Luc Everse · fa04ae44 · 250cf1d6 · fa04ae44
--- a/core/src/main/java/nl/tudelft/ewi/auta/core/authentication/TokenAuthenticationFilter.java

+ 51

− 2

View file @ 250cf1d6

Open in Web IDE
+++ b/core/src/main/java/nl/tudelft/ewi/auta/core/authentication/TokenAuthenticationFilter.java

+ 51

− 2

View file @ 250cf1d6

Open in Web IDE
 @@ -2,7 +2,12 @@ package nl.tudelft.ewi.auta.core.authentication;

 import java.io.IOException;
 import java.sql.SQLException;
+import java.util.Spliterator;
+import java.util.Spliterators;
+import java.util.stream.Collectors;
+import java.util.stream.StreamSupport;

+import javax.annotation.Nullable;
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 @@ -10,9 +15,11 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;

 import nl.tudelft.ewi.auta.core.authentication.database.DatabaseConnector;
+import nl.tudelft.ewi.auta.core.response.exception.InvalidTokenException;
 import nl.tudelft.ewi.auta.core.response.exception.MissingUserException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpHeaders;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Service;
 import org.springframework.web.filter.GenericFilterBean;
 @@ -24,6 +31,11 @@ import org.springframework.web.filter.GenericFilterBean;
 public class TokenAuthenticationFilter extends GenericFilterBean {
    private static final Logger logger = LoggerFactory.getLogger(TokenAuthenticationFilter.class);

+    /**
+     * The prefix of AuTA authorization headers.
+     */
+    private static final String AUTH_PREFIX = "AutaToken ";
+
    /**
     * The authentication database to query.
     */
 @@ -53,8 +65,13 @@ public class TokenAuthenticationFilter extends GenericFilterBean {
            final FilterChain chain)
            throws IOException, ServletException {
        var httpRequest = (HttpServletRequest) request;
-        var token = httpRequest.getHeader("Auth-Token");
-        if (token == null && request.getParameter("auth-token") != null) {
+
+        @Nullable
+        var token = this.getAuthToken(httpRequest);
+        if (token == null) {
+            token = httpRequest.getHeader("Auth-Token");
+        }
+        if (token == null) {
            token = request.getParameter("auth-token");
        }

 @@ -65,6 +82,38 @@ public class TokenAuthenticationFilter extends GenericFilterBean {
        chain.doFilter(request, response);
    }

+    /**
+     * Returns the authentication token of the Authorization header.
+     *
+     * This only recognizes the Auta-Token type.
+     *
+     * @param req the request containing the Authorization header
+     *
+     * @return the token, or {@code null} if no token is present
+     *
+     * @throws InvalidTokenException if more than one token was present
+     */
+    @Nullable
+    private String getAuthToken(final HttpServletRequest req) {
+        final var tokens = StreamSupport.stream(
+                Spliterators.spliteratorUnknownSize(
+                        req.getHeaders(HttpHeaders.AUTHORIZATION).asIterator(), Spliterator.ORDERED
+                ), false
+        ).filter(h -> h.startsWith(AUTH_PREFIX))
+         .map(h -> h.substring(AUTH_PREFIX.length()))
+         .collect(Collectors.toList());
+
+        if (tokens.isEmpty()) {
+            return null;
+        }
+
+        if (tokens.size() > 1) {
+            throw new InvalidTokenException("More than one token was passed");
+        }
+
+        return tokens.get(0);
+    }
+
    /**
     * Sets the token for the current session.
     * @param token the token string