added passwordless auth filter supporting externally authenticated us…

…ers (external SSO) like SAML, LDAP, etc.

para-server/pom.xml

@@ -207,7 +207,7 @@
 		<dependency>
 			<groupId>com.nimbusds</groupId>
 			<artifactId>nimbus-jose-jwt</artifactId>
-			<version>7.2.1</version>
+			<version>7.8</version>
 		</dependency>
 		<dependency>
 			<groupId>com.microsoft.azure.iothub-java-client</groupId>

para-server/src/main/java/com/erudika/para/security/JWTRestfulAuthFilter.java

@@ -31,6 +31,7 @@
 import com.erudika.para.core.User;
 import com.erudika.para.rest.RestUtils;
 import com.erudika.para.security.filters.LdapAuthFilter;
+import com.erudika.para.security.filters.PasswordlessAuthFilter;
 import com.erudika.para.security.filters.SlackAuthFilter;
 import com.erudika.para.utils.Config;
 import com.erudika.para.utils.Utils;
@@ -79,6 +80,7 @@ public class JWTRestfulAuthFilter extends GenericFilterBean {
 	private GenericOAuth2Filter oauth2Auth;
 	private LdapAuthFilter ldapAuth;
 	private PasswordAuthFilter passwordAuth;
+	private PasswordlessAuthFilter passwordlessAuth;
 
 	/**
 	 * The default filter mapping.
@@ -304,8 +306,8 @@ private UserAuthentication getOrCreateUser(App app, String identityProvider, Str
 			return ldapAuth.getOrCreateUser(app, accessToken);
 		} else if ("password".equalsIgnoreCase(identityProvider)) {
 			return passwordAuth.getOrCreateUser(app, accessToken);
-		} else if ("password_verified".equalsIgnoreCase(identityProvider)) {
-			return passwordAuth.getOrCreateUser(app, accessToken, true);
+		} else if ("passwordless".equalsIgnoreCase(identityProvider)) {
+			return passwordlessAuth.getOrCreateUser(app, accessToken);
 		}
 		return null;
 	}
@@ -467,6 +469,21 @@ public void setPasswordAuth(PasswordAuthFilter passwordAuth) {
 		this.passwordAuth = passwordAuth;
 	}
 
+	/**
+	 * @return auth filter
+	 */
+	public PasswordlessAuthFilter getPasswordlessAuth() {
+		return passwordlessAuth;
+	}
+
+	/**
+	 * @param passwordlessAuth auth filter
+	 */
+	@Inject
+	public void setPasswordlessAuth(PasswordlessAuthFilter passwordlessAuth) {
+		this.passwordlessAuth = passwordlessAuth;
+	}
+
 	private void validateDelegatedTokenIfNecessary(JWTAuthentication jwt) throws AuthenticationException, IOException {
 		User user = SecurityUtils.getAuthenticatedUser(jwt);
 		if (user != null && jwt != null) {

para-server/src/main/java/com/erudika/para/security/SecurityConfig.java

@@ -28,6 +28,7 @@
 import com.erudika.para.security.filters.FacebookAuthFilter;
 import static com.erudika.para.ParaServer.getInstance;
 import com.erudika.para.security.filters.LdapAuthFilter;
+import com.erudika.para.security.filters.PasswordlessAuthFilter;
 import com.erudika.para.security.filters.SAMLAuthFilter;
 import com.erudika.para.security.filters.SAMLMetadataFilter;
 import com.erudika.para.security.filters.SlackAuthFilter;
@@ -70,6 +71,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 	private final CachedCsrfTokenRepository csrfTokenRepository;
 	private final SimpleRememberMeServices rememberMeServices;
 	private final PasswordAuthFilter passwordFilter;
+	private final PasswordlessAuthFilter passwordlessFilter;
 	private final OpenIDAuthFilter openidFilter;
 	private final FacebookAuthFilter facebookFilter;
 	private final GoogleAuthFilter googleFilter;
@@ -91,6 +93,7 @@ public SecurityConfig() {
 		csrfTokenRepository = getInstance(CachedCsrfTokenRepository.class);
 		rememberMeServices = getInstance(SimpleRememberMeServices.class);
 		passwordFilter = getInstance(PasswordAuthFilter.class);
+		passwordlessFilter = getInstance(PasswordlessAuthFilter.class);
 		openidFilter = getInstance(OpenIDAuthFilter.class);
 		facebookFilter = getInstance(FacebookAuthFilter.class);
 		googleFilter = getInstance(GoogleAuthFilter.class);
@@ -200,6 +203,11 @@ private void registerAuthFilters(HttpSecurity http) throws Exception {
 			http.addFilterAfter(passwordFilter, BasicAuthenticationFilter.class);
 		}
 
