feat: The client backend now also supports the use of a refresh token…#803
Merged
jekutzsche merged 5 commits intodevelopfrom Jun 21, 2022
Merged
feat: The client backend now also supports the use of a refresh token…#803jekutzsche merged 5 commits intodevelopfrom
jekutzsche merged 5 commits intodevelopfrom
Conversation
jekutzsche
force-pushed
the
feature/integrate_refresh_token
branch
from
14f5f16 to
da3da99
Compare
jekutzsche
force-pushed
the
feature/use_httponly_cookies
branch
from
9c84ce0 to
c18eeb8
Compare
jekutzsche
force-pushed
the
feature/integrate_refresh_token
branch
from
da3da99 to
1ca3cb2
Compare
jekutzsche
force-pushed
the
feature/use_httponly_cookies
branch
from
c18eeb8 to
54ecc68
Compare
jekutzsche
force-pushed
the
feature/integrate_refresh_token
branch
from
1ca3cb2 to
e16a9f6
Compare
jekutzsche
force-pushed
the
feature/use_httponly_cookies
branch
from
2cb8279 to
3a07f7b
Compare
jekutzsche
force-pushed
the
feature/integrate_refresh_token
branch
from
07f64b6 to
6628d0f
Compare
jekutzsche
force-pushed
the
develop
branch
2 times, most recently
from
1f556c6 to
eef57e6
Compare
…, which can be used to extend the short validity of the authentication. This makes it more convenient to use, especially in conjunction with a two-factor authentication. Login now returns a Refresh JWT in an HTTP-only cookie in addition to the authentication token in the response. A JWT can be refreshed via the `/refreshtoken` path. This requires an expired but whitelisted JWT and a valid whitelisted refresh JWT (both in the corresponding cookie). Both must contain the same username. The response then contains an HTTP-only cookie with the new valid JWT. For the paths `/login` and `/refreshtoken` the token cookie is now ignored. This avoids unnecessary errors due to the delivery of invalid stale cookies, and the cookies also play no role for these endpoints. The logout also clears the refresh tokens and returns an empty token and refresh token.
…rExceptionHandler The http only cookies should only be deleted if an AuthenticationException occurs during login or refresh token (thus in the controller). To enable a token refresh that is done after a 401 response, the http only cookies must not be deleted when the AuthenticationException occurs in a filter, otherwise the basis for the refresh will be disposed of.
jekutzsche
force-pushed
the
feature/integrate_refresh_token
branch
from
6628d0f to
d4b48f4
Compare
…s to the NGINX config
lucky-lusa
approved these changes
Jun 21, 2022
jekutzsche
pushed a commit
that referenced
this pull request
Jun 22, 2022
# [1.6.0-rc.1](v1.5.1...v1.6.0-rc.1) (2022-06-22) ### Bug Fixes * add support for multi-column sort query parameters (fixes broken table sort of iris-message list) ([9daf6a1](9daf6a1)), closes [#801](#801) * **Dependencies:** Updates version of jackson-databind to fix the vulnerability: avd.aquasec.com/nvd/cve-2020-36518 ([84a4b04](84a4b04)) * **Deps:** updates Spring Boot to 2.6.6 to fix the vulnerability avd.aquasec.com/nvd/cve-2022-22965 ([46a50b5](46a50b5)) * fix dependabot security alert and update multiple npm dependencies ([7b71e64](7b71e64)), closes [#729](#729) * fix e2e tests by correcting the spec order ([53fd088](53fd088)), closes [#764](#764) * Fixes a validation error when changing user data of admins. This could lead to an admin not being able to change their data under certain circumstances (only admin and role not transferred with). ([61f6bc3](61f6bc3)), closes [#703](#703) * ga-gotham config tls communication between internal eps ([4b6cf41](4b6cf41)) * removed line breaks at the end of certificates. ([64104a0](64104a0)) ### Features * For JSON-RPC calls (calls from EPS), the client name submitted by EPS is now used as user (if available). Thus, the metadata of records created via JSON-RPC now also contain a user as creator and it is easier to see by whom the data was created. ([71ff56f](71ff56f)), closes [#826](#826) * **Messages:** Messages can now be used to exchange guests of events between health departments. This makes it possible to transmit the guests received through a data request to the responsible department. The data can be transferred directly from the event overview to a message or can also be added to a message as an attachment. This is the beginning, more data types will follow. ([9c3c8cd](9c3c8cd)), closes [#640](#640) * **Messages:** Messages can now be used to exchange vaccination reports between health departments. This makes it possible to transmit received records to the