custom token auth for ktor

Author: di0nys1us

build.gradle.kts

@@ -31,17 +31,23 @@ dependencies {
 
     // Ktor
     val ktorVersion = "2.0.1"
+    implementation("io.ktor:ktor-server-auth:$ktorVersion")
     implementation("io.ktor:ktor-server-content-negotiation:$ktorVersion")
     implementation("io.ktor:ktor-serialization-jackson:$ktorVersion")
 
     // Testing
     testImplementation(kotlin("test"))
+    testImplementation("io.ktor:ktor-server-test-host:$ktorVersion")
 }
 
 tasks.withType<KotlinCompile> {
     kotlinOptions.jvmTarget = "17"
 }
 
+tasks.test {
+    useJUnitPlatform()
+}
+
 tasks.withType<Jar> {
     duplicatesStrategy = DuplicatesStrategy.EXCLUDE
     manifest {

src/main/kotlin/no/nav/hjelpemidler/Application.kt

@@ -3,6 +3,8 @@ package no.nav.hjelpemidler
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule
 import io.ktor.serialization.jackson.jackson
 import io.ktor.server.application.install
+import io.ktor.server.auth.Authentication
+import io.ktor.server.auth.authenticate
 import io.ktor.server.plugins.contentnegotiation.ContentNegotiation
 import io.ktor.server.routing.routing
 import mu.KotlinLogging
@@ -51,10 +53,19 @@ fun main() {
                 registerModule(JavaTimeModule())
             }
         }
+        install(Authentication) {
+            token("oebsToken") {
+                validate(requireNotNull(Configuration.application["OEBSTOKEN"]) {
+                    "OEBSTOKEN mangler"
+                })
+            }
+        }
         val context = Context(rapidApp)
         routing {
-            ordrelinjeAPI(context)
-            serviceforespørselAPI(context)
+            authenticate("oebsToken") {
+                ordrelinjeAPI(context)
+                serviceforespørselAPI(context)
+            }
         }
     }.build()
 

src/main/kotlin/no/nav/hjelpemidler/TokenAuthenticationProvider.kt

@@ -0,0 +1,90 @@
+package no.nav.hjelpemidler
+
+import io.ktor.http.auth.AuthScheme
+import io.ktor.http.auth.HttpAuthHeader
+import io.ktor.server.application.ApplicationCall
+import io.ktor.server.auth.AuthenticationConfig
+import io.ktor.server.auth.AuthenticationContext
+import io.ktor.server.auth.AuthenticationFailedCause
+import io.ktor.server.auth.AuthenticationFunction
+import io.ktor.server.auth.AuthenticationProvider
+import io.ktor.server.auth.Principal
+import io.ktor.server.auth.UnauthorizedResponse
+import io.ktor.server.auth.parseAuthorizationHeader
+import io.ktor.server.request.ApplicationRequest
+import io.ktor.server.response.respond
+
+fun AuthenticationConfig.token(
+    name: String? = null,
+    configure: TokenAuthenticationProvider.Config.() -> Unit,
+) {
+    val provider = TokenAuthenticationProvider(TokenAuthenticationProvider.Config(name).apply(configure))
+    register(provider)
+}
+
+fun ApplicationRequest.tokenCredentials(): TokenCredential? {
+    when (val authHeader = parseAuthorizationHeader()) {
+        is HttpAuthHeader.Single -> {
+            if (!authHeader.authScheme.equals(AuthScheme.Bearer, ignoreCase = true)) {
+                return null
+            }
+            return TokenCredential(authHeader.blob)
+        }
+        else -> return null
+    }
+}
+
+class TokenAuthenticationProvider internal constructor(config: Config) : AuthenticationProvider(config) {
+    internal val authenticationFunction = config.authenticationFunction
+
+    override suspend fun onAuthenticate(context: AuthenticationContext) {
+        val call = context.call
+        val credentials = call.request.tokenCredentials()
+        val principal = credentials?.let { authenticationFunction(call, it) }
+        val cause = when {
+            credentials == null -> AuthenticationFailedCause.NoCredentials
+            principal == null -> AuthenticationFailedCause.InvalidCredentials
+            else -> null
+        }
+        if (cause != null) {
+            @Suppress("NAME_SHADOWING")
+            context.challenge("", cause) { challenge, call ->
+                call.respond(
+                    UnauthorizedResponse(
+                        HttpAuthHeader.Parameterized(
+                            AuthScheme.Bearer,
+                            mapOf("realm" to "Ktor Server")
+                        )
+                    )
+                )
+                challenge.complete()
+            }
+        }
+        if (principal != null) {
+            context.principal(principal)
+        }
+    }
+
+    class Config internal constructor(name: String?) : AuthenticationProvider.Config(name) {
+        internal var authenticationFunction: AuthenticationFunction<TokenCredential> = {
+            throw NotImplementedError(
+                "Token validate function is not specified. Use token { validate { ... } } to fix."
+            )
+        }
+
+        fun validate(body: suspend ApplicationCall.(TokenCredential) -> Principal?) {
+            authenticationFunction = body
+        }
+
+        fun validate(expectedToken: String) = validate {
+            when (it.token) {
+                expectedToken -> TokenPrincipal(it.token)
+                else -> null
+            }
+        }
+    }
+}
+
+data class TokenCredential(val token: String)
+
+data class TokenPrincipal(val token: String) : Principal

