Release fixes to main (#251)

* Add mailhog as dependency

* Fix auth validation (#250)

Author: piyushroshan

deploy/docker/docker-compose.yml

@@ -52,6 +52,8 @@ services:
         condition: service_healthy
       mongodb:
         condition: service_healthy
+      mailhog:
+        condition: service_healthy
     healthcheck:
       test: /app/health.sh
       interval: 15s

services/identity/src/main/java/com/crapi/config/JwtAuthTokenFilter.java

@@ -76,6 +76,9 @@ protected void doFilterInternal(
           response.sendError(
               HttpServletResponse.SC_UNAUTHORIZED, UserMessage.ACCOUNT_LOCKED_MESSAGE);
         }
+      } else {
+        tokenLogger.error(UserMessage.INVALID_CREDENTIALS);
+        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, UserMessage.INVALID_CREDENTIALS);
       }
     } catch (Exception e) {
       tokenLogger.error("Can NOT set user authentication -> Message:%d", e);
@@ -122,10 +125,13 @@ public String getUserFromToken(HttpServletRequest request) throws ParseException
     String username = null;
     if (token != null) {
       if (apiType == ApiType.APIKEY) {
+        logger.debug("Token is api token");
         username = tokenProvider.getUserNameFromApiToken(token);
       } else {
-        tokenProvider.validateJwtToken(token);
-        username = tokenProvider.getUserNameFromJwtToken(token);
+        logger.debug("Token is jwt token");
+        if (tokenProvider.validateJwtToken(token)) {
+          username = tokenProvider.getUserNameFromJwtToken(token);
+        }
       }
       // checking username from token
       if (username != null) return username;

services/identity/src/main/java/com/crapi/config/JwtProvider.java

@@ -175,25 +175,26 @@ public boolean validateJwtToken(String authToken) {
       SignedJWT signedJWT = SignedJWT.parse(authToken);
       JWSHeader header = signedJWT.getHeader();
       Algorithm alg = header.getAlgorithm();
-
+      boolean valid = false;
       // JWT Algorithm confusion vulnerability
-      logger.info("Algorithm: " + alg.getName());
+      logger.debug("Algorithm: " + alg.getName());
+      JWSVerifier verifier;
       if (Objects.equals(alg.getName(), "HS256")) {
         String secret = getJwtSecret(header);
-        logger.info("JWT Secret: " + secret);
-        JWSVerifier verifier = new MACVerifier(secret.getBytes(StandardCharsets.UTF_8));
-        return signedJWT.verify(verifier);
+        logger.debug("JWT Secret: " + secret);
+        verifier = new MACVerifier(secret.getBytes(StandardCharsets.UTF_8));
       } else {
         RSAKey verificationKey = getKeyFromJkuHeader(header);
-        JWSVerifier verifier;
         if (verificationKey == null) {
+          logger.debug("Key from JWKS: " + this.publicRSAKey.toJSONString());
           verifier = new RSASSAVerifier(this.publicRSAKey);
         } else {
-          logger.info("Key from JKU: " + verificationKey.toJSONString());
+          logger.debug("Key from JKU: " + verificationKey.toJSONString());
           verifier = new RSASSAVerifier(verificationKey);
         }
-
-        return signedJWT.verify(verifier);
+        valid = signedJWT.verify(verifier);
+        logger.info("JWT valid?: " + valid);
+        return valid;
       }
 
     } catch (ParseException e) {