Further improvements

marcusdacoregio · marcusdacoregio · commit e5c338fc342b · 2024-08-19T11:27:29.000-03:00
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
@@ -2979,6 +2979,36 @@ public HttpSecurity oauth2ResourceServer(
 		return HttpSecurity.this;
 	}
 
+	/**
+	 * Configures One-Time Token Login Support.
+	 *
+	 * <h2>Example Configuration</h2>
+	 *
+	 * <pre>
+	 * &#064;Configuration
+	 * &#064;EnableWebSecurity
+	 * public class SecurityConfig {
+	 *
+	 * 	&#064;Bean
+	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+	 * 		http
+	 * 			.authorizeHttpRequests((authorize) -&gt; authorize
+	 * 					.anyRequest().authenticated()
+	 * 			)
+	 * 			.oneTimeTokenLogin(Customizer.withDefaults());
+	 * 		return http.build();
+	 * 	}
+	 * }
+	 * </pre>
+	 *
+	 * Note that a
+	 * {@link org.springframework.security.authentication.ott.OneTimeTokenSender} is
+	 * required to enable this support.
+	 * @param oneTimeTokenLoginConfigurerCustomizer the {@link Customizer} to provide more
+	 * options for the {@link OneTimeTokenLoginConfigurer}
+	 * @return the {@link HttpSecurity} for further customizations
+	 * @throws Exception
+	 */
 	public HttpSecurity oneTimeTokenLogin(
 			Customizer<OneTimeTokenLoginConfigurer<HttpSecurity>> oneTimeTokenLoginConfigurerCustomizer)
 			throws Exception {
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurer.java
@@ -46,8 +46,10 @@
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
 import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationConverter;
 import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationRequestFilter;
+import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationRequestResolver;
 import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationRequestSuccessHandler;
 import org.springframework.security.web.authentication.ott.RedirectOneTimeTokenAuthenticationRequestSuccessHandler;
+import org.springframework.security.web.authentication.ott.RequestParameterOneTimeTokenAuthenticationRequestResolver;
 import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
 import org.springframework.security.web.authentication.ui.DefaultOneTimeTokenSubmitPageGeneratingFilter;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
@@ -88,6 +90,8 @@ public final class OneTimeTokenLoginConfigurer<H extends HttpSecurityBuilder<H>>
 
 	private AuthenticationProvider authenticationProvider;
 
+	private OneTimeTokenAuthenticationRequestResolver authenticationRequestResolver = new RequestParameterOneTimeTokenAuthenticationRequestResolver();
+
 	public OneTimeTokenLoginConfigurer(ApplicationContext context) {
 		this.context = context;
 	}
@@ -143,6 +147,7 @@ private SecurityContextRepository getSecurityContextRepository(H http) {
 	private void configureOttAuthenticationRequestFilter(H http) {
 		OneTimeTokenAuthenticationRequestFilter authenticationRequestFilter = new OneTimeTokenAuthenticationRequestFilter(
 				getOneTimeTokenService(http), getOneTimeTokenSender(http));
+		authenticationRequestFilter.setAuthenticationRequestResolver(this.authenticationRequestResolver);
 		authenticationRequestFilter.setAuthenticationRequestSuccessHandler(this.authenticationRequestSuccessHandler);
 		authenticationRequestFilter.setRequestMatcher(antMatcher(HttpMethod.POST, this.authenticationRequestUrl));
 		http.addFilter(postProcess(authenticationRequestFilter));
@@ -169,6 +174,19 @@ private AuthenticationProvider getAuthenticationProvider(H http) {
 		return this.authenticationProvider;
 	}
 
+	/**
+	 * Specifies the {@link OneTimeTokenAuthenticationRequestResolver} to use to resolve a
+	 * {@link org.springframework.security.authentication.ott.OneTimeTokenAuthenticationRequest}.
+	 * Defaults to {@link RequestParameterOneTimeTokenAuthenticationRequestResolver}
+	 * @param authenticationRequestResolver
+	 */
+	public OneTimeTokenLoginConfigurer<H> authenticationRequestResolver(
+			OneTimeTokenAuthenticationRequestResolver authenticationRequestResolver) {
+		Assert.notNull(authenticationRequestResolver, "authenticationRequestResolver cannot be null");
+		this.authenticationRequestResolver = authenticationRequestResolver;
+		return this;
+	}
+
 	/**
 	 * Specifies the {@link AuthenticationProvider} to use when authenticating the user.
 	 * @param authenticationProvider
diff --git a/core/src/main/java/org/springframework/security/authentication/ott/InMemoryOneTimeTokenService.java b/core/src/main/java/org/springframework/security/authentication/ott/InMemoryOneTimeTokenService.java
@@ -53,7 +53,7 @@ public OneTimeToken generate(OneTimeTokenAuthenticationRequest request) {
 
