1264 - Add support for state token for stormpath_factor_challenge grant_type requests.

Richard Blaylock · Richard Blaylock · commit 10e8fc48590f · 2017-01-25T12:30:37.000-08:00
diff --git a/api/src/main/java/com/stormpath/sdk/oauth/OAuthStormpathFactorChallengeGrantRequestAuthentication.java b/api/src/main/java/com/stormpath/sdk/oauth/OAuthStormpathFactorChallengeGrantRequestAuthentication.java
@@ -23,6 +23,8 @@
  */
 public interface OAuthStormpathFactorChallengeGrantRequestAuthentication extends OAuthGrantRequestAuthentication {
 
+    String getState();
+
     String getChallenge();
 
     String getCode();
diff --git a/extensions/httpclient/src/test/groovy/com/stormpath/sdk/impl/application/ApplicationIT.groovy b/extensions/httpclient/src/test/groovy/com/stormpath/sdk/impl/application/ApplicationIT.groovy
@@ -1890,7 +1890,7 @@ class ApplicationIT extends ClientIT {
         challenge = factor.createChallenge(challenge)
 
         String bogusCode = "000000"
-        OAuthStormpathFactorChallengeGrantRequestAuthentication request = new DefaultOAuthStormpathFactorChallengeGrantRequestAuthentication(challenge.href, bogusCode)
+        OAuthStormpathFactorChallengeGrantRequestAuthentication request = new DefaultOAuthStormpathFactorChallengeGrantRequestAuthentication(null, challenge.href, bogusCode)
 
         try {
             Authenticators.OAUTH_STORMPATH_FACTOR_CHALLENGE_GRANT_REQUEST_AUTHENTICATOR.forApplication(app).authenticate(request)
@@ -1918,7 +1918,7 @@ class ApplicationIT extends ClientIT {
 
         String validCode = calculateCurrentTOTP(new Base32().decode(factor.getSecret()))
 
-        OAuthStormpathFactorChallengeGrantRequestAuthentication request = new DefaultOAuthStormpathFactorChallengeGrantRequestAuthentication(challenge.href, validCode)
+        OAuthStormpathFactorChallengeGrantRequestAuthentication request = new DefaultOAuthStormpathFactorChallengeGrantRequestAuthentication(null, challenge.href, validCode)
 
         def result = Authenticators.OAUTH_STORMPATH_FACTOR_CHALLENGE_GRANT_REQUEST_AUTHENTICATOR.forApplication(app).authenticate(request)
         assertNotNull result.getAccessTokenHref()
diff --git a/extensions/servlet/src/main/java/com/stormpath/sdk/servlet/mvc/AccessTokenController.java b/extensions/servlet/src/main/java/com/stormpath/sdk/servlet/mvc/AccessTokenController.java
@@ -319,10 +319,11 @@ protected AccessTokenResult stormpathFactorChallengeAuthenticationRequest(HttpSe
 
         try {
             Application app = getApplication(request);
+            String state = request.getParameter("state");
             String challenge = request.getParameter("challenge");
             String code = request.getParameter("code");
             OAuthStormpathFactorChallengeGrantRequestAuthentication grantRequestAuthentication =
-                    new DefaultOAuthStormpathFactorChallengeGrantRequestAuthentication(challenge, code);
+                    new DefaultOAuthStormpathFactorChallengeGrantRequestAuthentication(state, challenge, code);
 
             authenticationResult = Authenticators.OAUTH_STORMPATH_FACTOR_CHALLENGE_GRANT_REQUEST_AUTHENTICATOR
                     .forApplication(app)
diff --git a/impl/src/main/java/com/stormpath/sdk/impl/ds/DefaultDataStore.java b/impl/src/main/java/com/stormpath/sdk/impl/ds/DefaultDataStore.java
@@ -508,10 +508,13 @@ private String buildCanonicalBodyQueryParams(Map<String, Object> bodyData){
         Map<String, Object> treeMap = new TreeMap<String, Object>(bodyData);
         try {
             for (Map.Entry<String,Object> entry : treeMap.entrySet()) {
+                Object value = entry.getValue();
+                if (value != null) {
                     if (builder.length() > 0) {
                         builder.append(APPEND_PARAM_CHAR);
                     }
-                    builder.append(String.format("%s=%s", URLEncoder.encode(entry.getKey(), "UTF-8"), URLEncoder.encode(entry.getValue().toString(), "UTF-8")));
+                    builder.append(String.format("%s=%s", URLEncoder.encode(entry.getKey(), "UTF-8"), URLEncoder.encode(value.toString(), "UTF-8")));
+                }
             }
         } catch (UnsupportedEncodingException e){
             log.trace("Body content could not be properly encoded");
diff --git a/impl/src/main/java/com/stormpath/sdk/impl/oauth/DefaultOAuthStormpathFactorChallengeGrantAuthenticationAttempt.java b/impl/src/main/java/com/stormpath/sdk/impl/oauth/DefaultOAuthStormpathFactorChallengeGrantAuthenticationAttempt.java
@@ -28,10 +28,11 @@
 public class DefaultOAuthStormpathFactorChallengeGrantAuthenticationAttempt extends AbstractResource implements OAuthStormpathFactorChallengeGrantAuthenticationAttempt {
 
     static final StringProperty GRANT_TYPE = new StringProperty("grant_type");
+    static final StringProperty STATE = new StringProperty("state");
     static final StringProperty CHALLENGE = new StringProperty("challenge");
     static final StringProperty CODE = new StringProperty("code");
 
