NFC-57 Fix and improve authentication flow

Author: SanderKondratjevNortal

app/src/androidTest/kotlin/ee/ria/DigiDoc/viewmodel/WebEidViewModelTest.kt

@@ -2,24 +2,27 @@
 
 package ee.ria.DigiDoc.viewmodel
 
-import android.app.Activity
 import android.net.Uri
+import android.util.Base64.URL_SAFE
+import android.util.Base64.decode
 import androidx.arch.core.executor.testing.InstantTaskExecutorRule
 import ee.ria.DigiDoc.webEid.WebEidAuthService
-import ee.ria.DigiDoc.webEid.domain.model.WebEidAuthRequest
-import kotlinx.coroutines.flow.MutableStateFlow
+import kotlinx.coroutines.ExperimentalCoroutinesApi
+import kotlinx.coroutines.async
+import kotlinx.coroutines.flow.first
+import kotlinx.coroutines.test.UnconfinedTestDispatcher
+import kotlinx.coroutines.test.runTest
 import org.json.JSONObject
+import org.junit.Assert.assertEquals
 import org.junit.Before
 import org.junit.Rule
 import org.junit.Test
 import org.junit.runner.RunWith
 import org.mockito.Mock
-import org.mockito.Mockito.never
-import org.mockito.Mockito.`when`
 import org.mockito.MockitoAnnotations
 import org.mockito.junit.MockitoJUnitRunner
-import org.mockito.kotlin.any
 import org.mockito.kotlin.verify
+import org.mockito.kotlin.whenever
 
 @RunWith(MockitoJUnitRunner::class)
 class WebEidViewModelTest {
@@ -29,129 +32,177 @@ class WebEidViewModelTest {
     @Mock
     private lateinit var authService: WebEidAuthService
 
-    @Mock
-    private lateinit var activity: Activity
-
     private lateinit var viewModel: WebEidViewModel
 
     @Before
     fun setup() {
         MockitoAnnotations.openMocks(this)
-
-        `when`(authService.authRequest).thenReturn(MutableStateFlow(null))
-        `when`(authService.signRequest).thenReturn(MutableStateFlow(null))
-        `when`(authService.errorState).thenReturn(MutableStateFlow(null))
-        `when`(authService.redirectUri).thenReturn(MutableStateFlow(null))
-
         viewModel = WebEidViewModel(authService)
     }
 
     @Test
-    fun handleAuth_callsParseAuthUri() {
-        val uri = Uri.parse("web-eid-mobile://auth#dummyData")
-        viewModel.handleAuth(uri)
-        verify(authService).parseAuthUri(uri)
+    fun webEidViewModel_handleAuth_parsesAuthUriAndSetsStateFlow() {
+        runTest {
+            val uri =
+                Uri.parse(
+                    "web-eid-mobile://auth#eyJjaGFsbGVuZ2UiOiJ0ZXN0LWNoYWxsZW5nZS0wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMCIsImxvZ2luX3VyaSI6Imh0dHBzOi8vZXhhbXBsZS5jb20vcmVzcG9uc2UiLCJnZXRfc2lnbmluZ19jZXJ0aWZpY2F0ZSI6dHJ1ZX0",
+                )
+            viewModel.handleAuth(uri)
+            val authRequest = viewModel.authRequest.value
+            val signRequest = viewModel.signRequest.value
+            assert(authRequest != null)
+            assert(signRequest == null)
+            assertEquals("test-challenge-00000000000000000000000000000", authRequest?.challenge)
+            assertEquals("https://example.com/response", authRequest?.loginUri)
+            assertEquals("https://example.com", authRequest?.origin)
+            assertEquals(true, authRequest?.getSigningCertificate)
+        }
     }
 
     @Test
-    fun handleSign_callsParseSignUri() {
-        val uri = Uri.parse("web-eid-mobile://sign#dummyData")
-        viewModel.handleSign(uri)
-        verify(authService).parseSignUri(uri)
+    fun webEidViewModel_handleAuth_emitErrorResponseEventWhenChallengeMinLength() {
+        val uri =
+            Uri.parse(
+                "web-eid-mobile://auth#eyJjaGFsbGVuZ2UiOiJ0ZXN0LWNoYWxsZW5nZS0wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwIiwibG9naW5fdXJpIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9yZXNwb25zZSIsImdldF9zaWduaW5nX2NlcnRpZmljYXRlIjp0cnVlfQ",
+            )
+        webEidViewModel_handleAuth_emitErrorResponseEventWhenInvalidChallenge(uri)
     }
 
