Improve Error Messages Related To Session Data (#1842)

* Use 302 in all OAuth2 Redirects, adjusted tests accordingly
* distinguish 'CSRF token mismatch' causes.

---------

Co-authored-by: Valentin Brückel <brueckel@predic8.de>
Co-authored-by: Tobias Polley <mail@tobias-polley.de>

Author: 3 people

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/rf/OAuth2CallbackRequestHandler.java

@@ -41,6 +41,9 @@
 
 public class OAuth2CallbackRequestHandler {
     private static final Logger log = LoggerFactory.getLogger(OAuth2CallbackRequestHandler.class);
+    public static final String MEMBRANE_MISSING_SESSION = "Missing session.";
+    public static final String MEMBRANE_CSRF_TOKEN_MISSING_IN_SESSION = "CSRF token missing in session.";
+    public static final String MEMBRANE_CSRF_TOKEN_MISMATCH = "CSRF token mismatch.";
 
     LogHelper logHelper = new LogHelper();
     private URIFactory uriFactory;
@@ -87,7 +90,22 @@ public boolean handleRequest(Exchange exc, Session session) throws Exception {
             String stateFromUri = getSecurityTokenFromState(state2);
 
             if (!csrfTokenMatches(session, stateFromUri)) {
-                throw new RuntimeException("CSRF token mismatch.");
+                if (session.isNew()) {
+                    throw new OAuth2Exception(
+                            "MEMBRANE_MISSING_SESSION",
+                            MEMBRANE_MISSING_SESSION,
+                            Response.badRequest().body(MEMBRANE_MISSING_SESSION).build());
+                } else if (!session.get().containsKey(ParamNames.STATE)) {
+                    throw new OAuth2Exception(
+                            "MEMBRANE_CSRF_TOKEN_MISSING_IN_SESSION",
+                            MEMBRANE_CSRF_TOKEN_MISSING_IN_SESSION,
+                            Response.badRequest().body(MEMBRANE_CSRF_TOKEN_MISSING_IN_SESSION).build());
+                }else {
+                    throw new OAuth2Exception(
+                            "MEMBRANE_CSRF_TOKEN_MISMATCH",
+                            MEMBRANE_CSRF_TOKEN_MISMATCH,
+                            Response.badRequest().body(MEMBRANE_CSRF_TOKEN_MISMATCH).build());
+                }
             }
 
             // state in session can be "merged" -> save the selected state in session overwriting the possibly merged value

core/src/main/java/com/predic8/membrane/core/interceptor/session/InMemorySessionManager.java

@@ -19,6 +19,8 @@
 import com.predic8.membrane.core.*;
 import com.predic8.membrane.core.exchange.*;
 import com.predic8.membrane.core.http.*;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.time.*;
 import java.util.*;
@@ -28,6 +30,8 @@
 @MCElement(name = "inMemorySessionManager2")
 public class InMemorySessionManager extends SessionManager {
 
+    private static final Logger log = LoggerFactory.getLogger(InMemorySessionManager.class);
+
     final static String ID_NAME = "_in_memory_session_id";
     Cache<String, Session> sessions;
 

core/src/main/java/com/predic8/membrane/core/interceptor/session/Session.java

@@ -25,6 +25,17 @@
 
 public class Session {
 
+    @JsonIgnore  // we don't want this utility method to show up in JSON representations
+    public boolean isNew() {
+        if (isDirty)
+            return false;
+        if (content.size() != 1)
+            return false;
+        if (!content.containsKey(INTERNAL_PREFIX + AUTHORIZATION_LEVEL))
+            return false;
+        return AuthorizationLevel.ANONYMOUS.name().equals(content.get(INTERNAL_PREFIX + AUTHORIZATION_LEVEL));
+    }
+
     public enum AuthorizationLevel{
         ANONYMOUS,
         VERIFIED

core/src/main/java/com/predic8/membrane/core/interceptor/session/SessionManager.java

@@ -139,7 +139,6 @@ private void createDefaultResponseIfNeeded(Exchange exc) {
             exc.setResponse(Response.ok().build());
     }
 
-
     private void handleSetCookieHeaderForResponse(Exchange exc, Session session) throws Exception {
         Optional<Object> originalCookieValueAtBeginning = Optional.ofNullable(exc.getProperty(SESSION_COOKIE_ORIGINAL));
 
