Commit 971a23c

committed

Validate account status in OneTimeTokenAuthenticationProvider

The main problem is that OneTimeTokenAuthenticationProvider does not extend from AbstractUserDetailsAuthenticationProvider, which has a preauthentication check for user details. However, we do not need to extend from it because it does not fit the context of the class. In this regard, I decided to add my own checker to this commit, which performs a preauthentication check before authorizing the account, similar to how it is done in AbstractUserDetailsAuthenticationProvider. I also added a test to OneTimeTokenAuthenticationProviderTests that identifies this problem. Closes: gh-17655 Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>

1 parent f61a8de commit 971a23cCopy full SHA for 971a23c

File tree

2 files changed

+67

-1

lines changed

core/src
- main/java/org/springframework/security/authentication/ott
  - OneTimeTokenAuthenticationProvider.java
- test/java/org/springframework/security/authentication/ott
  - OneTimeTokenAuthenticationProviderTests.java

2 files changed

+67

-1

lines changed

`‎core/src/main/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationProvider.java‎`

Lines changed: 54 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -16,11 +16,21 @@`
`16`	`16`
`17`	`17`	`package org.springframework.security.authentication.ott;`
`18`	`18`
	`19`	`+import org.apache.commons.logging.Log;`
	`20`	`+import org.apache.commons.logging.LogFactory;`
	`21`	`+import org.springframework.context.MessageSource;`
	`22`	`+import org.springframework.context.MessageSourceAware;`
	`23`	`+import org.springframework.context.support.MessageSourceAccessor;`
	`24`	`+import org.springframework.security.authentication.AccountExpiredException;`
`19`	`25`	`import org.springframework.security.authentication.AuthenticationProvider;`
`20`	`26`	`import org.springframework.security.authentication.BadCredentialsException;`
	`27`	`+import org.springframework.security.authentication.DisabledException;`
	`28`	`+import org.springframework.security.authentication.LockedException;`
`21`	`29`	`import org.springframework.security.core.Authentication;`
`22`	`30`	`import org.springframework.security.core.AuthenticationException;`
	`31`	`+import org.springframework.security.core.SpringSecurityMessageSource;`
`23`	`32`	`import org.springframework.security.core.userdetails.UserDetails;`
	`33`	`+import org.springframework.security.core.userdetails.UserDetailsChecker;`
`24`	`34`	`import org.springframework.security.core.userdetails.UserDetailsService;`
`25`	`35`	`import org.springframework.security.core.userdetails.UsernameNotFoundException;`
`26`	`36`	`import org.springframework.util.Assert;`
`@@ -31,14 +41,21 @@`
`31`	`41`	`* {@link UserDetailsService} to fetch user authorities.`
`32`	`42`	`*`
`33`	`43`	`* @author Marcus da Coregio`
	`44`	`+ * @author Andrey Litvitski`
`34`	`45`	`* @since 6.4`
`35`	`46`	`*/`
`36`		`-public final class OneTimeTokenAuthenticationProvider implements AuthenticationProvider {`
	`47`	`+public final class OneTimeTokenAuthenticationProvider implements AuthenticationProvider, MessageSourceAware {`
`37`	`48`
`38`	`49`	`private final OneTimeTokenService oneTimeTokenService;`
`39`	`50`
`40`	`51`	`private final UserDetailsService userDetailsService;`
`41`	`52`
	`53`	`+ private final Log logger = LogFactory.getLog(getClass());`
	`54`	`+`
	`55`	`+ private UserDetailsChecker authenticationChecks = new DefaultAuthenticationChecks();`
	`56`	`+`
	`57`	`+ private MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();`
	`58`	`+`
`42`	`59`	`public OneTimeTokenAuthenticationProvider(OneTimeTokenService oneTimeTokenService,`
`43`	`60`	`UserDetailsService userDetailsService) {`
`44`	`61`	`Assert.notNull(oneTimeTokenService, "oneTimeTokenService cannot be null");`
`@@ -56,6 +73,7 @@ public Authentication authenticate(Authentication authentication) throws Authent`
`56`	`73`	`}`
`57`	`74`	`try {`
`58`	`75`	`UserDetails user = this.userDetailsService.loadUserByUsername(consumed.getUsername());`
	`76`	`+ this.authenticationChecks.check(user);`
`59`	`77`	`OneTimeTokenAuthenticationToken authenticated = OneTimeTokenAuthenticationToken.authenticated(user,`
`60`	`78`	`user.getAuthorities());`
`61`	`79`	`authenticated.setDetails(otpAuthenticationToken.getDetails());`
`@@ -71,4 +89,39 @@ public boolean supports(Class<?> authentication) {`
`71`	`89`	`return OneTimeTokenAuthenticationToken.class.isAssignableFrom(authentication);`
`72`	`90`	`}`
`73`	`91`
	`92`	`+ @Override`
	`93`	`+ public void setMessageSource(MessageSource messageSource) {`
	`94`	`+ this.messages = new MessageSourceAccessor(messageSource);`
	`95`	`+ }`
	`96`	`+`
	`97`	`+ public void setAuthenticationChecks(UserDetailsChecker authenticationChecks) {`
	`98`	`+ this.authenticationChecks = authenticationChecks;`
	`99`	`+ }`
	`100`	`+`
	`101`	`+ private class DefaultAuthenticationChecks implements UserDetailsChecker {`
	`102`	`+`
	`103`	`+ @Override`
	`104`	`+ public void check(UserDetails user) {`
	`105`	`+ if (!user.isAccountNonLocked()) {`
	`106`	`+ OneTimeTokenAuthenticationProvider.this.logger`
	`107`	`+ .debug("Failed to authenticate since user account is locked");`
	`108`	`+ throw new LockedException(OneTimeTokenAuthenticationProvider.this.messages`
	`109`	`+ .getMessage("AbstractUserDetailsAuthenticationProvider.locked", "User account is locked"));`
	`110`	`+ }`
	`111`	`+ if (!user.isEnabled()) {`
	`112`	`+ OneTimeTokenAuthenticationProvider.this.logger`
	`113`	`+ .debug("Failed to authenticate since user account is disabled");`
	`114`	`+ throw new DisabledException(OneTimeTokenAuthenticationProvider.this.messages`
	`115`	`+ .getMessage("AbstractUserDetailsAuthenticationProvider.disabled", "User is disabled"));`
	`116`	`+ }`
	`117`	`+ if (!user.isAccountNonExpired()) {`
	`118`	`+ OneTimeTokenAuthenticationProvider.this.logger`
	`119`	`+ .debug("Failed to authenticate since user account has expired");`
	`120`	`+ throw new AccountExpiredException(OneTimeTokenAuthenticationProvider.this.messages`
	`121`	`+ .getMessage("AbstractUserDetailsAuthenticationProvider.expired", "User account has expired"));`
	`122`	`+ }`
	`123`	`+ }`
	`124`	`+`
	`125`	`+ }`
	`126`	`+`
`74`	`127`	`}`

