feat: add 2FA auth

Author: osahner

contributed/requests/address.http

@@ -12,7 +12,8 @@ Content-Type: application/json
 
 {
   "username": "admin.admin",
-  "password": "test1234"
+  "password": "test1234",
+  "verificationCode": ""
 }
 
 > {%
@@ -22,6 +23,23 @@ Content-Type: application/json
   client.global.set("auth_token", response.headers.valueOf("Authorization").replace("Bearer ", ""));
 %}
 
+### Login as user
+POST http://localhost:{{port}}/starter-test/login
+Content-Type: application/json
+
+{
+  "username": "john.doe",
+  "password": "test1234",
+  "verificationCode": "479346"
+}
+
+> {%
+  client.test("Request executed successfully", function() {
+    client.assert(response.status === 200, "Response status is not 200");
+  });
+%}
+
+
 
 ### Add / Update
 POST http://localhost:{{port}}/starter-test/api/v1/address

pom.xml

@@ -32,6 +32,7 @@
     <jasypt.version>1.9.3</jasypt.version>
     <opencsv.version>5.7.1</opencsv.version>
     <commons-io.version>2.11.0</commons-io.version>
+    <aerogear-otp-java.version>1.0.0</aerogear-otp-java.version>
   </properties>
 
   <dependencies>
@@ -72,6 +73,12 @@
       <version>${kotlin.version}</version>
     </dependency>
 
+    <dependency>
+      <groupId>org.jboss.aerogear</groupId>
+      <artifactId>aerogear-otp-java</artifactId>
+      <version>${aerogear-otp-java.version}</version>
+    </dependency>
+
     <dependency>
       <groupId>io.jsonwebtoken</groupId>
       <artifactId>jjwt-api</artifactId>

src/main/kotlin/osahner/config/WebConfig.kt

@@ -11,11 +11,10 @@ import org.springframework.security.web.SecurityFilterChain
 import org.springframework.web.cors.CorsConfiguration
 import org.springframework.web.cors.CorsConfigurationSource
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource
-import osahner.security.JWTAuthenticationFilter
-import osahner.security.JWTAuthorizationFilter
-import osahner.security.TokenProvider
+import osahner.security.*
 import osahner.service.AppAuthenticationManager
 
+
 @Configuration
 @EnableWebSecurity
 @EnableMethodSecurity(prePostEnabled = true)
@@ -65,4 +64,5 @@ class WebConfig(
       cors.registerCorsConfiguration("/**", this)
     }
   }
+
 }

src/main/kotlin/osahner/domain/User.kt

@@ -5,6 +5,7 @@ package osahner.domain
 import jakarta.persistence.*
 import org.hibernate.annotations.GenericGenerator
 import org.hibernate.annotations.Parameter
+import org.jboss.aerogear.security.otp.api.Base32
 
 @Entity
 @Table(name = "app_user")
@@ -34,6 +35,10 @@ class User(
   @Column(name = "last_name")
   var lastName: String? = null,
 
+  var isUsing2FA: Boolean = false,
+
+  var secret: String = Base32.random(),
+
   @ManyToMany(fetch = FetchType.EAGER, cascade = [CascadeType.MERGE])
   @JoinTable(
     name = "user_role",

src/main/kotlin/osahner/security/JWTAuthenticationFilter.kt

@@ -6,17 +6,17 @@ import jakarta.servlet.FilterChain
 import jakarta.servlet.ServletException
 import jakarta.servlet.http.HttpServletRequest
 import jakarta.servlet.http.HttpServletResponse
-import org.springframework.security.authentication.AuthenticationManager
 import org.springframework.security.authentication.AuthenticationServiceException
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
 import org.springframework.security.core.Authentication
 import org.springframework.security.core.AuthenticationException
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
 import osahner.config.SecurityProperties
+import osahner.service.AppAuthenticationManager
 import java.io.IOException
 
 class JWTAuthenticationFilter(
-  private val authManager: AuthenticationManager,
+  private val authManager: AppAuthenticationManager,
   private val securityProperties: SecurityProperties,
   private val tokenProvider: TokenProvider
 ) : UsernamePasswordAuthenticationFilter() {
@@ -29,15 +29,16 @@ class JWTAuthenticationFilter(
     return try {
       val mapper = jacksonObjectMapper()
 