src/main/kotlin/no/nav/hjelpemidler/api/OrdrelinjeAPI.kt

@@ -36,12 +36,6 @@ private val mapperXml = XmlMapper().registerModule(JavaTimeModule())
 internal fun Route.ordrelinjeAPI(context: Context) {
     post("/push") {
         logg.info("incoming push")
-        val authHeader = call.request.header("Authorization").toString()
-        if (!authHeader.startsWith("Bearer ") || authHeader.substring(7) != Configuration.application["OEBSTOKEN"]!!) {
-            call.respond(HttpStatusCode.Unauthorized, "unauthorized")
-            return@post
-        }
-
         try {
             val ordrelinje = parseOrdrelinje(context, call) ?: return@post
             sendUvalidertOrdrelinjeTilRapid(context, ordrelinje.toRåOrdrelinje())

src/main/kotlin/no/nav/hjelpemidler/api/ServiceForespørselAPI.kt

@@ -6,14 +6,12 @@ import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule
 import com.fasterxml.jackson.module.kotlin.jacksonMapperBuilder
 import io.ktor.http.HttpStatusCode
 import io.ktor.server.application.call
-import io.ktor.server.request.header
 import io.ktor.server.request.receive
 import io.ktor.server.response.respond
 import io.ktor.server.routing.Route
 import io.ktor.server.routing.post
 import mu.KotlinLogging
 import no.nav.hjelpemidler.Context
-import no.nav.hjelpemidler.configuration.Configuration
 import no.nav.hjelpemidler.model.SfMessage
 import java.time.LocalDateTime
 import java.util.UUID
@@ -25,12 +23,6 @@ private val mapperJson = jacksonMapperBuilder().addModule(JavaTimeModule()).buil
 internal fun Route.serviceforespørselAPI(context: Context) {
     post("/sf") {
         logg.info("incoming sf-oppdatering")
-        val authHeader = call.request.header("Authorization").toString()
-        if (!authHeader.startsWith("Bearer ") || authHeader.substring(7) != Configuration.application["OEBSTOKEN"]!!) {
-            call.respond(HttpStatusCode.Unauthorized, "unauthorized")
-            return@post
-        }
-
         try {
             val serviceForespørselEndring = call.receive<ServiceForespørselEndring>()
             val sfMessage = SfMessage(

src/test/kotlin/no/nav/hjelpemidler/TestExtensions.kt

@@ -0,0 +1,7 @@
+package no.nav.hjelpemidler
+
+import kotlin.test.assertEquals
+import kotlin.test.assertNotEquals
+
+infix fun <T> T.shouldBe(expected: T) = assertEquals(expected, this)
+infix fun <T> T.shouldNotBe(illegal: T) = assertNotEquals(illegal, this)

src/test/kotlin/no/nav/hjelpemidler/TokenAuthenticationProviderTest.kt

@@ -0,0 +1,73 @@
+package no.nav.hjelpemidler
+
+import io.ktor.client.request.basicAuth
+import io.ktor.client.request.bearerAuth
+import io.ktor.client.request.get
+import io.ktor.client.statement.bodyAsText
+import io.ktor.http.HttpStatusCode
+import io.ktor.server.application.call
+import io.ktor.server.auth.Authentication
+import io.ktor.server.auth.authenticate
+import io.ktor.server.response.respondText
+import io.ktor.server.routing.get
+import io.ktor.server.testing.ApplicationTestBuilder
+import io.ktor.server.testing.testApplication
+import kotlin.test.Test
+
+internal class TokenAuthenticationProviderTest {
+
+    @Test
+    internal fun `authentication fails, missing token`() = testApplication {
+        configure()
+        client.get("/secured") {
+        }.apply {
+            status shouldBe HttpStatusCode.Unauthorized
+        }
+    }
+
+    @Test
+    internal fun `authentication fails, wrong token`() = testApplication {
+        configure()
+        client.get("/secured") {
+            bearerAuth("1234qwer")
+        }.apply {
+            status shouldBe HttpStatusCode.Unauthorized
+        }
+    }
+
+    @Test
+    internal fun `authentication fails, wrong scheme`() = testApplication {
+        configure()
+        client.get("/secured") {
+            basicAuth("foo", "bar")
+        }.apply {
+            status shouldBe HttpStatusCode.Unauthorized
+        }
+    }
+
+    @Test
+    internal fun `authentication succeeds`() = testApplication {
+        configure()
+        client.get("/secured") {
+            bearerAuth("qwer1234")
+        }.apply {
+            status shouldBe HttpStatusCode.OK
+            bodyAsText() shouldBe "secret"
+        }
+    }
+
+    private fun ApplicationTestBuilder.configure() {
+        install(Authentication) {
+            token("oebsToken") {
+                validate("qwer1234")
+            }
+        }
+        routing {
+            authenticate("oebsToken") {
+                get("/secured") {
+                    call.respondText("secret")
+                }
+            }
+        }
+    }
+}