All Downloads are FREE. Search and download functionalities are using the official Maven repository.

io.vertx.ext.web.handler.impl.JWTAuthHandlerImpl Maven / Gradle / Ivy

There is a newer version: 5.0.0.CR1
Show newest version
/*
 * Copyright 2014 Red Hat, Inc.
 *
 *  All rights reserved. This program and the accompanying materials
 *  are made available under the terms of the Eclipse Public License v1.0
 *  and Apache License v2.0 which accompanies this distribution.
 *
 *  The Eclipse Public License is available at
 *  http://www.eclipse.org/legal/epl-v10.html
 *
 *  The Apache License v2.0 is available at
 *  http://www.opensource.org/licenses/apache2.0.php
 *
 *  You may elect to redistribute this code under either of these licenses.
 */

package io.vertx.ext.web.handler.impl;

import io.vertx.core.AsyncResult;
import io.vertx.core.Future;
import io.vertx.core.Handler;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.User;
import io.vertx.ext.auth.authentication.TokenCredentials;
import io.vertx.ext.auth.jwt.JWTAuth;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.handler.HttpException;
import io.vertx.ext.web.handler.JWTAuthHandler;

import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/**
 * @author Paulo Lopes
 */
public class JWTAuthHandlerImpl extends HTTPAuthorizationHandler implements JWTAuthHandler, ScopedAuthentication {

  private final List scopes;
  private final String delimiter;

  public JWTAuthHandlerImpl(JWTAuth authProvider, String realm) {
    super(authProvider, Type.BEARER, realm);
    scopes = new ArrayList<>();
    this.delimiter  = " ";
  }

  private JWTAuthHandlerImpl(JWTAuthHandlerImpl base, List scopes, String delimiter) {
    super(base.authProvider, Type.BEARER, base.realm);
    this.scopes = scopes;
    this.delimiter = delimiter;
  }

  @Override
  public void authenticate(RoutingContext context, Handler> handler) {

    parseAuthorization(context, parseAuthorization -> {
      if (parseAuthorization.failed()) {
        handler.handle(Future.failedFuture(parseAuthorization.cause()));
        return;
      }

      String token = parseAuthorization.result();
      int segments = 0;
      for (int i = 0; i < token.length(); i++) {
        char c = token.charAt(i);
        if (c == '.') {
          if (++segments == 3) {
            handler.handle(Future.failedFuture(new HttpException(400, "Too many segments in token")));
            return;
          }
          continue;
        }
        if (Character.isLetterOrDigit(c) || c == '-' || c == '_') {
          continue;
        }
        // invalid character
        handler.handle(Future.failedFuture(new HttpException(400, "Invalid character in token: " + (int) c)));
        return;
      }

      authProvider.authenticate(new TokenCredentials(token), authn -> {
        if (authn.failed()) {
          handler.handle(Future.failedFuture(new HttpException(401, authn.cause())));
        } else {
          handler.handle(authn);
        }
      });
    });
  }

  @Override
  public JWTAuthHandler withScope(String scope) {
    List updatedScopes = new ArrayList<>(this.scopes);
    updatedScopes.add(scope);
    return new JWTAuthHandlerImpl(this, updatedScopes, delimiter);
  }

  @Override
  public JWTAuthHandler withScopes(List scopes) {
    return new JWTAuthHandlerImpl(this, scopes, delimiter);
  }

  @Override
  public JWTAuthHandler scopeDelimiter(String delimeter) {
    return new JWTAuthHandlerImpl(this, scopes, delimeter);
  }

  /**
   * The default behavior for post-authentication
   */
  @Override
  public void postAuthentication(RoutingContext ctx) {
    final User user = ctx.user();
    if (user == null) {
      // bad state
      ctx.fail(403, new IllegalStateException("no user in the context"));
      return;
    }
    // the user is authenticated, however the user may not have all the required scopes
    if (scopes.size() > 0) {
      final JsonObject jwt = user.get("accessToken");
      if (jwt == null) {
        ctx.fail(403, new IllegalStateException("Invalid JWT: null"));
        return;
      }

      if(jwt.getValue("scope") == null) {
        ctx.fail(403, new IllegalStateException("Invalid JWT: scope claim is required"));
        return;
      }

      List target;
      if (jwt.getValue("scope") instanceof String) {
        target =
          Stream.of(jwt.getString("scope")
            .split(delimiter))
            .collect(Collectors.toList());
      } else {
        target = jwt.getJsonArray("scope").getList();
      }

      if (target != null) {
        for (String scope : scopes) {
          if (!target.contains(scope)) {
            ctx.fail(403, new IllegalStateException("JWT scopes != handler scopes"));
            return;
          }
        }
      }
    }
    ctx.next();
  }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy