NFC-47 Review findings. Replace mockNfcAuthToken with mockV11AuthToken. Replace VALID_NFC_AUTH_TOKEN with VALID_WEB_EID_1_1AUTH_TOKEN. Return html with spring security filter.

Author: SanderKondratjevNortal

example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java

@@ -24,6 +24,7 @@
 
 import eu.webeid.example.security.AuthTokenDTOAuthenticationProvider;
 import eu.webeid.example.security.WebEidAjaxLoginProcessingFilter;
+import eu.webeid.example.security.ui.WebEidLoginPageGeneratingFilter;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
@@ -64,6 +65,7 @@ SecurityFilterChain filterChain(
                 .anyRequest().authenticated()
             )
             .authenticationProvider(provider)
+            .addFilterBefore(new WebEidLoginPageGeneratingFilter(), UsernamePasswordAuthenticationFilter.class)
             .addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class)
             .headers(h -> h.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
             .logout(l -> l.logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()))
@@ -74,7 +76,6 @@ SecurityFilterChain filterChain(
     public void addViewControllers(ViewControllerRegistry registry) {
         registry.addViewController("/").setViewName("index");
         registry.addViewController("/welcome").setViewName("welcome");
-        registry.addViewController("/auth/eid/login").setViewName("eid-login");
     }
 
 }

example/src/main/java/eu/webeid/example/security/ui/WebEidLoginPageGeneratingFilter.java

@@ -0,0 +1,77 @@
+package eu.webeid.example.security.ui;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+
+public final class WebEidLoginPageGeneratingFilter extends OncePerRequestFilter {
+
+    private final RequestMatcher requestMatcher = new AntPathRequestMatcher("/auth/eid/login", "GET");
+    private static final String LOGIN_PAGE_HTML = """
+    <!doctype html>
+    <html lang="en">
+    <head>
+      <meta charset="utf-8">
+      <meta name="viewport" content="width=device-width, initial-scale=1">
+      <title>Signing you in…</title>
+      <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'unsafe-inline'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self';">
+    </head>
+    <body>
+    <script>
+      (function () {
+        const frag = location.hash ? location.hash.substring(1) : "";
+        if (!frag) { location.replace("/?mobileAuthError=missing_payload"); return; }
+
+        let payload;
+        try { payload = JSON.parse(atob(frag)); } catch (e) {
+          location.replace("/?mobileAuthError=bad_payload"); return;
+        }
+
+        const authToken = payload["auth-token"] ?? payload;
+
+        fetch("/auth/login", {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ "auth-token": authToken })
+        })
+        .then(r => {
+          if (!r.ok) throw new Error("HTTP " + r.status);
+          location.replace("/welcome");
+        })
+        .catch(() => location.replace("/?mobileAuthError=login_failed"));
+      })();
+    </script>
+    Signing you in…
+    </body>
+    </html>
+    """;
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request,
+                                    HttpServletResponse response,
+                                    FilterChain filterChain)
+        throws ServletException, IOException {
+
+        if (!this.requestMatcher.matches(request)) {
+            filterChain.doFilter(request, response);
+            return;
+        }
+
+        String html = generateHtml();
+        byte[] bytes = html.getBytes(StandardCharsets.UTF_8);
+        response.setContentType("text/html;charset=UTF-8");
+        response.setContentLength(bytes.length);
+        response.getOutputStream().write(bytes);
+    }
+
+    private String generateHtml() {
+        return LOGIN_PAGE_HTML;
+    }
+}

example/src/main/resources/templates/eid-login.html

@@ -171,7 +171,7 @@ public FileDTO signContainer(SignatureDTO signatureDTO) {
         MockHttpSession session = new MockHttpSession();
         session.setAttribute("challenge-nonce", new ChallengeNonce(ObjectMother.VALID_CHALLENGE_NONCE, DateAndTime.utcNow().plusMinutes(1)));
 