 	@Override
 	public OneTimeToken consume(OneTimeTokenAuthenticationToken authenticationToken) {
-		OneTimeToken ott = this.oneTimeTokenByToken.remove(authenticationToken.getToken());
+		OneTimeToken ott = this.oneTimeTokenByToken.remove(authenticationToken.getTokenValue());
 		if (ott == null || isExpired(ott)) {
 			return null;
 		}
diff --git a/core/src/main/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationProvider.java b/core/src/main/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationProvider.java
@@ -53,7 +53,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 			throw new InvalidOneTimeTokenException("Invalid token");
 		}
 		UserDetails user = this.userDetailsService.loadUserByUsername(consumed.getUsername());
-		OneTimeTokenAuthenticationToken authenticated = new OneTimeTokenAuthenticationToken(user,
+		OneTimeTokenAuthenticationToken authenticated = OneTimeTokenAuthenticationToken.authenticated(user,
 				user.getAuthorities());
 		authenticated.setDetails(otpAuthenticationToken.getDetails());
 		return authenticated;
diff --git a/core/src/main/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationToken.java b/core/src/main/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationToken.java
@@ -32,12 +32,16 @@ public class OneTimeTokenAuthenticationToken extends AbstractAuthenticationToken
 
 	private final Object principal;
 
-	private String token;
+	private String tokenValue;
 
-	public OneTimeTokenAuthenticationToken(String token) {
+	public OneTimeTokenAuthenticationToken(Object principal, String tokenValue) {
 		super(Collections.emptyList());
-		this.token = token;
-		this.principal = null;
+		this.tokenValue = tokenValue;
+		this.principal = principal;
+	}
+
+	public OneTimeTokenAuthenticationToken(String tokenValue) {
+		this(null, tokenValue);
 	}
 
 	public OneTimeTokenAuthenticationToken(Object principal, Collection<? extends GrantedAuthority> authorities) {
@@ -46,13 +50,38 @@ public OneTimeTokenAuthenticationToken(Object principal, Collection<? extends Gr
 		setAuthenticated(true);
 	}
 
-	public String getToken() {
-		return this.token;
+	/**
+	 * Creates an unauthenticated token
+	 * @param principal the principal
+	 * @param tokenValue the one-time token value
+	 * @return an unauthenticated {@link OneTimeTokenAuthenticationToken}
+	 */
+	public static OneTimeTokenAuthenticationToken unauthenticated(Object principal, String tokenValue) {
+		return new OneTimeTokenAuthenticationToken(principal, tokenValue);
+	}
+
+	/**
+	 * Creates an unauthenticated token
+	 * @param principal the principal
+	 * @param authorities the principal authorities
+	 * @return an authenticated {@link OneTimeTokenAuthenticationToken}
+	 */
+	public static OneTimeTokenAuthenticationToken authenticated(Object principal,
+			Collection<? extends GrantedAuthority> authorities) {
+		return new OneTimeTokenAuthenticationToken(principal, authorities);
+	}
+
+	/**
+	 * Returns the one-time token value
+	 * @return
+	 */
+	public String getTokenValue() {
+		return this.tokenValue;
 	}
 
 	@Override
 	public Object getCredentials() {
-		return this.token;
+		return this.tokenValue;
 	}
 
 	@Override
diff --git a/web/src/main/java/org/springframework/security/web/authentication/ott/OneTimeTokenAuthenticationConverter.java b/web/src/main/java/org/springframework/security/web/authentication/ott/OneTimeTokenAuthenticationConverter.java
@@ -28,7 +28,8 @@
 /**
  * An implementation of {@link AuthenticationConverter} that detects if the request
  * contains a {@code token} parameter and constructs a
- * {@link OneTimeTokenAuthenticationToken} with it
+ * {@link OneTimeTokenAuthenticationToken} with it. If there is a {@code username}
+ * parameter in the request it will be used as the authentication token principal.
  *
  * @author Marcus da Coregio
  * @since 6.4
@@ -45,7 +46,8 @@ public Authentication convert(HttpServletRequest request) {
 			this.logger.debug("No token found in request");
 			return null;
 		}
-		return new OneTimeTokenAuthenticationToken(token);
+		String username = request.getParameter("username");
+		return OneTimeTokenAuthenticationToken.unauthenticated(username, token);
 	}
 