-      val creds = mapper
-        .readValue<osahner.domain.User>(req.inputStream)
+      val creds = mapper.readValue<UserLoginDTO>(req.inputStream)
 
       authManager.authenticate(
         UsernamePasswordAuthenticationToken(
           creds.username,
           creds.password,
           ArrayList()
-        )
+        ).apply {
+          details = mapOf("verificationCode" to creds.verificationCode)
+        }
       )
     } catch (e: IOException) {
       throw AuthenticationServiceException(e.message)

src/main/kotlin/osahner/security/UserLoginDTO.kt

@@ -0,0 +1,7 @@
+package osahner.security
+
+data class UserLoginDTO(
+  val username: String,
+  val password: String,
+  val verificationCode: String? = null
+)

src/main/kotlin/osahner/service/AppAuthenticationManager.kt

@@ -1,25 +1,54 @@
 package osahner.service
 
+import org.jboss.aerogear.security.otp.Totp
 import org.springframework.security.authentication.AuthenticationManager
 import org.springframework.security.authentication.BadCredentialsException
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
 import org.springframework.security.core.Authentication
 import org.springframework.security.core.AuthenticationException
+import org.springframework.security.core.GrantedAuthority
+import org.springframework.security.core.authority.SimpleGrantedAuthority
+import org.springframework.security.core.userdetails.UsernameNotFoundException
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
 import org.springframework.stereotype.Component
+import osahner.domain.User
 
 
 @Component
 class AppAuthenticationManager(
-  private val userService: AppUserDetailsService, val bCryptPasswordEncoder: BCryptPasswordEncoder,
+  private val userRepository: UserRepository,
+  val bCryptPasswordEncoder: BCryptPasswordEncoder,
 ) : AuthenticationManager {
   @Throws(AuthenticationException::class)
-  override fun authenticate(authentication: Authentication): Authentication? {
+  override fun authenticate(authentication: Authentication): Authentication {
     val password = authentication.credentials.toString()
-    val user = userService.loadUserByUsername(authentication.name)
+    val user: User = userRepository.findByUsername(authentication.name).orElseThrow {
+      UsernameNotFoundException("The username ${authentication.name} doesn't exist")
+    }
     if (!bCryptPasswordEncoder.matches(password, user.password)) {
       throw BadCredentialsException("Bad credentials")
     }
-    return UsernamePasswordAuthenticationToken(user.username, user.password, user.authorities)
+    if (user.isUsing2FA) {
+      val verificationCode: String = (authentication.details as Map<*, *>)["verificationCode"].toString()
+      val totp = Totp(user.secret)
+      when {
+        !isValidLong(verificationCode) -> throw BadCredentialsException("Invalid verfication code")
+        !totp.verify(verificationCode) -> throw BadCredentialsException("Invalid verfication code")
+      }
+    }
+    val authorities = ArrayList<GrantedAuthority>()
+    if (user.roles != null) {
+      user.roles!!.forEach { authorities.add(SimpleGrantedAuthority(it.roleName)) }
+    }
+    return UsernamePasswordAuthenticationToken(user.username, user.password, authorities)
+  }
+
+  private fun isValidLong(code: String): Boolean {
+    try {
+      code.toLong()
+    } catch (e: NumberFormatException) {
+      return false
+    }
+    return true
   }
 }

src/main/kotlin/osahner/service/AppUserDetailsService.kt

@@ -8,6 +8,7 @@ import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.core.userdetails.UsernameNotFoundException
 import org.springframework.stereotype.Component
 
+
 @Component
 class AppUserDetailsService(private val userRepository: UserRepository) : UserDetailsService {
 

src/main/resources/application.yaml

@@ -39,7 +39,7 @@ management:
 spring:
   jpa:
     hibernate:
-      ddl-auto: update
+      ddl-auto: create-drop
     properties:
       hibernate.show_sql: true
   config:

src/main/resources/data.sql

@@ -8,11 +8,11 @@ VALUES (2, 'STANDARD_USER', 'Standard User - Has no admin rights');
 
 TRUNCATE TABLE app_user;
 -- password test1234
-INSERT INTO app_user (id, first_name, last_name, password, username)
-VALUES (1, 'Admin', 'Admin', '$2a$10$5AWyzymSnNypg9BkMOyKE.zA05GtRKHCoWimh.q2w.KAO5koBYPM6', 'admin.admin');
+INSERT INTO app_user (id, first_name, last_name, password, username, isUsing2FA, secret)
+VALUES (1, 'Admin', 'Admin', '$2a$10$5AWyzymSnNypg9BkMOyKE.zA05GtRKHCoWimh.q2w.KAO5koBYPM6', 'admin.admin', false, '5TPFV3VGX3EKYAET');
 -- password test1234
-INSERT INTO app_user (id, first_name, last_name, password, username)
-VALUES (2, 'John', 'Doe', '$2a$10$5AWyzymSnNypg9BkMOyKE.zA05GtRKHCoWimh.q2w.KAO5koBYPM6', 'john.doe');
+INSERT INTO app_user (id, first_name, last_name, password, username, isUsing2FA, secret)
+VALUES (2, 'John', 'Doe', '$2a$10$5AWyzymSnNypg9BkMOyKE.zA05GtRKHCoWimh.q2w.KAO5koBYPM6', 'john.doe', true, '5TPFV3VGX3EKYAET');
 
 TRUNCATE TABLE user_role;
 INSERT INTO user_role(user_id, role_id)