/**
 * Extracts the JWT carried by the {@code JWT_COOKIE} cookie of the given request.
 *
 * @param request the incoming request whose cookies are inspected
 * @return the cookie value, or empty when the cookie is absent or its value is empty
 */
private static Optional<String> getTokenFromCookie(HttpServletRequest request) {
  Cookie jwtCookie = findCookie(JWT_COOKIE, request).orElse(null);
  if (jwtCookie == null) {
    return Optional.empty();
  }
  // An empty cookie value is treated exactly like a missing cookie
  String token = jwtCookie.getValue();
  return isEmpty(token) ? Optional.empty() : Optional.of(token);
}
/**
 * Reads one entry of the JSON map stored in the {@code AUTHENTICATION_COOKIE_NAME} cookie.
 * <p>
 * The cookie comes from the client, so the returned value is client-controlled input;
 * callers must validate it before relying on it.
 *
 * @param request the incoming request
 * @param parameterKey key looked up in the deserialized cookie map
 * @return the mapped value, or empty when the cookie is missing, deserializes to an empty map,
 *     or holds no entry for {@code parameterKey}
 */
private static Optional<String> getParameter(HttpServletRequest request, String parameterKey) {
  javax.servlet.http.Cookie authCookie = findCookie(AUTHENTICATION_COOKIE_NAME, request).orElse(null);
  if (authCookie == null) {
    return empty();
  }
  Map<String, String> parameters = fromJson(authCookie.getValue());
  if (parameters.isEmpty()) {
    return empty();
  }
  // A missing key yields empty rather than a null value
  return Optional.ofNullable(parameters.get(parameterKey));
}
/** Looking up a cookie on a request that carries none must yield an empty result, not fail. */
@Test
public void does_not_fail_to_find_cookie_when_no_cookie() {
  boolean found = findCookie("unknown", request).isPresent();
  assertThat(found).isFalse();
}
/** Cookie lookup matches on the exact, case-sensitive name and ignores any other name. */
@Test
public void find_cookie() {
  Cookie stored = newCookieBuilder(request).setName("name").setValue("value").build();
  Cookie[] requestCookies = {stored};
  when(request.getCookies()).thenReturn(requestCookies);

  // Unknown and differently-cased names must not match
  assertThat(findCookie("unknown", request)).isEmpty();
  assertThat(findCookie("NAME", request)).isEmpty();
  assertThat(findCookie("name", request)).isPresent();
}
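/**
 * Checks the OAuth2 state value sent back by the identity provider against the hash stored in
 * the {@code CSRF_STATE_COOKIE} cookie, then clears that cookie.
 * <p>
 * The cookie is expired before the comparison, so the first callback presenting it consumes the
 * state whether or not the check succeeds. The hash comparison uses
 * {@link java.security.MessageDigest#isEqual} rather than {@code String.equals} so that the time
 * taken does not depend on how many leading characters of the submitted value match.
 *
 * @param request the callback request from the identity provider
 * @param response the response on which the state cookie is cleared
 * @param provider the provider the callback belongs to, reported as the source of any failure
 * @param parameterName name of the request parameter carrying the state value
 * @throws AuthenticationException if the state cookie is missing, or the request parameter is
 *     blank or does not hash to the value stored in the cookie
 */
public void verifyState(HttpServletRequest request, HttpServletResponse response, OAuth2IdentityProvider provider, String parameterName) {
  Cookie cookie = findCookie(CSRF_STATE_COOKIE, request)
    .orElseThrow(AuthenticationException.newBuilder()
      .setSource(Source.oauth2(provider))
      .setMessage(format("Cookie '%s' is missing", CSRF_STATE_COOKIE))::build);
  String hashInCookie = cookie.getValue();
  // Remove the cookie before verifying: the state is single-use regardless of the outcome
  response.addCookie(newCookieBuilder(request).setName(CSRF_STATE_COOKIE).setValue(null).setHttpOnly(true).setExpiry(0).build());

  String stateInRequest = request.getParameter(parameterName);
  // A null cookie value can never match; guarded explicitly because getBytes() would throw on it
  boolean stateMatches = !isBlank(stateInRequest)
    && hashInCookie != null
    && java.security.MessageDigest.isEqual(
      sha256Hex(stateInRequest).getBytes(java.nio.charset.StandardCharsets.UTF_8),
      hashInCookie.getBytes(java.nio.charset.StandardCharsets.UTF_8));
  if (!stateMatches) {
    throw AuthenticationException.newBuilder()
      .setSource(Source.oauth2(provider))
      .setMessage("CSRF state value is invalid")
      .build();
  }
}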
/**
 * Returns the JWT stored in the {@code JWT_COOKIE} cookie of the request, if any.
 *
 * @param request the incoming request whose cookies are inspected
 * @return the non-empty cookie value, or empty when the cookie is absent or its value is empty
 */
private static Optional<String> getTokenFromCookie(HttpServletRequest request) {
  Optional<Cookie> jwtCookie = findCookie(JWT_COOKIE, request);
  if (jwtCookie.isPresent()) {
    String token = jwtCookie.get().getValue();
    // Only a non-empty value counts as a token
    if (!isEmpty(token)) {
      return Optional.of(token);
    }
  }
  return Optional.empty();
}
/**
 * Looks up a single key in the JSON map carried by the {@code AUTHENTICATION_COOKIE_NAME} cookie.
 * <p>
 * The cookie is client-supplied, so the value returned here is untrusted input.
 *
 * @param request the incoming request
 * @param parameterKey key to look up in the deserialized map
 * @return the value for the key, or empty when the cookie is missing, the map is empty, or the
 *     key is absent
 */
private static Optional<String> getParameter(HttpServletRequest request, String parameterKey) {
  Optional<javax.servlet.http.Cookie> authCookie = findCookie(AUTHENTICATION_COOKIE_NAME, request);
  if (authCookie.isPresent()) {
    Map<String, String> parameters = fromJson(authCookie.get().getValue());
    if (!parameters.isEmpty()) {
      return Optional.ofNullable(parameters.get(parameterKey));
    }
  }
  return Optional.empty();
}
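/**
 * Checks the {@code state} request parameter sent back by the identity provider against the
 * hash stored in the {@code CSRF_STATE_COOKIE} cookie, then clears that cookie.
 * <p>
 * The cookie is expired before the comparison, so the first callback presenting it consumes the
 * state whether or not the check succeeds. The hash comparison uses
 * {@link java.security.MessageDigest#isEqual} rather than {@code String.equals} so that the time
 * taken does not depend on how many leading characters of the submitted value match.
 *
 * @param request the callback request from the identity provider
 * @param response the response on which the state cookie is cleared
 * @param provider the provider the callback belongs to, reported as the source of any failure
 * @throws AuthenticationException if the state cookie is missing, or the {@code state} parameter
 *     is blank or does not hash to the value stored in the cookie
 */
public void verifyState(HttpServletRequest request, HttpServletResponse response, OAuth2IdentityProvider provider) {
  Cookie cookie = findCookie(CSRF_STATE_COOKIE, request)
    .orElseThrow(AuthenticationException.newBuilder()
      .setSource(Source.oauth2(provider))
      .setMessage(format("Cookie '%s' is missing", CSRF_STATE_COOKIE))::build);
  String hashInCookie = cookie.getValue();
  // Remove the cookie before verifying: the state is single-use regardless of the outcome
  response.addCookie(newCookieBuilder(request).setName(CSRF_STATE_COOKIE).setValue(null).setHttpOnly(true).setExpiry(0).build());

  String stateInRequest = request.getParameter("state");
  // A null cookie value can never match; guarded explicitly because getBytes() would throw on it
  boolean stateMatches = !isBlank(stateInRequest)
    && hashInCookie != null
    && java.security.MessageDigest.isEqual(
      sha256Hex(stateInRequest).getBytes(java.nio.charset.StandardCharsets.UTF_8),
      hashInCookie.getBytes(java.nio.charset.StandardCharsets.UTF_8));
  if (!stateMatches) {
    throw AuthenticationException.newBuilder()
      .setSource(Source.oauth2(provider))
      .setMessage("CSRF state value is invalid")
      .build();
  }
}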