 }
diff --git a/web/src/test/java/org/springframework/security/web/authentication/ott/OneTimeTokenAuthenticationConverterTests.java b/web/src/test/java/org/springframework/security/web/authentication/ott/OneTimeTokenAuthenticationConverterTests.java
@@ -40,7 +40,29 @@ void convertWhenTokenParameterThenReturnOneTimeTokenAuthenticationToken() {
 		OneTimeTokenAuthenticationToken authentication = (OneTimeTokenAuthenticationToken) this.converter
 			.convert(request);
 		assertThat(authentication).isNotNull();
-		assertThat(authentication.getToken()).isEqualTo("1234");
+		assertThat(authentication.getTokenValue()).isEqualTo("1234");
+		assertThat(authentication.getPrincipal()).isNull();
+	}
+
+	@Test
+	void convertWhenTokenAndUsernameParameterThenReturnOneTimeTokenAuthenticationTokenWithUsername() {
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.setParameter("token", "1234");
+		request.setParameter("username", "josh");
+		OneTimeTokenAuthenticationToken authentication = (OneTimeTokenAuthenticationToken) this.converter
+			.convert(request);
+		assertThat(authentication).isNotNull();
+		assertThat(authentication.getTokenValue()).isEqualTo("1234");
+		assertThat(authentication.getPrincipal()).isEqualTo("josh");
+	}
+
+	@Test
+	void convertWhenOnlyUsernameParameterThenReturnNull() {
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.setParameter("username", "josh");
+		OneTimeTokenAuthenticationToken authentication = (OneTimeTokenAuthenticationToken) this.converter
+			.convert(request);
+		assertThat(authentication).isNull();
 	}
 
 	@Test

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ public OneTimeToken generate(OneTimeTokenAuthenticationRequest request) {`
`53`	`53`
`54`	`54`	`@Override`
`55`	`55`	`public OneTimeToken consume(OneTimeTokenAuthenticationToken authenticationToken) {`
`56`		`- OneTimeToken ott = this.oneTimeTokenByToken.remove(authenticationToken.getToken());`
	`56`	`+ OneTimeToken ott = this.oneTimeTokenByToken.remove(authenticationToken.getTokenValue());`
`57`	`57`	`if (ott == null \|\| isExpired(ott)) {`
`58`	`58`	`return null;`
`59`	`59`	`}`
Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ public Authentication authenticate(Authentication authentication) throws Authent`
`53`	`53`	`throw new InvalidOneTimeTokenException("Invalid token");`
`54`	`54`	`}`
`55`	`55`	`UserDetails user = this.userDetailsService.loadUserByUsername(consumed.getUsername());`
`56`		`- OneTimeTokenAuthenticationToken authenticated = new OneTimeTokenAuthenticationToken(user,`
	`56`	`+ OneTimeTokenAuthenticationToken authenticated = OneTimeTokenAuthenticationToken.authenticated(user,`
`57`	`57`	`user.getAuthorities());`
`58`	`58`	`authenticated.setDetails(otpAuthenticationToken.getDetails());`
`59`	`59`	`return authenticated;`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,8 @@`
`28`	`28`	`/**`
`29`	`29`	`* An implementation of {@link AuthenticationConverter} that detects if the request`
`30`	`30`	`* contains a {@code token} parameter and constructs a`
`31`		`- * {@link OneTimeTokenAuthenticationToken} with it`
	`31`	`+ * {@link OneTimeTokenAuthenticationToken} with it. If there is a {@code username}`
	`32`	`+ * parameter in the request it will be used as the authentication token principal.`
`32`	`33`	`*`
`33`	`34`	`* @author Marcus da Coregio`
`34`	`35`	`* @since 6.4`
`@@ -45,7 +46,8 @@ public Authentication convert(HttpServletRequest request) {`
`45`	`46`	`this.logger.debug("No token found in request");`
`46`	`47`	`return null;`
`47`	`48`	`}`
`48`		`- return new OneTimeTokenAuthenticationToken(token);`
	`49`	`+ String username = request.getParameter("username");`
	`50`	`+ return OneTimeTokenAuthenticationToken.unauthenticated(username, token);`
`49`	`51`	`}`
`50`	`52`
`51`	`53`	`}`