NFC-47 Show errors for mobile. Fix index.html to correct auth uri. Fix CSRF header and token order in login page HTML template. Use records AuthPayload and AuthUri instead of Map.of.

Author: SanderKondratjevNortal

example/src/main/java/eu/webeid/example/security/WebEidMobileAuthInitFilter.java

@@ -22,6 +22,7 @@
 
 package eu.webeid.example.security;
 
+import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import eu.webeid.security.challenge.ChallengeNonceGenerator;
 import jakarta.servlet.FilterChain;
@@ -39,7 +40,6 @@
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
-import java.util.Map;
 
 public final class WebEidMobileAuthInitFilter extends OncePerRequestFilter {
     private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
@@ -67,14 +67,17 @@ protected void doFilterInternal(@NonNull HttpServletRequest request,
         String loginUri = ServletUriComponentsBuilder.fromCurrentContextPath()
             .path(loginPath).build().toUriString();
 
-        String payloadJson = OBJECT_MAPPER.writeValueAsString(Map.of(
-            "challenge", challenge.getBase64EncodedNonce(),
-            "login_uri", loginUri
-        ));
+        String payloadJson = OBJECT_MAPPER.writeValueAsString(
+            new AuthPayload(challenge.getBase64EncodedNonce(), loginUri)
+        );
         String encoded = Base64.getEncoder().encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
         String eidAuthUri = "web-eid-mobile://auth#" + encoded;
 
         response.setContentType(MediaType.APPLICATION_JSON_VALUE);
-        OBJECT_MAPPER.writeValue(response.getWriter(), Map.of("auth_uri", eidAuthUri));
+        OBJECT_MAPPER.writeValue(response.getWriter(), new AuthUri(eidAuthUri));
     }
+
+    record AuthPayload(String challenge, @JsonProperty("login_uri") String loginUri) ;
+
+    record AuthUri(@JsonProperty("auth_uri") String authUri) ;
 }

example/src/main/java/eu/webeid/example/security/ui/WebEidLoginPageGeneratingFilter.java

@@ -51,15 +51,29 @@ public WebEidLoginPageGeneratingFilter(String path) {
               <title>Signing you in…</title>
             </head>
             <body>
-            <script>
+            <div id="error-message" class="alert alert-danger" style="display: none;" role="alert">
+              <div class="message"></div>
+              <pre class="details"></pre>
+            </div>
+
+            <script type="module">
+            import { showErrorMessage } from "/js/errors.js";
             (function () {
               const frag = location.hash ? location.hash.substring(1) : "";
-              if (!frag) { location.replace("/?mobileAuthError=missing_payload"); return; }
+              if (!frag) { showErrorMessage({ code: "MISSING_PAYLOAD", message: "Missing payload" }); return; }
 
               let payload;
               try { payload = JSON.parse(atob(frag)); } catch (e) {
                 console.error("Failed to parse payload", e);
-                location.replace("/?mobileAuthError=bad_payload");
+                showErrorMessage({ code: "BAD_PAYLOAD", message: "Failed to parse mobile payload" });
+                return;
+              }
+
+              if (payload["error"]) {
+                showErrorMessage({
+                  code: "MOPP_ERROR",
+                  message: payload["message"] ?? "Authentication failed in mobile app"
+                });
                 return;
               }
 
@@ -80,7 +94,7 @@ public WebEidLoginPageGeneratingFilter(String path) {
               })
               .catch(e => {
                 console.error("Login failed", e);
-                window.location.replace("/?mobileAuthError=login_failed");
+                showErrorMessage({ code: "LOGIN_FAILED", message: e.message });
               });
             })();
             </script>
@@ -102,16 +116,17 @@ protected void doFilterInternal(@NonNull HttpServletRequest request, @NonNull Ht
             csrf = (CsrfToken) request.getAttribute("_csrf");
         }
 
-        String html = generateHtml(
-            csrf != null ? csrf.getToken() : "",
-            csrf != null ? csrf.getHeaderName() : "X-CSRF-TOKEN"
-        );
+        String html = generateHtml(csrf);
 
         response.setContentType(MediaType.TEXT_HTML_VALUE + ";charset=UTF-8");
         response.getWriter().write(html);
     }
 
-    private String generateHtml(String csrfToken, String csrfHeaderName) {
-        return String.format(LOGIN_PAGE_HTML, csrfToken, csrfHeaderName);
+    private String generateHtml(CsrfToken csrf) {
+        return String.format(
+            LOGIN_PAGE_HTML,
+            csrf != null ? csrf.getHeaderName() : "X-CSRF-TOKEN",
+            csrf != null ? csrf.getToken() : ""
+        );
     }
 }

example/src/main/resources/templates/index.html

@@ -275,8 +275,8 @@ <h3><a id="for-developers"></a>For developers</h3>
                 });
 
                 await checkHttpError(resp);
-                const { eidAuthUri } = await resp.json();
-                window.location.href = eidAuthUri;
+                const { auth_uri } = await resp.json();
+                window.location.href = auth_uri;
                 return;
             }
 

example/src/test/java/eu/webeid/example/AuthenticationRestControllerTest.java

@@ -70,7 +70,7 @@ void challengeReturnsNonceWithExpectedBase64Length() throws Exception {
 
     @Test
     void mobileInitBuildsDeepLinkWithEmbeddedChallenge() throws Exception {
-        MvcResult result = mvc.perform(post("/auth/mobile/auth/init")
+        MvcResult result = mvc.perform(post("/auth/mobile/init")
                 .with(csrf())
                 .accept(MediaType.APPLICATION_JSON))
             .andExpect(status().isOk())