Add support JdbcOneTimeTokenService

Closes gh-15735

Author: franticticktick

core/src/main/java/org/springframework/security/aot/hint/OneTimeTokenRuntimeHints.java

@@ -0,0 +1,40 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.aot.hint;
+
+import org.springframework.aot.hint.RuntimeHints;
+import org.springframework.aot.hint.RuntimeHintsRegistrar;
+import org.springframework.jdbc.core.JdbcOperations;
+import org.springframework.security.authentication.ott.OneTimeToken;
+import org.springframework.security.authentication.ott.OneTimeTokenService;
+
+/**
+ *
+ * A JDBC implementation of an {@link OneTimeTokenService} that uses a
+ * {@link JdbcOperations} for {@link OneTimeToken} persistence.
+ *
+ * @author Max Batischev
+ * @since 6.4
+ */
+class OneTimeTokenRuntimeHints implements RuntimeHintsRegistrar {
+
+	@Override
+	public void registerHints(RuntimeHints hints, ClassLoader classLoader) {
+		hints.resources().registerPattern("org/springframework/security/core/ott/jdbc/one-time-tokens.sql");
+	}
+
+}

core/src/main/java/org/springframework/security/authentication/ott/InMemoryOneTimeTokenService.java

@@ -16,14 +16,11 @@
 
 package org.springframework.security.authentication.ott;
 
-import java.time.Clock;
-import java.time.Instant;
 import java.util.Map;
 import java.util.UUID;
 import java.util.concurrent.ConcurrentHashMap;
 
 import org.springframework.lang.NonNull;
-import org.springframework.util.Assert;
 
 /**
  * Provides an in-memory implementation of the {@link OneTimeTokenService} interface that
@@ -38,23 +35,20 @@ public final class InMemoryOneTimeTokenService implements OneTimeTokenService {
 
 	private final Map<String, OneTimeToken> oneTimeTokenByToken = new ConcurrentHashMap<>();
 
-	private Clock clock = Clock.systemUTC();
-
 	@Override
 	@NonNull
 	public OneTimeToken generate(GenerateOneTimeTokenRequest request) {
-		String token = UUID.randomUUID().toString();
-		Instant fiveMinutesFromNow = this.clock.instant().plusSeconds(300);
-		OneTimeToken ott = new DefaultOneTimeToken(token, request.getUsername(), fiveMinutesFromNow);
-		this.oneTimeTokenByToken.put(token, ott);
+		OneTimeToken ott = OneTimeTokenUtils.generateOneTimeToken(request,
+				OneTimeTokenUtils.DEFAULT_ONE_TIME_TOKEN_TIME_TO_LIVE);
+		this.oneTimeTokenByToken.put(ott.getTokenValue(), ott);
 		cleanExpiredTokensIfNeeded();
 		return ott;
 	}
 
 	@Override
 	public OneTimeToken consume(OneTimeTokenAuthenticationToken authenticationToken) {
 		OneTimeToken ott = this.oneTimeTokenByToken.remove(authenticationToken.getTokenValue());
-		if (ott == null || isExpired(ott)) {
+		if (ott == null || OneTimeTokenUtils.isExpired(ott)) {
 			return null;
 		}
 		return ott;
@@ -65,19 +59,10 @@ private void cleanExpiredTokensIfNeeded() {
 			return;
 		}
 		for (Map.Entry<String, OneTimeToken> entry : this.oneTimeTokenByToken.entrySet()) {
-			if (isExpired(entry.getValue())) {
+			if (OneTimeTokenUtils.isExpired(entry.getValue())) {
 				this.oneTimeTokenByToken.remove(entry.getKey());
 			}
 		}
 	}
 
-	private boolean isExpired(OneTimeToken ott) {
-		return this.clock.instant().isAfter(ott.getExpiresAt());
-	}
-
-	void setClock(Clock clock) {
-		Assert.notNull(clock, "clock cannot be null");
-		this.clock = clock;
-	}
-
 }

core/src/main/java/org/springframework/security/authentication/ott/JdbcOneTimeTokenService.java

