/**
 * Stubs the mocked request with the given URI and HTTP method, then calls
 * {@code verifyState} with no reference CSRF value; the test passes when nothing is thrown.
 *
 * @param uri    request URI returned by the mocked request
 * @param method HTTP method returned by the mocked request
 */
private void executeVerifyStateDoesNotFailOnRequest(String uri, String method) {
  when(request.getMethod()).thenReturn(method);
  when(request.getRequestURI()).thenReturn(uri);
  // null reference state: the method under test is expected to skip the check for this request
  underTest.verifyState(request, null, LOGIN);
}
}
/** A GET request to the web service URL is expected to be exempt from the CSRF check. */
@Test
public void ignore_GET_request() {
  String method = "GET";
  when(request.getMethod()).thenReturn(method);
  when(request.getRequestURI()).thenReturn(JAVA_WS_URL);
  // No reference state is supplied; the call must complete without throwing.
  underTest.verifyState(request, null, LOGIN);
}
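/**
 * Decodes a JWT, checks its age and CSRF state, refreshes it when stale, and resolves its user.
 *
 * @param tokenEncoded the serialized JWT
 * @param request      request carrying the CSRF state to verify
 * @param response     response used when the token is refreshed
 * @return the token and its user, or empty when the JWT cannot be decoded, has no or an expired
 *         issued-at claim, or its subject does not resolve to a user
 */
private Optional<Token> validateToken(String tokenEncoded, HttpServletRequest request, HttpServletResponse response) {
  Optional<Claims> claims = jwtSerializer.decode(tokenEncoded);
  if (!claims.isPresent()) {
    return Optional.empty();
  }
  Date now = new Date(system2.now());
  Claims token = claims.get();
  Date issuedAt = token.getIssuedAt();
  if (issuedAt == null) {
    // Without an issued-at claim the session lifetime cannot be checked; reject the token
    // instead of letting addSeconds fail on a null date.
    return Optional.empty();
  }
  if (now.after(addSeconds(issuedAt, SESSION_DISCONNECT_IN_SECONDS))) {
    return Optional.empty();
  }
  // The CSRF verifier throws on mismatch; the cast assumes the claim is stored as a String.
  jwtCsrfVerifier.verifyState(request, (String) token.get(CSRF_JWT_PARAM), token.getSubject());
  if (now.after(addSeconds(getLastRefreshDate(token), SESSION_REFRESH_IN_SECONDS))) {
    refreshToken(token, request, response);
  }
  Optional<UserDto> user = selectUserFromUuid(token.getSubject());
  if (!user.isPresent()) {
    return Optional.empty();
  }
  return Optional.of(new Token(user.get(), token));
}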
/** A POST whose CSRF header differs from the reference state is rejected. */
@Test
public void verify_POST_request() {
  when(request.getMethod()).thenReturn("POST");
  when(request.getRequestURI()).thenReturn(JAVA_WS_URL);
  mockRequestCsrf("other value");
  // Expected message mirrors the production wording, spelling included.
  thrown.expectMessage("Wrong CSFR in request");
  thrown.expect(authenticationException().from(Source.local(Method.JWT)).withLogin(LOGIN).andNoPublicMessage());
  underTest.verifyState(request, CSRF_STATE, LOGIN);
}
/** A PUT whose CSRF header differs from the reference state is rejected. */
@Test
public void verify_PUT_request() {
  when(request.getMethod()).thenReturn("PUT");
  when(request.getRequestURI()).thenReturn(JAVA_WS_URL);
  mockRequestCsrf("other value");
  // Expected message mirrors the production wording, spelling included.
  thrown.expectMessage("Wrong CSFR in request");
  thrown.expect(authenticationException().from(Source.local(Method.JWT)).withLogin(LOGIN).andNoPublicMessage());
  underTest.verifyState(request, CSRF_STATE, LOGIN);
}
/** A POST whose CSRF header equals the reference state passes verification. */
@Test
public void verify_state() {
  mockPostJavaWsRequest();
  mockRequestCsrf(CSRF_STATE);
  // Header and reference value agree: no exception expected.
  underTest.verifyState(request, CSRF_STATE, LOGIN);
}
/** A DELETE whose CSRF header differs from the reference state is rejected. */
@Test
public void verify_DELETE_request() {
  when(request.getMethod()).thenReturn("DELETE");
  when(request.getRequestURI()).thenReturn(JAVA_WS_URL);
  mockRequestCsrf("other value");
  // Expected message mirrors the production wording, spelling included.
  thrown.expectMessage("Wrong CSFR in request");
  thrown.expect(authenticationException().from(Source.local(Method.JWT)).withLogin(LOGIN).andNoPublicMessage());
  underTest.verifyState(request, CSRF_STATE, LOGIN);
}
/** Validating a token hands its xsrf claim and subject to the CSRF verifier. */
@Test
public void validate_token_verify_csrf_state() {
  UserDto user = db.users().insertUser();
  String subject = user.getUuid();
  addJwtCookie();
  Claims claims = createToken(subject, NOW);
  claims.put("xsrfToken", CSRF_STATE);
  when(jwtSerializer.decode(JWT_TOKEN)).thenReturn(Optional.of(claims));

  underTest.validateToken(request, response);

  // The verifier must see the claim value and the token subject, not values from the request.
  verify(jwtCsrfVerifier).verifyState(request, CSRF_STATE, subject);
}
/** A mismatch between the CSRF header and the reference state raises an authentication failure. */
@Test
public void fail_with_AuthenticationException_when_state_header_is_not_the_same_as_state_parameter() {
  mockPostJavaWsRequest();
  mockRequestCsrf("other value");
  // Expected message mirrors the production wording, spelling included.
  thrown.expectMessage("Wrong CSFR in request");
  thrown.expect(authenticationException().from(Source.local(Method.JWT)).withLogin(LOGIN).andNoPublicMessage());
  underTest.verifyState(request, CSRF_STATE, LOGIN);
}
/** A null reference state on a POST is treated as a missing CSRF value, not as a match. */
@Test
public void fail_with_AuthenticationException_when_state_is_null() {
  mockPostJavaWsRequest();
  mockRequestCsrf(CSRF_STATE);
  thrown.expectMessage("Missing reference CSRF value");
  thrown.expect(authenticationException().from(Source.local(Method.JWT)).withLogin(LOGIN).andNoPublicMessage());
  underTest.verifyState(request, null, LOGIN);
}
/** An empty reference state on a POST is treated as a missing CSRF value, not as a match. */
@Test
public void fail_with_AuthenticationException_when_state_parameter_is_empty() {
  String emptyState = "";
  mockPostJavaWsRequest();
  mockRequestCsrf(CSRF_STATE);
  thrown.expectMessage("Missing reference CSRF value");
  thrown.expect(authenticationException().from(Source.local(Method.JWT)).withLogin(LOGIN).andNoPublicMessage());
  underTest.verifyState(request, emptyState, LOGIN);
}
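/**
 * Decodes a JWT, checks its age and CSRF state, refreshes it when stale, and resolves its user.
 *
 * @param tokenEncoded the serialized JWT
 * @param request      request carrying the CSRF state to verify
 * @param response     response used when the token is refreshed
 * @return the token and its user, or empty when the JWT cannot be decoded, has no or an expired
 *         issued-at claim, or its subject does not resolve to a user
 */
private Optional<Token> validateToken(String tokenEncoded, HttpServletRequest request, HttpServletResponse response) {
  Optional<Claims> claims = jwtSerializer.decode(tokenEncoded);
  if (!claims.isPresent()) {
    return Optional.empty();
  }
  Date now = new Date(system2.now());
  Claims token = claims.get();
  Date issuedAt = token.getIssuedAt();
  if (issuedAt == null) {
    // Without an issued-at claim the session lifetime cannot be checked; reject the token
    // instead of letting addSeconds fail on a null date.
    return Optional.empty();
  }
  if (now.after(addSeconds(issuedAt, SESSION_DISCONNECT_IN_SECONDS))) {
    return Optional.empty();
  }
  // The CSRF verifier throws on mismatch; the cast assumes the claim is stored as a String.
  jwtCsrfVerifier.verifyState(request, (String) token.get(CSRF_JWT_PARAM), token.getSubject());
  if (now.after(addSeconds(getLastRefreshDate(token), SESSION_REFRESH_IN_SECONDS))) {
    refreshToken(token, request, response);
  }
  Optional<UserDto> user = selectUserFromDb(token.getSubject());
  if (!user.isPresent()) {
    return Optional.empty();
  }
  return Optional.of(new Token(user.get(), token));
}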