You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@fineract.apache.org by vo...@apache.org on 2020/01/08 21:50:26 UTC

[fineract] branch develop updated: Change /authentication API to pass data in request body instead of URL arguments (FINERACT-726)

This is an automated email from the ASF dual-hosted git repository.

vorburger pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/fineract.git


The following commit(s) were added to refs/heads/develop by this push:
     new a93a6b8  Change /authentication API to pass data in request body instead of URL arguments (FINERACT-726)
a93a6b8 is described below

commit a93a6b848732141494b2f0cc11de346623bc23e6
Author: Michael Vorburger <mi...@vorburger.ch>
AuthorDate: Sat Jan 4 13:24:24 2020 +0100

    Change /authentication API to pass data in request body instead of URL arguments (FINERACT-726)
---
 .../fineract/integrationtests/common/Utils.java    | 11 +++++--
 .../security/api/AuthenticationApiResource.java    | 35 ++++++++++++++++------
 .../api/SelfAuthenticationApiResource.java         | 12 ++++----
 3 files changed, 40 insertions(+), 18 deletions(-)

diff --git a/fineract-provider/src/integrationTest/java/org/apache/fineract/integrationtests/common/Utils.java b/fineract-provider/src/integrationTest/java/org/apache/fineract/integrationtests/common/Utils.java
index cf4ee66..68142e0 100644
--- a/fineract-provider/src/integrationTest/java/org/apache/fineract/integrationtests/common/Utils.java
+++ b/fineract-provider/src/integrationTest/java/org/apache/fineract/integrationtests/common/Utils.java
@@ -34,6 +34,7 @@ import java.util.Random;
 import java.util.TimeZone;
 
 import com.jayway.restassured.RestAssured;
+import com.jayway.restassured.http.ContentType;
 import com.jayway.restassured.path.json.JsonPath;
 import com.jayway.restassured.response.Response;
 import com.jayway.restassured.specification.RequestSpecification;
@@ -62,7 +63,7 @@ public class Utils {
     public static final String TENANT_TIME_ZONE = "Asia/Kolkata";
 
     private static final String HEALTH_URL = "/fineract-provider/actuator/health";
-    private static final String LOGIN_URL  = "/fineract-provider/api/v1/authentication?username=mifos&password=password&" + TENANT_IDENTIFIER;
+    private static final String LOGIN_URL  = "/fineract-provider/api/v1/authentication?" + TENANT_IDENTIFIER;
 
     public static void initializeRESTAssured() {
         RestAssured.baseURI = "https://localhost";
@@ -116,9 +117,13 @@ public class Utils {
         try {
             logger.info("Logging in, for integration test...");
             System.out.println("-----------------------------------LOGIN-----------------------------------------");
-            final String json = RestAssured.post(LOGIN_URL).asString();
+            String json = RestAssured.given().contentType(ContentType.JSON)
+                .body("{\"username\":\"mifos\", \"password\":\"password\"}")
+                .expect().log().ifError().when().post(LOGIN_URL).asString();
             assertThat("Failed to login into fineract platform", StringUtils.isBlank(json), is(false));
-            return JsonPath.with(json).get("base64EncodedAuthenticationKey");
+            String key = JsonPath.with(json).get("base64EncodedAuthenticationKey");
+            assertThat("Failed to obtain key: " + json, StringUtils.isBlank(key), is(false));
+            return key;
         } catch (final Exception e) {
             if (e instanceof HttpHostConnectException) {
                 final HttpHostConnectException hh = (HttpHostConnectException) e;
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/api/AuthenticationApiResource.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/api/AuthenticationApiResource.java
index c99a4fd..7ddf2f8 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/api/AuthenticationApiResource.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/api/AuthenticationApiResource.java
@@ -22,6 +22,7 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Set;
 
+import javax.ws.rs.Consumes;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
@@ -48,15 +49,22 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.stereotype.Component;
 
+import com.google.gson.Gson;
+
 import com.sun.jersey.core.util.Base64;
 
-@Path("/authentication")
 @Component
-@Profile("basicauth")
 @Scope("singleton")
+@Profile("basicauth")
+@Path("/authentication")
 @Api(value = "Authentication HTTP Basic", description = "An API capability that allows client applications to verify authentication details using HTTP Basic Authentication.")
 public class AuthenticationApiResource {
 
+    public static class AuthenticateRequest {
+        public String username;
+        public String password;
+    }
+
     private final DaoAuthenticationProvider customAuthenticationProvider;
     private final ToApiJsonSerializer<AuthenticatedUserData> apiJsonSerializerService;
     private final SpringSecurityPlatformSecurityContext springSecurityPlatformSecurityContext;
@@ -74,16 +82,25 @@ public class AuthenticationApiResource {
     }
 