@@ -0,0 +1,198 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authentication.ott;
+
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Timestamp;
+import java.sql.Types;
+import java.time.Instant;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.function.Function;
+
+import org.springframework.jdbc.core.ArgumentPreparedStatementSetter;
+import org.springframework.jdbc.core.JdbcOperations;
+import org.springframework.jdbc.core.PreparedStatementSetter;
+import org.springframework.jdbc.core.RowMapper;
+import org.springframework.jdbc.core.SqlParameterValue;
+import org.springframework.util.Assert;
+import org.springframework.util.CollectionUtils;
+
+/**
+ *
+ * A JDBC implementation of an {@link OneTimeTokenService} that uses a
+ * {@link JdbcOperations} for {@link OneTimeToken} persistence.
+ *
+ * <p>
+ * <b>NOTE:</b> This {@code JdbcOneTimeTokenService} depends on the table definition
+ * described in "classpath:org/springframework/security/core/ott/jdbc/one-time-tokens.sql"
+ * and therefore MUST be defined in the database schema.
+ *
+ * @author Max Batischev
+ * @since 6.4
+ */
+public final class JdbcOneTimeTokenService implements OneTimeTokenService {
+
+	private final JdbcOperations jdbcOperations;
+
+	private Function<OneTimeToken, List<SqlParameterValue>> oneTimeTokenParametersMapper = new OneTimeTokenParametersMapper();
+
+	private RowMapper<OneTimeToken> oneTimeTokenRowMapper = new OneTimeTokenRowMapper();
+
+	private static final String TABLE_NAME = "one_time_tokens";
+
+	// @formatter:off
+	private static final String COLUMN_NAMES = "token_value, "
+			+ "username, "
+			+ "expires_at";
+	// @formatter:on
+
+	// @formatter:off
+	private static final String SAVE_AUTHORIZED_CLIENT_SQL = "INSERT INTO " + TABLE_NAME
+			+ " (" + COLUMN_NAMES + ") VALUES (?, ?, ?)";
+	// @formatter:on
+
+	private static final String FILTER = "token_value = ?";
+
+	private static final String DELETE_ONE_TIME_TOKEN_SQL = "DELETE FROM " + TABLE_NAME + " WHERE " + FILTER;
+
+	// @formatter:off
+	private static final String SELECT_ONE_TIME_TOKEN_SQL = "SELECT " + COLUMN_NAMES
+			+ " FROM " + TABLE_NAME
+			+ " WHERE " + FILTER;
+	// @formatter:on
+
+	/**
+	 * Constructs a {@code JdbcOneTimeTokenService} using the provide parameters.
+	 * @param jdbcOperations the JDBC operations
+	 */
+	public JdbcOneTimeTokenService(JdbcOperations jdbcOperations) {
+		Assert.notNull(jdbcOperations, "jdbcOperations cannot be null");
+		this.jdbcOperations = jdbcOperations;
+	}
+
+	@Override
+	public OneTimeToken generate(GenerateOneTimeTokenRequest request) {
+		Assert.notNull(request, "generateOneTimeTokenRequest cannot be null");
+
+		OneTimeToken oneTimeToken = OneTimeTokenUtils.generateOneTimeToken(request,
+				OneTimeTokenUtils.DEFAULT_ONE_TIME_TOKEN_TIME_TO_LIVE);
+		insertOneTimeToken(oneTimeToken);
+		return oneTimeToken;
+	}
+
+	private void insertOneTimeToken(OneTimeToken oneTimeToken) {
+		List<SqlParameterValue> parameters = this.oneTimeTokenParametersMapper.apply(oneTimeToken);
+		PreparedStatementSetter pss = new ArgumentPreparedStatementSetter(parameters.toArray());
+		this.jdbcOperations.update(SAVE_AUTHORIZED_CLIENT_SQL, pss);
+	}
+
+	@Override
+	public OneTimeToken consume(OneTimeTokenAuthenticationToken authenticationToken) {
+		Assert.notNull(authenticationToken, "authenticationToken cannot be null");
+
+		List<OneTimeToken> tokens = selectOneTimeToken(authenticationToken);
+		if (CollectionUtils.isEmpty(tokens)) {
+			return null;
+		}
+		OneTimeToken token = tokens.get(0);
+		deleteOneTimeToken(token);
+		if (OneTimeTokenUtils.isExpired(token)) {
+			return null;
+		}
+		return token;
+	}
+
+	private List<OneTimeToken> selectOneTimeToken(OneTimeTokenAuthenticationToken authenticationToken) {
+		List<SqlParameterValue> parameters = List
+			.of(new SqlParameterValue(Types.VARCHAR, authenticationToken.getTokenValue()));
+		PreparedStatementSetter pss = new ArgumentPreparedStatementSetter(parameters.toArray());
+		return this.jdbcOperations.query(SELECT_ONE_TIME_TOKEN_SQL, pss, this.oneTimeTokenRowMapper);
+	}
+
+	private void deleteOneTimeToken(OneTimeToken oneTimeToken) {
+		List<SqlParameterValue> parameters = List
+			.of(new SqlParameterValue(Types.VARCHAR, oneTimeToken.getTokenValue()));
+		PreparedStatementSetter pss = new ArgumentPreparedStatementSetter(parameters.toArray());
+		this.jdbcOperations.update(DELETE_ONE_TIME_TOKEN_SQL, pss);
+	}
+
+	/**
+	 * Sets the {@code Function} used for mapping {@link OneTimeToken} to a {@code List}
+	 * of {@link SqlParameterValue}. The default is {@link OneTimeTokenParametersMapper}.
+	 * @param oneTimeTokenParametersMapper the {@code Function} used for mapping
+	 * {@link OneTimeToken} to a {@code List} of {@link SqlParameterValue}
+	 */
+	public void setOneTimeTokenParametersMapper(
+			Function<OneTimeToken, List<SqlParameterValue>> oneTimeTokenParametersMapper) {
+		Assert.notNull(oneTimeTokenParametersMapper, "oneTimeTokenParametersMapper cannot be null");
+		this.oneTimeTokenParametersMapper = oneTimeTokenParametersMapper;
+	}
+
+	/**
+	 * Sets the {@link RowMapper} used for mapping the current row in
+	 * {@code java.sql.ResultSet} to {@link OneTimeToken}. The default is
+	 * {@link OneTimeTokenRowMapper}.
+	 * @param oneTimeTokenRowMapper the {@link RowMapper} used for mapping the current row
+	 * in {@code java.sql.ResultSet} to {@link OneTimeToken}
+	 */
+	public void setOneTimeTokenRowMapper(RowMapper<OneTimeToken> oneTimeTokenRowMapper) {
+		Assert.notNull(oneTimeTokenRowMapper, "oneTimeTokenRowMapper cannot be null");
+		this.oneTimeTokenRowMapper = oneTimeTokenRowMapper;
+	}
+
+	/**
+	 * The default {@code Function} that maps {@link OneTimeToken} to a {@code List} of
+	 * {@link SqlParameterValue}.
+	 *
+	 * @author Max Batischev
+	 * @since 6.4
+	 */
+	public static class OneTimeTokenParametersMapper implements Function<OneTimeToken, List<SqlParameterValue>> {
+
+		@Override
+		public List<SqlParameterValue> apply(OneTimeToken oneTimeToken) {
+			List<SqlParameterValue> parameters = new ArrayList<>();
+			parameters.add(new SqlParameterValue(Types.VARCHAR, oneTimeToken.getTokenValue()));
+			parameters.add(new SqlParameterValue(Types.VARCHAR, oneTimeToken.getUsername()));
+			parameters.add(new SqlParameterValue(Types.TIMESTAMP, Timestamp.from(oneTimeToken.getExpiresAt())));
+			return parameters;
+		}
+
+	}
+
+	/**
+	 * The default {@link RowMapper} that maps the current row in
+	 * {@code java.sql.ResultSet} to {@link OneTimeToken}.
+	 *
+	 * @author Max Batischev
+	 * @since 6.4
+	 */
+	public static class OneTimeTokenRowMapper implements RowMapper<OneTimeToken> {
+
+		@Override
+		public OneTimeToken mapRow(ResultSet rs, int rowNum) throws SQLException {
+			String tokenValue = rs.getString("token_value");
+			String userName = rs.getString("username");
+			Instant expiresAt = rs.getTimestamp("expires_at").toInstant();
+			return new DefaultOneTimeToken(tokenValue, userName, expiresAt);
+		}
+
+	}
+
+}

