Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: use RequestCache to clear REDIRECT_URI cookie without reflective lookups #16

Merged
merged 1 commit into from
Oct 23, 2023
Merged

fix: use RequestCache to clear REDIRECT_URI cookie without reflective lookups #16

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 9 additions & 2 deletions src/main/java/com/gw2auth/oauth2/server/service/user/Gw2AuthTokenUserService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,10 @@
import com.gw2auth.oauth2.server.util.Pair;
import com.gw2auth.oauth2.server.util.SymEncryption;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.stereotype.Service;

import javax.crypto.SecretKey;
Expand All @@ -28,14 +30,16 @@ public class Gw2AuthTokenUserService implements Clocked {
private final RequestSessionMetadataExtractor requestSessionMetadataExtractor;
private final SessionMetadataService sessionMetadataService;
private final AccountService accountService;
private final RequestCache requestCache;
private Clock clock;

@Autowired
public Gw2AuthTokenUserService(Gw2AuthInternalJwtConverter jwtConverter, RequestSessionMetadataExtractor requestSessionMetadataExtractor, SessionMetadataService sessionMetadataService, AccountService accountService) {
public Gw2AuthTokenUserService(Gw2AuthInternalJwtConverter jwtConverter, RequestSessionMetadataExtractor requestSessionMetadataExtractor, SessionMetadataService sessionMetadataService, AccountService accountService, RequestCache requestCache) {
this.jwtConverter = jwtConverter;
this.requestSessionMetadataExtractor = requestSessionMetadataExtractor;
this.sessionMetadataService = sessionMetadataService;
this.accountService = accountService;
this.requestCache = requestCache;
this.clock = Clock.systemUTC();
}

Expand Down Expand Up @@ -116,7 +120,10 @@ public Optional<Gw2AuthUserV2> resolveUserForToken(HttpServletRequest request, S
user = new Gw2AuthUserV2(account.id(), accountFederation.issuer(), accountFederation.idAtIssuer(), sessionId, currentSessionMetadata, encryptionKeyBytes);
request.setAttribute(REQUEST_ATTRIBUTE_NAME, user);

CookieHelper.clearCookieIfPresent(request, AuthenticationHelper.getCurrentResponse().orElseThrow(), Constants.REDIRECT_URI_COOKIE_NAME);
HttpServletResponse response = AuthenticationHelper.getCurrentResponse().orElseThrow();
if (this.requestCache.getRequest(request, response) != null) {
this.requestCache.removeRequest(request, response);
}

return Optional.of(user);
}
Expand Down
17 changes: 0 additions & 17 deletions src/main/java/com/gw2auth/oauth2/server/util/Constants.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,24 +1,7 @@
package com.gw2auth.oauth2.server.util;

import org.springframework.security.web.savedrequest.CookieRequestCache;

import java.lang.reflect.Field;

public final class Constants {

public static final String LOGOUT_URL = "/auth/logout";
public static final String ACCESS_TOKEN_COOKIE_NAME = "BEARER";
public static final String REDIRECT_URI_COOKIE_NAME;

static {
try {
final Field field = CookieRequestCache.class.getDeclaredField("COOKIE_NAME");
final boolean wasAccessible = field.canAccess(null);
field.setAccessible(true);
REDIRECT_URI_COOKIE_NAME = (String) field.get(null);
field.setAccessible(wasAccessible);
} catch (ReflectiveOperationException e) {
throw new RuntimeException(e);
}
}
}
22 changes: 0 additions & 22 deletions src/main/java/com/gw2auth/oauth2/server/util/CookieHelper.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,28 +19,6 @@ public static void addCookie(HttpServletRequest request, HttpServletResponse res
response.addCookie(cookie);
}

public static void clearCookie(HttpServletRequest request, HttpServletResponse response, String name) {
final Cookie cookie = new Cookie(name, null);
cookie.setMaxAge(0);
cookie.setPath(getRequestContext(request));
cookie.setSecure(request.isSecure());
cookie.setHttpOnly(true);

response.addCookie(cookie);
}

public static void clearCookieIfPresent(HttpServletRequest request, HttpServletResponse response, String name) {
final Cookie[] cookies = request.getCookies();
if (cookies != null) {
for (Cookie cookie : cookies) {
if (cookie.getName().equals(name)) {
clearCookie(request, response, name);
break;
}
}
}
}

private static String getRequestContext(HttpServletRequest request) {
String contextPath = request.getContextPath();
return contextPath.isEmpty() ? "/" : contextPath;
Expand Down