+		if (passwordlessFilter != null) {
+			passwordlessFilter.setAuthenticationManager(authenticationManager());
+			http.addFilterAfter(passwordlessFilter, BasicAuthenticationFilter.class);
+		}
+
 		if (openidFilter != null) {
 			openidFilter.setAuthenticationManager(authenticationManager());
 			http.addFilterAfter(openidFilter, BasicAuthenticationFilter.class);

para-server/src/main/java/com/erudika/para/security/SecurityModule.java

@@ -28,6 +28,7 @@
 import com.erudika.para.security.filters.FacebookAuthFilter;
 import com.erudika.para.cache.Cache;
 import com.erudika.para.security.filters.LdapAuthFilter;
+import com.erudika.para.security.filters.PasswordlessAuthFilter;
 import com.erudika.para.security.filters.SAMLAuthFilter;
 import com.erudika.para.security.filters.SAMLMetadataFilter;
 import com.erudika.para.security.filters.SlackAuthFilter;
@@ -50,6 +51,7 @@ public class SecurityModule extends AbstractModule {
 	private SimpleAuthenticationFailureHandler failureHandler;
 	private SimpleRememberMeServices rememberMeServices;
 	private PasswordAuthFilter passwordFilter;
+	private PasswordlessAuthFilter passwordlessFilter;
 	private OpenIDAuthFilter openidFilter;
 	private FacebookAuthFilter facebookFilter;
 	private GoogleAuthFilter googleFilter;
@@ -172,6 +174,27 @@ public void setPasswordFilter(PasswordAuthFilter passwordFilter) {
 		this.passwordFilter = passwordFilter;
 	}
 
+	/**
+	 * @return filter
+	 */
+	@Provides
+	public PasswordlessAuthFilter getPasswordlessFilter() {
+		if (passwordlessFilter == null) {
+			passwordlessFilter = new PasswordlessAuthFilter("/" + PasswordlessAuthFilter.PASSWORDLESS_ACTION);
+			passwordlessFilter.setAuthenticationSuccessHandler(getSuccessHandler());
+			passwordlessFilter.setAuthenticationFailureHandler(getFailureHandler());
+			passwordlessFilter.setRememberMeServices(getRemembeMeServices());
+		}
+		return passwordlessFilter;
+	}
+
+	/**
+	 * @param passwordlessFilter filter
+	 */
+	public void setPasswordlessFilter(PasswordlessAuthFilter passwordlessFilter) {
+		this.passwordlessFilter = passwordlessFilter;
+	}
+
 	/**
 	 * @return filter
 	 */
@@ -437,12 +460,14 @@ public void setSamlMetadataFilter(SAMLMetadataFilter samleMetaFilter) {
 	 * @param oAuth2 filter
 	 * @param ldAuth filter
 	 * @param pwAuth filter
+	 * @param plAuth filter
 	 * @return filter
 	 */
 	@Provides
 	public JWTRestfulAuthFilter getJWTAuthFilter(FacebookAuthFilter fbAuth, GoogleAuthFilter gpAuth,
 			GitHubAuthFilter ghAuth, LinkedInAuthFilter liAuth, TwitterAuthFilter twAuth,
-			MicrosoftAuthFilter msAuth, GenericOAuth2Filter oAuth2, LdapAuthFilter ldAuth, PasswordAuthFilter pwAuth) {
+			MicrosoftAuthFilter msAuth, GenericOAuth2Filter oAuth2, LdapAuthFilter ldAuth,
+			PasswordAuthFilter pwAuth, PasswordlessAuthFilter plAuth) {
 		if (jwtFilter == null) {
 			jwtFilter = new JWTRestfulAuthFilter("/" + JWTRestfulAuthFilter.JWT_ACTION);
 			jwtFilter.setFacebookAuth(fbAuth);
@@ -454,6 +479,7 @@ public JWTRestfulAuthFilter getJWTAuthFilter(FacebookAuthFilter fbAuth, GoogleAu
 			jwtFilter.setGenericOAuth2Auth(oAuth2);
 			jwtFilter.setLdapAuth(ldAuth);
 			jwtFilter.setPasswordAuth(pwAuth);
+			jwtFilter.setPasswordlessAuth(plAuth);
 		}
 		return jwtFilter;
 	}