-    private static final Map<String, Property> PROPERTY_DESCRIPTORS = createPropertyDescriptorMap(GRANT_TYPE, CHALLENGE, CODE);
+    private static final Map<String, Property> PROPERTY_DESCRIPTORS = createPropertyDescriptorMap(GRANT_TYPE, STATE, CHALLENGE, CODE);
 
     public DefaultOAuthStormpathFactorChallengeGrantAuthenticationAttempt(InternalDataStore dataStore) {
         super(dataStore);
@@ -46,6 +47,11 @@ public void setGrantType(String grantType) {
         setProperty(GRANT_TYPE, grantType);
     }
 
+    @Override
+    public void setState(String state) {
+        setProperty(STATE, state);
+    }
+
     @Override
     public void setChallenge(String challenge) {
         setProperty(CHALLENGE, challenge);
@@ -60,6 +66,10 @@ public String getGrantType() {
         return getString(GRANT_TYPE);
     }
 
+    public String getState() {
+        return getString(STATE);
+    }
+
     public String getChallenge() {
         return getString(CHALLENGE);
     }
diff --git a/impl/src/main/java/com/stormpath/sdk/impl/oauth/DefaultOAuthStormpathFactorChallengeGrantRequestAuthentication.java b/impl/src/main/java/com/stormpath/sdk/impl/oauth/DefaultOAuthStormpathFactorChallengeGrantRequestAuthentication.java
@@ -16,6 +16,7 @@
 package com.stormpath.sdk.impl.oauth;
 
 import com.stormpath.sdk.lang.Assert;
+import com.stormpath.sdk.lang.Strings;
 import com.stormpath.sdk.oauth.OAuthStormpathFactorChallengeGrantRequestAuthentication;
 import com.stormpath.sdk.oauth.OAuthStormpathSocialGrantRequestAuthentication;
 
@@ -25,17 +26,26 @@
 public class DefaultOAuthStormpathFactorChallengeGrantRequestAuthentication implements OAuthStormpathFactorChallengeGrantRequestAuthentication {
     private final static String grant_type = "stormpath_factor_challenge";
 
+    private String state;
     private String challenge;
     private String code;
 
-    public DefaultOAuthStormpathFactorChallengeGrantRequestAuthentication(String challenge, String code) {
-        Assert.hasText(challenge, "challenge cannot be null or empty.");
+    public DefaultOAuthStormpathFactorChallengeGrantRequestAuthentication(String state, String challenge, String code) {
+        if (!Strings.hasText(state)) {
+            Assert.hasText(challenge, "either state or challenge must be provided.");
+        }
         Assert.hasText(code, "code cannot be null or empty.");
 
+        this.state = state;
         this.challenge = challenge;
         this.code = code;
     }
 
+    @Override
+    public String getState() {
+        return state;
+    }
+
     @Override
     public String getChallenge() {
         return challenge;
diff --git a/impl/src/main/java/com/stormpath/sdk/impl/oauth/DefaultOAuthStormpathFactorChallengeGrantRequestAuthenticator.java b/impl/src/main/java/com/stormpath/sdk/impl/oauth/DefaultOAuthStormpathFactorChallengeGrantRequestAuthenticator.java
@@ -45,6 +45,7 @@ public OAuthGrantRequestAuthenticationResult authenticate(OAuthRequestAuthentica
 
         OAuthStormpathFactorChallengeGrantAuthenticationAttempt authenticationAttempt = new DefaultOAuthStormpathFactorChallengeGrantAuthenticationAttempt(dataStore);
         authenticationAttempt.setGrantType(authentication.getGrantType());
+        authenticationAttempt.setState(authentication.getState());
         authenticationAttempt.setChallenge(authentication.getChallenge());
         authenticationAttempt.setCode(authentication.getCode());
 
diff --git a/impl/src/main/java/com/stormpath/sdk/impl/oauth/OAuthStormpathFactorChallengeGrantAuthenticationAttempt.java b/impl/src/main/java/com/stormpath/sdk/impl/oauth/OAuthStormpathFactorChallengeGrantAuthenticationAttempt.java
@@ -36,6 +36,13 @@ public interface OAuthStormpathFactorChallengeGrantAuthenticationAttempt extends
      */
     void setChallenge(String challenge);
 
+    /**
+     * Method used to set the state token referencing a challenge to be verified.  Typically this token will have come
+     * in response to a previous OAuth token request.
+     * @param state the state token referencing the challenge to be verified.
+     */
+    void setState(String state);
+
     /**
      * Method used to set the code for the multifactor challenge.
      * @param code the code for the multifactor challenge.