     @Test
-    fun reset_callsResetValues() {
-        viewModel.reset()
-        verify(authService).resetValues()
+    fun webEidViewModel_handleAuth_emitErrorResponseEventWhenChallengeMaxLength() {
+        val uri =
+            Uri.parse(
+                "web-eid-mobile://auth#eyJjaGFsbGVuZ2UiOiJ0ZXN0LWNoYWxsZW5nZS0wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAiLCJsb2dpbl91cmkiOiJodHRwczovL2V4YW1wbGUuY29tL3Jlc3BvbnNlIiwiZ2V0X3NpZ25pbmdfY2VydGlmaWNhdGUiOnRydWV9",
+            )
+        webEidViewModel_handleAuth_emitErrorResponseEventWhenInvalidChallenge(uri)
     }
 
-    @Test
-    fun redirectUri_isExposedFromAuthService() {
-        val redirectFlow = MutableStateFlow("https://example.com#encodedPayload")
-        `when`(authService.redirectUri).thenReturn(redirectFlow)
-        val vm = WebEidViewModel(authService)
-        assert(vm.redirectUri.value == "https://example.com#encodedPayload")
+    @OptIn(ExperimentalCoroutinesApi::class)
+    private fun webEidViewModel_handleAuth_emitErrorResponseEventWhenInvalidChallenge(uri: Uri) {
+        runTest(UnconfinedTestDispatcher()) {
+            val deferred =
+                async {
+                    viewModel.relyingPartyResponseEvents.first()
+                }
+
+            viewModel.handleAuth(uri)
+
+            val emittedUri = deferred.await()
+            assert(emittedUri.toString().startsWith("https://example.com/response#"))
+            assert(emittedUri.fragment != null)
+            val decodedPayload = String(decode(emittedUri.fragment, URL_SAFE))
+            val jsonPayload = JSONObject(decodedPayload)
+            assertEquals("ERR_WEBEID_MOBILE_INVALID_REQUEST", jsonPayload.getString("code"))
+            assertEquals("Invalid challenge length", jsonPayload.getString("message"))
+        }
     }
 
     @Test
-    fun redirectUri_updatesWhenServiceUpdates() {
-        val redirectFlow = MutableStateFlow<String?>(null)
-        `when`(authService.redirectUri).thenReturn(redirectFlow)
-        val vm = WebEidViewModel(authService)
-        redirectFlow.value = "https://example.com#updatedPayload"
-        assert(vm.redirectUri.value == "https://example.com#updatedPayload")
+    @OptIn(ExperimentalCoroutinesApi::class)
+    fun webEidViewModel_handleAuth_emitErrorResponseEventWhenOriginMaxLength() {
+        runTest(UnconfinedTestDispatcher()) {
+            val uri =
+                Uri.parse(
+                    "web-eid-mobile://auth#eyJjaGFsbGVuZ2UiOiJ0ZXN0LWNoYWxsZW5nZS0wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMCIsImxvZ2luX3VyaSI6Imh0dHBzOi8vZXhhbXBsZS54eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eC5jb20vcmVzcG9uc2UiLCJnZXRfc2lnbmluZ19jZXJ0aWZpY2F0ZSI6dHJ1ZX0",
+                )
+            val deferred =
+                async {
+                    viewModel.relyingPartyResponseEvents.first()
+                }
+
+            viewModel.handleAuth(uri)
+
+            val emittedUri = deferred.await()
+            assert(
+                emittedUri.toString().startsWith(
+                    "https://example.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.com/response#",
+                ),
+            )
+            assert(emittedUri.fragment != null)
+            val decodedPayload = String(decode(emittedUri.fragment, URL_SAFE))
+            val jsonPayload = JSONObject(decodedPayload)
+            assertEquals("ERR_WEBEID_MOBILE_INVALID_REQUEST", jsonPayload.getString("code"))
+            assertEquals("Invalid origin length", jsonPayload.getString("message"))
+        }
     }
 
