NFC-47 Start using state instead of sending the challenge.

Author: SanderKondratjevNortal

example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java

@@ -26,8 +26,10 @@
 import eu.webeid.example.security.WebEidAjaxLoginProcessingFilter;
 import eu.webeid.example.security.WebEidChallengeNonceFilter;
 import eu.webeid.example.security.WebEidMobileAuthInitFilter;
+import eu.webeid.example.security.state.MobileAuthStateStore;
 import eu.webeid.example.security.ui.WebEidLoginPageGeneratingFilter;
 import eu.webeid.security.challenge.ChallengeNonceGenerator;
+import eu.webeid.security.challenge.ChallengeNonceStore;
 import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -51,7 +53,7 @@
 public class ApplicationConfiguration implements WebMvcConfigurer {
 
     @Bean
-    public SecurityFilterChain filterChain(HttpSecurity http, AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider, AuthenticationConfiguration authConfig, ChallengeNonceGenerator challengeNonceGenerator) throws Exception {
+    public SecurityFilterChain filterChain(HttpSecurity http, AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider, AuthenticationConfiguration authConfig, ChallengeNonceGenerator challengeNonceGenerator, ChallengeNonceStore challengeNonceStore, MobileAuthStateStore mobileAuthStateStore) throws Exception {
 
         var filter = new WebEidAjaxLoginProcessingFilter("/auth/login", authConfig.getAuthenticationManager());
 
@@ -67,15 +69,20 @@ public SecurityFilterChain filterChain(HttpSecurity http, AuthTokenDTOAuthentica
                 .anyRequest().permitAll()
             )
             .authenticationProvider(authTokenDTOAuthenticationProvider)
-            .addFilterBefore(new WebEidLoginPageGeneratingFilter(), UsernamePasswordAuthenticationFilter.class)
+            .addFilterBefore(new WebEidLoginPageGeneratingFilter(mobileAuthStateStore, challengeNonceStore), UsernamePasswordAuthenticationFilter.class)
             .addFilterBefore(new WebEidChallengeNonceFilter(challengeNonceGenerator), AuthorizationFilter.class)
-            .addFilterAfter(new WebEidMobileAuthInitFilter(challengeNonceGenerator), CsrfFilter.class)
+            .addFilterAfter(new WebEidMobileAuthInitFilter(challengeNonceGenerator, mobileAuthStateStore), CsrfFilter.class)
             .addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class)
             .headers(h -> h.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
             .logout(l -> l.logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()))
             .build();
     }
 
+    @Bean
+    public MobileAuthStateStore mobileAuthStateStore() {
+        return new MobileAuthStateStore(5 * 60L);
+    }
+
     @Override
     public void addViewControllers(ViewControllerRegistry registry) {
         registry.addViewController("/").setViewName("index");

example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java

@@ -71,14 +71,7 @@ public Authentication authenticate(Authentication auth) throws AuthenticationExc
         final List<GrantedAuthority> authorities = Collections.singletonList(USER_ROLE);
 
         try {
-            String nonce;
-            if (authToken.getChallenge() != null && !authToken.getChallenge().isEmpty()) {
-                nonce = authToken.getChallenge();
-                LOG.info("Using challenge from token itself");
-            } else {
-                nonce = challengeNonceStore.getAndRemove().getBase64EncodedNonce();
-                LOG.info("Using challenge from session store");
-            }
+            final String nonce = challengeNonceStore.getAndRemove().getBase64EncodedNonce();
             final X509Certificate userCertificate = tokenValidator.validate(authToken, nonce);
             return WebEidAuthentication.fromCertificate(userCertificate, authorities);
         } catch (AuthTokenException e) {

example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java

@@ -29,8 +29,6 @@
 import eu.webeid.example.security.dto.AuthTokenDTO;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
-import jakarta.servlet.ServletRequest;
-import jakarta.servlet.ServletResponse;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import org.slf4j.Logger;
@@ -81,6 +79,7 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
         LOG.info("attemptAuthentication(): Creating token");
         final PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken(null, authTokenDTO);
         LOG.info("attemptAuthentication(): Calling authentication manager");
+        token.setDetails(new org.springframework.security.web.authentication.WebAuthenticationDetailsSource().buildDetails(request));
         return getAuthenticationManager().authenticate(token);
     }
 