     @POST
+    @Consumes({ MediaType.APPLICATION_JSON })
     @Produces({ MediaType.APPLICATION_JSON })
     @ApiOperation(value = "Verify authentication", notes = "Authenticates the credentials provided and returns the set roles and permissions allowed.")
     @ApiResponses({@ApiResponse(code = 200, message = "", response = AuthenticationApiResourceSwagger.PostAuthenticationResponse.class), @ApiResponse(code = 400, message = "Unauthenticated. Please login")})
-    public String authenticate(@QueryParam("username") @ApiParam(value = "username") final String username, @QueryParam("password") @ApiParam(value = "password") final String password) {
+    public String authenticate(final String apiRequestBodyAsJson) {
+        // TODO FINERACT-819: sort out Jersey so JSON conversion does not have to be done explicitly via GSON here, but implicit by arg
+        AuthenticateRequest request = new Gson().fromJson(apiRequestBodyAsJson, AuthenticateRequest.class);
+        if (request == null) {
+            throw new IllegalArgumentException("Invalid JSON in BODY (no longer URL param; see FINERACT-726) of POST to /authentication: " + apiRequestBodyAsJson);
+        }
+        if (request.username == null || request.password == null) {
+            throw new IllegalArgumentException("Username or Password is null in JSON (see FINERACT-726) of POST to /authentication: " + apiRequestBodyAsJson + "; username=" + request.username + ", password=" + request.password);
+        }
 
-        final Authentication authentication = new UsernamePasswordAuthenticationToken(username, password);
+        final Authentication authentication = new UsernamePasswordAuthenticationToken(request.username, request.password);
         final Authentication authenticationCheck = this.customAuthenticationProvider.authenticate(authentication);
 
         final Collection<String> permissions = new ArrayList<>();
-        AuthenticatedUserData authenticatedUserData = new AuthenticatedUserData(username, permissions);
+        AuthenticatedUserData authenticatedUserData = new AuthenticatedUserData(request.username, permissions);
 
         if (authenticationCheck.isAuthenticated()) {
             final Collection<GrantedAuthority> authorities = new ArrayList<>(authenticationCheck.getAuthorities());
@@ -91,7 +108,7 @@ public class AuthenticationApiResource {
                 permissions.add(grantedAuthority.getAuthority());
             }
 
-            final byte[] base64EncodedAuthenticationKey = Base64.encode(username + ":" + password);
+            final byte[] base64EncodedAuthenticationKey = Base64.encode(request.username + ":" + request.password);
 
             final AppUser principal = (AppUser) authenticationCheck.getPrincipal();
             final Collection<RoleData> roles = new ArrayList<>();
@@ -111,11 +128,11 @@ public class AuthenticationApiResource {
             boolean isTwoFactorRequired = twoFactorUtils.isTwoFactorAuthEnabled() && !
                     principal.hasSpecificPermissionTo(TwoFactorConstants.BYPASS_TWO_FACTOR_PERMISSION);
             if (this.springSecurityPlatformSecurityContext.doesPasswordHasToBeRenewed(principal)) {
-                authenticatedUserData = new AuthenticatedUserData(username, principal.getId(),
+                authenticatedUserData = new AuthenticatedUserData(request.username, principal.getId(),
                         new String(base64EncodedAuthenticationKey), isTwoFactorRequired);
             } else {
 
-                authenticatedUserData = new AuthenticatedUserData(username, officeId, officeName, staffId, staffDisplayName,
+                authenticatedUserData = new AuthenticatedUserData(request.username, officeId, officeName, staffId, staffDisplayName,
                         organisationalRole, roles, permissions, principal.getId(),
                         new String(base64EncodedAuthenticationKey), isTwoFactorRequired);
             }
@@ -124,4 +141,4 @@ public class AuthenticationApiResource {
 
         return this.apiJsonSerializerService.serialize(authenticatedUserData);
     }
-}
\ No newline at end of file
+}
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/self/security/api/SelfAuthenticationApiResource.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/self/security/api/SelfAuthenticationApiResource.java
index b5b6671..d1bd98a 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/self/security/api/SelfAuthenticationApiResource.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/self/security/api/SelfAuthenticationApiResource.java
@@ -25,16 +25,17 @@ import org.springframework.context.annotation.Profile;
 import org.springframework.context.annotation.Scope;
 import org.springframework.stereotype.Component;
 
+import javax.ws.rs.Consumes;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.MediaType;
 
-@Path("/self/authentication")
 @Component
-@Profile("basicauth")
 @Scope("singleton")
+@Profile("basicauth")
+@Path("/self/authentication")
 @Api(value = "Self Authentication", description = "")
 public class SelfAuthenticationApiResource {
 
@@ -47,12 +48,11 @@ public class SelfAuthenticationApiResource {
 	}
 
 	@POST
+	@Consumes({ MediaType.APPLICATION_JSON })
 	@Produces({ MediaType.APPLICATION_JSON })
 	@ApiOperation(value = "Verify authentication", httpMethod = "POST", notes = "Authenticates the credentials provided and returns the set roles and permissions allowed.\n\n" + "Please visit this link for more info - https://demo.openmf.org/api-docs/apiLive.htm#selfbasicauth")
 	@ApiResponses({@ApiResponse(code = 200, message = "OK", response = SelfAuthenticationApiResourceSwagger.PostSelfAuthenticationResponse.class)})
-	public String authenticate(@QueryParam("username") @ApiParam(value = "username") final String username,
-			@QueryParam("password") @ApiParam(value = "password") final String password) {
-		return this.authenticationApiResource.authenticate(username, password);
+	public String authenticate(final String apiRequestBodyAsJson) {
+		return this.authenticationApiResource.authenticate(apiRequestBodyAsJson);
 	}
-
 }