fixing refresh token bugs

Author: IMDADMI

.gitignore

@@ -3,7 +3,7 @@ target/
 !.mvn/wrapper/maven-wrapper.jar
 !**/src/main/**/target/
 !**/src/test/**/target/
-
+src/main/resources/application.yml
 ### STS ###
 .apt_generated
 .classpath

pom.xml

@@ -40,6 +40,11 @@
             <scope>runtime</scope>
             <optional>true</optional>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-configuration-processor</artifactId>
+            <optional>true</optional>
+        </dependency>
         <dependency>
             <groupId>com.mysql</groupId>
             <artifactId>mysql-connector-j</artifactId>

src/main/java/com/admi/jwtauthenticationspringsecurity/JwtAuthenticationSpringSecurityApplication.java

@@ -1,13 +1,19 @@
 package com.admi.jwtauthenticationspringsecurity;
 
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 
 @SpringBootApplication
 public class JwtAuthenticationSpringSecurityApplication {
 
+    @Value("db.username")
+    String ss;
+
     public static void main(String[] args) {
-        SpringApplication.run(JwtAuthenticationSpringSecurityApplication.class, args);
+//        SpringApplication.run(JwtAuthenticationSpringSecurityApplication.class, args);
+        JwtAuthenticationSpringSecurityApplication application = new JwtAuthenticationSpringSecurityApplication();
+        System.out.println(application.ss);
     }
 
 }

src/main/java/com/admi/jwtauthenticationspringsecurity/configurations/SecurityConfiguration.java

@@ -5,11 +5,13 @@
 import com.admi.jwtauthenticationspringsecurity.security.CustomeUserDetailsService;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
@@ -35,19 +37,21 @@ public SecurityFilterChain securityFilterChain (HttpSecurity httpSecurity) throw
         authenticationManager = builder.build();
         return
                 httpSecurity
-                        .cors(httpSecurityCorsConfigurer -> httpSecurityCorsConfigurer.disable())
+                        .cors(AbstractHttpConfigurer::disable)
+                        .csrf(AbstractHttpConfigurer::disable)
                         .sessionManagement(httpSecuritySessionManagementConfigurer -> httpSecuritySessionManagementConfigurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                         .headers(httpSecurityHeadersConfigurer -> httpSecurityHeadersConfigurer.frameOptions().disable())
                         .authorizeHttpRequests(
                                 authorizationManagerRequestMatcherRegistry -> authorizationManagerRequestMatcherRegistry
-                                        .antMatchers("").permitAll()
+                                        .antMatchers(HttpMethod.POST,"/register/user").permitAll()
+                                        .antMatchers("/token/**","/login/**").permitAll()
                                         .anyRequest().authenticated())
                         .authenticationManager(authenticationManager)
                         .addFilter(new JwtAuthenticationFilter(authenticationManager))
                         .addFilterBefore(new JwtAuthorizationFilter(), UsernamePasswordAuthenticationFilter.class)
                         .build();
 
-            }
+    }
     @Bean
     public PasswordEncoder passwordEncoder(){
         return new BCryptPasswordEncoder();

src/main/java/com/admi/jwtauthenticationspringsecurity/controllers/RestController.java

@@ -10,6 +10,8 @@
 import com.auth0.jwt.algorithms.Algorithm;
 import com.auth0.jwt.interfaces.DecodedJWT;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.web.bind.annotation.*;
@@ -24,7 +26,7 @@
 @org.springframework.web.bind.annotation.RestController
 @CrossOrigin
 public class RestController {
-
+    private Logger logger = LoggerFactory.getLogger(this.getClass());
     private UserService userService;
     private RoleService roleService;
     private PasswordEncoder passwordEncoder;
@@ -35,29 +37,35 @@ public RestController(UserService userService, RoleService roleService, Password
         this.passwordEncoder = passwordEncoder;
     }
 
