added temporary token auth. and improved private net check

Author: fquirin

src/main/java/net/b07z/sepia/server/core/server/SparkJavaFw.java

@@ -143,6 +143,8 @@ public static String returnNoAccess(Request request, Response response){
 
 	/**
 	 * Return simple access-restricted message with custom error code.
+	 * @param errorCode - code returned from authenticator - 1: communication error, 2: access denied, ...
+	 * @return
 	 */
 	public static String returnNoAccess(Request request, Response response, int errorCode){
 		if (errorCode == 2){

src/main/java/net/b07z/sepia/server/core/server/Validate.java

@@ -1,6 +1,7 @@
 package net.b07z.sepia.server.core.server;
 
 import net.b07z.sepia.server.core.tools.Debugger;
+import net.b07z.sepia.server.core.tools.Is;
 import net.b07z.sepia.server.core.tools.Security;
 import spark.Request;
 
@@ -42,12 +43,13 @@ public static String getLocalSignature(Request request, String challenge, long t
 	 */
 	public static boolean validateInternalCall(Request request, String submittedKey, String sharedServerKey) {
 		//TODO: make this more secure by adding a white-list of IPs or something ...
-		if (submittedKey != null && submittedKey.equals(sharedServerKey)){
-			return true;
-		}else if (submittedKey != null){
-			Debugger.println("Invalid internal API call from " + request.ip(), 1);
+		if (Is.nullOrEmpty(submittedKey) || Is.nullOrEmpty(sharedServerKey)){
 			return false;
+		}
+		if (submittedKey.equals(sharedServerKey)){
+			return true;
 		}else{
+			Debugger.println("Invalid internal API call from " + request.ip(), 1);
 			return false;
 		}
 	}

src/main/java/net/b07z/sepia/server/core/tools/Security.java

@@ -1,6 +1,7 @@
 package net.b07z.sepia.server.core.tools;
 
 import java.net.InetAddress;
+import java.net.UnknownHostException;
 import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.security.SecureRandom;
@@ -154,15 +155,16 @@ public static byte[] getAwsSignatureKey(String key, String dateStamp, String reg
 	/**
 	 * Check if host (e.g. IP address) is from a private network (according to IANA IP range etc.).	
 	 * @param host - host address with or without protocol (http..), port (..:8080) or path (.../index.html) 
+	 * @throws UnknownHostException 
 	 */
-	public static boolean isPrivateNetwork(String host) throws Exception {
+	public static boolean isPrivateNetwork(String host) throws UnknownHostException {
 		if (host == null || host.isEmpty()){
 			new RuntimeException("Invalid host address!");
 		}
 		//clean-up host string
 		host = host.trim().replaceAll("^http(s|)://", "");
 		host = host.trim().replaceAll("/.*", "");
-		if (host.matches("^localhost($|:\\d+$)")){
+		if (host.matches("^localhost($|:\\d+$)|.*\\.local$")){
 			return true;
 		}
 		if (host.contains(".")){

src/main/java/net/b07z/sepia/server/core/tools/StringTools.java

@@ -1,5 +1,7 @@
 package net.b07z.sepia.server.core.tools;
 
+import java.util.ArrayList;
+import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -26,4 +28,19 @@ public static String findFirstRexEx(String input, String regEx){
 			return "";
 		}
 	}
+	
+	/**
+	 * Find all groups of matching regular expression or return empty string.
+	 * @param input - input to search in
+	 * @param regEx - regular expression to search for
+	 */
+	public static List<String> findAllRexEx(String input, String regEx){
+		Pattern pattern = Pattern.compile(regEx);
+		Matcher matcher = pattern.matcher(input);
+		List<String> matches = new ArrayList<>();
+		while (matcher.find()){
+			matches.add(matcher.group(0));
+		}
+		return matches;
+	}
 }

src/main/java/net/b07z/sepia/server/core/users/Account.java

@@ -14,6 +14,7 @@
 import net.b07z.sepia.server.core.server.RequestParameters;
 import net.b07z.sepia.server.core.tools.ClassBuilder;
 import net.b07z.sepia.server.core.tools.Converters;
+import net.b07z.sepia.server.core.tools.Is;
 import net.b07z.sepia.server.core.tools.JSON;
 import net.b07z.sepia.server.core.tools.Security;
 
@@ -45,6 +46,29 @@ public class Account {
 	//more
 	private Map<String, Object> info = new HashMap<>(); 	//info for everything that's not in the basics
 
