NFC-47 Fix redirection from app after authentication

Author: SanderKondratjevNortal

example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java

@@ -26,6 +26,7 @@
 import eu.webeid.example.security.WebEidAjaxLoginProcessingFilter;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -43,20 +44,37 @@
 public class ApplicationConfiguration implements WebMvcConfigurer {
 
     @Bean
-    public SecurityFilterChain filterChain(HttpSecurity http, AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider, AuthenticationConfiguration authConfig) throws Exception {
+    SecurityFilterChain filterChain(
+        HttpSecurity http,
+        AuthTokenDTOAuthenticationProvider provider,
+        AuthenticationConfiguration authConfig) throws Exception {
+
+        var filter = new WebEidAjaxLoginProcessingFilter("/auth/login", authConfig.getAuthenticationManager());
+
         return http
-                .authenticationProvider(authTokenDTOAuthenticationProvider)
-                .addFilterBefore(new WebEidAjaxLoginProcessingFilter("/auth/login", authConfig.getAuthenticationManager()),
-                        UsernamePasswordAuthenticationFilter.class)
-                .logout(logout -> logout.logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()))
-                .headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
-                .build();
+            .csrf(csrf -> csrf.ignoringRequestMatchers("/auth/login"))
+            .authorizeHttpRequests(auth -> auth
+                .requestMatchers("/", "/welcome", "/error").permitAll()
+                .requestMatchers("/auth/challenge", "/auth/mobile/challenge").permitAll()
+                .requestMatchers(HttpMethod.GET, "/auth/eid/login").permitAll()
+                .requestMatchers(
+                    "/favicon.ico",
+                    "/css/**", "/js/**", "/images/**", "/webjars/**"
+                ).permitAll()
+                .anyRequest().authenticated()
+            )
+            .authenticationProvider(provider)
+            .addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class)
+            .headers(h -> h.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
+            .logout(l -> l.logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()))
+            .build();
     }
 
     @Override
     public void addViewControllers(ViewControllerRegistry registry) {
         registry.addViewController("/").setViewName("index");
         registry.addViewController("/welcome").setViewName("welcome");
+        registry.addViewController("/auth/eid/login").setViewName("eid-login");
     }
 
 }

example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java

@@ -71,7 +71,14 @@ public Authentication authenticate(Authentication auth) throws AuthenticationExc
         final List<GrantedAuthority> authorities = Collections.singletonList(USER_ROLE);
 
         try {
-            final String nonce = challengeNonceStore.getAndRemove().getBase64EncodedNonce();
+            String nonce;
+            if (authToken.getChallenge() != null && !authToken.getChallenge().isEmpty()) {
+                nonce = authToken.getChallenge();
+                LOG.info("Using challenge from token itself");
+            } else {
+                nonce = challengeNonceStore.getAndRemove().getBase64EncodedNonce();
+                LOG.info("Using challenge from session store");
+            }
             final X509Certificate userCertificate = tokenValidator.validate(authToken, nonce);
             return WebEidAuthentication.fromCertificate(userCertificate, authorities);
         } catch (AuthTokenException e) {

example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java

@@ -29,6 +29,8 @@
 import eu.webeid.example.security.dto.AuthTokenDTO;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import org.slf4j.Logger;
@@ -90,4 +92,18 @@ protected void successfulAuthentication(HttpServletRequest request, HttpServletR
         super.successfulAuthentication(request, response, chain, authResult);
         securityContextRepository.saveContext(SecurityContextHolder.getContext(), request, response);
     }
+
+    @Override
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
+        throws IOException, ServletException {
+
+        HttpServletRequest request = (HttpServletRequest) req;
+
+        if (!HttpMethod.POST.matches(request.getMethod())) {
+            chain.doFilter(req, res);
+            return;
+        }
+
+        super.doFilter(req, res, chain);
+    }
 }

example/src/main/resources/templates/eid-login.html

@@ -0,0 +1,32 @@
+<!doctype html>
+<html lang="en">
+<head>
+    <meta charset="utf-8">
+    <title>Signing you in…</title>
+</head>
+<body>
+<script>
+    (function () {
+      const frag = location.hash ? location.hash.substring(1) : "";
+      if (!frag) { location.replace("/?mobileAuthError=missing_payload"); return; }
+
+      let payload;
+      try { payload = JSON.parse(atob(frag)); } catch (e) {
+        location.replace("/?mobileAuthError=bad_payload"); return;
+      }
+
+      const authToken = payload["auth-token"] ?? payload;
+
+      fetch("/auth/login", {
+        method: "POST",
+        headers: {"Content-Type": "application/json"},
+        body: JSON.stringify({ "auth-token": authToken })
+      }).then(r => {
+        if (!r.ok) throw new Error("HTTP " + r.status);
+        location.replace("/welcome");
+      }).catch(() => location.replace("/?mobileAuthError=login_failed"));
+    })();
+</script>
+Signing you in…
+</body>
+</html>

example/src/main/resources/templates/index.html

@@ -279,17 +279,14 @@ <h3><a id="for-developers"></a>For developers</h3>
             const {nonce} = await challengeResponse.json();
 
             if (isMobileDevice()) {
-                const loginUri = encodeURIComponent(window.location.origin + "/");
+                const loginUri = encodeURIComponent(window.location.origin + "/auth/eid/login");
                 const payload = {
                     challenge: nonce,
                     login_uri: loginUri
                 };
                 const encoded = btoa(JSON.stringify(payload));
+                const eidAppUri = `web-eid-mobile://auth#${encoded}`;
 
-                // TODO: Replace with actual URL once DigiDoc app supports app links
-                const eidAppUri = `TODO-MOBILE-EID-APP-LAUNCH-URL#${encoded}`;
-
-                alert("Opening eID app for authentication...\n\nIf nothing happens, the app may not yet support mobile login.");
                 window.location.href = eidAppUri;
                 return;
             }