-    @PostMapping("/user")
+    @PostMapping("/register/user")
     public CustomUser addUser(@RequestBody CustomUser user){
         user.setPassword(passwordEncoder.encode(user.getPassword()));
+        logger.info("registering a user : \n{}",user);
         return userService.saveUser(user);
     }
     @PostMapping("/role")
     public CustomRole addRole(@RequestBody CustomRole role){
+        logger.info("adding new role : {}",role);
         return roleService.saveRole(role);
     }
     @PostMapping("/user/role")
     public void addRoleToUser(@RequestBody RoleToUser roleToUser){
+        logger.info("adding a role to a user {} -> {}",roleToUser.getRole(),roleToUser.getUser());
         userService.addRoleToUser(roleToUser.getUser(),roleToUser.getRole());
     }
     @GetMapping("/user")
     public List<CustomUser> listUsers (){
+        logger.info("listing the users");
         return userService.listUsers();
     }
     @GetMapping("/user/{id}")
     public CustomUser getUserById(@PathVariable String id){
+        logger.info("getting the user with the id = {}",id);
         return userService.loadUserById(Long.parseLong(id)).orElse(null);
     }
     @GetMapping("/token/refresh")
     public void requestAccessToken(HttpServletRequest request,HttpServletResponse response){
+        logger.info("requesting to refresh the token");
         String authorizationHeader = request.getHeader("Authorization");
         if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
             try {
@@ -74,8 +82,6 @@ public void requestAccessToken(HttpServletRequest request,HttpServletResponse re
                         request.getRequestURI().toString(),
                         ACCESS_TOKEN_EXPIRATION_TIME
                 );
-
-
 //                String newAccessToken = JWT.create()
 //                        .withSubject(user.getUsername())
 //                        .withExpiresAt(new Date(System.currentTimeMillis()+ACCESS_TOKEN_EXPIRATION_TIME))

src/main/java/com/admi/jwtauthenticationspringsecurity/entities/CustomRole.java

@@ -5,6 +5,8 @@
 import lombok.NoArgsConstructor;
 
 import javax.persistence.*;
+import java.util.ArrayList;
+import java.util.List;
 
 @Entity
 @Data
@@ -19,5 +21,8 @@ public class CustomRole {
     @Column(name = "role_name")
     private String roleName;
 
+    @ManyToMany(mappedBy = "roles")
+    private List<CustomUser> userList = new ArrayList<>();
+
 
 }

src/main/java/com/admi/jwtauthenticationspringsecurity/entities/CustomUser.java

@@ -6,8 +6,7 @@
 import lombok.NoArgsConstructor;
 
 import javax.persistence.*;
-import java.util.ArrayList;
-import java.util.Collection;
+import java.util.*;
 
 @Data
 @Entity
@@ -16,17 +15,23 @@
 public class CustomUser {
     @Id
     @GeneratedValue(strategy = GenerationType.IDENTITY)
-    @Column(name = "id", nullable = false)
+    @Column(name = "user_id", nullable = false)
     private Long id;
     @Column(nullable = false)
     private String username;
     @Column(nullable = false)
-    //this property ignore the password to be existed in the json response
     @JsonProperty(access = JsonProperty.Access.WRITE_ONLY)
     private String password;
     @Column
     @ManyToMany(fetch = FetchType.EAGER)
-    Collection<CustomRole> roles = new ArrayList<>();
+    @JoinTable
+            (
+            name = "user_role_table",
+            joinColumns = {@JoinColumn(name = "user_id",referencedColumnName = "user_id")},
+            inverseJoinColumns = {@JoinColumn(name = "role_id", referencedColumnName = "role_id")}
+            )
+    Set<CustomRole> roles = new HashSet<>();
+
 
 
 }

src/main/java/com/admi/jwtauthenticationspringsecurity/repositories/RoleRepository.java

@@ -2,7 +2,9 @@
 
 import com.admi.jwtauthenticationspringsecurity.entities.CustomRole;
 import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.stereotype.Repository;
 
+@Repository
 public interface RoleRepository extends JpaRepository<CustomRole,Long> {
     CustomRole findCustomRoleByRoleName(String roleName);
 }

src/main/java/com/admi/jwtauthenticationspringsecurity/security/JwtAuthorizationFilter.java

