NFC-47 Remove state logic from example

SanderKondratjevNortal · SanderKondratjevNortal · commit 1a9d45a307a4 · 2025-08-29T15:41:49.000+03:00
diff --git a/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
@@ -26,7 +26,6 @@
 import eu.webeid.example.security.WebEidAjaxLoginProcessingFilter;
 import eu.webeid.example.security.WebEidChallengeNonceFilter;
 import eu.webeid.example.security.WebEidMobileAuthInitFilter;
-import eu.webeid.example.security.state.MobileAuthStateStore;
 import eu.webeid.example.security.ui.WebEidLoginPageGeneratingFilter;
 import eu.webeid.security.challenge.ChallengeNonceGenerator;
 import eu.webeid.security.challenge.ChallengeNonceStore;
@@ -53,7 +52,7 @@
 public class ApplicationConfiguration implements WebMvcConfigurer {
 
     @Bean
-    public SecurityFilterChain filterChain(HttpSecurity http, AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider, AuthenticationConfiguration authConfig, ChallengeNonceGenerator challengeNonceGenerator, ChallengeNonceStore challengeNonceStore, MobileAuthStateStore mobileAuthStateStore) throws Exception {
+    public SecurityFilterChain filterChain(HttpSecurity http, AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider, AuthenticationConfiguration authConfig, ChallengeNonceGenerator challengeNonceGenerator, ChallengeNonceStore challengeNonceStore) throws Exception {
 
         var filter = new WebEidAjaxLoginProcessingFilter("/auth/login", authConfig.getAuthenticationManager());
 
@@ -69,24 +68,18 @@ public SecurityFilterChain filterChain(HttpSecurity http, AuthTokenDTOAuthentica
                 .anyRequest().permitAll()
             )
             .authenticationProvider(authTokenDTOAuthenticationProvider)
-            .addFilterBefore(new WebEidLoginPageGeneratingFilter(mobileAuthStateStore, challengeNonceStore), UsernamePasswordAuthenticationFilter.class)
+            .addFilterBefore(new WebEidLoginPageGeneratingFilter(), UsernamePasswordAuthenticationFilter.class)
             .addFilterBefore(new WebEidChallengeNonceFilter(challengeNonceGenerator), AuthorizationFilter.class)
-            .addFilterAfter(new WebEidMobileAuthInitFilter(challengeNonceGenerator, mobileAuthStateStore), CsrfFilter.class)
+            .addFilterAfter(new WebEidMobileAuthInitFilter(challengeNonceGenerator, challengeNonceStore), CsrfFilter.class)
             .addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class)
             .headers(h -> h.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
             .logout(l -> l.logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()))
             .build();
     }
 
-    @Bean
-    public MobileAuthStateStore mobileAuthStateStore() {
-        return new MobileAuthStateStore(5 * 60L);
-    }
-
     @Override
     public void addViewControllers(ViewControllerRegistry registry) {
         registry.addViewController("/").setViewName("index");
         registry.addViewController("/welcome").setViewName("welcome");
     }
-
 }
diff --git a/example/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java b/example/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java
@@ -35,7 +35,7 @@ public class SameSiteCookieConfiguration implements WebMvcConfigurer {
     public TomcatContextCustomizer configureSameSiteCookies() {
         return context -> {
             final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor();
-            cookieProcessor.setSameSiteCookies("strict");
+            cookieProcessor.setSameSiteCookies("lax");
             context.setCookieProcessor(cookieProcessor);
         };
     }
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidMobileAuthInitFilter.java b/example/src/main/java/eu/webeid/example/security/WebEidMobileAuthInitFilter.java
@@ -1,15 +1,13 @@
 package eu.webeid.example.security;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
-import eu.webeid.example.security.state.MobileAuthStateStore;
 import eu.webeid.example.service.dto.MobileAuthInitResponse;
 import eu.webeid.security.challenge.ChallengeNonceGenerator;
+import eu.webeid.security.challenge.ChallengeNonceStore;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpMethod;
 import org.springframework.lang.NonNull;
 import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
@@ -23,45 +21,43 @@
 import java.util.Map;
 
 public final class WebEidMobileAuthInitFilter extends OncePerRequestFilter {
-    private static final Logger LOG = LoggerFactory.getLogger(WebEidMobileAuthInitFilter.class);
     private static final ObjectMapper MAPPER = new ObjectMapper();
     private final RequestMatcher matcher =
             PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, "/auth/mobile/auth/init");
 
     private final ChallengeNonceGenerator nonceGenerator;
-    private final MobileAuthStateStore stateStore;
+    private final ChallengeNonceStore challengeNonceStore;
 