appropriate department through a data transfer. The data can be transferred directly from the vaccination report overview to a message or can also be added as an attachment to a message. ([64636ba](64636ba)), closes [#762](#762) * Old messages are deleted after a configurable time (default is after 180 days) with all associated data. ([d768632](d768632)), closes [#773](#773) * The authentication tokens (JWT) now retain their validity beyond the restart of the IRIS client. This means that, ideally, users notice only little of a restart of the application. ([2442685](2442685)), closes [#804](#804) * The client backend now also supports the use of a refresh token, which can be used to extend the short validity of the authentication. This makes it more convenient to use, especially in conjunction with a two-factor authentication. ([b20ed86](b20ed86)), closes [#803](#803) * The client is now a bit more secure against attacks and authentication token (JWT) stealing. For this, the JWT is now transferred and processed in HTTP-only cookies. In this context, XSRF protection with XSRF-TOKEN cookies has also been enabled. ([ae25da8](ae25da8)), closes [#802](#802) * Users are no longer deleted immediately, but marked as deleted. The marked users can no longer be used and are no longer displayed. However, the data is still available, for example, for working with the audit logs. After all references to the users are deleted according to the respective deadline or after a specified time, the users are finally anonymized. Procedure and time periods are configurable. ([a913eaf](a913eaf)), closes [iris-connect/iris-backlog#235](https://github.com/iris-connect/iris-backlog/issues/235) [#761](#761) * Users can be marked as locked. This makes it possible to temporarily lock users when they are absent. The locked users are not deleted, they are still available in the overview, but cannot be used for a login. ([68d55ec](68d55ec)), closes [#775](#775) ### Reverts * Revert "chore(Deps): removes unnecessary Postgres version (spring declares the same) and improves jackson dependency" ([90bb5fa](90bb5fa))
Member
Author
|
🎉 This PR is included in version 1.6.0-rc.1 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
jekutzsche
pushed a commit
that referenced
this pull request
Jun 30, 2022
# [1.6.0](v1.5.1...v1.6.0) (2022-06-30) ### Bug Fixes * add support for multi-column sort query parameters (fixes broken table sort of iris-message list) ([9daf6a1](9daf6a1)), closes [#801](#801) * Changes NGINX Content-Security-Policy configuration to allow data urls as image src and adds `data:` to the forbidden keywords. ([cedf240](cedf240)), closes [#862](#862) * **Dependencies:** Updates version of jackson-databind to fix the vulnerability: avd.aquasec.com/nvd/cve-2020-36518 ([84a4b04](84a4b04)) * **Deps:** updates Spring Boot to 2.6.6 to fix the vulnerability avd.aquasec.com/nvd/cve-2022-22965 ([46a50b5](46a50b5)) * fix dependabot security alert and update multiple npm dependencies ([7b71e64](7b71e64)), closes [#729](#729) * fix e2e tests by correcting the spec order ([53fd088](53fd088)), closes [#764](#764) * Fixes a validation error when changing user data of admins. This could lead to an admin not being able to change their data under certain circumstances (only admin and role not transferred with). ([61f6bc3](61f6bc3)), closes [#703](#703) * Fixes an occasional `ConstraintViolationException` that can only be caused by parallel processing of multiple requests from the same IP. ([71c1c98](71c1c98)), closes [#828](#828) * ga-gotham config tls communication between internal eps ([4b6cf41](4b6cf41)) * HTTP status code is now set correctly for validation errors with JSON-RPC (400). Related to this, there is now a central place to handle exceptions with JSON-RPC and to configure the correct HTTP status code. ([e0b98f7](e0b98f7)), closes [#827](#827) * removed line breaks at the end of certificates. ([64104a0](64104a0)) * When checking incoming and entered data for possible attacks, case is now ignored for keywords. ([a378e58](a378e58)), closes [#864](#864) ### Features * For JSON-RPC calls (calls from EPS), the client name submitted by EPS is now used as user (if available). Thus, the metadata of records created via JSON-RPC now also contain a user as creator and it is easier to see by whom the data was created. ([71ff56f](71ff56f)), closes [#826](#826) * In the `.env` (see `.env.sample`) now the configuration for the mail dispatch can be done. With this it is now possible