     @Test
-    fun handleWebEidAuthResult_callsBuildAuthToken_whenPayloadValid() {
-        val cert = byteArrayOf(1, 2, 3)
-        val signature = byteArrayOf(4, 5, 6)
-        val challenge = "test-challenge"
-        val loginUri = "https://example.com/login"
-        val getSigningCertificate = true
-        val origin = "https://example.com"
-
-        val authRequest =
-            WebEidAuthRequest(
-                challenge = challenge,
-                loginUri = loginUri,
-                getSigningCertificate = getSigningCertificate,
-                origin = origin,
+    fun webEidViewModel_handleSign_parsesSignUriAndSetsStateFlow() {
+        val uri =
+            Uri.parse(
+                "web-eid-mobile://sign#eyJyZXNwb25zZV91cmkiOiJodHRwczovL2V4YW1wbGUuY29tL3Jlc3BvbnNlIiwic2lnbl9jZXJ0aWZpY2F0ZSI6InNpZ25pbmdfY2VydGlmaWNhdGUiLCJoYXNoIjoiaGFzaCIsImhhc2hfZnVuY3Rpb24iOiJoYXNoX2Z1bmN0aW9uIn0",
             )
-        `when`(authService.authRequest).thenReturn(MutableStateFlow(authRequest))
-
-        val token = JSONObject().put("mock", "token")
-        `when`(authService.buildAuthToken(cert, signature, challenge)).thenReturn(token)
-
-        viewModel = WebEidViewModel(authService)
-
-        viewModel.handleWebEidAuthResult(cert, signature, activity)
-
-        verify(authService).buildAuthToken(cert, signature, challenge)
-        verify(activity).startActivity(any())
-        verify(activity).finish()
+        viewModel.handleSign(uri)
+        val authRequest = viewModel.authRequest.value
+        val signRequest = viewModel.signRequest.value
+        assert(authRequest == null)
+        assert(signRequest != null)
+        assertEquals("https://example.com/response", signRequest?.responseUri)
+        assertEquals("signing_certificate", signRequest?.signCertificate)
+        assertEquals("hash", signRequest?.hash)
+        assertEquals("hash_function", signRequest?.hashFunction)
     }
 
     @Test
-    fun handleWebEidAuthResult_doesNothing_whenChallengeMissing() {
-        val cert = byteArrayOf(1)
-        val signature = byteArrayOf(2)
-
-        val authRequest =
-            WebEidAuthRequest(
-                challenge = "",
-                loginUri = "https://example.com",
-                getSigningCertificate = true,
-                origin = "https://example.com",
-            )
-        `when`(authService.authRequest).thenReturn(MutableStateFlow(authRequest))
-
-        viewModel = WebEidViewModel(authService)
-        viewModel.handleWebEidAuthResult(cert, signature, activity)
-
-        verify(authService, never()).buildAuthToken(any(), any(), any())
-        verify(activity, never()).startActivity(any())
+    @OptIn(ExperimentalCoroutinesApi::class)
+    fun webEidViewModel_handleWebEidAuthResult_buildsAuthTokenAndEmitsResponseEvent() {
+        runTest(UnconfinedTestDispatcher()) {
+            val cert = byteArrayOf(1, 2, 3)
+            val signingCert = byteArrayOf(9, 9, 9)
+            val signature = byteArrayOf(4, 5, 6)
+            val uri =
+                Uri.parse(
+                    "web-eid-mobile://auth#eyJjaGFsbGVuZ2UiOiJ0ZXN0LWNoYWxsZW5nZS0wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMCIsImxvZ2luX3VyaSI6Imh0dHBzOi8vZXhhbXBsZS5jb20vcmVzcG9uc2UiLCJnZXRfc2lnbmluZ19jZXJ0aWZpY2F0ZSI6dHJ1ZX0",
+                )
+            whenever(authService.buildAuthToken(cert, signingCert, signature))
+                .thenReturn(JSONObject().put("format", "web-eid:1.0"))
+            val deferred =
+                async {
+                    viewModel.relyingPartyResponseEvents.first()
+                }
+            viewModel.handleAuth(uri)
+            viewModel.handleWebEidAuthResult(cert, signingCert, signature)
+
+            verify(authService).buildAuthToken(cert, signingCert, signature)
+            val emittedUri = deferred.await()
+            assert(emittedUri.toString().startsWith("https://example.com/response#"))
+            assert(emittedUri.fragment != null)
+            val decodedPayload = String(decode(emittedUri.fragment, URL_SAFE))
+            val jsonPayload = JSONObject(decodedPayload)
+            val authToken = jsonPayload.getJSONObject("auth-token")
+            assertEquals("web-eid:1.0", authToken.getString("format"))
+        }
     }
 