@@ -211,7 +210,7 @@ private void removeRedundantExpireCookieIfRefreshed(Exchange exc, Map<String, Li
                 .filter(e -> e.getValue().size() > 1)
                 .filter(e -> e.getValue().stream().filter(s -> s.contains(VALUE_TO_EXPIRE_SESSION_IN_BROWSER)).count() == 1)
                 .forEach(e -> {
-                    setCookieHeaders.get(e.getKey()).remove(e.getValue());
+                    setCookieHeaders.get(e.getKey()).remove(e.getValue());  // TODO does this actually do anything?
                     exc.getResponse().getHeader().remove(getAllRelevantSetCookieHeaders(exc)
                             .filter(hf -> hf.getValue().contains(VALUE_TO_EXPIRE_SESSION_IN_BROWSER))
                             .findFirst().get());
@@ -230,8 +229,7 @@ private void setCookieForCurrentSession(Exchange exc, String currentSessionCooki
             log.warn("Cookie is larger than 4093 bytes, this will not work some browsers.");
         String setCookieValue = currentSessionCookieValue
                 + ";" + String.join(";", createCookieAttributes(exc));
-        exc.getResponse().getHeader()
-                .add(Header.SET_COOKIE, setCookieValue);
+        exc.getResponse().getHeader().add(Header.SET_COOKIE, setCookieValue);
     }
 
     private void setCookieForExpiredSessions(Exchange exc, String currentSessionCookieValue) {
@@ -263,8 +261,9 @@ private List<String> expireCookies(Exchange exc, List<String> invalidCookies) {
 
     protected Session getSessionInternal(Exchange exc) {
         exc.setProperty(SESSION_COOKIE_ORIGINAL,null);
-        if (getCookieHeader(exc) == null)
+        if (getCookieHeader(exc) == null) {
             return new Session(usernameKeyName, new HashMap<>());
+        }
 
         Map<String, Map<String, Object>> validCookiesAsListOfMaps = convertValidCookiesToAttributes(exc);
         Session session = new Session(usernameKeyName, mergeCookies(new ArrayList<>(validCookiesAsListOfMaps.values())));
@@ -341,7 +340,11 @@ public List<String> createInvalidationAttributes(Exchange exc) {
 
 
     protected Stream<String> getCookies(Exchange exc) {
-        return exc.getRequest().getHeader().getValues(new HeaderName(COOKIE)).stream().map(s -> s.getValue().split(";")).flatMap(Arrays::stream).map(String::trim);
+        return exc.getRequest().getHeader().getValues(new HeaderName(COOKIE))
+                .stream()
+                .map(s -> s.getValue().split(";"))
+                .flatMap(Arrays::stream)
+                .map(String::trim);
     }
 
     public void removeSession(Exchange exc) {

core/src/test/java/com/predic8/membrane/core/interceptor/oauth2/client/OAuth2ResourceTest.java

@@ -35,6 +35,8 @@
 import java.util.concurrent.atomic.*;
 
 import static com.predic8.membrane.core.http.MimeType.*;
+import static com.predic8.membrane.core.http.Request.get;
+import static com.predic8.membrane.core.interceptor.oauth2client.rf.OAuth2CallbackRequestHandler.MEMBRANE_MISSING_SESSION;
 import static org.junit.jupiter.api.Assertions.*;
 
 public abstract class OAuth2ResourceTest {
@@ -181,11 +183,9 @@ public Outcome handleRequest(Exchange exc) throws Exception {
 
         browser.clearCookies(); // send the auth link to some helpless (other) user
 
-        excCallResource = browser.apply(new Request.Builder().get("http://localhost:" + serverPort + ref.get()).buildExchange());
-
-        assertEquals(400, excCallResource.getResponse().getStatusCode());
-
-        assertTrue(excCallResource.getResponse().getBodyAsStringDecoded().contains("CSRF"));
+        var response = browser.apply(get("http://localhost:" + serverPort + ref.get()).buildExchange()).getResponse();
+        assertEquals(400, response.getStatusCode());
+        assertTrue(response.getBodyAsStringDecoded().contains(MEMBRANE_MISSING_SESSION));
     }
 
     @Test

core/src/test/java/com/predic8/membrane/core/interceptor/oauth2/client/b2c/OAuth2ResourceB2CTest.java

@@ -31,6 +31,10 @@
 import java.util.concurrent.atomic.*;
 
 import static com.predic8.membrane.core.http.Header.*;
+import static com.predic8.membrane.core.http.Request.get;
+import static com.predic8.membrane.core.interceptor.oauth2client.rf.OAuth2CallbackRequestHandler.MEMBRANE_MISSING_SESSION;
+import static com.predic8.membrane.core.util.URLParamUtil.DuplicateKeyOrInvalidFormStrategy.ERROR;
+import static com.predic8.membrane.core.util.URLParamUtil.parseQueryString;
 import static org.junit.jupiter.api.Assertions.*;
 
 public abstract class OAuth2ResourceB2CTest {
@@ -162,7 +166,8 @@ public Outcome handleRequest(Exchange exc) throws Exception {
 
         assertEquals(400, excCallResource.getResponse().getStatusCode());
 
-        assertTrue(excCallResource.getResponse().getBodyAsStringDecoded().contains("CSRF"));
+        String response = excCallResource.getResponse().getBodyAsStringDecoded();
+        assertTrue(response.contains(MEMBRANE_MISSING_SESSION));
     }
 
     @Test