-    public WebEidMobileAuthInitFilter(ChallengeNonceGenerator nonceGenerator, MobileAuthStateStore stateStore) {
+    public WebEidMobileAuthInitFilter(ChallengeNonceGenerator nonceGenerator,
+                                      ChallengeNonceStore challengeNonceStore) {
         this.nonceGenerator = nonceGenerator;
-        this.stateStore = stateStore;
+        this.challengeNonceStore = challengeNonceStore;
     }
 
     @Override
     protected void doFilterInternal(@NonNull HttpServletRequest request,
                                     @NonNull HttpServletResponse response,
-                                    @NonNull FilterChain chain) throws ServletException, IOException {
-        if (!matcher.matches(request)) { chain.doFilter(request, response); return; }
+                                    @NonNull FilterChain chain) throws IOException, ServletException {
+        if (!matcher.matches(request)) {
+            chain.doFilter(request, response);
+            return;
+        }
 
         var challenge = nonceGenerator.generateAndStoreNonce();
-        String state = stateStore.put(challenge);
+        challengeNonceStore.put(challenge);
 
         String loginUri = ServletUriComponentsBuilder.fromCurrentContextPath()
-                .path("/auth/eid/login").queryParam("state", state).build().toUriString();
+                .path("/auth/eid/login").build().toUriString();
 
         String payloadJson = MAPPER.writeValueAsString(Map.of(
                 "challenge", challenge.getBase64EncodedNonce(),
-                "login_uri", loginUri,
-                "state", state
+                "login_uri", loginUri
         ));
         String encoded = Base64.getEncoder().encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
         String eidAuthUri = "web-eid-mobile://auth#" + encoded;
 
         response.setContentType("application/json");
         MAPPER.writeValue(response.getWriter(), new MobileAuthInitResponse(eidAuthUri));
-
-        var session = request.getSession(false);
-        var sid = (session != null ? session.getId() : "null");
-        LOG.info("MOBILE INIT: sessionId={}, issuing nonce, state={}", sid, state);
     }
 
     @Override
diff --git a/example/src/main/java/eu/webeid/example/security/state/MobileAuthStateStore.java b/example/src/main/java/eu/webeid/example/security/state/MobileAuthStateStore.java
diff --git a/example/src/main/java/eu/webeid/example/security/ui/WebEidLoginPageGeneratingFilter.java b/example/src/main/java/eu/webeid/example/security/ui/WebEidLoginPageGeneratingFilter.java
@@ -1,7 +1,5 @@
 package eu.webeid.example.security.ui;
 
-import eu.webeid.example.security.state.MobileAuthStateStore;
-import eu.webeid.security.challenge.ChallengeNonceStore;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
@@ -10,6 +8,7 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpMethod;
 import org.springframework.lang.NonNull;
+import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.web.filter.OncePerRequestFilter;
@@ -19,8 +18,6 @@
 public final class WebEidLoginPageGeneratingFilter extends OncePerRequestFilter {
     private static final Logger LOG = LoggerFactory.getLogger(WebEidLoginPageGeneratingFilter.class);
     private final RequestMatcher requestMatcher = PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.GET, "/auth/eid/login");
-    private final MobileAuthStateStore stateStore;
-    private final ChallengeNonceStore challengeNonceStore;
     private static final String LOGIN_PAGE_HTML = """
             <!doctype html>
             <html lang="en">
@@ -38,7 +35,9 @@ public final class WebEidLoginPageGeneratingFilter extends OncePerRequestFilter
 
