Add hmac to access token

Brutus5000 · Brutus5000 · commit 845b442a3b7b · 2025-05-27T09:53:59.000+02:00
diff --git a/src/main/kotlin/com/faforever/userservice/backend/hydra/HydraService.kt b/src/main/kotlin/com/faforever/userservice/backend/hydra/HydraService.kt
@@ -4,7 +4,9 @@ import com.faforever.userservice.backend.account.LoginResult
 import com.faforever.userservice.backend.account.LoginService
 import com.faforever.userservice.backend.domain.IpAddress
 import com.faforever.userservice.backend.domain.UserRepository
+import com.faforever.userservice.backend.security.HmacService
 import com.faforever.userservice.backend.security.OAuthScope
+import com.faforever.userservice.config.FafProperties
 import jakarta.enterprise.context.ApplicationScoped
 import jakarta.enterprise.inject.Produces
 import jakarta.transaction.Transactional
@@ -48,6 +50,8 @@ class HydraService(
     private val httpClient: HttpClient,
     private val loginService: LoginService,
     private val userRepository: UserRepository,
+    private val fafProperties: FafProperties,
+    private val hmacService: HmacService,
 ) {
     companion object {
         private val LOG: Logger = LoggerFactory.getLogger(HydraService::class.java)
@@ -147,10 +151,15 @@ class HydraService(
 
         val roles = listOf("USER") + permissions.map { it.technicalName }
 
+        val hmac = fafProperties.jwt().hmac()?.let {
+            hmacService.generateHmacToken(it.message(), it.secret())
+        }
+
         val context = mutableMapOf(
             "username" to user.username, // not official OIDC claim, but required for backwards compatible
             "preferred_username" to user.username,
             "roles" to roles,
+            "hmac" to hmac,
         )
 
         if (OAuthScope.canShowEmail(consentRequest.requestedScope)) {
diff --git a/src/main/kotlin/com/faforever/userservice/config/FafProperties.kt b/src/main/kotlin/com/faforever/userservice/config/FafProperties.kt
@@ -61,6 +61,14 @@ interface FafProperties {
 
     interface Jwt {
         fun secret(): String
+
+        fun hmac(): Hmac?
+    }
+
+    interface Hmac {
+        fun message(): String
+
+        fun secret(): String
     }
 
     interface Recaptcha {
diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml
@@ -32,6 +32,9 @@ faf:
     site-key: ${RECAPTCHA_SITE_KEY:6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI}
   jwt:
     secret: ${JWT_SECRET:banana}
+    hmac:
+      message: ${JWT_MAC_MESSAGE:helloFaf}
+      secret: ${JWT_MAC_SECRET:banana}
   lobby:
     secret: ${LOBBY_SECRET:banana}
     access-uri: ${LOBBY_URL:ws://localhost:8003}
