🐛fix: Token Verification and Public Endpoints Definition (#104)

* Fix roles conversion and public endpoints definition

* Fix typo

Author: Rahul Verma

src/main/java/org/overture/ego/config/SecureServerConfig.java

@@ -36,13 +36,20 @@
 @Profile("auth")
 public class SecureServerConfig extends WebSecurityConfigurerAdapter {
 
+  /*
+    Constants
+   */
+  private final String[] PUBLIC_ENDPOINTS =
+      new String[] {"/oauth/token","/oauth/google/token", "/oauth/facebook/token", "/oauth/token/public_key",
+          "/oauth/token/verify"};
+
   @Autowired
   private AuthenticationManager authenticationManager;
 
   @Bean
   @SneakyThrows
   public JWTAuthorizationFilter authorizationFilter() {
-    return new JWTAuthorizationFilter(authenticationManager);
+    return new JWTAuthorizationFilter(authenticationManager,PUBLIC_ENDPOINTS);
   }
 
   @Bean

src/main/java/org/overture/ego/model/entity/User.java

@@ -118,6 +118,17 @@ public List<String> getRoles(){
     return Arrays.asList(this.getRole());
   }
 
+  /*
+    Roles is an array only in JWT but a String in Database.
+    This is done for future compatibility - at the moment ego only needs one Role but this may change
+     as project progresses.
+     Currently, using the only role by extracting first role in the array
+   */
+  public void setRoles(@NonNull List<String> roles){
+    if(roles.size() > 0)
+      this.role = roles.get(0);
+  }
+
   public void addNewApplication(@NonNull Application app){
     initApplications();
     this.wholeApplications.add(app);

src/main/java/org/overture/ego/security/JWTAuthorizationFilter.java

@@ -34,18 +34,23 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.util.ArrayList;
+import java.util.Arrays;
 
 @Slf4j
 public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
 
+  private String[] publicEndpoints = null;
+
   @Value("${auth.token.prefix}")
   private String TOKEN_PREFIX;
 
   @Autowired
   private TokenService tokenService;
 
-  public JWTAuthorizationFilter(AuthenticationManager authManager) {
+
+  public JWTAuthorizationFilter(AuthenticationManager authManager, String[] publicEndpoints) {
     super(authManager);
+    this.publicEndpoints = publicEndpoints;
   }
 
   @Override
@@ -54,7 +59,9 @@ public void doFilterInternal(HttpServletRequest request,
                                HttpServletResponse response,
                                FilterChain chain) {
     String tokenPayload = "";
-    if("/oauth/token".equals(request.getServletPath())){
+
+    // No need to validate a token even if one is passed for public endpoints
+    if(isPublicEndpoint(request.getServletPath())){
       chain.doFilter(request,response);
       return;
     } else{
@@ -83,4 +90,10 @@ private String removeTokenPrefix(String token){
     return token.replace(TOKEN_PREFIX,"").trim();
   }
 
+  private boolean isPublicEndpoint(String endpointPath){
+    if(this.publicEndpoints != null){
+      return Arrays.stream(this.publicEndpoints).anyMatch(item -> item.equals(endpointPath));
+    } else return false;
+  }
+
 }

src/main/java/org/overture/ego/token/TokenService.java

@@ -124,7 +124,7 @@ public boolean validateToken(String token) {
   public User getTokenUserInfo(String token) {
     try {
       Claims body = getTokenClaims(token);
-      val tokenClaims = TypeUtils.convertToAnotherType(body, UserTokenClaims.class);
+      val tokenClaims = TypeUtils.convertToAnotherType(body, UserTokenClaims.class, Views.JWTAccessToken.class);
       return userService.get(tokenClaims.getSub());
     } catch (JwtException | ClassCastException e) {
       return null;