Fix unnecessary authentication token being sent in requests
This commit is contained in:
parent
fccd7e70b1
commit
d4c7813c97
@ -21,7 +21,6 @@
|
||||
<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/JavaSE-11">
|
||||
<attributes>
|
||||
<attribute name="maven.pomderived" value="true"/>
|
||||
<attribute name="module" value="true"/>
|
||||
</attributes>
|
||||
</classpathentry>
|
||||
<classpathentry kind="con" path="org.eclipse.m2e.MAVEN2_CLASSPATH_CONTAINER">
|
||||
|
@ -44,7 +44,6 @@ public final class LocalDB implements EventListener {
|
||||
private IDGenerator idGenerator;
|
||||
private CacheMap cacheMap = new CacheMap();
|
||||
private String authToken;
|
||||
private boolean saveToken;
|
||||
private boolean contactsChanged;
|
||||
|
||||
// Auto save timer
|
||||
@ -261,7 +260,7 @@ public final class LocalDB implements EventListener {
|
||||
Context.getInstance().getClient().isOnline() ? Instant.now() : lastSync);
|
||||
|
||||
// Save last login information
|
||||
if (saveToken && authToken != null)
|
||||
if (authToken != null)
|
||||
SerializationUtils.write(lastLoginFile, user, authToken);
|
||||
|
||||
// Save ID generator
|
||||
@ -489,10 +488,4 @@ public final class LocalDB implements EventListener {
|
||||
* @since Envoy Client v0.2-beta
|
||||
*/
|
||||
public String getAuthToken() { return authToken; }
|
||||
|
||||
/**
|
||||
* @param saveToken whether the token will be persisted or deleted on shutdown
|
||||
* @since Envoy Client v0.3-beta
|
||||
*/
|
||||
public void setSaveToken(boolean saveToken) { this.saveToken = saveToken; }
|
||||
}
|
||||
|
@ -153,8 +153,7 @@ public final class Client implements EventListener, Closeable {
|
||||
try {
|
||||
SerializationUtils.writeBytesWithLength(
|
||||
new AuthenticatedRequest<>(obj,
|
||||
Context.getInstance().getLocalDB().getUser().getID(),
|
||||
Context.getInstance().getLocalDB().getAuthToken()),
|
||||
Context.getInstance().getLocalDB().getUser().getID()),
|
||||
socket.getOutputStream());
|
||||
} catch (final IOException e) {
|
||||
throw new RuntimeException(e);
|
||||
|
@ -16,7 +16,7 @@ import envoy.data.LoginCredentials;
|
||||
import envoy.event.HandshakeRejection;
|
||||
import envoy.util.*;
|
||||
|
||||
import envoy.client.data.*;
|
||||
import envoy.client.data.ClientConfig;
|
||||
import envoy.client.ui.Startup;
|
||||
import envoy.client.util.IconUtil;
|
||||
|
||||
@ -81,9 +81,7 @@ public final class LoginScene implements EventListener {
|
||||
private void loginButtonPressed() {
|
||||
final String user = userTextField.getText(), pass = passwordField.getText(),
|
||||
repeatPass = repeatPasswordField.getText();
|
||||
|
||||
// Choose whether to persist the token or not
|
||||
Context.getInstance().getLocalDB().setSaveToken(cbStaySignedIn.isSelected());
|
||||
final boolean requestToken = cbStaySignedIn.isSelected();
|
||||
|
||||
// Prevent registration with unequal passwords
|
||||
if (registration && !pass.equals(repeatPass)) {
|
||||
@ -98,8 +96,8 @@ public final class LoginScene implements EventListener {
|
||||
} else {
|
||||
Instant lastSync = Startup.loadLastSync(userTextField.getText());
|
||||
Startup.performHandshake(registration
|
||||
? LoginCredentials.registration(user, pass, Startup.VERSION, lastSync)
|
||||
: LoginCredentials.login(user, pass, Startup.VERSION, lastSync));
|
||||
? LoginCredentials.registration(user, pass, requestToken, Startup.VERSION, lastSync)
|
||||
: LoginCredentials.login(user, pass, requestToken, Startup.VERSION, lastSync));
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -4,7 +4,7 @@ import java.io.Serializable;
|
||||
import java.util.Objects;
|
||||
|
||||
/**
|
||||
* Wraps any request sent to the server in the authentication details of a user.
|
||||
* Enables checking for the server whether the client is really who he is supposed to be.