`‎core/src/test/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationProviderTests.java‎`

Lines changed: 13 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@`
`26`	`26`	`import org.mockito.junit.jupiter.MockitoExtension;`
`27`	`27`
`28`	`28`	`import org.springframework.security.authentication.BadCredentialsException;`
	`29`	`+import org.springframework.security.core.AuthenticationException;`
`29`	`30`	`import org.springframework.security.core.userdetails.User;`
`30`	`31`	`import org.springframework.security.core.userdetails.UserDetailsService;`
`31`	`32`	`import org.springframework.security.core.userdetails.UsernameNotFoundException;`
`@@ -42,6 +43,7 @@`
`42`	`43`	`* Tests for {@link OneTimeTokenAuthenticationProvider}.`
`43`	`44`	`*`
`44`	`45`	`* @author Max Batischev`
	`46`	`+ * @author Andrey Litvitski`
`45`	`47`	`*/`
`46`	`48`	`@ExtendWith(MockitoExtension.class)`
`47`	`49`	`public class OneTimeTokenAuthenticationProviderTests {`
`@@ -79,6 +81,17 @@ void authenticateWhenAuthenticationTokenIsPresentThenAuthenticates() {`
`79`	`81`	`assertThat(CollectionUtils.isEmpty(user.getAuthorities())).isTrue();`
`80`	`82`	`}`
`81`	`83`
	`84`	`+ @Test`
	`85`	`+ void authenticateWhenAuthenticationTokenIsPresentThenFails() {`
	`86`	`+ given(this.oneTimeTokenService.consume(any()))`
	`87`	`+ .willReturn(new DefaultOneTimeToken(TOKEN, USERNAME, Instant.now().plusSeconds(120)));`
	`88`	`+ given(this.userDetailsService.loadUserByUsername(anyString()))`
	`89`	`+ .willReturn(new User(USERNAME, PASSWORD, false, false, false, false, List.of()));`
	`90`	`+ OneTimeTokenAuthenticationToken token = new OneTimeTokenAuthenticationToken(TOKEN);`
	`91`	`+`
	`92`	`+ assertThatExceptionOfType(AuthenticationException.class).isThrownBy(() -> this.provider.authenticate(token));`
	`93`	`+ }`
	`94`	`+`
`82`	`95`	`@Test`
`83`	`96`	`void authenticateWhenOneTimeTokenIsNotFoundThenFails() {`
`84`	`97`	`given(this.oneTimeTokenService.consume(any())).willReturn(null);`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 971a23c

File tree

2 files changed

2 files changed

`‎core/src/main/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationProvider.java‎`

`‎core/src/test/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationProviderTests.java‎`

0 commit comments