(Claims token, HttpServletRequest request, HttpServletResponse response) {
  int timeout = sessionTimeoutInSeconds;
  String renewed = jwtSerializer.refresh(token, timeout);
  Cookie sessionCookie = createCookie(request, JWT_COOKIE, renewed, timeout);
  response.addCookie(sessionCookie);

  String currentState = (String) token.get(CSRF_JWT_PARAM);
  jwtCsrfVerifier.refreshState(request, response, currentState, timeout);
}
/**
 * Ends the JWT session: expires the JWT cookie (empty value, max-age 0) and asks the
 * CSRF verifier to drop its state as well.
 *
 * @param request  current request, forwarded to {@code createCookie} and the verifier
 * @param response response on which the expiring cookie is set
 */
public void removeToken(HttpServletRequest request, HttpServletResponse response) {
  // A null value with max-age 0 tells the browser to discard the cookie immediately.
  Cookie expired = createCookie(request, JWT_COOKIE, null, 0);
  response.addCookie(expired);
  jwtCsrfVerifier.removeState(request, response);
}
/**
 * Checks that the CSRF state carried by the session matches the one sent in the
 * {@code CSRF_HEADER} request header, for requests that {@code shouldRequestBeChecked}
 * selects (GET requests are skipped by that predicate).
 *
 * @param request   incoming request
 * @param csrfState state stored in the JWT session, or {@code null} when absent
 * @param login     login to attach to the failure, or {@code null}
 * @throws AuthenticationException when {@code checkCsrf} reports a mismatch; the cause is
 *         recorded as the exception message for local JWT authentication
 */
public void verifyState(HttpServletRequest request, @Nullable String csrfState, @Nullable String login) {
  if (shouldRequestBeChecked(request)) {
    String headerValue = request.getHeader(CSRF_HEADER);
    String cause = checkCsrf(csrfState, headerValue);
    if (cause == null) {
      return;
    }
    throw AuthenticationException.newBuilder()
      .setSource(Source.local(Method.JWT))
      .setLogin(login)
      .setMessage(cause)
      .build();
  }
}
/**
 * Stubs the request as {@code method uri} and runs {@code verifyState} without a CSRF
 * state; the test passes if no exception is thrown.
 *
 * @param uri    request URI to stub
 * @param method HTTP method to stub
 */
private void executeVerifyStateDoesNotFailOnRequest(String uri, String method) {
  when(request.getMethod()).thenReturn(method);
  when(request.getRequestURI()).thenReturn(uri);

  underTest.verifyState(request, null, LOGIN);
}
}
// A GET on the web-service URL must not be CSRF-checked: no state is given and no exception is expected.
@Test
public void ignore_GET_request() {
  String method = "GET";
  when(request.getMethod()).thenReturn(method);
  when(request.getRequestURI()).thenReturn(JAVA_WS_URL);

  underTest.verifyState(request, null, LOGIN);
}
/**
 * Verifies the CSRF state of a request against the value in the {@code CSRF_HEADER} header.
 *
 * <p>Requests that {@code shouldRequestBeChecked} rejects (GETs, per the tests) are let
 * through untouched. For the others, {@code checkCsrf} returns either {@code null} or a
 * failure cause, and a cause becomes an {@link AuthenticationException} attributed to
 * local JWT authentication with the given login.
 *
 * @param request   incoming request
 * @param csrfState state stored in the JWT session, may be {@code null}
 * @param login     login to report on failure, may be {@code null}
 * @throws AuthenticationException on CSRF mismatch
 */
public void verifyState(HttpServletRequest request, @Nullable String csrfState, @Nullable String login) {
  boolean checked = shouldRequestBeChecked(request);
  if (!checked) {
    return;
  }
  String cause = checkCsrf(csrfState, request.getHeader(CSRF_HEADER));
  if (cause == null) {
    return;
  }
  AuthenticationException failure = AuthenticationException.newBuilder()
    .setSource(Source.local(Method.JWT))
    .setLogin(login)
    .setMessage(cause)
    .build();
  throw failure;
}
/**
 * Decodes and validates an encoded JWT session, refreshing it when due.
 *
 * <p>Rejections (empty result): the token does not decode; it was issued more than
 * {@code SESSION_DISCONNECT_IN_SECONDS} ago (absolute lifetime, checked before any refresh so a
 * session cannot be extended past it); or the subject uuid no longer resolves to a user.
 * The CSRF state is verified before the refresh decision, so a request that fails the CSRF
 * check (which throws from the verifier) never extends the session. A refresh is issued when
 * the last refresh is older than {@code SESSION_REFRESH_IN_SECONDS}.
 *
 * @param tokenEncoded raw JWT string from the cookie
 * @param request      current request, forwarded to the CSRF verifier and the refresh
 * @param response     response that may receive renewed cookies
 * @return the resolved user paired with the decoded claims, or empty when rejected
 * @throws AuthenticationException propagated from {@code jwtCsrfVerifier.verifyState}
 */
private Optional<Token> validateToken(String tokenEncoded, HttpServletRequest request, HttpServletResponse response) {
  Optional<Claims> decoded = jwtSerializer.decode(tokenEncoded);
  if (!decoded.isPresent()) {
    return Optional.empty();
  }
  Date now = new Date(system2.now());
  Claims claims = decoded.get();

