Enhance Authentication with JWT and Refresh Token Mechanism #264 (#288)

Co-authored-by: Alexander Stanik <astanik@users.noreply.github.com>

Author: gflachs

README.md

@@ -3,7 +3,7 @@
 ![GitHub Release](https://img.shields.io/github/v/release/remsfal/remsfal-backend?label=latest%20release)
 ![Build Status](https://img.shields.io/badge/build-passing-brightgreen)
 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=remsfal_remsfal-backend&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=remsfal_remsfal-backend)
-![Contributors](https://img.shields.io/github/contributors/remsfal/remsfal-backend)  
+![Contributors](https://img.shields.io/github/contributors/remsfal/remsfal-backend)
 
 # Open Source Facility Management Software (Backend)
 
@@ -12,11 +12,12 @@ It works together with the [`remsfal-frontend`](https://github.com/remsfal/remsf
 You can see a live version at https://remsfal.de.
 
 ## Prerequisits
-You will need 
-- Java 17 or higher  
-- Maven 3.8.1 or higher
--  a **mysql** database
 
+You will need
+
+- Java 17 or higher
+- Maven 3.8.1 or higher
+- a **mysql** database
 
 ## How to get started
 
@@ -27,17 +28,23 @@ docker compose up -d
 ```
 
 ### Configuration
-Furthermore you will need to configurate at least the [database](#database) and [Google Oauth](#google-oauth) to run the application in [application.properties](remsfal-service/src/main/resources/application.properties) or specific them directly as JVM argument.  
+
+Furthermore you will need to configurate at least the [database](#database) and [Google Oauth](#google-oauth) to run the
+application in [application.properties](remsfal-service/src/main/resources/application.properties) or specific them
+directly as JVM argument.
 
 #### database
+
 Adjust the configuration for your database, don't use the provided ones in production!
+
 ```properties
 quarkus.datasource.username=root
 quarkus.datasource.jdbc.url=jdbc:mysql://localhost:3306/REMSFAL
 quarkus.datasource.devservices.enabled=false
 ```
 
 Or use JVM agruments
+
 ```sh
 java -Dquarkus.datasource.username=root \
      -Dquarkus.datasource.jdbc.url=jdbc:mysql://localhost:3306/REMSFAL \
@@ -46,62 +53,86 @@ java -Dquarkus.datasource.username=root \
 ```
 
 #### Google OAuth
-You will also need to provide your own secrets for [Google OAuth](https://developers.google.com/identity/protocols/oauth2?hl=de). As mentioned before you may also use JVM arguments.
+
+You will also need to provide your own secrets
+for [Google OAuth](https://developers.google.com/identity/protocols/oauth2?hl=de). As mentioned before you may also use
+JVM arguments.
+
 ```properties
 de.remsfal.auth.oidc.client-id=<YOUR-ID>.apps.googleusercontent.com
 de.remsfal.auth.oidc.client-secret=<YOUR-SECRET>
 de.remsfal.auth.session.secret=<YOUR-CUSTOM-SESSION-SECRET>
 ```
 
-#### Run 
+## JWT Token
+
+For the JWT token its highly recommended to replace the default private key and public key with your own.
+
+### Generate new keys in PEM format using openssl
+
+```sh
+openssl genrsa -out private.pem 2048
+openssl rsa -in private.pem -pubout -out public.pem
+```
+
+#### Run
 
 To package and execute the application
+
 ```sh
 ./mvnw package
 java -jar remsfal-service/target/remsfal-service-runner.jar
 ```
 
 After execution `remsfal-backend` will be available under [`https://localhost:8080/api`](https://localhost:8080/api).
 
-
 ## Contributing
-When contributing to this repository, please **first** discuss the change you wish to make by creating an issue before making a change.
+
+When contributing to this repository, please **first** discuss the change you wish to make by creating an issue before
+making a change.
 
 Once you got feedback on your idea feel free to fork the project and open a pull request.
 
 Please only make changes in files directly related to your issue.
 
-This project uses [Checkstyle](https://github.com/checkstyle/checkstyle) for code formatting. Please ensure your code adheres to the style defined in the [checkstyle.xml](src/main/style/checkstyle.xml).
