Fix unnecessary authentication token being sent in requests

2020-10-23 18:45:40 +02:00 · 2020-10-23 18:45:40 +02:00 · d4c7813c97
parent fccd7e70b1
commit d4c7813c97
8 changed files with 64 additions and 79 deletions
--- a/client/.classpath
+++ b/client/.classpath
@ -21,7 +21,6 @@
 	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/JavaSE-11">
 		<attributes>
 			<attribute name="maven.pomderived" value="true"/>
 			<attribute name="module" value="true"/>
 		</attributes>
 	</classpathentry>
 	<classpathentry kind="con" path="org.eclipse.m2e.MAVEN2_CLASSPATH_CONTAINER">
--- a/client/src/main/java/envoy/client/data/LocalDB.java
+++ b/client/src/main/java/envoy/client/data/LocalDB.java
@ -44,7 +44,6 @@ public final class LocalDB implements EventListener {
 	private IDGenerator				idGenerator;
 	private CacheMap				cacheMap	= new CacheMap();
 	private String					authToken;
 	private boolean					saveToken;
 	private boolean					contactsChanged;
 	// Auto save timer
@ -261,7 +260,7 @@ public final class LocalDB implements EventListener {
 						Context.getInstance().getClient().isOnline() ? Instant.now() : lastSync);
 			// Save last login information
-			if (saveToken && authToken != null)
+			if (authToken != null)
 				SerializationUtils.write(lastLoginFile, user, authToken);
 			// Save ID generator
@ -489,10 +488,4 @@ public final class LocalDB implements EventListener {
 	 * @since Envoy Client v0.2-beta
 	 */
 	public String getAuthToken() { return authToken; }
 	/**
 	 * @param saveToken whether the token will be persisted or deleted on shutdown
 	 * @since Envoy Client v0.3-beta
 	 */
 	public void setSaveToken(boolean saveToken) { this.saveToken = saveToken; }
 }
--- a/client/src/main/java/envoy/client/net/Client.java
+++ b/client/src/main/java/envoy/client/net/Client.java
@ -153,8 +153,7 @@ public final class Client implements EventListener, Closeable {
 		try {
 			SerializationUtils.writeBytesWithLength(
 				new AuthenticatedRequest<>(obj,
-					Context.getInstance().getLocalDB().getUser().getID(),
+					Context.getInstance().getLocalDB().getUser().getID()),
 					Context.getInstance().getLocalDB().getAuthToken()),
 				socket.getOutputStream());
 		} catch (final IOException e) {
 			throw new RuntimeException(e);
--- a/client/src/main/java/envoy/client/ui/controller/LoginScene.java
+++ b/client/src/main/java/envoy/client/ui/controller/LoginScene.java
@ -16,7 +16,7 @@ import envoy.data.LoginCredentials;
 import envoy.event.HandshakeRejection;
 import envoy.util.*;
-import envoy.client.data.*;
+import envoy.client.data.ClientConfig;
 import envoy.client.ui.Startup;
 import envoy.client.util.IconUtil;
@ -79,11 +79,9 @@ public final class LoginScene implements EventListener {
 	@FXML
 	private void loginButtonPressed() {
-		final String user = userTextField.getText(), pass = passwordField.getText(),
+		final String	user			= userTextField.getText(), pass = passwordField.getText(),
 			repeatPass = repeatPasswordField.getText();
-
+		final boolean	requestToken	= cbStaySignedIn.isSelected();
 		// Choose whether to persist the token or not
 		Context.getInstance().getLocalDB().setSaveToken(cbStaySignedIn.isSelected());
 		// Prevent registration with unequal passwords
 		if (registration && !pass.equals(repeatPass)) {
@ -98,8 +96,8 @@ public final class LoginScene implements EventListener {
 		} else {
 			Instant lastSync = Startup.loadLastSync(userTextField.getText());
 			Startup.performHandshake(registration
-				? LoginCredentials.registration(user, pass, Startup.VERSION, lastSync)
+				? LoginCredentials.registration(user, pass, requestToken, Startup.VERSION, lastSync)
-				: LoginCredentials.login(user, pass, Startup.VERSION, lastSync));
+				: LoginCredentials.login(user, pass, requestToken, Startup.VERSION, lastSync));
 		}
 	}
--- a/common/src/main/java/envoy/data/AuthenticatedRequest.java
+++ b/common/src/main/java/envoy/data/AuthenticatedRequest.java
@ -4,7 +4,7 @@ import java.io.Serializable;
 import java.util.Objects;
 /**
- * Wraps any request sent to the server in the authentication details of a user.
+ * Enables checking for the server whether the client is really who he is supposed to be.