@@ -5,46 +5,52 @@
 import com.auth0.jwt.JWTVerifier;
 import com.auth0.jwt.algorithms.Algorithm;
 import com.auth0.jwt.interfaces.DecodedJWT;
-import org.springframework.beans.factory.annotation.Value;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.core.userdetails.User;
 import org.springframework.web.filter.OncePerRequestFilter;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import java.security.SignatureException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 
 public class JwtAuthorizationFilter extends OncePerRequestFilter {
+
+    private Logger logger = LoggerFactory.getLogger(this.getClass());
+
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
         String authorizationHeader = request.getHeader("Authorization");
-        if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
-            try {
-                String accessToken = authorizationHeader.substring(7);
-                Algorithm algorithm = Algorithm.HMAC256(SecurityUtils.HMAC_KEY);
-                JWTVerifier verifier = JWT.require(algorithm).build();
-                DecodedJWT jwt = verifier.verify(accessToken);
-                String username = jwt.getSubject();
-                String roles[] = jwt.getClaim("roles").asArray(String.class);
-                Collection<GrantedAuthority> authorities = new ArrayList<>();
-                Arrays.stream(roles).forEach(role -> authorities.add(new SimpleGrantedAuthority(role)));
-                UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(username, null, authorities);
-                SecurityContextHolder.getContext().setAuthentication(authenticationToken);
+        if(!SecurityUtils.verifyPath(request.getServletPath())){
+            if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
+                logger.info("a Bearer container request ");
+                try {
+                    String accessToken = authorizationHeader.substring(7);
+                    Algorithm algorithm = Algorithm.HMAC256(SecurityUtils.HMAC_KEY);
+                    JWTVerifier verifier = JWT.require(algorithm).build();
+                    DecodedJWT jwt = verifier.verify(accessToken);
+                    String username = jwt.getSubject();
+                    String roles[] = jwt.getClaim("roles").asArray(String.class);
+                    Collection<GrantedAuthority> authorities = new ArrayList<>();
+                    Arrays.stream(roles).forEach(role -> authorities.add(new SimpleGrantedAuthority(role)));
+                    UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(username, null, authorities);
+                    SecurityContextHolder.getContext().setAuthentication(authenticationToken);
+                    filterChain.doFilter(request, response);
+                } catch (Exception e) {
+                    logger.error("the token is expired");
+                    response.setHeader("error", "the token is expired");
+                    response.sendError(HttpServletResponse.SC_FORBIDDEN);
+                }
+            } else
                 filterChain.doFilter(request, response);
-            } catch (Exception e) {
-                logger.error("the token is expired");
-                response.setHeader("error","the token is expired");
-                response.sendError(HttpServletResponse.SC_FORBIDDEN);
-            }
         }else
             filterChain.doFilter(request,response);
 

src/main/java/com/admi/jwtauthenticationspringsecurity/utils/DataBaseProperty.java

@@ -0,0 +1,15 @@
+package com.admi.jwtauthenticationspringsecurity.utils;
+
+import lombok.Data;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+
+@ConfigurationProperties("database")
+@Configuration
+@Data
+public class DataBaseProperty {
+    private String username;
+    private String password;
+    private String url;
+
+}

src/main/java/com/admi/jwtauthenticationspringsecurity/utils/SecurityUtils.java

@@ -5,17 +5,16 @@
 import com.auth0.jwt.algorithms.Algorithm;
 import org.springframework.security.core.GrantedAuthority;
 
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Date;
-import java.util.List;
+import java.util.*;
 
 public class SecurityUtils {
     public static final String HMAC_KEY = "#YOUR$KEY@HERE!";
-    public static final int ACCESS_TOKEN_EXPIRATION_TIME = 5 * 60 * 1000;
-    public static final int REFRESH_TOKEN_EXPIRATION_TIME = 30 * 24 * 3600 * 1000;
+    public static final long ACCESS_TOKEN_EXPIRATION_TIME = 5 * 60 * 1000;
+    public static final long REFRESH_TOKEN_EXPIRATION_TIME = 10 * 24 * 3600 * 1000;
+    public static final long REMEMBER_ME_REFRESH_TOKEN_EXPIRATION_TIME = 20 * 24 * 3600 * 1000;
+    private static List<String> ignoredPaths = List.of("/token/refresh","/login","/register/user");
 
-    public static String generateToken (String username, List<String> authorities, String issuer,int expiredAt){
+    public static String generateToken (String username, List<String> authorities, String issuer,long expiredAt){
         JWTCreator.Builder token = JWT.create()
                 .withSubject(username)
                 .withExpiresAt(new Date(System.currentTimeMillis()+expiredAt))
@@ -25,4 +24,11 @@ public static String generateToken (String username, List<String> authorities, S
             return token.sign(Algorithm.HMAC256(HMAC_KEY));
         return token.withClaim("roles",authorities).sign(Algorithm.HMAC256(HMAC_KEY));
     }
+
+    public static boolean verifyPath(String path) {
+        for(String p : ignoredPaths)
+            if(p.equals(path))
+                return true;
+        return false;
+    }
 }

src/main/resources/application.properties

@@ -1,8 +1,8 @@
-spring.datasource.url=jdbc:mysql://localhost:3306/auth
-spring.datasource.username=root
-spring.datasource.password=@Dmi2020
+spring.datasource.url=${database.url}
+spring.datasource.username=${database.username}
+spring.datasource.password=${database.password}
 spring.jpa.hibernate.ddl-auto=update
-spring.jpa.show-sql=true
+spring.jpa.show-sql=false
 spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
-spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.MySQLDialect
+spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.MySQL8Dialect
 spring.jpa.properties.hibernate.format_sql=true

src/main/resources/application.yml

@@ -0,0 +1,5 @@
+database:
+  url: jdbc:mysql://localhost:3306/auth
+  username: root
+  password: @Dmi2020
+  #you can also inject the class as a bean and user the fields to get the values from this property file