|
||||
*
|
||||
* @author Leon Hofmeister
|
||||
* @param <T> the type of object to be sent
|
||||
@ -13,7 +13,6 @@ import java.util.Objects;
|
||||
public final class AuthenticatedRequest<T extends Serializable> implements Serializable {
|
||||
|
||||
private final T request;
|
||||
private final String authentication;
|
||||
private final long userID;
|
||||
|
||||
private static final long serialVersionUID = 1L;
|
||||
@ -21,21 +20,13 @@ public final class AuthenticatedRequest<T extends Serializable> implements Seria
|
||||
/**
|
||||
* @param request the actual object that should be sent
|
||||
* @param userID the ID of the currently logged in user
|
||||
* @param authentication the authentication of the currently logged in user
|
||||
* @since Envoy Common v0.3-beta
|
||||
*/
|
||||
public AuthenticatedRequest(T request, long userID, String authentication) {
|
||||
public AuthenticatedRequest(T request, long userID) {
|
||||
this.request = Objects.requireNonNull(request);
|
||||
this.userID = userID;
|
||||
this.authentication = authentication == null ? "" : authentication;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return the authentication token of the currently logged in user
|
||||
* @since Envoy Common v0.3-beta
|
||||
*/
|
||||
public String getAuthentication() { return authentication; }
|
||||
|
||||
/**
|
||||
* @return the request
|
||||
* @since Envoy Common v0.3-beta
|
||||
|
@ -15,18 +15,18 @@ import java.util.Objects;
|
||||
public final class LoginCredentials implements Serializable {
|
||||
|
||||
private final String identifier, password, clientVersion;
|
||||
private final boolean registration, token;
|
||||
private final boolean registration, token, requestToken;
|
||||
private final Instant lastSync;
|
||||
|
||||
private static final long serialVersionUID = 4;
|
||||
|
||||
private LoginCredentials(String identifier, String password, boolean registration,
|
||||
boolean token, String clientVersion,
|
||||
Instant lastSync) {
|
||||
boolean token, boolean requestToken, String clientVersion, Instant lastSync) {
|
||||
this.identifier = Objects.requireNonNull(identifier);
|
||||
this.password = Objects.requireNonNull(password);
|
||||
this.registration = registration;
|
||||
this.token = token;
|
||||
this.requestToken = requestToken;
|
||||
this.clientVersion = Objects.requireNonNull(clientVersion);
|
||||
this.lastSync = lastSync == null ? Instant.EPOCH : lastSync;
|
||||
}
|
||||
@ -36,14 +36,15 @@ public final class LoginCredentials implements Serializable {
|
||||
*
|
||||
* @param identifier the identifier of the user
|
||||
* @param password the password of the user
|
||||
* @param requestToken requests the server to generate an authentication token
|
||||
* @param clientVersion the version of the client sending these credentials
|
||||
* @param lastSync the timestamp of the last synchronization
|
||||
* @return the created login credentials
|
||||
* @since Envoy Common v0.2-beta
|
||||
*/
|
||||
public static LoginCredentials login(String identifier, String password,
|
||||
public static LoginCredentials login(String identifier, String password, boolean requestToken,
|
||||
String clientVersion, Instant lastSync) {
|
||||
return new LoginCredentials(identifier, password, false, false, clientVersion,
|
||||
return new LoginCredentials(identifier, password, false, false, requestToken, clientVersion,
|
||||
lastSync);
|
||||
}
|
||||
|
||||
@ -59,7 +60,7 @@ public final class LoginCredentials implements Serializable {
|
||||
*/
|
||||
public static LoginCredentials loginWithToken(String identifier, String token,
|
||||
String clientVersion, Instant lastSync) {
|
||||
return new LoginCredentials(identifier, token, false, true, clientVersion, lastSync);
|
||||
return new LoginCredentials(identifier, token, false, true, false, clientVersion, lastSync);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -67,24 +68,27 @@ public final class LoginCredentials implements Serializable {
|
||||
*
|
||||
* @param identifier the identifier of the user
|
||||
* @param password the password of the user
|
||||
* @param requestToken requests the server to generate an authentication token
|
||||
* @param clientVersion the version of the client sending these credentials
|
||||
* @param lastSync the timestamp of the last synchronization
|
||||
* @return the created login credentials
|
||||
* @since Envoy Common v0.2-beta
|
||||
*/
|
||||
public static LoginCredentials registration(String identifier, String password,
|
||||
