ID-3562: Fjerne basic-auth for login-api (#162)

* Bump org.mariadb.jdbc:mariadb-java-client from 3.2.0 to 3.3.0 Bumps [org.mariadb.jdbc:mariadb-java-client](https://github.com/mariadb-corporation/mariadb-connector-j) from 3.2.0 to 3.3.0. - [Release notes](https://github.com/mariadb-corporation/mariadb-connector-j/releases) - [Changelog](https://github.com/mariadb-corporation/mariadb-connector-j/blob/master/CHANGELOG.md) - [Commits](mariadb-corporation/mariadb-connector-j@3.2.0...3.3.0) --- updated-dependencies: - dependency-name: org.mariadb.jdbc:mariadb-java-client dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * ID-3562: Fjerne basic-auth for login-api * ID-3562: api-key must be present --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
felleslosninger · Nov 22, 2023 · 843d6d5 · 843d6d5
1 parent 4ce7bf8
commit 843d6d5
Show file tree

Hide file tree

Showing 9 changed files with 7 additions and 62 deletions.
diff --git a/docker/settings.xml b/docker/settings.xml
@@ -19,14 +19,6 @@
             </repositories>
         </profile>
     </profiles>
-    <mirrors>
-        <mirror>
-            <id>difi-artifactory-http-unblock</id>
-            <mirrorOf>difi-artifactory</mirrorOf>
-            <name>Dummy mirror to override default blocking mirror that blocks http</name>
-            <url>http://eid-artifactory.dmz.local:8080/artifactory/libs-release</url>
-        </mirror>
-    </mirrors>
     <servers>
         <server>
             <id>github</id>

diff --git a/pom.xml b/pom.xml
@@ -70,7 +70,7 @@
         <dependency>
             <groupId>org.mariadb.jdbc</groupId>
             <artifactId>mariadb-java-client</artifactId>
-            <version>3.2.0</version>
+            <version>3.3.0</version>
         </dependency>
         <dependency>
             <groupId>com.h2database</groupId>

diff --git a/src/main/java/no/idporten/userservice/config/TokenAuthenticationFilter.java b/src/main/java/no/idporten/userservice/config/TokenAuthenticationFilter.java
@@ -6,6 +6,8 @@
 import jakarta.servlet.http.HttpFilter;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotEmpty;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
@@ -15,38 +17,32 @@
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Component;
+import org.springframework.validation.annotation.Validated;
 
 import java.io.IOException;
-import java.io.UnsupportedEncodingException;
 import java.util.ArrayList;
-import java.util.Base64;
 import java.util.Collection;
 
 @WebFilter(urlPatterns = "/login/*")
 @Order(Ordered.HIGHEST_PRECEDENCE)
 @Component
+@Validated
 public class TokenAuthenticationFilter extends HttpFilter {
 
     public static final String API_KEY_NAME = "api-key";
 
     @Value("${spring.security.api-key}")
+    @NotBlank(message = "api-key must not be blank")
     private String apiKey;
 
-    @Value("${spring.security.user.name}") //TODO: remove this when login is updated with api-key
-    private String basicUsername;
-
-    @Value("${spring.security.user.password}") //TODO: remove this when login is updated with api-key
-    private String basicPassword;
-
     @Override
     public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
         // get api-key from request header
 
         if (request.getRequestURI().contains("login")) {
 
             String apiKeyRecived = request.getHeader(API_KEY_NAME);
-            boolean isBasicAuth = isBasicAuth(request);
-            if ((apiKey == null || !apiKey.equals(apiKeyRecived)) && !isBasicAuth) {
+            if (apiKey == null || !apiKey.equals(apiKeyRecived)) {
                 response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
             } else {
                 // create default user and add to context
@@ -61,29 +57,4 @@ public void doFilter(HttpServletRequest request, HttpServletResponse response, F
         chain.doFilter(request, response);
     }
 
-    /**
-     * Check if request is using basic auth and verify it
-     *
-     * TODO: REMOVE when login has changed to api-key
-     *
-     * @param request
-     * @return
-     * @throws UnsupportedEncodingException
-     */
-    private boolean isBasicAuth(HttpServletRequest request) throws UnsupportedEncodingException {
-        String basicauth = request.getHeader("Authorization");
-        if (basicauth == null || !basicauth.startsWith("Basic ")) {
-            return false;
-        }
-        byte[] decoded = Base64.getDecoder().decode(basicauth.substring("Basic ".length()));
-        if (decoded == null) {
-            return false;
-        }
-        String[] credentials = new String(decoded, "UTF-8").split(":");
-        if (credentials == null || credentials.length != 2) {
-            return false;
-        }
-        return basicUsername.equals(credentials[0]) && basicPassword.equals(credentials[1]);
-
-    }
 }
diff --git a/src/main/resources/application-docker.yaml b/src/main/resources/application-docker.yaml
@@ -39,9 +39,6 @@ spring:
       max-lifetime: 500 # maximum lifetime in milliseconds of a connection in the pool after it is closed.
   security:
     api-key: mytoken-docker
-    user:
-      name: user
-      password: password
     oauth2:
       resource:
         jwt:

diff --git a/src/main/resources/application-local-dev.yaml b/src/main/resources/application-local-dev.yaml
@@ -18,9 +18,6 @@ spring:
       max-lifetime: 500 # maximum lifetime in milliseconds of a connection in the pool after it is closed.
   security:
     api-key: mytoken
-    user:
-      name: user
-      password: password
     oauth2:
       resource:
         jwt:

diff --git a/src/main/resources/application-local-h2.yaml b/src/main/resources/application-local-h2.yaml
@@ -14,9 +14,6 @@ spring:
     database-platform: org.hibernate.dialect.H2Dialect
   security:
     api-key: mytoken
-    user:
-      name: user
-      password: password
     oauth2:
       resource:
         jwt:

diff --git a/src/main/resources/application-prod.yaml b/src/main/resources/application-prod.yaml
@@ -13,9 +13,6 @@ spring:
       max-lifetime: 1000 # maximum lifetime in milliseconds of a connection in the pool after it is closed.
   security:
     api-key: ${API_KEY}
-    user:
-      name: ${API_USER}
-      password: ${API_USER_PASSWORD}
     oauth2:
       resource:
         jwt:

diff --git a/src/main/resources/application-systest.yaml b/src/main/resources/application-systest.yaml
@@ -18,9 +18,6 @@ spring:
       max-lifetime: 1000 # maximum lifetime in milliseconds of a connection in the pool after it is closed.
   security:
     api-key: ${API_KEY}
-    user:
-      name: ${API_USER}
-      password: ${API_USER_PASSWORD}
     oauth2:
       resource:
         jwt:

diff --git a/src/main/resources/application-test.yaml b/src/main/resources/application-test.yaml
@@ -13,9 +13,6 @@ spring:
       max-lifetime: 1000 # maximum lifetime in milliseconds of a connection in the pool after it is closed.
   security:
     api-key: ${API_KEY}
-    user:
-      name: ${API_USER}
-      password: ${API_USER_PASSWORD}
     oauth2:
       resource:
         jwt: