fixed PasswordlessAuthFilter exception and allowed it to return the a…

…uth JWT directly with a new request parameter

para-server/src/main/java/com/erudika/para/server/security/SecurityUtils.java

@@ -25,6 +25,7 @@
 import com.erudika.para.core.utils.CoreUtils;
 import com.erudika.para.core.utils.Para;
 import com.erudika.para.core.utils.Utils;
+import com.erudika.para.server.security.filters.PasswordlessAuthFilter;
 import com.erudika.para.server.security.filters.SAMLAuthFilter;
 import com.erudika.para.server.utils.BufferedRequestWrapper;
 import com.nimbusds.jose.JOSEException;
@@ -34,6 +35,7 @@
 import com.nimbusds.jose.JWSVerifier;
 import com.nimbusds.jose.crypto.MACSigner;
 import com.nimbusds.jose.crypto.MACVerifier;
+import com.nimbusds.jose.util.Base64URL;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
 import java.io.IOException;
@@ -462,6 +464,18 @@ public static String getAppidFromAuthRequest(HttpServletRequest request) {
 		if (StringUtils.isBlank(appidFromState) && StringUtils.isBlank(appidFromAppid)) {
 			if (StringUtils.startsWith(request.getRequestURI(), SAMLAuthFilter.SAML_ACTION + "/")) {
 				return StringUtils.trimToNull(request.getRequestURI().substring(SAMLAuthFilter.SAML_ACTION.length() + 1));
+			} else if (StringUtils.startsWith(request.getRequestURI(), "/" + PasswordlessAuthFilter.PASSWORDLESS_ACTION)) {
+				String token = request.getParameter("token"); // JWT
+				JWTClaimsSet claims = null;
+				try {
+					SignedJWT jwt = new SignedJWT(Base64URL.from(StringUtils.substringBefore(token, ".")),
+							Base64URL.from(StringUtils.substringBetween(token, ".")),
+							Base64URL.from(StringUtils.substringAfterLast(token, ".")));
+					claims = jwt.getJWTClaimsSet();
+				} catch (ParseException ex) {
+					logger.error(null, ex);
+				}
+				return claims != null ? (String) claims.getClaim(Config._APPID) : null;
 			} else {
 				return null;
 			}

para-server/src/main/java/com/erudika/para/server/security/filters/PasswordlessAuthFilter.java

@@ -34,6 +34,8 @@
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 
@@ -72,21 +74,34 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 			throws IOException, ServletException {
 		String requestURI = request.getRequestURI();
 		UserAuthentication userAuth = null;
+		boolean redirect = !"false".equals(request.getParameter("redirect"));
 		User user = null;
-
+		App app = null;
 		if (requestURI.endsWith(PASSWORDLESS_ACTION)) {
 			String appid = SecurityUtils.getAppidFromAuthRequest(request);
 			String token = request.getParameter("token"); // JWT
-			App app = Para.getDAO().read(App.id(appid));
+			app = Para.getDAO().read(App.id(appid));
 			if (app != null) {
 				userAuth = getOrCreateUser(app, token);
 				if (userAuth != null) {
-					user = (User) userAuth.getPrincipal();
+					user = ((AuthenticatedUserDetails) userAuth.getPrincipal()).getUser();
 					user.setAppid(app.getAppIdentifier());
 				}
 			}
 		}
-		return SecurityUtils.checkIfActive(userAuth, user, true);
+		UserAuthentication auth = SecurityUtils.checkIfActive(userAuth, user, redirect);
+		if (!redirect) {
+			if (auth == null) {
+				response.sendError(HttpStatus.FORBIDDEN.value());
+				response.setStatus(HttpStatus.FORBIDDEN.value());
+			} else {
+				response.setContentType(MediaType.TEXT_PLAIN_VALUE);
+				response.setStatus(HttpStatus.OK.value());
+				response.getWriter().print(SecurityUtils.generateJWToken(user, app).serialize());
+			}
+			return null;
+		}
+		return auth;
 	}
 
 	/**