-        MvcResult result = HttpHelper.login(mvcBuilder, session, ObjectMother.mockNfcAuthToken());
+        MvcResult result = HttpHelper.login(mvcBuilder, session, ObjectMother.mockV11AuthToken());
         MockHttpServletResponse response = result.getResponse();
         assertEquals("{\"sub\":\"JAAK-KRISTJAN JÕEORG\",\"auth\":\"[ROLE_USER]\"}", response.getContentAsString());
     }

example/src/test/java/eu/webeid/example/WebApplicationTest.java

@@ -62,13 +62,13 @@ void testAttemptAuthentication() throws Exception {
     }
 
     @Test
-    void testAttemptAuthentication_NfcToken() throws Exception {
+    void testAttemptAuthentication_V11AuthToken() throws Exception {
         final HttpServletRequest request = mock(HttpServletRequest.class);
         final HttpServletResponse response = mock(HttpServletResponse.class);
         when(request.getMethod()).thenReturn(HttpMethod.POST.name());
         when(request.getHeader("Content-type")).thenReturn("application/json");
 
-        var jsonBody = ObjectMother.toJson(Map.of("auth-token", ObjectMother.mockNfcAuthToken().getToken()));
+        var jsonBody = ObjectMother.toJson(Map.of("auth-token", ObjectMother.mockV11AuthToken().getToken()));
 
         when(request.getReader()).thenReturn(new BufferedReader(new StringReader(jsonBody)));
 

example/src/test/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilterTest.java

@@ -48,7 +48,7 @@ public class ObjectMother {
     private static final String TEST_PKI_CONTAINER = "src/test/resources/signout.p12";
     private static final String TEST_PKI_CONTAINER_PASSWORD = "test";
     private static final WebEidAuthToken VALID_AUTH_TOKEN;
-    private static final WebEidAuthToken VALID_NFC_AUTH_TOKEN;
+    private static final WebEidAuthToken VALID_WEB_EID_1_1AUTH_TOKEN;
 