+This project uses [Checkstyle](https://github.com/checkstyle/checkstyle) for code formatting. Please ensure your code
+adheres to the style defined in the [checkstyle.xml](src/main/style/checkstyle.xml).
 
 ### CI/CD
-This project utilizes Github Actions to check the code quality using [SonarCloud](https://sonarcloud.io/summary/new_code?id=remsfal_remsfal-backend&branch=main) therefore its mandatory to pass the specified **Quality Gates** before a pull request can be merged.
 
+This project utilizes Github Actions to check the code quality
+using [SonarCloud](https://sonarcloud.io/summary/new_code?id=remsfal_remsfal-backend&branch=main) therefore its
+mandatory to pass the specified **Quality Gates** before a pull request can be merged.
 
 ### Development
 
 The project is structured into multiple modules:
 
 **remsfal-core**: Contains core business logic and API interfaces.  
-**remsfal-service**: Implements the REST API and application services.  
-
+**remsfal-service**: Implements the REST API and application services.
 
 At first you well need to start the db as described in [Prerequisits](#prerequisits).
 
 Next run the project using the following command:
+
 ```sh
 ./mvnw clean install
 ./mvnw compile quarkus:dev -pl remsfal-service
 ```
+
 It will automatically recompile when you change something.
 
 ### Stylecheck
 
 To run the stylecheck use the following command:
+
 ```sh
 ./mvnw checkstyle:checkstyle
 ```
 
 ## Copyright
+
 All licenses in this repository are copyrighted by their respective authors.   
-Everything else is released under Apache 2.0. See [LICENSE](https://github.com/remsfal/remsfal-backend?tab=Apache-2.0-1-ov-file#readme) for details.
+Everything else is released under Apache 2.0.
+See [LICENSE](https://github.com/remsfal/remsfal-backend?tab=Apache-2.0-1-ov-file#readme) for details.
 

remsfal-core/src/main/java/de/remsfal/core/model/UserAuthenticationModel.java

@@ -0,0 +1,6 @@
+package de.remsfal.core.model;
+
+public interface UserAuthenticationModel {
+    UserModel getUser();
+    String getRefreshToken();
+}

remsfal-service/pom.xml

@@ -148,6 +148,10 @@
             <artifactId>quarkus-jacoco</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-smallrye-jwt</artifactId>
+        </dependency>
     </dependencies>
     <build>
         <finalName>remsfal-service</finalName>

remsfal-service/src/main/java/de/remsfal/service/boundary/AuthenticationResource.java

@@ -1,31 +1,28 @@
 package de.remsfal.service.boundary;
 
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
+import de.remsfal.core.api.AuthenticationEndpoint;
+import de.remsfal.core.model.UserModel;
+import de.remsfal.service.boundary.authentication.GoogleAuthenticator;
+import de.remsfal.service.boundary.authentication.SessionManager;
+import de.remsfal.service.boundary.exception.UnauthorizedException;
+import de.remsfal.service.control.UserController;
 import jakarta.inject.Inject;
 import jakarta.ws.rs.ForbiddenException;
 import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.core.HttpHeaders;
+import jakarta.ws.rs.core.NewCookie;
 import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.core.UriBuilder;
 import jakarta.ws.rs.core.UriInfo;
-
-import java.net.URI;
-
 import org.eclipse.microprofile.config.inject.ConfigProperty;
 import org.eclipse.microprofile.metrics.MetricUnits;
 import org.eclipse.microprofile.metrics.annotation.Counted;
 import org.eclipse.microprofile.metrics.annotation.Timed;
 import org.jboss.logging.Logger;
 
-import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
-import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
-
-import de.remsfal.core.api.AuthenticationEndpoint;
-import de.remsfal.core.model.UserModel;
-import de.remsfal.service.boundary.authentication.GoogleAuthenticator;
-import de.remsfal.service.boundary.authentication.SessionInfo;
-import de.remsfal.service.boundary.authentication.SessionManager;
