71654: Authorization for Downloads of restricted Bitstreams

- Short lived tokens can't be used to login, or generate other tokens
DSpace · Jun 30, 2020 · d364ac6 · d364ac6
1 parent 27e733c
commit d364ac6
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/dspace-server-webapp/src/main/java/org/dspace/app/rest/security/jwt/JWTTokenHandler.java b/dspace-server-webapp/src/main/java/org/dspace/app/rest/security/jwt/JWTTokenHandler.java
@@ -43,6 +43,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.crypto.keygen.BytesKeyGenerator;
 import org.springframework.security.crypto.keygen.KeyGenerators;
 
@@ -57,6 +58,8 @@
 public abstract class JWTTokenHandler {
 
     private static final int MAX_CLOCK_SKEW_SECONDS = 60;
+    private static final String AUTHORIZATION_TOKEN_PARAMETER = "token";
+
     private static final Logger log = LoggerFactory.getLogger(JWTTokenHandler.class);
 
     @Autowired
@@ -165,6 +168,11 @@ public EPerson parseEPersonFromToken(String token, HttpServletRequest request, C
     public String createTokenForEPerson(Context context, HttpServletRequest request, Date previousLoginDate,
                                         List<Group> groups) throws JOSEException, SQLException {
 
+        // Verify that the user isn't trying to use a short lived token to generate another token
+        if (StringUtils.isNotBlank(request.getParameter(AUTHORIZATION_TOKEN_PARAMETER))) {
+            throw new AccessDeniedException("Short lived tokens can't be used to generate other tokens");
+        }
+
         // Update the saved session salt for the currently logged in user, returning the user object
         EPerson ePerson = updateSessionSalt(context, previousLoginDate);
 

diff --git a/dspace-server-webapp/src/test/java/org/dspace/app/rest/AuthenticationRestControllerIT.java b/dspace-server-webapp/src/test/java/org/dspace/app/rest/AuthenticationRestControllerIT.java
@@ -855,6 +855,25 @@ public void testShortLivedAndLoginTokenSeparation() throws Exception {
             .andExpect(jsonPath("$.authenticated", is(true)));
     }
 
+    // TODO: fix the exception. For now we want to verify a short lived token can't be used to login
+    @Test(expected = Exception.class)
+    public void testLoginWithShortLivedToken() throws Exception {
+        String shortLivedToken = getShortLivedToken(eperson);
+
+        getClient().perform(post("/api/authn/login?token=" + shortLivedToken))
+            .andExpect(status().isInternalServerError());
+        // TODO: This internal server error needs to be fixed. This should actually produce a forbidden status
+        //.andExpect(status().isForbidden());
+    }
+
+    @Test
+    public void testGenerateShortLivedTokenWithShortLivedToken() throws Exception {
+        String shortLivedToken = getShortLivedToken(eperson);
+
+        getClient().perform(post("/api/authn/shortlivedtokens?token=" + shortLivedToken))
+            .andExpect(status().isForbidden());
+    }
+
     private String getShortLivedToken(EPerson requestUser) throws Exception {
         ObjectMapper mapper = new ObjectMapper();