Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Some more Snyk recommended fixes #29

Merged
merged 12 commits into from
May 28, 2024
Merged

Some more Snyk recommended fixes #29

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
e65c2cd
Upgrade TIM to Spring Boot 3
RayDNoper May 17, 2024
7ddc5a7
Test another theory with SS6
RayDNoper May 23, 2024
39742fd
Log OAuth1 information
RayDNoper May 23, 2024
8d31fb0
Update SC
RayDNoper May 24, 2024
6c475b9
Update SC
RayDNoper May 24, 2024
24a0144
Update SC
RayDNoper May 24, 2024
d5dc5e0
Update AuthenticationSuccessHandler, fix Nimbus
RayDNoper May 24, 2024
cb06894
Update AuthenticationSuccessHandler, fix Nimbus
RayDNoper May 24, 2024
ed0bc39
Remove unnecessary debug flags / imports
RayDNoper May 24, 2024
ef947e4
Update according to Snyk
RayDNoper May 24, 2024
f84821b
Set HttpOnly to true in cookies
RayDNoper May 27, 2024
c97edb9
Merge branch 'buerokratt:dev' into spring-boot-3
RayDNoper May 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion src/main/java/ee/eesti/authentication/configuration/jwt/JwtUtils.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
import jakarta.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.io.InputStream;
import java.net.URLEncoder;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
Expand Down Expand Up @@ -148,7 +149,9 @@ public Cookie getJwtCookie(SignedJWT signedJWT) {
public Cookie getLegacySessionCookie(HttpServletRequest request, SessionsEntity sessionsEntity, boolean alwaysCreateCookie) {

Supplier<Cookie> cookieSupplier = () -> {
Cookie sessionCookie = new Cookie(legacyPortalIntegrationConfig.getSessionCookieName(), sessionsEntity.getSessionId());
Cookie sessionCookie = new Cookie(legacyPortalIntegrationConfig.getSessionCookieName(),
sessionsEntity.getSessionId().replaceAll("[\n\r]+"," "));
sessionCookie.setHttpOnly(true);
sessionCookie.setSecure(secureCookie);
sessionCookie.setPath("/");
sessionCookie.setDomain(legacyPortalIntegrationConfig.getSessionCookieDomain());
Expand Down
4 changes: 2 additions & 2 deletions src/main/java/ee/eesti/authentication/controller/CustomJwtController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -92,10 +92,10 @@ public ResponseEntity<?> createCustomJwtToken(@RequestBody @Valid CustomJwtToken
return emptyOkResponse;
}

Cookie cookie = new Cookie(request.getJwtName(), signedJWT.serialize());
Cookie cookie = new Cookie(request.getJwtName(), signedJWT.serialize().replaceAll("[\n\r]+"," "));
cookie.setHttpOnly(true);
cookie.setSecure(secureCookie);
cookie.setDomain(legacyPortalIntegrationConfig.getSessionCookieDomain());
cookie.setDomain(legacyPortalIntegrationConfig.getSessionCookieDomain().replaceAll("[\n\r]+"," "));

response.addCookie(cookie);

Expand Down
5 changes: 2 additions & 3 deletions src/main/java/ee/eesti/authentication/controller/JwtController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -358,7 +358,6 @@ private void extendSessionObtainedFromLegacySystem(SessionsEntity sessionEntity,
SignedJWT signedJwt = jwtUtils.createSignedJwt(jwtTokenId, userInfo);
jwtTokenInfoService.createJwtTokenInfo(jwtTokenId, sessionEntity.getSessionId(), new Timestamp(userInfo.getLoginExpireDate().getTime()));


Cookie legacySessionCookie = jwtUtils.getLegacySessionCookie(request, sessionEntity, true);
response.addCookie(legacySessionCookie);

Expand Down Expand Up @@ -433,10 +432,10 @@ public ResponseEntity<?> performBlacklist(

private void removeCookie(HttpServletResponse response, Cookie c, String domain, String path) {
Cookie cookie = new Cookie(c.getName(), null);
cookie.setDomain(domain);
cookie.setDomain(domain.replaceAll("[\n\r]+"," "));
cookie.setMaxAge(0);
cookie.setSecure(c.getSecure());
cookie.setPath(path);
cookie.setPath(path.replaceAll("[\n\r]+"," "));
response.addCookie(cookie);
}

Expand Down