 *
 * @author Leon Hofmeister
 * @param <T> the type of object to be sent
@ -12,30 +12,21 @@ import java.util.Objects;
 */
 public final class AuthenticatedRequest<T extends Serializable> implements Serializable {
-	private final T			request;
+	private final T		request;
-	private final String	authentication;
+	private final long	userID;
 	private final long		userID;
 	private static final long serialVersionUID = 1L;
 	/**
-	 * @param request        the actual object that should be sent
+	 * @param request the actual object that should be sent
-	 * @param userID         the ID of the currently logged in user
+	 * @param userID  the ID of the currently logged in user
 	 * @param authentication the authentication of the currently logged in user
 	 * @since Envoy Common v0.3-beta
 	 */
-	public AuthenticatedRequest(T request, long userID, String authentication) {
+	public AuthenticatedRequest(T request, long userID) {
-		this.request		= Objects.requireNonNull(request);
+		this.request	= Objects.requireNonNull(request);
-		this.userID			= userID;
+		this.userID		= userID;
 		this.authentication	= authentication == null ? "" : authentication;
 	}
 	/**
 	 * @return the authentication token of the currently logged in user
 	 * @since Envoy Common v0.3-beta
 	 */
 	public String getAuthentication() { return authentication; }
 	/**
 	 * @return the request
 	 * @since Envoy Common v0.3-beta
--- a/common/src/main/java/envoy/data/LoginCredentials.java
+++ b/common/src/main/java/envoy/data/LoginCredentials.java
@ -15,18 +15,18 @@ import java.util.Objects;
 public final class LoginCredentials implements Serializable {
 	private final String	identifier, password, clientVersion;
-	private final boolean	registration, token;
+	private final boolean	registration, token, requestToken;
 	private final Instant	lastSync;
 	private static final long serialVersionUID = 4;
 	private LoginCredentials(String identifier, String password, boolean registration,
-		boolean token, String clientVersion,
+		boolean token, boolean requestToken, String clientVersion, Instant lastSync) {
 		Instant lastSync) {
 		this.identifier		= Objects.requireNonNull(identifier);
 		this.password		= Objects.requireNonNull(password);
 		this.registration	= registration;
 		this.token			= token;
 		this.requestToken	= requestToken;
 		this.clientVersion	= Objects.requireNonNull(clientVersion);
 		this.lastSync		= lastSync == null ? Instant.EPOCH : lastSync;
 	}
@ -36,14 +36,15 @@ public final class LoginCredentials implements Serializable {
 	 *
 	 * @param identifier    the identifier of the user
 	 * @param password      the password of the user
 	 * @param requestToken  requests the server to generate an authentication token
 	 * @param clientVersion the version of the client sending these credentials
 	 * @param lastSync      the timestamp of the last synchronization
 	 * @return the created login credentials
 	 * @since Envoy Common v0.2-beta
 	 */
-	public static LoginCredentials login(String identifier, String password,
+	public static LoginCredentials login(String identifier, String password, boolean requestToken,
 		String clientVersion, Instant lastSync) {
-		return new LoginCredentials(identifier, password, false, false, clientVersion,
+		return new LoginCredentials(identifier, password, false, false, requestToken, clientVersion,
 			lastSync);
 	}
@ -59,7 +60,7 @@ public final class LoginCredentials implements Serializable {
 	 */
 	public static LoginCredentials loginWithToken(String identifier, String token,
 		String clientVersion, Instant lastSync) {
-		return new LoginCredentials(identifier, token, false, true, clientVersion, lastSync);
+		return new LoginCredentials(identifier, token, false, true, false, clientVersion, lastSync);
 	}
 	/**
@ -67,24 +68,27 @@ public final class LoginCredentials implements Serializable {
 	 *
 	 * @param identifier    the identifier of the user
 	 * @param password      the password of the user
 	 * @param requestToken  requests the server to generate an authentication token
 	 * @param clientVersion the version of the client sending these credentials
 	 * @param lastSync      the timestamp of the last synchronization
 	 * @return the created login credentials
 	 * @since Envoy Common v0.2-beta
 	 */
 	public static LoginCredentials registration(String identifier, String password,
 		boolean requestToken,
 		String clientVersion, Instant lastSync) {
-		return new LoginCredentials(identifier, password, true, false, clientVersion,
+		return new LoginCredentials(identifier, password, true, false, requestToken, clientVersion,
 			lastSync);
 	}
 	@Override
 	public String toString() {
 		return String.format(
