Merge pull request #102 from it-at-m/fix-altcha-payload

Use base Altcha payload for challenge verification

Author: Fabinatix97

captchaservice-backend/src/main/java/de/muenchen/captchaservice/controller/captcha/request/PostVerifyRequest.java

@@ -1,14 +1,13 @@
 package de.muenchen.captchaservice.controller.captcha.request;
 
+import de.muenchen.captchaservice.data.ExtendedPayload;
 import de.muenchen.captchaservice.validation.ValidSourceAddress;
 import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.NotNull;
 import lombok.AllArgsConstructor;
 import lombok.Data;
 import lombok.NoArgsConstructor;
 
-import de.muenchen.captchaservice.data.ExtendedPayload;
-
 @Data
 @NoArgsConstructor
 @AllArgsConstructor

captchaservice-backend/src/main/java/de/muenchen/captchaservice/data/ExtendedPayload.java

@@ -14,4 +14,18 @@ public class ExtendedPayload extends Altcha.Payload {
      */
     private Long took;
 
+    /**
+     * Converts this {@code ExtendedPayload} instance into a plain {@link Altcha.Payload}
+     * object that contains only the standard fields required for validation.
+     */
+    public Altcha.Payload toBasePayload() {
+        Altcha.Payload base = new Altcha.Payload();
+        base.algorithm = this.algorithm;
+        base.challenge = this.challenge;
+        base.number = this.number;
+        base.salt = this.salt;
+        base.signature = this.signature;
+        return base;
+    }
+
 }

captchaservice-backend/src/main/java/de/muenchen/captchaservice/service/captcha/CaptchaService.java

@@ -57,7 +57,8 @@ public boolean verify(final String siteKey, final ExtendedPayload payload, final
             return false;
         }
         try {
-            final boolean isValid = Altcha.verifySolution(payload, captchaProperties.hmacKey(), true);
+            Altcha.Payload base = payload.toBasePayload();
+            final boolean isValid = Altcha.verifySolution(base, captchaProperties.hmacKey(), true);
             if (isValid) {
                 metricsService.recordVerifySuccess(siteKey, sourceAddress);
 

captchaservice-backend/src/test/java/de/muenchen/captchaservice/controller/captcha/CaptchaControllerTest.java

@@ -2,13 +2,10 @@
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import de.muenchen.captchaservice.TestConstants;
-import de.muenchen.captchaservice.configuration.captcha.CaptchaProperties;
 import de.muenchen.captchaservice.controller.captcha.request.PostChallengeRequest;
 import de.muenchen.captchaservice.controller.captcha.request.PostVerifyRequest;
 import de.muenchen.captchaservice.data.ExtendedPayload;
 import de.muenchen.captchaservice.repository.CaptchaRequestRepository;
-import de.muenchen.captchaservice.service.captcha.CaptchaService;
-import de.muenchen.captchaservice.service.expireddata.ExpiredDataService;
 import de.muenchen.captchaservice.util.DatabaseTestUtil;
 import lombok.SneakyThrows;
 import org.altcha.altcha.Altcha;
@@ -29,8 +26,6 @@
 import org.testcontainers.junit.jupiter.Container;
 import org.testcontainers.utility.DockerImageName;
 
-import java.time.Instant;
-
 import static de.muenchen.captchaservice.TestConstants.SPRING_NO_SECURITY_PROFILE;
 import static de.muenchen.captchaservice.TestConstants.SPRING_TEST_PROFILE;
 import static org.hamcrest.Matchers.hasItem;
@@ -84,15 +79,6 @@ class CaptchaControllerTest {
     @Autowired
     private CaptchaRequestRepository captchaRequestRepository;
 
-    @Autowired
-    private CaptchaProperties captchaProperties;
-
-    @Autowired
-    private ExpiredDataService expiredDataService;
-
-    @Autowired
-    private CaptchaService captchaService;
-
     @Test
     void postChallenge_basic() {
         final Altcha.ChallengeOptions challengeOptions = new Altcha.ChallengeOptions();