  // Hard expiry counted from issue time, independent of refreshes.
  Date disconnectAt = addSeconds(claims.getIssuedAt(), SESSION_DISCONNECT_IN_SECONDS);
  if (now.after(disconnectAt)) {
    return Optional.empty();
  }

  String csrfState = (String) claims.get(CSRF_JWT_PARAM);
  String subject = claims.getSubject();
  jwtCsrfVerifier.verifyState(request, csrfState, subject);

  Date refreshAt = addSeconds(getLastRefreshDate(claims), SESSION_REFRESH_IN_SECONDS);
  if (now.after(refreshAt)) {
    refreshToken(claims, request, response);
  }

  return selectUserFromUuid(subject).map(user -> new Token(user, claims));
}
// Common stubs: fixed clock, a session on the request, a canned encoded token and a canned CSRF state.
@Before
public void setUp() throws Exception {
  when(request.getSession()).thenReturn(httpSession);
  when(system2.now()).thenReturn(NOW);
  when(jwtCsrfVerifier.generateState(eq(request), eq(response), anyInt())).thenReturn(CSRF_STATE);
  when(jwtSerializer.encode(any(JwtSerializer.JwtSession.class))).thenReturn(JWT_TOKEN);
}
// Refreshing the state must re-set the CSRF cookie on the response.
@Test
public void refresh_state() {
  int timeout = 30;
  underTest.refreshState(request, response, CSRF_STATE, timeout);

  verify(response).addCookie(cookieArgumentCaptor.capture());
  Cookie written = cookieArgumentCaptor.getValue();
  verifyCookie(written);
}
// Removing the state must expire the CSRF cookie: no value and a zero max-age.
@Test
public void remove_state() {
  underTest.removeState(request, response);

  verify(response).addCookie(cookieArgumentCaptor.capture());
  Cookie expired = cookieArgumentCaptor.getValue();
  assertThat(expired.getMaxAge()).isEqualTo(0);
  assertThat(expired.getValue()).isNull();
}
// A PUT whose CSRF header differs from the session state is rejected; the message is not public.
@Test
public void verify_PUT_request() {
  String mismatchingHeader = "other value";
  when(request.getMethod()).thenReturn("PUT");
  when(request.getRequestURI()).thenReturn(JAVA_WS_URL);
  mockRequestCsrf(mismatchingHeader);

  thrown.expect(authenticationException().from(Source.local(Method.JWT)).withLogin(LOGIN).andNoPublicMessage());
  thrown.expectMessage("Wrong CSFR in request");

  underTest.verifyState(request, CSRF_STATE, LOGIN);
}
// Generating a state returns a non-empty value and writes the CSRF cookie.
@Test
public void generate_state() {
  String generated = underTest.generateState(request, response, TIMEOUT);