-			"LoginCredentials[identifier=%s,registration=%b,token=%b,clientVersion=%s,lastSync=%s]",
+			"LoginCredentials[identifier=%s,registration=%b,token=%b,requestToken=%b,clientVersion=%s,lastSync=%s]",
 			identifier,
 			registration,
 			token,
 			requestToken,
 			clientVersion,
 			lastSync);
 	}
@ -116,6 +120,14 @@ public final class LoginCredentials implements Serializable {
 		return token;
 	}
 	/**
 	 * @return {@code true} if the server should generate a new authentication token
 	 * @since Envoy Common v0.2-beta
 	 */
 	public boolean requestToken() {
 		return requestToken;
 	}
 	/**
 	 * @return the version of the client sending these credentials
 	 * @since Envoy Common v0.1-beta
--- a/server/src/main/java/envoy/server/net/ObjectMessageProcessor.java
+++ b/server/src/main/java/envoy/server/net/ObjectMessageProcessor.java
@ -6,12 +6,11 @@ import java.util.Set;
 import java.util.logging.*;
 import com.jenkov.nioserver.*;
 import com.jenkov.nioserver.Message;
 import envoy.data.AuthenticatedRequest;
 import envoy.util.EnvoyLog;
-import envoy.server.data.*;
+import envoy.server.data.PersistenceManager;
 import envoy.server.processors.ObjectProcessor;
 /**
@ -49,32 +48,25 @@ public final class ObjectMessageProcessor implements IMessageProcessor {
 			// authenticate requests if necessary
 			boolean authenticated = false;
 			if (obj instanceof AuthenticatedRequest)
 				try {
 					authenticated = PersistenceManager
 						.getInstance().getUserByID(((AuthenticatedRequest<?>) obj).getUserID())
 						.getID() == ConnectionManager.getInstance()
 							.getUserIDBySocketID(message.socketId);
-			if (obj instanceof AuthenticatedRequest) {
+					// Class cast exception and NullPointerException are valid here and signify a
-				Contact contact = PersistenceManager.getInstance()
+					// failed authentication
-					.getContactByID(((AuthenticatedRequest<?>) obj).getUserID());
+				} catch (ClassCastException | NullPointerException e) {} finally {
-
+					obj = ((AuthenticatedRequest<?>) obj).getRequest();
 				// Validating the authenticity of the request
 				if (contact == null || contact instanceof Group
 					|| !((AuthenticatedRequest<?>) obj).getAuthentication()
 						.equals(((User) contact).getAuthToken())) {
 					// Invalid request
 					logger.log(Level.INFO,
 						"A user tried to perform an authenticated request but could not identify himself. Discarding request.");
 					return;
 				}
-
+			logger.log(Level.INFO,
-				// Valid request
+				"Received " + (authenticated ? "" : "un") + "authenticated " + obj);
 				logger.log(Level.INFO, "A user successfully authenticated a request for " + obj);
 				authenticated	= true;
 				obj				= ((AuthenticatedRequest<?>) obj).getRequest();
 			} else
 				logger.log(Level.FINE, "Received unauthenticated " + obj);
 			refer(message.socketId, writeProxy, obj, authenticated);
 		} catch (IOException | ClassNotFoundException e) {
-			e.printStackTrace();
+			logger.log(Level.WARNING,
 				"An exception occurred when reading in an object: " + e);
 		}
 	}
--- a/server/src/main/java/envoy/server/processors/LoginCredentialProcessor.java
+++ b/server/src/main/java/envoy/server/processors/LoginCredentialProcessor.java
@ -124,22 +124,23 @@ public final class LoginCredentialProcessor implements ObjectProcessor<LoginCred
 		UserStatusChangeProcessor.updateUserStatus(user, ONLINE);
 		// Process token request
-		String token;
+		if (credentials.requestToken()) {
-		if (user.getAuthToken() != null && user.getAuthTokenExpiration().isAfter(Instant.now()))
+			String token;
 			if (user.getAuthToken() != null && user.getAuthTokenExpiration().isAfter(Instant.now()))
-			// Reuse existing token and delay expiration date
+				// Reuse existing token and delay expiration date
-			token = user.getAuthToken();
+				token = user.getAuthToken();
-		else {
+			else {
-			// Generate new token
+				// Generate new token
-			token = AuthTokenGenerator.nextToken();
+				token = AuthTokenGenerator.nextToken();
-			user.setAuthToken(token);
+				user.setAuthToken(token);
 			}
 			user.setAuthTokenExpiration(Instant.now().plus(
 				ServerConfig.getInstance().getAuthTokenExpiration().longValue(), ChronoUnit.DAYS));
 			persistenceManager.updateContact(user);
 			writeProxy.write(socketID, new NewAuthToken(token));
 		}
 		user.setAuthTokenExpiration(Instant.now().plus(
 			ServerConfig.getInstance().getAuthTokenExpiration().longValue(), ChronoUnit.DAYS));
 		persistenceManager.updateContact(user);
 		writeProxy.write(socketID, new NewAuthToken(token));
 		final var pendingMessages =
 			PersistenceManager.getInstance().getPendingMessages(user, credentials.getLastSync());
 		pendingMessages.removeIf(GroupMessage.class::isInstance);