para-server/src/main/java/com/erudika/para/security/filters/PasswordAuthFilter.java

@@ -73,7 +73,7 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 			user = new User();
 			user.setIdentifier(request.getParameter(EMAIL));
 			user.setPassword(request.getParameter(PASSWORD));
-			String appid = request.getParameter(Config._APPID);
+			String appid = SecurityUtils.getAppidFromAuthRequest(request);
 			if (!App.isRoot(appid)) {
 				App app = Para.getDAO().read(App.id(appid));
 				if (app != null) {
@@ -89,7 +89,6 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 		return SecurityUtils.checkIfActive(userAuth, user, true);
 	}
 
-
 	/**
 	 * Authenticates or creates a {@link User} using an email and password.
 	 * Access token must be in the format: "email:full_name:password" or "email::password_hash"
@@ -98,20 +97,6 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 	 * @return {@link UserAuthentication} object or null if something went wrong
 	 */
 	public UserAuthentication getOrCreateUser(App app, String accessToken) {
-		return getOrCreateUser(app, accessToken,
-				Boolean.parseBoolean(SecurityUtils.getSettingForApp(app, "security.allow_unverified_emails",
-						Config.getConfigParam("security.allow_unverified_emails", "false"))));
-	}
-
-	/**
-	 * Authenticates or creates a {@link User} using an email and password.
-	 * Access token must be in the format: "email:full_name:password" or "email::password_hash"
-	 * @param app the app where the user will be created, use null for root app
-	 * @param accessToken token in the format "email:full_name:password" or "email::password_hash"
-	 * @param verified is the user verified already, e.g. coming from LDAP, SAML, etc. sets "active:true"
-	 * @return {@link UserAuthentication} object or null if something went wrong
-	 */
-	public UserAuthentication getOrCreateUser(App app, String accessToken, boolean verified) {
 		UserAuthentication userAuth = null;
 		User user = new User();
 		if (accessToken != null && accessToken.contains(Config.SEPARATOR)) {
@@ -131,7 +116,8 @@ public UserAuthentication getOrCreateUser(App app, String accessToken, boolean v
 			user = User.readUserForIdentifier(u);
 			if (user == null) {
 				user = new User();
-				user.setActive(verified);
+				user.setActive(Boolean.parseBoolean(SecurityUtils.getSettingForApp(app, "security.allow_unverified_emails",
+						Config.getConfigParam("security.allow_unverified_emails", "false"))));
 				user.setAppid(appid);
 				user.setName(name);
 				user.setIdentifier(email);

para-server/src/main/java/com/erudika/para/security/filters/PasswordlessAuthFilter.java