     @Test
-    fun handleWebEidAuthResult_doesNothing_whenLoginUriMissing() {
-        val cert = byteArrayOf(1)
-        val signature = byteArrayOf(2)
-
-        val authRequest =
-            WebEidAuthRequest(
-                challenge = "abc",
-                loginUri = "",
-                getSigningCertificate = true,
-                origin = "https://example.com",
-            )
-        `when`(authService.authRequest).thenReturn(MutableStateFlow(authRequest))
-
-        viewModel = WebEidViewModel(authService)
-        viewModel.handleWebEidAuthResult(cert, signature, activity)
-
-        verify(authService, never()).buildAuthToken(any(), any(), any())
-        verify(activity, never()).startActivity(any())
+    @OptIn(ExperimentalCoroutinesApi::class)
+    fun webEidViewModel_handleWebEidAuthResult_emitErrorResponseEventWhenException() {
+        runTest(UnconfinedTestDispatcher()) {
+            val cert = byteArrayOf(1, 2, 3)
+            val signingCert = byteArrayOf(9, 9, 9)
+            val signature = byteArrayOf(4, 5, 6)
+            val uri =
+                Uri.parse(
+                    "web-eid-mobile://auth#eyJjaGFsbGVuZ2UiOiJ0ZXN0LWNoYWxsZW5nZS0wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMCIsImxvZ2luX3VyaSI6Imh0dHBzOi8vZXhhbXBsZS5jb20vcmVzcG9uc2UiLCJnZXRfc2lnbmluZ19jZXJ0aWZpY2F0ZSI6dHJ1ZX0",
+                )
+            whenever(authService.buildAuthToken(cert, signingCert, signature))
+                .thenThrow(RuntimeException("Test exception"))
+            val deferred =
+                async {
+                    viewModel.relyingPartyResponseEvents.first()
+                }
+            viewModel.handleAuth(uri)
+
+            viewModel.handleWebEidAuthResult(cert, signingCert, signature)
+
+            verify(authService).buildAuthToken(cert, signingCert, signature)
+            val emittedUri = deferred.await()
+            assert(emittedUri.toString().startsWith("https://example.com/response#"))
+            assert(emittedUri.fragment != null)
+            val decodedPayload = String(decode(emittedUri.fragment, URL_SAFE))
+            val jsonPayload = JSONObject(decodedPayload)
+            assertEquals("ERR_WEBEID_MOBILE_UNKNOWN_ERROR", jsonPayload.getString("code"))
+            assertEquals("Unexpected error", jsonPayload.getString("message"))
+        }
     }
 }

app/src/main/kotlin/ee/ria/DigiDoc/fragment/WebEidFragment.kt

@@ -2,8 +2,11 @@
 
 package ee.ria.DigiDoc.fragment
 
+import android.app.Activity
+import android.content.Intent
 import android.content.res.Configuration
 import android.net.Uri
+import androidx.activity.compose.LocalActivity
 import androidx.compose.foundation.background
 import androidx.compose.foundation.layout.fillMaxSize
 import androidx.compose.material3.MaterialTheme
@@ -21,7 +24,6 @@ import androidx.navigation.NavHostController
 import androidx.navigation.compose.rememberNavController
 import ee.ria.DigiDoc.fragment.screen.WebEidScreen
 import ee.ria.DigiDoc.ui.theme.RIADigiDocTheme
-import ee.ria.DigiDoc.utilsLib.logging.LoggingUtil.Companion.debugLog
 import ee.ria.DigiDoc.viewmodel.WebEidViewModel
 import ee.ria.DigiDoc.viewmodel.shared.SharedContainerViewModel
 import ee.ria.DigiDoc.viewmodel.shared.SharedMenuViewModel
@@ -38,12 +40,27 @@ fun WebEidFragment(
     sharedContainerViewModel: SharedContainerViewModel = hiltViewModel(),
     sharedMenuViewModel: SharedMenuViewModel = hiltViewModel(),
 ) {
+    val activity = LocalActivity.current as Activity
+
+    LaunchedEffect(viewModel) {
+        viewModel.relyingPartyResponseEvents.collect { responseUri ->
+            val browserIntent =
+                Intent(Intent.ACTION_VIEW, responseUri).apply {
+                    addFlags(Intent.FLAG_ACTIVITY_NEW_TASK or Intent.FLAG_ACTIVITY_CLEAR_TOP)
+                }
+            activity.startActivity(browserIntent)
+            activity.finishAndRemoveTask()
+        }
+    }
+
     LaunchedEffect(webEidUri) {
         webEidUri?.let {
             when (it.host) {
                 "auth" -> viewModel.handleAuth(it)
                 "sign" -> viewModel.handleSign(it)
-                else -> debugLog("WebEidFragment", "Unknown Web eID URI host: ${it.host}")
+                else -> {
+                    viewModel.handleUnknown(it)
+                }
             }
         }
     }