+	/**
+	 * Sometimes you need a temporary token that is bound to certain account properties. 
+	 * @param userId
+	 * @param userRoles
+	 * @param secret1
+	 * @param secret2
+	 * @param iterations
+	 * @return
+	 * @throws Exception
+	 */
+	public static String getTemporaryValidationToken(String userId, List<String> userRoles, String secret1, String secret2, int iterations) 
+			throws Exception{
+		if (Is.nullOrEmpty(userId) || userRoles == null || Is.nullOrEmpty(secret1) || Is.nullOrEmpty(secret2) || iterations == 0){
+			throw new RuntimeException("Invalid input for 'getTemporaryValidationToken'");
+		}
+		//build token
+		return Security.bytearrayToHexString(Security.getEncryptedPassword(
+				secret1.replaceAll("\\s", "").trim() + secret2.replaceAll("\\s", "").trim(), 
+				Security.getSha256((userId + userRoles.toString()).replaceAll("\\s", "").trim()), 
+				iterations, 32
+		));
+	}
+	
 	/**
 	 * Return unique user ID.
 	 */
@@ -156,7 +180,35 @@ public boolean authenticate(JSONObject requestJson){
 	 * @return true or false
 	 */
 	public boolean authenticate(RequestParameters params){
-		//get parameters
+		//client data?
+		String clientInfo = params.getString("client");
+		if (clientInfo == null || clientInfo.isEmpty()){
+			clientInfo = ConfigDefaults.defaultClientInfo;
+		}
+		
+		//--- Temp. Token ---
+		
+		//check for temporary token first
+		JSONObject tToken = params.getJson("tToken");
+		if (tToken != null){
+			//call
+			JSONObject authInfo = JSON.make(
+					"tToken", tToken,
+					"client", clientInfo
+			);
+			if (authService.authenticate(authInfo)){
+				//get basic info
+				copyBasicInfo();
+				return true;
+			}else{
+				//fail
+				return false;
+			}
+		}
+		
+		//--- Default ---
+		
+		//get username/password parameters
 		String key = params.getString("KEY");
 		if (key == null || key.isEmpty()){
 			String guuid = params.getString("GUUID");
@@ -165,70 +217,74 @@ public boolean authenticate(RequestParameters params){
 				key = guuid + ";" + Security.hashClientPassword(pwd);
 			} 
 		}
-		String client_info = params.getString("client");
-		if (client_info == null || client_info.isEmpty()){
-			client_info = ConfigDefaults.defaultClientInfo;
-		}
 		//check
 		if (key != null && !key.isEmpty()){
 			String[] up = key.split(";",2);
 			if (up.length == 2){
 				String username = up[0].toLowerCase();
 				String password = up[1];
 				//call
-				JSONObject authInfo = JSON.make("userId", username,
-											"pwd", password,
-											"client", client_info);
-				boolean success = authService.authenticate(authInfo);
-				
-				//get basic info
-				if (success){
-					userId = authService.getUserID();
-					accessLevel = authService.getAccessLevel();
-					
-					info = authService.getBasicInfo();
-					
-					//Language
-					String lang_code = (String) info.get("user_lang_code");
-					if (lang_code != null && !lang_code.isEmpty()){
-						language = lang_code;
-					}
-					
-					//Name
-					JSONObject user_n = (JSONObject) info.get("user_name");
-					if (user_n != null && !user_n.isEmpty()){
-						userName = user_n;
-						userNameShort = getShortUserName();
-					}
-					
-					//Birth
-					String user_birth = (String) info.get("user_birth");
-					if (user_birth != null && !user_birth.isEmpty()){
-						userBirth = user_birth;
-					}
-					
-					//Roles
-					if (info.containsKey("user_roles")){
-						userRoles = Converters.object2ArrayListStr(info.get("user_roles"));
-					}else{
-						userRoles = new ArrayList<>();
-					}
+				JSONObject authInfo = JSON.make(
+						"userId", username,
+						"pwd", password,
+						"client", clientInfo
+				);
+				if (authService.authenticate(authInfo)){
+					//get basic info
+					copyBasicInfo();
+					return true;
+				}else{
+					//fail
+					return false;
 				}
-				return success;
-			
 			//ERROR
 			}else{
 				log.error("AUTHENTICATION FAILED! Due to wrong KEY format: '" + key + "'");
 				return false;
 			}
-		
 		//ERROR
 		}else{
 			log.error("AUTHENTICATION FAILED! Due to missing KEY");
 			return false;
 		}
 	}
 
+	/**
+	 * Fill Account data with data received from successful authentication.
+	 */
+	public void copyBasicInfo(){
+		userId = authService.getUserID();
+		accessLevel = authService.getAccessLevel();
+		
+		info = authService.getBasicInfo();
+		
+		//Language
+		String lang_code = (String) info.get("user_lang_code");
+		if (lang_code != null && !lang_code.isEmpty()){
+			language = lang_code;
+		}
+		
+		//Name
+		JSONObject user_n = (JSONObject) info.get("user_name");
+		if (user_n != null && !user_n.isEmpty()){
+			userName = user_n;
+			userNameShort = getShortUserName();
+		}
+		
+		//Birth
+		String user_birth = (String) info.get("user_birth");
+		if (user_birth != null && !user_birth.isEmpty()){
+			userBirth = user_birth;
+		}
+		
+		//Roles
+		if (info.containsKey("user_roles")){
+			userRoles = Converters.object2ArrayListStr(info.get("user_roles"));
+		}else{
+			userRoles = new ArrayList<>();
+		}
+	}
+	
 	/**
 	 * Export (part of) user account data to JSON string.
 	 */