NFC-47 Review findings. Add init endpoint, drop /mobile/challenge, update UI.

Author: SanderKondratjevNortal

example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java

@@ -50,18 +50,16 @@ public SecurityFilterChain filterChain(HttpSecurity http, AuthTokenDTOAuthentica
         var filter = new WebEidAjaxLoginProcessingFilter("/auth/login", authConfig.getAuthenticationManager());
 
         return http
-            .csrf(csrf -> csrf.ignoringRequestMatchers("/auth/login"))
+            .csrf(csrf -> csrf.ignoringRequestMatchers("/auth/login", "/auth/mobile/auth/init"))
             .authorizeHttpRequests(auth -> auth
                 .requestMatchers("/", "/error").permitAll()
-                .requestMatchers("/auth/challenge", "/auth/mobile/challenge").permitAll()
                 .requestMatchers(HttpMethod.GET, "/auth/eid/login").permitAll()
-                .requestMatchers(
-                    "/favicon.ico",
-                    "/css/", "/files/", "/img/", "/js/"
-                ).permitAll()
+                .requestMatchers("/auth/challenge").permitAll()
+                .requestMatchers(HttpMethod.POST, "/auth/mobile/auth/init").permitAll()
+                .requestMatchers("/favicon.ico", "/css/**", "/files/**", "/img/**", "/js/**", "/webjars/**").permitAll()
                 .anyRequest().authenticated()
             )
-            .authenticationProvider(provider)
+            .authenticationProvider(authTokenDTOAuthenticationProvider)
             .addFilterBefore(new WebEidLoginPageGeneratingFilter(), UsernamePasswordAuthenticationFilter.class)
             .addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class)
             .headers(h -> h.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))

example/src/main/java/eu/webeid/example/service/dto/MobileAuthInitResponse.java

@@ -0,0 +1,3 @@
+package eu.webeid.example.service.dto;
+
+public record MobileAuthInitResponse(String eidAuthUri) {}

example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java

@@ -22,35 +22,58 @@
 
 package eu.webeid.example.web.rest;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import eu.webeid.example.service.dto.ChallengeDTO;
+import eu.webeid.example.service.dto.MobileAuthInitResponse;
 import eu.webeid.security.challenge.ChallengeNonceGenerator;
+import jakarta.servlet.http.HttpServletRequest;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.Map;
 
 @RestController
 @RequestMapping("auth")
 public class ChallengeController {
 
     private final ChallengeNonceGenerator challengeNonceGenerator;
+    private final ObjectMapper mapper = new ObjectMapper();
 
     public ChallengeController(ChallengeNonceGenerator challengeNonceGenerator) {
         this.challengeNonceGenerator = challengeNonceGenerator;
     }
 
     @GetMapping("challenge")
     public ChallengeDTO challenge() {
-        return generateChallenge();
+        final ChallengeDTO challenge = new ChallengeDTO();
+        challenge.setNonce(challengeNonceGenerator.generateAndStoreNonce().getBase64EncodedNonce());
+        return challenge;
     }
 
-    @GetMapping("mobile/challenge")
-    public ChallengeDTO mobileChallenge() {
-        return generateChallenge();
-    }
+    @PostMapping("mobile/auth/init")
+    public MobileAuthInitResponse initMobileAuth(HttpServletRequest request) throws JsonProcessingException {
+        String nonce = challengeNonceGenerator.generateAndStoreNonce().getBase64EncodedNonce();
 
-    private ChallengeDTO generateChallenge() {
-        ChallengeDTO challenge = new ChallengeDTO();
-        challenge.setNonce(challengeNonceGenerator.generateAndStoreNonce().getBase64EncodedNonce());
-        return challenge;
+        String loginUri = ServletUriComponentsBuilder
+            .fromCurrentContextPath()
+            .path("/auth/eid/login")
+            .build()
+            .toUriString();
+
+        String payloadJson = mapper.writeValueAsString(Map.of(
+            "challenge", nonce,
+            "login_uri", loginUri
+        ));
+
+        String encoded = Base64.getEncoder().encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
+        String eidAppUri = "web-eid-mobile://auth#" + encoded;
+
+        return new MobileAuthInitResponse(eidAppUri);
     }
 }

example/src/main/resources/templates/index.html

@@ -264,32 +264,24 @@ <h3><a id="for-developers"></a>For developers</h3>
         authButton.disabled = true;
 
         try {
-            const challengeUrl = isMobileDevice()
-                ? "/auth/mobile/challenge"
-                : "/auth/challenge";
+            if (isMobileDevice()) {
+                const resp = await fetch("/auth/mobile/auth/init", {
+                    method: "POST",
+                    headers: { "Content-Type": "application/json" },
+            });
+            await checkHttpError(resp);
+            const { eidAuthUri } = await resp.json();
+            window.location.href = eidAuthUri;
+            return;
+          }
 
-            const challengeResponse = await fetch(challengeUrl, {
-                method: "GET",
-                headers: {
-                    "Content-Type": "application/json"
-                }
+          const challengeResponse = await fetch("/auth/challenge", {
+            method: "GET",
+            headers: { "Content-Type": "application/json" }
             });
             await checkHttpError(challengeResponse);
             const {nonce} = await challengeResponse.json();
 
-            if (isMobileDevice()) {
-                const loginUri = encodeURIComponent(window.location.origin + "/auth/eid/login");
-                const payload = {
-                    challenge: nonce,
-                    login_uri: loginUri
-                };
-                const encoded = btoa(JSON.stringify(payload));
-                const eidAppUri = `web-eid-mobile://auth#${encoded}`;
-
-                window.location.href = eidAppUri;
-                return;
-            }
-
             const authToken = await webeid.authenticate(nonce, {lang});
 
             const authTokenResponse = await fetch("/auth/login", {