From b61e9a667b389f2f045e0d1bc0a5a1ac1e2b7dd3 Mon Sep 17 00:00:00 2001 From: inoshperera Date: Tue, 4 Aug 2020 20:12:37 +0530 Subject: [PATCH] Improve token validation login in valve --- .../device/mgt/common/spi/OTPManagementService.java | 5 +++-- .../core/otp/mgt/service/OTPManagementServiceImpl.java | 10 +++++----- .../authenticator/OneTimeTokenAuthenticator.java | 10 ++++++++-- 3 files changed, 16 insertions(+), 9 deletions(-) diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/spi/OTPManagementService.java b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/spi/OTPManagementService.java index 6ce92c27c9..1d23b20b03 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/spi/OTPManagementService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/spi/OTPManagementService.java @@ -19,6 +19,7 @@ package org.wso2.carbon.device.mgt.common.spi; import org.wso2.carbon.device.mgt.common.exceptions.BadRequestException; import org.wso2.carbon.device.mgt.common.exceptions.OTPManagementException; +import org.wso2.carbon.device.mgt.common.otp.mgt.dto.OTPMailDTO; import org.wso2.carbon.device.mgt.common.otp.mgt.wrapper.OTPMailWrapper; public interface OTPManagementService { @@ -35,9 +36,9 @@ public interface OTPManagementService { /** * Check the validity of the OTP * @param oneTimeToken OTP - * @return Ture if OTP is valid one, otherise returns false + * @return The OTP data * @throws OTPManagementException if error occurred whle verifying validity of the OPT * @throws BadRequestException if found an null value for OTP */ - boolean isValidOTP(String oneTimeToken) throws OTPManagementException, BadRequestException; + OTPMailDTO isValidOTP(String oneTimeToken) throws OTPManagementException, BadRequestException; } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/otp/mgt/service/OTPManagementServiceImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/otp/mgt/service/OTPManagementServiceImpl.java index 1df9b13b32..78276c45b5 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/otp/mgt/service/OTPManagementServiceImpl.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/otp/mgt/service/OTPManagementServiceImpl.java @@ -105,7 +105,7 @@ public class OTPManagementServiceImpl implements OTPManagementService { } @Override - public boolean isValidOTP(String oneTimeToken) throws OTPManagementException, BadRequestException { + public OTPMailDTO isValidOTP(String oneTimeToken) throws OTPManagementException, BadRequestException { OTPMailDTO otpMailDTO = getOTPDataByToken(oneTimeToken); if (otpMailDTO == null) { String msg = "Couldn't found OTP data for the requesting OTP " + oneTimeToken + " In the system."; @@ -115,11 +115,11 @@ public class OTPManagementServiceImpl implements OTPManagementService { if (otpMailDTO.isExpired()) { log.warn("Token is expired. OTP: " + oneTimeToken); - return false; + return null; } if (otpMailDTO.isTenantCreated()) { log.warn("Tenant is already created for the token. OTP: " + oneTimeToken); - return false; + return null; } Calendar calendar = Calendar.getInstance(); @@ -133,9 +133,9 @@ public class OTPManagementServiceImpl implements OTPManagementService { Gson gson = new Gson(); OTPMailWrapper otpMailWrapper = gson.fromJson(otpMailDTO.getMetaInfo(), OTPMailWrapper.class); resendUserVerifyingMail(otpMailWrapper.getFirstName(), renewedOTP, otpMailDTO.getEmail()); - return false; + return null; } - return true; + return otpMailDTO; } /** diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/OneTimeTokenAuthenticator.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/OneTimeTokenAuthenticator.java index 41f43eea9d..c5e9d90824 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/OneTimeTokenAuthenticator.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/OneTimeTokenAuthenticator.java @@ -20,9 +20,11 @@ package org.wso2.carbon.webapp.authenticator.framework.authenticator; import org.apache.catalina.connector.Response; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.wso2.carbon.device.mgt.common.otp.mgt.dto.OTPMailDTO; import org.wso2.carbon.device.mgt.common.spi.OTPManagementService; import org.wso2.carbon.webapp.authenticator.framework.AuthenticationInfo; import org.wso2.carbon.webapp.authenticator.framework.Constants; +import org.wso2.carbon.webapp.authenticator.framework.Utils.Utils; import org.wso2.carbon.webapp.authenticator.framework.internal.AuthenticatorFrameworkDataHolder; import java.util.Properties; @@ -47,9 +49,13 @@ public class OneTimeTokenAuthenticator implements WebappAuthenticator { try { OTPManagementService otpManagementService = AuthenticatorFrameworkDataHolder.getInstance() .getOtpManagementService(); - if (otpManagementService.isValidOTP(request.getHeader(Constants.HTTPHeaders.ONE_TIME_TOKEN_HEADER))) { + OTPMailDTO validOTP = otpManagementService.isValidOTP(request.getHeader(Constants.HTTPHeaders + .ONE_TIME_TOKEN_HEADER)); + if (validOTP != null) { authenticationInfo.setStatus(Status.CONTINUE); - authenticationInfo.setTenantId(-1); + authenticationInfo.setTenantId(validOTP.getTenantId()); + authenticationInfo.setTenantDomain(Utils.getTenantDomain(validOTP.getTenantId())); + authenticationInfo.setUsername(validOTP.getUsername()); } else { authenticationInfo.setStatus(Status.FAILURE); authenticationInfo.setMessage("Invalid OTP token.");