example/src/main/java/eu/webeid/example/security/WebEidMobileAuthInitFilter.java

@@ -1,12 +1,15 @@
 package eu.webeid.example.security;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import eu.webeid.example.security.state.MobileAuthStateStore;
 import eu.webeid.example.service.dto.MobileAuthInitResponse;
 import eu.webeid.security.challenge.ChallengeNonceGenerator;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpMethod;
 import org.springframework.lang.NonNull;
 import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
@@ -20,43 +23,45 @@
 import java.util.Map;
 
 public final class WebEidMobileAuthInitFilter extends OncePerRequestFilter {
-
+    private static final Logger LOG = LoggerFactory.getLogger(WebEidMobileAuthInitFilter.class);
     private static final ObjectMapper MAPPER = new ObjectMapper();
     private final RequestMatcher matcher =
-        PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, "/auth/mobile/auth/init");
+            PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, "/auth/mobile/auth/init");
 
     private final ChallengeNonceGenerator nonceGenerator;
+    private final MobileAuthStateStore stateStore;
 
-    public WebEidMobileAuthInitFilter(ChallengeNonceGenerator nonceGenerator) {
+    public WebEidMobileAuthInitFilter(ChallengeNonceGenerator nonceGenerator, MobileAuthStateStore stateStore) {
         this.nonceGenerator = nonceGenerator;
+        this.stateStore = stateStore;
     }
 
     @Override
     protected void doFilterInternal(@NonNull HttpServletRequest request,
                                     @NonNull HttpServletResponse response,
                                     @NonNull FilterChain chain) throws ServletException, IOException {
-        if (!matcher.matches(request)) {
-            chain.doFilter(request, response);
-            return;
-        }
+        if (!matcher.matches(request)) { chain.doFilter(request, response); return; }
 
-        String nonce = nonceGenerator.generateAndStoreNonce().getBase64EncodedNonce();
+        var challenge = nonceGenerator.generateAndStoreNonce();
+        String state = stateStore.put(challenge);
 
-        String loginUri = ServletUriComponentsBuilder
-            .fromCurrentContextPath()
-            .path("/auth/eid/login")
-            .build()
-            .toUriString();
+        String loginUri = ServletUriComponentsBuilder.fromCurrentContextPath()
+                .path("/auth/eid/login").queryParam("state", state).build().toUriString();
 
         String payloadJson = MAPPER.writeValueAsString(Map.of(
-            "challenge", nonce,
-            "login_uri", loginUri
+                "challenge", challenge.getBase64EncodedNonce(),
+                "login_uri", loginUri,
+                "state", state
         ));
         String encoded = Base64.getEncoder().encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
         String eidAuthUri = "web-eid-mobile://auth#" + encoded;
 
         response.setContentType("application/json");
         MAPPER.writeValue(response.getWriter(), new MobileAuthInitResponse(eidAuthUri));
+
+        var session = request.getSession(false);
+        var sid = (session != null ? session.getId() : "null");
+        LOG.info("MOBILE INIT: sessionId={}, issuing nonce, state={}", sid, state);
     }
 
     @Override

example/src/main/java/eu/webeid/example/security/state/MobileAuthStateStore.java

@@ -0,0 +1,35 @@
+package eu.webeid.example.security.state;
+
+import eu.webeid.security.challenge.ChallengeNonce;
+
+import java.time.Instant;
+import java.util.Map;
+import java.util.UUID;
+import java.util.concurrent.ConcurrentHashMap;
+
+public final class MobileAuthStateStore {
+    private static final class Entry {
+        final ChallengeNonce challenge;
+        final Instant ts;
+        Entry(ChallengeNonce c) { this.challenge = c; this.ts = Instant.now(); }
+    }
+
+    private final Map<String, Entry> store = new ConcurrentHashMap<>();
+    private final long ttlSeconds;
+
+    public MobileAuthStateStore(long ttlSeconds) { this.ttlSeconds = ttlSeconds; }
+
+    public String put(ChallengeNonce challenge) {
+        String state = UUID.randomUUID().toString();
+        store.put(state, new Entry(challenge));
+        return state;
+    }
+
+    public ChallengeNonce consume(String state) {
+        if (state == null || state.isBlank()) return null;
+        Entry e = store.remove(state);
+        if (e == null) return null;
+        if (Instant.now().isAfter(e.ts.plusSeconds(ttlSeconds))) return null;
+        return e.challenge;
+    }
+}