     static {
         try {
@@ -66,7 +66,7 @@ public class ObjectMother {
 
     static {
         try {
-            VALID_NFC_AUTH_TOKEN = MAPPER.readValue(
+            VALID_WEB_EID_1_1AUTH_TOKEN = MAPPER.readValue(
                 "{\"algorithm\":\"ES384\"," +
                     "\"unverifiedCertificate\":\"MIIEBDCCA2WgAwIBAgIQY5OGshxoPMFg+Wfc0gFEaTAKBggqhkjOPQQDBDBgMQswCQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEbMBkGA1UEAwwSVEVTVCBvZiBFU1RFSUQyMDE4MB4XDTIxMDcyMjEyNDMwOFoXDTI2MDcwOTIxNTk1OVowfzELMAkGA1UEBhMCRUUxKjAoBgNVBAMMIUrDlUVPUkcsSkFBSy1LUklTVEpBTiwzODAwMTA4NTcxODEQMA4GA1UEBAwHSsOVRU9SRzEWMBQGA1UEKgwNSkFBSy1LUklTVEpBTjEaMBgGA1UEBRMRUE5PRUUtMzgwMDEwODU3MTgwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQmwEKsJTjaMHSaZj19hb9EJaJlwbKc5VFzmlGMFSJVk4dDy+eUxa5KOA7tWXqzcmhh5SYdv+MxcaQKlKWLMa36pfgv20FpEDb03GCtLqjLTRZ7649PugAQ5EmAqIic29CjggHDMIIBvzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIDiDBHBgNVHSAEQDA+MDIGCysGAQQBg5EhAQIBMCMwIQYIKwYBBQUHAgEWFWh0dHBzOi8vd3d3LnNrLmVlL0NQUzAIBgYEAI96AQIwHwYDVR0RBBgwFoEUMzgwMDEwODU3MThAZWVzdGkuZWUwHQYDVR0OBBYEFPlp/ceABC52itoqppEmbf71TJz6MGEGCCsGAQUFBwEDBFUwUzBRBgYEAI5GAQUwRzBFFj9odHRwczovL3NrLmVlL2VuL3JlcG9zaXRvcnkvY29uZGl0aW9ucy1mb3ItdXNlLW9mLWNlcnRpZmljYXRlcy8TAkVOMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAfBgNVHSMEGDAWgBTAhJkpxE6fOwI09pnhClYACCk+ezBzBggrBgEFBQcBAQRnMGUwLAYIKwYBBQUHMAGGIGh0dHA6Ly9haWEuZGVtby5zay5lZS9lc3RlaWQyMDE4MDUGCCsGAQUFBzAChilodHRwOi8vYy5zay5lZS9UZXN0X29mX0VTVEVJRDIwMTguZGVyLmNydDAKBggqhkjOPQQDBAOBjAAwgYgCQgDCAgybz0u3W+tGI+AX+PiI5CrE9ptEHO5eezR1Jo4j7iGaO0i39xTGUB+NSC7P6AQbyE/ywqJjA1a62jTLcS9GHAJCARxN4NO4eVdWU3zVohCXm8WN3DWA7XUcn9TZiLGQ29P4xfQZOXJi/z4PNRRsR4plvSNB3dfyBvZn31HhC7my8woi\"," +
                     "\"unverifiedSigningCertificate\":\"MIIEBDCCA2WgAwIBAgIQY5OGshxoPMFg+Wfc0gFEaTAKBggqhkjOPQQDBDBgMQswCQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEbMBkGA1UEAwwSVEVTVCBvZiBFU1RFSUQyMDE4MB4XDTIxMDcyMjEyNDMwOFoXDTI2MDcwOTIxNTk1OVowfzELMAkGA1UEBhMCRUUxKjAoBgNVBAMMIUrDlUVPUkcsSkFBSy1LUklTVEpBTiwzODAwMTA4NTcxODEQMA4GA1UEBAwHSsOVRU9SRzEWMBQGA1UEKgwNSkFBSy1LUklTVEpBTjEaMBgGA1UEBRMRUE5PRUUtMzgwMDEwODU3MTgwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQmwEKsJTjaMHSaZj19hb9EJaJlwbKc5VFzmlGMFSJVk4dDy+eUxa5KOA7tWXqzcmhh5SYdv+MxcaQKlKWLMa36pfgv20FpEDb03GCtLqjLTRZ7649PugAQ5EmAqIic29CjggHDMIIBvzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIDiDBHBgNVHSAEQDA+MDIGCysGAQQBg5EhAQIBMCMwIQYIKwYBBQUHAgEWFWh0dHBzOi8vd3d3LnNrLmVlL0NQUzAIBgYEAI96AQIwHwYDVR0RBBgwFoEUMzgwMDEwODU3MThAZWVzdGkuZWUwHQYDVR0OBBYEFPlp/ceABC52itoqppEmbf71TJz6MGEGCCsGAQUFBwEDBFUwUzBRBgYEAI5GAQUwRzBFFj9odHRwczovL3NrLmVlL2VuL3JlcG9zaXRvcnkvY29uZGl0aW9ucy1mb3ItdXNlLW9mLWNlcnRpZmljYXRlcy8TAkVOMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAfBgNVHSMEGDAWgBTAhJkpxE6fOwI09pnhClYACCk+ezBzBggrBgEFBQcBAQRnMGUwLAYIKwYBBQUHMAGGIGh0dHA6Ly9haWEuZGVtby5zay5lZS9lc3RlaWQyMDE4MDUGCCsGAQUFBzAChilodHRwOi8vYy5zay5lZS9UZXN0X29mX0VTVEVJRDIwMTguZGVyLmNydDAKBggqhkjOPQQDBAOBjAAwgYgCQgDCAgybz0u3W+tGI+AX+PiI5CrE9ptEHO5eezR1Jo4j7iGaO0i39xTGUB+NSC7P6AQbyE/ywqJjA1a62jTLcS9GHAJCARxN4NO4eVdWU3zVohCXm8WN3DWA7XUcn9TZiLGQ29P4xfQZOXJi/z4PNRRsR4plvSNB3dfyBvZn31HhC7my8woi\"," +
@@ -88,9 +88,9 @@ public static AuthTokenDTO mockAuthToken() {
         return authToken;
     }
 
-    public static AuthTokenDTO mockNfcAuthToken() {
+    public static AuthTokenDTO mockV11AuthToken() {
         AuthTokenDTO authToken = new AuthTokenDTO();
-        authToken.setToken(VALID_NFC_AUTH_TOKEN);
+        authToken.setToken(VALID_WEB_EID_1_1AUTH_TOKEN);
         return authToken;
     }