  verify(response).addCookie(cookieArgumentCaptor.capture());
  Cookie written = cookieArgumentCaptor.getValue();
  verifyCookie(written);
  assertThat(generated).isNotEmpty();
}
// When the session is refreshed, the CSRF state stored in the claims is refreshed with the same timeout.
@Test
public void validate_token_refresh_state_when_refreshing_token() {
  UserDto existingUser = db.users().insertUser();
  addJwtCookie();
  // Token was created 10 days ago and refreshed 6 minutes ago
  Claims storedClaims = createToken(existingUser.getUuid(), TEN_DAYS_AGO);
  storedClaims.put("xsrfToken", "CSRF_STATE");
  when(jwtSerializer.decode(JWT_TOKEN)).thenReturn(Optional.of(storedClaims));

  underTest.validateToken(request, response);

  int threeDaysInSeconds = 3 * 24 * 60 * 60;
  verify(jwtCsrfVerifier).refreshState(request, response, "CSRF_STATE", threeDaysInSeconds);
  verify(jwtSerializer).refresh(any(Claims.class), anyInt());
}
// Removing the token expires the session cookie and clears the CSRF state.
@Test
public void remove_token() {
  underTest.removeToken(request, response);

  Cookie sessionCookie = findCookie("JWT-SESSION").get();
  verifyCookie(sessionCookie, null, 0);
  verify(jwtCsrfVerifier).removeState(request, response);
}
// A POST whose CSRF header differs from the session state is rejected; the message is not public.
@Test
public void verify_POST_request() {
  String mismatchingHeader = "other value";
  when(request.getMethod()).thenReturn("POST");
  when(request.getRequestURI()).thenReturn(JAVA_WS_URL);
  mockRequestCsrf(mismatchingHeader);

  thrown.expect(authenticationException().from(Source.local(Method.JWT)).withLogin(LOGIN).andNoPublicMessage());
  thrown.expectMessage("Wrong CSFR in request");

  underTest.verifyState(request, CSRF_STATE, LOGIN);
}
// Creating a token asks the verifier for a CSRF state and embeds it in the session under "xsrfToken".
@Test
public void generate_csrf_state_when_creating_token() {
  UserDto newUser = db.users().insertUser();

  underTest.generateToken(newUser, request, response);

  int threeDaysInSeconds = 3 * 24 * 60 * 60;
  verify(jwtCsrfVerifier).generateState(request, response, threeDaysInSeconds);
  verify(jwtSerializer).encode(jwtArgumentCaptor.capture());
  JwtSerializer.JwtSession encodedSession = jwtArgumentCaptor.getValue();
  Object embeddedState = encodedSession.getProperties().get("xsrfToken");
  assertThat(embeddedState).isEqualTo(CSRF_STATE);
}
/**
 * Extends the session: re-issues the JWT cookie from {@code token} and renews the CSRF
 * state cookie, both with {@code sessionTimeoutInSeconds}. The CSRF value is taken from
 * the claims ({@code CSRF_JWT_PARAM}) so it stays stable across refreshes.
 *
 * @param token    claims of the current session
 * @param request  current request
 * @param response response receiving the renewed cookies
 */
private void refreshToken(Claims token, HttpServletRequest request, HttpServletResponse response) {
  String renewedToken = jwtSerializer.refresh(token, sessionTimeoutInSeconds);
  response.addCookie(createCookie(request, JWT_COOKIE, renewedToken, sessionTimeoutInSeconds));

  Object state = token.get(CSRF_JWT_PARAM);
  jwtCsrfVerifier.refreshState(request, response, (String) state, sessionTimeoutInSeconds);
}
/**
 * Logs the session out by expiring the JWT cookie and removing the CSRF state.
 *
 * @param request  current request
 * @param response response on which the expiring cookie is set
 */
public void removeToken(HttpServletRequest request, HttpServletResponse response) {
  final String noValue = null;
  final int expireNow = 0;
  response.addCookie(createCookie(request, JWT_COOKIE, noValue, expireNow));
  jwtCsrfVerifier.removeState(request, response);
}
// A checked POST whose header matches the session state passes without exception.
@Test
public void verify_state() {
  mockPostJavaWsRequest();
  mockRequestCsrf(CSRF_STATE);

  underTest.verifyState(request, CSRF_STATE, LOGIN);
}