@@ -0,0 +1,132 @@
+/*
+ * Copyright 2013-2019 Erudika. https://erudika.com
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * For issues and patches go to: https://github.com/erudika
+ */
+package com.erudika.para.security.filters;
+
+import com.erudika.para.Para;
+import com.erudika.para.core.App;
+import com.erudika.para.core.User;
+import com.erudika.para.security.AuthenticatedUserDetails;
+import com.erudika.para.security.SecurityUtils;
+import com.erudika.para.security.UserAuthentication;
+import com.erudika.para.utils.Config;
+import com.nimbusds.jwt.SignedJWT;
+import java.io.IOException;
+import java.text.ParseException;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
+
+/**
+ * A filter which simply authenticates a users without a password by just verifying a simple JWT. The assumption here
+ * is that users are verified and authenticated externally - LDAP, SAML, custom authentication (SSO).
+ * @author Alex Bogdanovski [alex@erudika.com]
+ */
+public class PasswordlessAuthFilter extends AbstractAuthenticationProcessingFilter {
+
+	/**
+	 * The default filter mapping.
+	 */
+	public static final String PASSWORDLESS_ACTION = "passwordless_auth";
+
+	/**
+	 * Default constructor.
+	 * @param defaultFilterProcessesUrl the url of the filter
+	 */
+	public PasswordlessAuthFilter(String defaultFilterProcessesUrl) {
+		super(defaultFilterProcessesUrl);
+	}
+
+	/**
+	 * Handles an authentication request.
+	 * @param request HTTP request
+	 * @param response HTTP response
+	 * @return an authentication object that contains the principal object if successful.
+	 * @throws IOException ex
+	 * @throws ServletException ex
+	 */
+	@Override
+	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
+			throws IOException, ServletException {
+		String requestURI = request.getRequestURI();
+		UserAuthentication userAuth = null;
+		User user = null;
+
+		if (requestURI.endsWith(PASSWORDLESS_ACTION)) {
+			String appid = SecurityUtils.getAppidFromAuthRequest(request);
+			String token = request.getParameter("token"); // JWT
+			App app = Para.getDAO().read(App.id(appid));
+			if (app != null) {
+				userAuth = getOrCreateUser(app, token);
+				if (userAuth != null) {
+					user = (User) userAuth.getPrincipal();
+					user.setAppid(app.getAppIdentifier());
+				}
+			}
+		}
+		return SecurityUtils.checkIfActive(userAuth, user, true);
+	}
+
+	/**
+	 * Authenticates or creates a {@link User} using an signed JWT token.
+	 * Access token must be a valid JWT signed with "para.app_secret_key".
+	 * @param app the app where the user will be created, use null for root app
+	 * @param accessToken JWT
+	 * @return {@link UserAuthentication} object or null if something went wrong
+	 */
+	public UserAuthentication getOrCreateUser(App app, String accessToken) {
+		UserAuthentication userAuth = null;
+		User user = new User();
+		String secret = SecurityUtils.getSettingForApp(app, "app_secret_key", "");
+		try {
+			SignedJWT jwt = SignedJWT.parse(accessToken);
+			if (SecurityUtils.isValidJWToken(secret, jwt) && app != null) {
+				String email = jwt.getJWTClaimsSet().getStringClaim(Config._EMAIL);
+				String name = jwt.getJWTClaimsSet().getStringClaim(Config._NAME);
+				String identifier = jwt.getJWTClaimsSet().getStringClaim(Config._IDENTIFIER);;
+				String appid = app.getAppIdentifier();
+
+				User u = new User();
+				u.setAppid(appid);
+				u.setIdentifier(identifier);
+				u.setEmail(email);
+				// NOTE TO SELF:
+				// do not overwrite 'u' here - overwrites the password hash!
+				user = User.readUserForIdentifier(u);
+				if (user == null) {
+					user = new User();
+					user.setActive(true);
+					user.setAppid(appid);
+					user.setName(name);
+					user.setIdentifier(identifier);
+					user.setEmail(email);
+					if (user.create() != null) {
+						// allow temporary first-time login without verifying email address
+						userAuth = new UserAuthentication(new AuthenticatedUserDetails(user));
+					}
+				} else {
+					userAuth = new UserAuthentication(new AuthenticatedUserDetails(user));
+				}
+			}
+		} catch (ParseException e) {
+			logger.warn("Invalid token: " + e.getMessage());
+		}
+		return SecurityUtils.checkIfActive(userAuth, user, false);
+	}
+}