boolean requestToken,
|
||||
String clientVersion, Instant lastSync) {
|
||||
return new LoginCredentials(identifier, password, true, false, clientVersion,
|
||||
return new LoginCredentials(identifier, password, true, false, requestToken, clientVersion,
|
||||
lastSync);
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return String.format(
|
||||
"LoginCredentials[identifier=%s,registration=%b,token=%b,clientVersion=%s,lastSync=%s]",
|
||||
"LoginCredentials[identifier=%s,registration=%b,token=%b,requestToken=%b,clientVersion=%s,lastSync=%s]",
|
||||
identifier,
|
||||
registration,
|
||||
token,
|
||||
requestToken,
|
||||
clientVersion,
|
||||
lastSync);
|
||||
}
|
||||
@ -116,6 +120,14 @@ public final class LoginCredentials implements Serializable {
|
||||
return token;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return {@code true} if the server should generate a new authentication token
|
||||
* @since Envoy Common v0.2-beta
|
||||
*/
|
||||
public boolean requestToken() {
|
||||
return requestToken;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return the version of the client sending these credentials
|
||||
* @since Envoy Common v0.1-beta
|
||||
|
@ -6,12 +6,11 @@ import java.util.Set;
|
||||
import java.util.logging.*;
|
||||
|
||||
import com.jenkov.nioserver.*;
|
||||
import com.jenkov.nioserver.Message;
|
||||
|
||||
import envoy.data.AuthenticatedRequest;
|
||||
import envoy.util.EnvoyLog;
|
||||
|
||||
import envoy.server.data.*;
|
||||
import envoy.server.data.PersistenceManager;
|
||||
import envoy.server.processors.ObjectProcessor;
|
||||
|
||||
/**
|
||||
@ -49,32 +48,25 @@ public final class ObjectMessageProcessor implements IMessageProcessor {
|
||||
|
||||
// authenticate requests if necessary
|
||||
boolean authenticated = false;
|
||||
if (obj instanceof AuthenticatedRequest)
|
||||
try {
|
||||
authenticated = PersistenceManager
|
||||
.getInstance().getUserByID(((AuthenticatedRequest<?>) obj).getUserID())
|
||||
.getID() == ConnectionManager.getInstance()
|
||||
.getUserIDBySocketID(message.socketId);
|
||||
|
||||
if (obj instanceof AuthenticatedRequest) {
|
||||
Contact contact = PersistenceManager.getInstance()
|
||||
.getContactByID(((AuthenticatedRequest<?>) obj).getUserID());
|
||||
|
||||
// Validating the authenticity of the request
|
||||
if (contact == null || contact instanceof Group
|
||||
|| !((AuthenticatedRequest<?>) obj).getAuthentication()
|
||||
.equals(((User) contact).getAuthToken())) {
|
||||
|
||||
// Invalid request
|
||||
logger.log(Level.INFO,
|
||||
"A user tried to perform an authenticated request but could not identify himself. Discarding request.");
|
||||
return;
|
||||
}
|
||||
|
||||
// Valid request
|
||||
logger.log(Level.INFO, "A user successfully authenticated a request for " + obj);
|
||||
authenticated = true;
|
||||
// Class cast exception and NullPointerException are valid here and signify a
|
||||
// failed authentication
|
||||
} catch (ClassCastException | NullPointerException e) {} finally {
|
||||
obj = ((AuthenticatedRequest<?>) obj).getRequest();
|
||||
} else
|
||||
logger.log(Level.FINE, "Received unauthenticated " + obj);
|
||||
}
|
||||
logger.log(Level.INFO,
|
||||
"Received " + (authenticated ? "" : "un") + "authenticated " + obj);
|
||||
|
||||
refer(message.socketId, writeProxy, obj, authenticated);
|
||||
} catch (IOException | ClassNotFoundException e) {
|
||||
e.printStackTrace();
|
||||
logger.log(Level.WARNING,
|
||||
"An exception occurred when reading in an object: " + e);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -124,6 +124,7 @@ public final class LoginCredentialProcessor implements ObjectProcessor<LoginCred
|
||||
UserStatusChangeProcessor.updateUserStatus(user, ONLINE);
|
||||
|
||||
// Process token request
|
||||
if (credentials.requestToken()) {
|
||||
String token;
|
||||
if (user.getAuthToken() != null && user.getAuthTokenExpiration().isAfter(Instant.now()))
|
||||
|
||||
@ -139,7 +140,7 @@ public final class LoginCredentialProcessor implements ObjectProcessor<LoginCred
|
||||
ServerConfig.getInstance().getAuthTokenExpiration().longValue(), ChronoUnit.DAYS));
|
||||
persistenceManager.updateContact(user);
|
||||
writeProxy.write(socketID, new NewAuthToken(token));
|
||||
|
||||
}
|
||||
final var pendingMessages =
|
||||
PersistenceManager.getInstance().getPendingMessages(user, credentials.getLastSync());
|
||||
pendingMessages.removeIf(GroupMessage.class::isInstance);
|
||||
|
Reference in New Issue
Block a user