to send notifications when new data has been transferred to the IRIS client (at the moment implemented for the data of an event). ([4310bd0](4310bd0)), closes [#557](#557) [#858](#858) * **Messages:** Messages can now be used to exchange guests of events between health departments. This makes it possible to transmit the guests received through a data request to the responsible department. The data can be transferred directly from the event overview to a message or can also be added to a message as an attachment. This is the beginning, more data types will follow. ([9c3c8cd](9c3c8cd)), closes [#640](#640) * **Messages:** Messages can now be used to exchange vaccination reports between health departments. This makes it possible to transmit received records to the appropriate department through a data transfer. The data can be transferred directly from the vaccination report overview to a message or can also be added as an attachment to a message. ([64636ba](64636ba)), closes [#762](#762) * Old messages are deleted after a configurable time (default is after 180 days) with all associated data. ([d768632](d768632)), closes [#773](#773) * The authentication tokens (JWT) now retain their validity beyond the restart of the IRIS client. This means that, ideally, users notice only little of a restart of the application. ([2442685](2442685)), closes [#804](#804) * The client backend now also supports the use of a refresh token, which can be used to extend the short validity of the authentication. This makes it more convenient to use, especially in conjunction with a two-factor authentication. ([b20ed86](b20ed86)), closes [#803](#803) * The client is now a bit more secure against attacks and authentication token (JWT) stealing. For this, the JWT is now transferred and processed in HTTP-only cookies. In this context, XSRF protection with XSRF-TOKEN cookies has also been enabled. ([ae25da8](ae25da8)), closes [#802](#802) * Users are no longer deleted immediately, but marked as deleted. The marked users can no longer be used and are no longer displayed. However, the data is still available, for example, for working with the audit logs. After all references to the users are deleted according to the respective deadline or after a specified time, the users are finally anonymized. Procedure and time periods are configurable. ([a913eaf](a913eaf)), closes [iris-connect/iris-backlog#235](https://github.com/iris-connect/iris-backlog/issues/235) [#761](#761) * Users can be marked as locked. This makes it possible to temporarily lock users when they are absent. The locked users are not deleted, they are still available in the overview, but cannot be used for a login. ([68d55ec](68d55ec)), closes [#775](#775) * Users can now use two-factor authentication with time-based one-time password (TOTP). If it is enabled, a TOTP is expected and verified by a corresponding app after the conventional login. To set up the app, the user is displayed a QR code by IRIS. It is also possible for the admin to activate this mandatorily via environment variable. If a 2FA is expected but has not yet been finally configured for a user with a successful verification, the QR code is displayed after the successful conventional login and the verification is performed. ([03b915c](03b915c)), closes [iris-connect/iris-backlog#251](https://github.com/iris-connect/iris-backlog/issues/251) [#840](#840) ### Reverts * Revert "chore(Deps): removes unnecessary Postgres version (spring declares the same) and improves jackson dependency" ([90bb5fa](90bb5fa))
Member
Author
|
🎉 This PR is included in version 1.6.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
…, which can be used to extend the short validity of the authentication. This makes it more convenient to use, especially in conjunction with a two-factor authentication.
Login now returns a Refresh JWT in an HTTP-only cookie in addition to the authentication token in the response.
A JWT can be refreshed via the
/refreshtokenpath. This requires an expired but whitelisted JWT and a valid whitelisted refresh JWT (both in the corresponding cookie). Both must contain the same username. The response then contains an HTTP-only cookie with the new valid JWT.For the paths
/loginand/refreshtokenthe token cookie is now ignored. This avoids unnecessary errors due to the delivery of invalid stale cookies, and the cookies also play no role for these endpoints.The logout also clears the refresh tokens and returns an empty token and refresh token.