add exception check in AuthFilter

Author: corgiboygsj

hubble-be/pom.xml

@@ -120,7 +120,7 @@
         <dependency>
             <groupId>com.baidu.hugegraph</groupId>
             <artifactId>hugegraph-client</artifactId>
-            <version>1.9.4</version>
+            <version>1.9.5</version>
         </dependency>
 
         <dependency>

hubble-be/src/main/java/com/baidu/hugegraph/filter/AuthFilter.java

@@ -20,6 +20,9 @@
 package com.baidu.hugegraph.filter;
 
 import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.Set;
+import java.util.function.Supplier;
 
 import javax.annotation.Resource;
 import javax.servlet.Filter;
@@ -29,19 +32,32 @@
 import javax.servlet.ServletResponse;
 import javax.servlet.annotation.WebFilter;
 import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.core.MediaType;
 
 import org.apache.commons.lang.StringUtils;
 import org.apache.http.HttpHeaders;
+import org.springframework.web.bind.annotation.RequestMethod;
 
+import com.baidu.hugegraph.common.Constant;
+import com.baidu.hugegraph.common.Response;
 import com.baidu.hugegraph.driver.HugeClient;
 import com.baidu.hugegraph.config.AuthClientConfiguration;
+import com.baidu.hugegraph.util.JsonUtil;
+import com.google.common.collect.ImmutableSet;
 
 import lombok.extern.log4j.Log4j2;
 
 @Log4j2
 @WebFilter(filterName = "authFilter", urlPatterns = "/*")
 public class AuthFilter implements Filter {
 
+    private static final String BEARER_TOKEN_PREFIX = "Bearer ";
+
+    private static final Set<String> WHITE_API = ImmutableSet.of(
+            buildPath(RequestMethod.POST,
+                      Constant.API_VERSION + "graph-connections/login")
+    );
+
     @Resource(name = AuthClientConfiguration.AUTH_CLIENT_NAME)
     private HugeClient client;
 
@@ -51,15 +67,65 @@ public void doFilter(ServletRequest servletRequest,
                          FilterChain filterChain)
                          throws IOException, ServletException {
         try {
-            String authorization = ((HttpServletRequest) servletRequest)
-                                   .getHeader(HttpHeaders.AUTHORIZATION);
-            if (StringUtils.isNotEmpty(authorization)) {
-                this.client.setAuthContext(authorization);
+            HttpServletRequest request = (HttpServletRequest) servletRequest;
+            String authorization = request.getHeader(HttpHeaders.AUTHORIZATION);
+
+            // Missed token and request uri not in white list
+            if (StringUtils.isEmpty(authorization) && !isWhiteAPI(request)) {
+                String msg = "Missed authorization token";
+                writeResponse(servletResponse, () -> {
+                    return Response.builder()
+                                   .status(Constant.STATUS_BAD_REQUEST)
+                                   .message(msg)
+                                   .build();
+                });
+                return;
+            }
+            // Illegal token format
+            if (StringUtils.isNotEmpty(authorization) &&
+                !authorization.startsWith(BEARER_TOKEN_PREFIX)) {
+                String msg = "Only HTTP Bearer authentication is supported";
+                writeResponse(servletResponse, () -> {
+                    return Response.builder()
+                                   .status(Constant.STATUS_BAD_REQUEST)
+                                   .message(msg)
+                                   .build();
+                });
+                return;
             }
 
+            this.client.setAuthContext(authorization);
+
             filterChain.doFilter(servletRequest, servletResponse);
         } finally {
             this.client.resetAuthContext();
         }
     }
+
+    private static String buildPath(RequestMethod method, String path) {
+        return buildPath(method.name(), path);
+    }
+
+    private static String buildPath(String method, String path) {
+        return String.join(":", method, path);
+    }
+
+    private static boolean isWhiteAPI(HttpServletRequest request) {
+        String url = request.getRequestURI();
+        return WHITE_API.contains(buildPath(request.getMethod(), url));
+    }
+
+    private void writeResponse(ServletResponse servletResponse,
+                               Supplier<Response> responseSupplier) {
+        Response response = responseSupplier.get();
+
+        servletResponse.setCharacterEncoding("UTF-8");
+        servletResponse.setContentType(MediaType.APPLICATION_JSON);
+
+        try (PrintWriter writer = servletResponse.getWriter()) {
+            writer.print(JsonUtil.toJson(response));
+        } catch (IOException e) {
+            log.error("Response error",e);
+        }
+    }
 }

hubble-be/src/main/java/com/baidu/hugegraph/service/system/AuthService.java

@@ -31,14 +31,12 @@
 import com.baidu.hugegraph.entity.login.LoginResult;
 import com.baidu.hugegraph.entity.user.HubbleUser;
 import com.baidu.hugegraph.structure.auth.Login;
+import com.baidu.hugegraph.structure.auth.TokenPayload;
 import com.baidu.hugegraph.structure.auth.User;
 
 @Service
 public class AuthService {
 
-    private static final String TOKEN_USER_NAME = "user_name";
-    private static final String TOKEN_USER_ID = "user_id";
-
     @Resource(name = AuthClientConfiguration.AUTH_CLIENT_NAME)
     private HugeClient authClient;
 
@@ -58,8 +56,8 @@ public void logout() {
     }
 
     public HubbleUser getCurrentUser() {
-        Map<String, Object> payload = this.authClient.auth().verifyToken();
-        String userId = (String) payload.get(TOKEN_USER_ID);
+        TokenPayload payload = this.authClient.auth().verifyToken();
+        String userId = payload.userId();
         User user = this.authClient.auth().getUser(userId);
 
         // TODO Set user auth info