example/src/main/java/eu/webeid/example/security/ui/WebEidLoginPageGeneratingFilter.java

@@ -1,9 +1,13 @@
 package eu.webeid.example.security.ui;
 
+import eu.webeid.example.security.state.MobileAuthStateStore;
+import eu.webeid.security.challenge.ChallengeNonceStore;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpMethod;
 import org.springframework.lang.NonNull;
 import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
@@ -13,8 +17,10 @@
 import java.io.IOException;
 
 public final class WebEidLoginPageGeneratingFilter extends OncePerRequestFilter {
-
+    private static final Logger LOG = LoggerFactory.getLogger(WebEidLoginPageGeneratingFilter.class);
     private final RequestMatcher requestMatcher = PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.GET, "/auth/eid/login");
+    private final MobileAuthStateStore stateStore;
+    private final ChallengeNonceStore challengeNonceStore;
     private static final String LOGIN_PAGE_HTML = """
             <!doctype html>
             <html lang="en">
@@ -55,21 +61,35 @@ public final class WebEidLoginPageGeneratingFilter extends OncePerRequestFilter
             </html>
             """;
 
+    public WebEidLoginPageGeneratingFilter(MobileAuthStateStore stateStore, ChallengeNonceStore challengeNonceStore) {
+        this.stateStore = stateStore;
+        this.challengeNonceStore = challengeNonceStore;
+    }
+
     @Override
-    protected void doFilterInternal(@NonNull HttpServletRequest request, @NonNull HttpServletResponse response, @NonNull FilterChain chain) throws IOException, ServletException {
+    protected void doFilterInternal(@NonNull HttpServletRequest request, @NonNull HttpServletResponse response, @NonNull FilterChain chain)
+            throws IOException, ServletException {
         if (!requestMatcher.matches(request)) {
             chain.doFilter(request, response);
             return;
         }
 
-        var csrf = (org.springframework.security.web.csrf.CsrfToken) request.getAttribute(org.springframework.security.web.csrf.CsrfToken.class.getName());
-        if (csrf == null) {
-            csrf = (org.springframework.security.web.csrf.CsrfToken) request.getAttribute("_csrf");
+        String state = request.getParameter("state");
+        if (state != null && !state.isBlank()) {
+            var challenge = stateStore.consume(state);
+            var session = request.getSession(true);
+            var sid = (session != null ? session.getId() : "null");
+            if (challenge != null) {
+                challengeNonceStore.put(challenge);
+                LOG.info("LOGIN PAGE: rehydrated challenge via state={}, sessionId={}", state, sid);
+            } else {
+                LOG.warn("LOGIN PAGE: state missing/expired: {}, sessionId={}", state, sid);
+            }
         }
-        String token = csrf != null ? csrf.getToken() : "";
-        String header = csrf != null ? csrf.getHeaderName() : "X-CSRF-TOKEN";
 
-        String html = generateHtml(token, header);
+        var csrf = (org.springframework.security.web.csrf.CsrfToken) request.getAttribute(org.springframework.security.web.csrf.CsrfToken.class.getName());
+        if (csrf == null) csrf = (org.springframework.security.web.csrf.CsrfToken) request.getAttribute("_csrf");
+        String html = generateHtml(csrf != null ? csrf.getToken() : "", csrf != null ? csrf.getHeaderName() : "X-CSRF-TOKEN");
         response.setContentType("text/html;charset=UTF-8");
         response.getWriter().write(html);
     }