OAP-128 SSO: verify user validity during cookie validation

oaplatform · May 8, 2024 · a170ad0 · a170ad0
1 parent 81a20cb
commit a170ad0
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 13 deletions.
diff --git a/oap-ws/oap-ws-sso-api/src/main/java/oap/ws/sso/UserProvider.java b/oap-ws/oap-ws-sso-api/src/main/java/oap/ws/sso/UserProvider.java
@@ -30,14 +30,6 @@
 import java.util.function.Function;
 
 public interface UserProvider {
-    Optional<? extends User> getUser( String email );
-
-    Result<? extends User, AuthenticationFailure> getAuthenticated( String email, String password, Optional<String> tfaCode );
-
-    Result<? extends User, AuthenticationFailure> getAuthenticated( String email, Optional<String> tfaCode );
-
-    Optional<? extends User> getAuthenticatedByApiKey( String accessKey, String apiKey );
-
     //eliminating most used letters in english from source
     static String toAccessKey( String email ) {
         int[] transitions = { 6, 11, 3, 10, 4, 1, 5, 0, 7, 2, 9, 8 };
@@ -60,4 +52,14 @@ static String toAccessKey( String email ) {
         }
         return result.toString();
     }
+
+    Optional<? extends User> getUser( String email );
+
+    Result<? extends User, String> getValidUser( String email );
+
+    Result<? extends User, AuthenticationFailure> getAuthenticated( String email, String password, Optional<String> tfaCode );
+
+    Result<? extends User, AuthenticationFailure> getAuthenticated( String email, Optional<String> tfaCode );
+
+    Optional<? extends User> getAuthenticatedByApiKey( String accessKey, String apiKey );
 }
diff --git a/oap-ws/oap-ws-sso-api/src/main/java/oap/ws/sso/interceptor/JWTSecurityInterceptor.java b/oap-ws/oap-ws-sso-api/src/main/java/oap/ws/sso/interceptor/JWTSecurityInterceptor.java
@@ -25,6 +25,7 @@
 package oap.ws.sso.interceptor;
 
 import lombok.extern.slf4j.Slf4j;
+import oap.util.Result;
 import oap.ws.InvocationContext;
 import oap.ws.Response;
 import oap.ws.interceptor.Interceptor;
@@ -87,11 +88,11 @@ public Optional<Response> before( InvocationContext context ) {
             final String email = jwtExtractor.getUserEmail( token );
             organization = jwtExtractor.getOrganizationId( token );
 
-            User user = userProvider.getUser( email ).orElse( null );
-            if( user == null ) {
-                return Optional.of( new Response( FORBIDDEN, "User not found with email: " + email ) );
+            Result<? extends User, String> validUser = userProvider.getValidUser( email );
+            if( !validUser.isSuccess() ) {
+                return Optional.of( new Response( FORBIDDEN, validUser.failureValue ) );
             }
-            context.session.set( SESSION_USER_KEY, user );
+            context.session.set( SESSION_USER_KEY, validUser.successValue );
             context.session.set( ISSUER, issuerName );
         }
         Optional<WsSecurity> wss = context.method.findAnnotation( WsSecurity.class );

diff --git a/pom.xml b/pom.xml
@@ -70,7 +70,7 @@
     </distributionManagement>
 
     <properties>
-        <oap.project.version>22.1.5</oap.project.version>
+        <oap.project.version>22.2.0</oap.project.version>
 
         <oap.deps.config.version>21.0.0</oap.deps.config.version>
         <oap.deps.oap-teamcity.version>21.0.1</oap.deps.oap-teamcity.version>