-import de.remsfal.service.boundary.exception.UnauthorizedException;
-import de.remsfal.service.control.UserController;
+import java.net.URI;
 
 /**
  * @author Alexander Stanik [alexander.stanik@htw-berlin.de]
@@ -38,7 +35,7 @@ public class AuthenticationResource implements AuthenticationEndpoint {
 
     @Context
     UriInfo uri;
-    
+
     @Context
     HttpHeaders headers;
 
@@ -53,14 +50,15 @@ public class AuthenticationResource implements AuthenticationEndpoint {
 
     @Inject
     Logger logger;
+    @Inject
+    HttpHeaders httpHeaders;
 
 
     @Override
-    @Timed(name = "checksTimerLogin",unit = MetricUnits.MILLISECONDS)
+    @Timed(name = "checksTimerLogin", unit = MetricUnits.MILLISECONDS)
     @Counted(name = "countedLogin")
     public Response login(final String route) {
-        final String redirectUri = getAbsoluteUri()
-            .toASCIIString().replace("/login", "/session");
+        final String redirectUri = getAbsoluteUri().toASCIIString().replace("/login", "/session");
         final URI redirectUrl = authenticator.getAuthorizationCodeURI(redirectUri, route);
         return redirect(redirectUrl).build();
     }
@@ -83,33 +81,26 @@ public Response session(final String code, final String state, final String erro
     }
 
     private Response createSession(final UserModel user, final String route) {
-        final URI redirectUri = getAbsoluteUriBuilder()
-            .replacePath(route)
-            .build();
-        final SessionInfo sessionInfo = sessionManager.sessionInfoBuilder()
-            .userId(user.getId())
-            .userEmail(user.getEmail())
-            .build();
-        return redirect(redirectUri)
-            .cookie(sessionManager.encryptSessionCookie(sessionInfo))
-            .build();
+        final URI redirectUri = getAbsoluteUriBuilder().replacePath(route).build();
+        final NewCookie accessToken = sessionManager.generateAccessToken(
+            sessionManager.sessionInfoBuilder(SessionManager.ACCESS_COOKIE_NAME).userId(user.getId())
+                .userEmail(user.getEmail()).build());
+        final NewCookie refreshToken = sessionManager.generateRefreshToken(user.getId(), user.getEmail());
+        return redirect(redirectUri).cookie(accessToken, refreshToken).build();
     }
 
-    @Timed(name = "checksTimerLogout",unit = MetricUnits.MILLISECONDS)
+    @Timed(name = "checksTimerLogout", unit = MetricUnits.MILLISECONDS)
     @Counted(name = "countedLogout")
     @Override
     public Response logout() {
-        final URI redirectUri = getAbsoluteUriBuilder()
-            .replacePath("/")
-            .build();
-        return redirect(redirectUri)
-            .cookie(sessionManager.removalSessionCookie())
-            .build();
+        final URI redirectUri = getAbsoluteUriBuilder().replacePath("/").build();
+        sessionManager.logout(httpHeaders.getCookies());
+        return redirect(redirectUri).cookie(sessionManager.removalCookie(SessionManager.ACCESS_COOKIE_NAME),
+            sessionManager.removalCookie(SessionManager.REFRESH_COOKIE_NAME)).build();
     }
 
     private Response.ResponseBuilder redirect(final URI redirectUrl) {
-        return Response.status(302)
-            .header("location", redirectUrl);
+        return Response.status(302).header("location", redirectUrl);
     }
 
     private URI getAbsoluteUri() {
@@ -118,19 +109,19 @@ private URI getAbsoluteUri() {
 
     private UriBuilder getAbsoluteUriBuilder() {
         final String forwardedHostHeader = headers.getHeaderString("X-Forwarded-Host");
-        if(enableForwardedHost && forwardedHostHeader != null) {
+        if (enableForwardedHost && forwardedHostHeader != null) {
             logger.infov("Proxy is enabled. X-Forwarded-Host: {0}", forwardedHostHeader);
             final UriBuilder builder = uri.getAbsolutePathBuilder();
             final String[] parts = forwardedHostHeader.split(":");
-            if(parts.length > 0) {
+            if (parts.length > 0) {