core/src/main/java/org/springframework/security/authentication/ott/OneTimeTokenUtils.java

@@ -0,0 +1,55 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authentication.ott;
+
+import java.time.Clock;
+import java.time.Instant;
+import java.util.UUID;
+
+import org.springframework.util.Assert;
+
+/**
+ *
+ * Utility for default generation and checking of {@link OneTimeToken} time to live.
+ *
+ * @author Max Batischev
+ * @since 6.4
+ */
+public final class OneTimeTokenUtils {
+
+	public static long DEFAULT_ONE_TIME_TOKEN_TIME_TO_LIVE = 300;
+
+	private static Clock clock = Clock.systemUTC();
+
+	private OneTimeTokenUtils() {
+	}
+
+	public static OneTimeToken generateOneTimeToken(GenerateOneTimeTokenRequest request, long timeToLive) {
+		Assert.notNull(request, "generateOneTimeTokenRequest cannot be null");
+		Assert.isTrue(!(timeToLive <= 0), "timeToLive must be greater than 0");
+
+		String token = UUID.randomUUID().toString();
+		Instant fiveMinutesFromNow = clock.instant().plusSeconds(timeToLive);
+		return new DefaultOneTimeToken(token, request.getUsername(), fiveMinutesFromNow);
+	}
+
+	public static boolean isExpired(OneTimeToken token) {
+		Assert.notNull(token, "oneTimeToken cannot be null");
+		return clock.instant().isAfter(token.getExpiresAt());
+	}
+
+}

core/src/main/resources/META-INF/spring/aot.factories

@@ -1,4 +1,6 @@
 org.springframework.aot.hint.RuntimeHintsRegistrar=\
-org.springframework.security.aot.hint.CoreSecurityRuntimeHints
+org.springframework.security.aot.hint.CoreSecurityRuntimeHints,\
+org.springframework.security.aot.hint.OneTimeTokenRuntimeHints
+
 org.springframework.beans.factory.aot.BeanFactoryInitializationAotProcessor=\
 org.springframework.security.aot.hint.SecurityHintsAotProcessor

core/src/main/resources/org/springframework/security/core/ott/jdbc/one-time-tokens.sql

@@ -0,0 +1,6 @@
+create table one_time_tokens
+(
+    token_value varchar(36) not null primary key,
+    username    varchar_ignorecase(50) not null,
+    expires_at  timestamp   not null
+);