               let payload;
               try { payload = JSON.parse(atob(frag)); } catch (e) {
-                location.replace("/?mobileAuthError=bad_payload"); return;
+                console.error("Failed to parse payload", e);
+                location.replace("/?mobileAuthError=bad_payload");
+                return;
               }
 
               const csrfToken = document.querySelector('#csrftoken').content;
@@ -48,24 +47,28 @@ public final class WebEidLoginPageGeneratingFilter extends OncePerRequestFilter
 
               fetch("/auth/login", {
                 method: "POST",
-                headers: { "Content-Type": "application/json", [csrfHeaderName]: csrfToken },
+                headers: {
+                  "Content-Type": "application/json",
+                  [csrfHeaderName]: csrfToken
+                },
                 body: JSON.stringify({ "auth-token": authToken }),
                 credentials: "include"
               })
-              .then(r => { if (!r.ok) throw new Error("HTTP " + r.status); location.replace("/welcome"); })
-              .catch(() => location.replace("/?mobileAuthError=login_failed"));
+              .then(r => {
+                if (!r.ok) throw new Error("HTTP " + r.status);
+                window.location.replace("/welcome");
+              })
+              .catch(e => {
+                console.error("Login failed", e);
+                window.location.replace("/?mobileAuthError=login_failed");
+              });
             })();
             </script>
             Signing you in…
             </body>
             </html>
             """;
 
-    public WebEidLoginPageGeneratingFilter(MobileAuthStateStore stateStore, ChallengeNonceStore challengeNonceStore) {
-        this.stateStore = stateStore;
-        this.challengeNonceStore = challengeNonceStore;
-    }
-
     @Override
     protected void doFilterInternal(@NonNull HttpServletRequest request, @NonNull HttpServletResponse response, @NonNull FilterChain chain)
             throws IOException, ServletException {
@@ -74,22 +77,19 @@ protected void doFilterInternal(@NonNull HttpServletRequest request, @NonNull Ht
             return;
         }
 
-        String state = request.getParameter("state");
-        if (state != null && !state.isBlank()) {
-            var challenge = stateStore.consume(state);
-            var session = request.getSession(true);
-            var sid = (session != null ? session.getId() : "null");
-            if (challenge != null) {
-                challengeNonceStore.put(challenge);
-                LOG.info("LOGIN PAGE: rehydrated challenge via state={}, sessionId={}", state, sid);
-            } else {
-                LOG.warn("LOGIN PAGE: state missing/expired: {}, sessionId={}", state, sid);
-            }
+        var session = request.getSession(false);
+        LOG.info("LOGIN PAGE: rendering login page for sessionId={}", session != null ? session.getId() : "null");
+
+        var csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
+        if (csrf == null) {
+            csrf = (CsrfToken) request.getAttribute("_csrf");
         }
 
-        var csrf = (org.springframework.security.web.csrf.CsrfToken) request.getAttribute(org.springframework.security.web.csrf.CsrfToken.class.getName());
-        if (csrf == null) csrf = (org.springframework.security.web.csrf.CsrfToken) request.getAttribute("_csrf");
-        String html = generateHtml(csrf != null ? csrf.getToken() : "", csrf != null ? csrf.getHeaderName() : "X-CSRF-TOKEN");
+        String html = generateHtml(
+                csrf != null ? csrf.getToken() : "",
+                csrf != null ? csrf.getHeaderName() : "X-CSRF-TOKEN"
+        );
+
         response.setContentType("text/html;charset=UTF-8");
         response.getWriter().write(html);
     }

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ public class SameSiteCookieConfiguration implements WebMvcConfigurer {`
`35`	`35`	`public TomcatContextCustomizer configureSameSiteCookies() {`
`36`	`36`	`return context -> {`
`37`	`37`	`final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor();`
`38`		`- cookieProcessor.setSameSiteCookies("strict");`
	`38`	`+ cookieProcessor.setSameSiteCookies("lax");`
`39`	`39`	`context.setCookieProcessor(cookieProcessor);`
`40`	`40`	`};`
`41`	`41`	`}`