                 logger.debugv("Host: {0}", parts[0]);
                 builder.host(parts[0]);
             }
-            if(parts.length > 1) {
+            if (parts.length > 1) {
                 try {
                     logger.debugv("Port: {0}", parts[1]);
                     builder.port(Integer.parseUnsignedInt(parts[1]));
-                } catch(NumberFormatException e) {
+                } catch (NumberFormatException e) {
                     logger.errorv("Invalid port in X-Forwarded-Host header {0}", parts[1], e);
                 }
             }

remsfal-service/src/main/java/de/remsfal/service/boundary/authentication/HeaderExtensionResponseFilter.java

@@ -1,5 +1,7 @@
 package de.remsfal.service.boundary.authentication;
 
+import de.remsfal.core.api.AuthenticationEndpoint;
+import de.remsfal.service.boundary.exception.TokenExpiredException;
 import jakarta.annotation.Priority;
 import jakarta.inject.Inject;
 import jakarta.ws.rs.Priorities;
@@ -13,7 +15,7 @@
 
 @Provider
 @Priority(Priorities.HEADER_DECORATOR + 1)
-public class HeaderExtensionResponseFilter  implements ContainerResponseFilter {
+public class HeaderExtensionResponseFilter implements ContainerResponseFilter {
 
     @Inject
     SessionManager sessionManager;
@@ -22,22 +24,43 @@ public class HeaderExtensionResponseFilter  implements ContainerResponseFilter {
     Logger logger;
 
     @Override
-    public void filter(ContainerRequestContext requestContext,
-                       ContainerResponseContext responseContext) {
-        try{
-            final Cookie sessionCookie = sessionManager.findSessionCookie(requestContext.getCookies());
-            if (sessionCookie != null) {
-                SessionInfo sessionInfo = sessionManager.decryptSessionCookie(sessionCookie);
-
-                if (sessionInfo != null && sessionInfo.isValid()) {
-                    if (sessionInfo.shouldRenew()) {
-                        Cookie newSessionCookie = sessionManager.renewSessionCookie(sessionInfo);
-                        responseContext.getHeaders().add("Set-Cookie", newSessionCookie.getValue());
-                    }
+    public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext) {
+
+        if (AuthenticationEndpoint.isAuthenticationPath(requestContext.getUriInfo().getPath())) {
+            logger.infov("Skipping HeaderExtensionResponseFilter for authentication path: {0}",
+                requestContext.getUriInfo().getPath());
+            return;
+        }
+        try {
+            Cookie accessToken = sessionManager.findAccessTokenCookie(requestContext.getCookies());
+            if (accessToken == null) {
+                Cookie refreshToken = sessionManager.findRefreshTokenCookie(requestContext.getCookies());
+                if (refreshToken != null) {
+                    renewTokens(requestContext, responseContext);
+                }
+            }
+            if (accessToken != null) {
+                try {
+                    sessionManager.decryptAccessTokenCookie(accessToken);
+                } catch (TokenExpiredException e) {
+                    logger.info("Access token expired: " + e.getMessage());
+                    renewTokens(requestContext, responseContext);
                 }
             }
         } catch (Exception e) {
             logger.error("Error in HeaderExtensionResponseFilter: " + e.getMessage());
         }
     }
+
+    private void renewTokens(ContainerRequestContext requestContext, ContainerResponseContext responseContext) {
+        try {
+            SessionManager.TokenRenewalResponse response = sessionManager.renewTokens(requestContext.getCookies());
+            responseContext.getHeaders().add("Set-Cookie", response.getAccessToken());
+            responseContext.getHeaders().add("Set-Cookie", response.getRefreshToken());
+        } catch (Exception e) {
+            logger.error("Error renewing tokens: " + e.getMessage());
+        }
+    }
+
+
 }