Commit 79a1b274 authored by Matija Obreza's avatar Matija Obreza

ATiC: Use request Origin for API access token cookie name

parent dc144ad0
......@@ -17,6 +17,8 @@
package org.genesys2.server.servlet.filter;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
......@@ -37,9 +39,13 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.filter.OncePerRequestFilter;
import static org.eclipse.jetty.http.HttpCookie.SAME_SITE_STRICT_COMMENT;
/**
* Converts the "access_token" cookie to the "Authorization" HTTP request header.
* Converts the API cookie to the "Authorization" HTTP request
* header if provided.
*
* Will Set-Cookie when cookie is missing.
*
* @author Maxym Borodenko
* @author Matija Obreza
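Review bot: The reworded class Javadoc on L21-L24 still speaks of "the API cookie" without saying how that cookie is named, which is the whole point of this commit, and it does not mention that requests carrying neither an Origin nor a Referer header are passed through untouched. Suggested addition after L24: `* The cookie name is {@code GENESYS_} followed by the host of the request's Origin header (falling back to Referer); requests with neither header are passed through unchanged.` Both facts are visible further down in this commit (the prefix constant, the null-source early return and getRequestSource).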
......@@ -48,25 +54,37 @@ public class AccessTokenInCookieFilter extends OncePerRequestFilter {
public static final Logger LOG = LoggerFactory.getLogger(AccessTokenInCookieFilter.class);
private static final String ACCESS_TOKEN_COOKIE_NAME = "APITOKEN";
private static final String ACCESS_TOKEN_COOKIE_PREFIX = "GENESYS_";
@Value("${host.name}") // we're using the API host name for cookie domain here
private String cookieDomain;
@Value("${base.cookie-secure}")
private boolean cookieSecure;
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
String authorizationHeader = request.getHeader("Authorization");
Cookie[] cookies = request.getCookies();
String accessToken = null;
URL sourceUrl = null;
try {
sourceUrl = getRequestSource(request);
} catch (MalformedURLException e) {
LOG.debug("Could not obtain source URL: {}", e.getMessage());
}
if (sourceUrl == null) {
filterChain.doFilter(request, response);
return;
}
String tokenCookieName = ACCESS_TOKEN_COOKIE_PREFIX + sourceUrl.getHost();
if (authorizationHeader == null && cookies != null) {
for (Cookie cookie : cookies) {
if (cookie.getName().equalsIgnoreCase(ACCESS_TOKEN_COOKIE_NAME)) {
if (cookie.getName().equalsIgnoreCase(tokenCookieName)) {
accessToken = cookie.getValue();
break;
}
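Review bot: `tokenCookieName` on L51 is built from a client-supplied Origin/Referer host with no validation, and the `new Cookie(tokenCookieName, …)` call later in this method (next hunk) rejects cookie names containing characters such as `[`, `]` or `:` in most servlet implementations, so an IPv6-literal origin like `http://[::1]:8080` combined with an Authorization header would presumably end in an uncaught IllegalArgumentException instead of the pass-through that the null-source case gets on L47-L50. Extend that guard to also reject an empty or non-hostname host, e.g. `if (sourceUrl == null || !sourceUrl.getHost().matches("[A-Za-z0-9.-]+")) {` (the regex is an illustrative allow-list; `URL.getHost()` returns an empty string for a URL without an authority, which would otherwise yield the bare name `GENESYS_`). doFilterInternal continues beyond this hunk.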
......@@ -82,17 +100,18 @@ public class AccessTokenInCookieFilter extends OncePerRequestFilter {
return;
}
// Register the "access_token" cookie if Authorization is provided, but cookie is missing or not matching
// Register the "access_token" cookie if Authorization is provided, but cookie
// is missing or not matching
if (request.getHeader("Authorization") != null) {
Optional<Cookie> tokenCookie = Optional.empty();
if (cookies != null) {
tokenCookie = Arrays.stream(cookies).filter(cookie -> cookie.getName().equals(ACCESS_TOKEN_COOKIE_NAME)).findFirst();
tokenCookie = Arrays.stream(cookies).filter(cookie -> cookie.getName().equals(tokenCookieName)).findFirst();
}
accessToken = authorizationHeader.substring(7); // Remove "Bearer "
if (!tokenCookie.isPresent() || tokenCookie.get().getValue().equals(accessToken)) {
Cookie cookie = new Cookie(ACCESS_TOKEN_COOKIE_NAME, accessToken);
cookie.setComment("Genesys API access token");
Cookie cookie = new Cookie(tokenCookieName, accessToken);
cookie.setComment(SAME_SITE_STRICT_COMMENT);
cookie.setHttpOnly(true);
cookie.setSecure(cookieSecure);
if (StringUtils.isNotBlank(cookieDomain)) {
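Review bot: `SAME_SITE_STRICT_COMMENT` on L76 is a Jetty marker (imported from `org.eclipse.jetty.http.HttpCookie`): Jetty's cookie encoder rewrites that comment into a `SameSite=Strict` attribute, while any other servlet container would send it verbatim as a Comment and emit no SameSite attribute at all, so the filter now silently depends on the container; a comment such as `// Jetty-only: this comment is rewritten to SameSite=Strict by Jetty's HttpCookie encoder` would make that visible. Note also that a cookie keyed by the request's Origin exists for cross-origin callers, yet a Strict cookie is not sent on cross-site requests, so a frontend on a different registrable domain than the API host will presumably never send this cookie back. Separately, the unchanged condition on L72 issues the cookie when the existing value equals the token and skips it when it differs, the opposite of what the comment on L63-L64 says; `!tokenCookie.get().getValue().equals(accessToken)` looks intended, though that is pre-existing. The enclosing `if` block and doFilterInternal continue outside this hunk.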
......@@ -109,6 +128,20 @@ public class AccessTokenInCookieFilter extends OncePerRequestFilter {
filterChain.doFilter(request, response);
}
private URL getRequestSource(HttpServletRequest request) throws MalformedURLException {
String origin = request.getHeader("Origin");
if (StringUtils.isNotBlank(origin)) {
return new URL(origin);
}
String referrer = request.getHeader("Referer");
if (StringUtils.isNotBlank(referrer)) {
return new URL(referrer);
}
return null;
}
static class CustomHeadersRequest extends HttpServletRequestWrapper {
private Map<String, String> customHeaders = new HashMap<>();
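Review bot: `getRequestSource` (L83-L93) has no Javadoc although its contract drives the whole filter: Origin wins over Referer, a blank header is treated as absent, null is returned only when both are missing, and MalformedURLException is left to the caller, which treats it as "no source". The literal `Origin: null` that browsers send for opaque origins (sandboxed frames, some redirects) falls into that MalformedURLException path, which is the right outcome but worth stating so nobody "fixes" it. Suggested Javadoc: a summary sentence saying it resolves the request's source URL from the Origin header with Referer as fallback, a `@return` of null when neither header is present or blank, and a `@throws MalformedURLException` when the chosen header is not a parseable URL, mentioning the `Origin: null` case.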