NFC-47 Authentication flow fixes and updates

Signed-off-by: Sander Kondratjev [email protected]

Author: aarmam

example/src/main/java/eu/webeid/example/security/WebEidMobileAuthInitFilter.java

@@ -41,12 +41,14 @@
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.web.filter.OncePerRequestFilter;
 import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
+import org.springframework.web.util.UriComponentsBuilder;
 
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 
 public final class WebEidMobileAuthInitFilter extends OncePerRequestFilter {
+    private static final String WEB_EID_MOBILE_AUTH_PATH = "auth";
     private static final ObjectWriter OBJECT_WRITER = new ObjectMapper().writer();
     private final RequestMatcher requestMatcher;
     private final ChallengeNonceGenerator nonceGenerator;
@@ -79,10 +81,20 @@ protected void doFilterInternal(@NonNull HttpServletRequest request,
                 webEidMobileProperties.requestSigningCert() ? Boolean.TRUE : null)
         );
         String encoded = Base64.getEncoder().encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
-        String eidAuthUri = "web-eid-mobile://auth#" + encoded;
+        String authUri = getAuthUri(encoded);
 
         response.setContentType(MediaType.APPLICATION_JSON_VALUE);
-        OBJECT_WRITER.writeValue(response.getWriter(), new AuthUri(eidAuthUri));
+        OBJECT_WRITER.writeValue(response.getWriter(), new AuthUri(authUri));
+    }
+
+    private String getAuthUri(String encodedPayload) {
+        UriComponentsBuilder builder = UriComponentsBuilder.fromUriString(webEidMobileProperties.baseRequestUri());
+        if (webEidMobileProperties.baseRequestUri().startsWith("http")) {
+            builder.pathSegment(WEB_EID_MOBILE_AUTH_PATH);
+        } else {
+            builder.host(WEB_EID_MOBILE_AUTH_PATH);
+        }
+        return builder.fragment(encodedPayload).toUriString();
     }
 
     @JsonNaming(PropertyNamingStrategies.SnakeCaseStrategy.class)

example/src/main/resources/templates/webeid-login.html

@@ -1,42 +1,59 @@
 <!doctype html>
 <html lang="en">
-    <head>
-        <meta charset="utf-8" />
-        <title>Signing you in…</title>
-        <link rel="stylesheet" href="/css/bootstrap.min.css" />
-        <link rel="stylesheet" href="/css/main.css" />
-    </head>
-    <body>
-        <div id="error-message" class="alert alert-danger" style="display: none" role="alert">
-            <div class="message"></div>
-            <pre class="details"></pre>
-        </div>
+<head>
+    <meta charset="utf-8">
+    <title>Signing you in…</title>
+    <link rel="stylesheet" href="/css/bootstrap.min.css"/>
+    <link rel="stylesheet" href="/css/main.css"/>
+</head>
+<body>
+<div id="error-message" class="alert alert-danger" style="display: none;" role="alert">
+    <div class="message"></div>
+    <pre class="details"></pre>
+</div>
 
-        <script type="module" th:inline="javascript">
-            import { showErrorMessage, checkHttpError } from "/js/errors.js";
-            import { parsePayload } from "/js/payload.js";
+<script type="module" th:inline="javascript">
+    import {showErrorMessage, checkHttpError} from "/js/errors.js";
 
-            // Using an async IIFE for mobile WebView compatibility:
-            // top-level await is not supported in some mobile browsers/WebViews.
-            (async function () {
-                const payload = parsePayload("Authentication");
-                const authToken = payload["auth_token"];
-                const response = await fetch(/*[[${loginProcessingPath}]]*/, {
-                    method: "POST",
-                    headers: {
-                        "Content-Type": "application/json",
-                        "X-CSRF-TOKEN": /*[[${csrfToken}]]*/
-                    },
-                    body: JSON.stringify(authToken),
-                    credentials: "include"
-                });
-                await checkHttpError(response);
+    // Using an async IIFE for mobile WebView compatibility:
+    // top-level await is not supported in some mobile browsers/WebViews.
+    (async function () {
+        const fragment = window.location.hash.slice(1);
+        if (!fragment) {
+            throw new Error("Missing authentication payload");
+        }
 
-                window.location.replace("/welcome");
-            })().catch((error) => {
-                console.error(error);
-                showErrorMessage(error);
-            });
-        </script>
-    </body>
+        let payload;
+        try {
+            payload = JSON.parse(atob(fragment));
+        } catch (e) {
+            console.error(e)
+            throw new Error("Failed to parse the authentication response");
+        }
+
+        if (payload.error) {
+            const error = new Error(payload.message ?? "Authentication failed");
+            error.code = payload.code;
+            throw error;
+        }
+
+        const authToken = payload["auth_token"];
+        const response = await fetch(/*[[${loginProcessingPath}]]*/, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                "X-CSRF-TOKEN": /*[[${csrfToken}]]*/
+            },
+            body: JSON.stringify(authToken),
+            credentials: "include"
+        });
+        await checkHttpError(response);
+
+        window.location.replace("/welcome");
+    })().catch((error) => {
+        console.error(error);
+        showErrorMessage(error);
+    });
+</script>
+</body>
 </html>