UUI-1161 Enable setting/getting custom state param in auth flow

schibsted · Apr 23, 2024 · 0b20c0a · 0b20c0a
1 parent 7c96b62
commit 0b20c0a
Show file tree

Hide file tree

Showing 8 changed files with 62 additions and 17 deletions.
diff --git a/app/src/main/java/com/schibsted/account/example/LoggedInActivity.kt b/app/src/main/java/com/schibsted/account/example/LoggedInActivity.kt
@@ -43,6 +43,7 @@ class LoggedInActivity : AppCompatActivity() {
         initLogoutButton()
         initProfileDataButton()
         initExternalIdButton()
+        initGetCustomStateButton()
         initSessionExchangeButtonButton()
         initAccountPagesButtonButton()
         initMakeAuthenticatedRequestButton()
@@ -81,6 +82,14 @@ class LoggedInActivity : AppCompatActivity() {
         }
     }
 
+    private fun initGetCustomStateButton() {
+        binding.customStateButton.setOnClickListener {
+            if (isUserLoggedIn) {
+                Timber.i("Custom state ${client?.getState()} ")
+            }
+        }
+    }
+
     private fun initSessionExchangeButtonButton() {
         binding.sessionExchangeButton.setOnClickListener {
             if (isUserLoggedIn) {

diff --git a/app/src/main/java/com/schibsted/account/example/MainActivity.kt b/app/src/main/java/com/schibsted/account/example/MainActivity.kt
@@ -43,7 +43,7 @@ class MainActivity : AppCompatActivity() {
 
     private fun initializeButtons() {
         binding.loginButton.setOnClickListener {
-            startActivity(ExampleApp.client.getAuthenticationIntent(this))
+            startActivity(ExampleApp.client.getAuthenticationIntent(this, "customState"))
         }
         binding.manualLoginButton.setOnClickListener {
             startActivity(Intent(this, ManualLoginActivity::class.java))

diff --git a/app/src/main/java/com/schibsted/account/example/ManualLoginActivity.kt b/app/src/main/java/com/schibsted/account/example/ManualLoginActivity.kt
@@ -55,7 +55,7 @@ class ManualLoginActivity : AppCompatActivity() {
 
     private fun initLoginButton() {
         binding.loginButton.setOnClickListener {
-            client.launchAuth(this)
+            client.launchAuth(this, "customState")
         }
     }
 

diff --git a/app/src/main/res/layout/activity_logged_in.xml b/app/src/main/res/layout/activity_logged_in.xml
@@ -38,6 +38,12 @@
             android:layout_height="wrap_content"
             android:text="@string/fetch_external_id_button"/>
 
+        <Button
+            android:id="@+id/customStateButton"
+            android:layout_width="wrap_content"
+            android:layout_height="wrap_content"
+            android:text="@string/get_custom_state_button"/>
+
         <Button
             android:id="@+id/sessionExchangeButton"
             android:layout_width="wrap_content"

diff --git a/app/src/main/res/values/strings.xml b/app/src/main/res/values/strings.xml
@@ -6,6 +6,7 @@
     <string name="logged_in_text">You\'re logged in!</string>
     <string name="fetch_profile_data_button">Fetch profile data</string>
     <string name="fetch_external_id_button">Fetch external Id for TCF</string>
+    <string name="get_custom_state_button">Get custom state</string>
     <string name="start_session_exchange_button">Start session exchange</string>
     <string name="account_pages_button">Account pages</string>
     <string name="logout_button">Logout</string>

diff --git a/webflows/src/main/java/com/schibsted/account/webflows/client/Client.kt b/webflows/src/main/java/com/schibsted/account/webflows/client/Client.kt
@@ -36,6 +36,7 @@ import org.json.JSONException
 import org.json.JSONObject
 import timber.log.Timber
 import java.security.MessageDigest
+import java.security.spec.MGF1ParameterSpec.SHA256
 import java.util.Date
 import kotlin.coroutines.resume
 
@@ -100,14 +101,17 @@ class Client {
      *
      * Requires [AuthorizationManagementActivity.setup] to have been called before this.
      *
-     * @param authRequest Authentication request parameters.
+     * @param context Context.
+     * @param state Optional string that overrides [state] query item of loginURL, which is otherwise a random 10 character string.
+     * @param authRequest Optional [AuthRequest] parameter.
      */
     @JvmOverloads
     fun getAuthenticationIntent(
         context: Context,
-        authRequest: AuthRequest = AuthRequest()
+        state: String? = null,
+        authRequest: AuthRequest = AuthRequest(),
     ): Intent {
-        val loginUrl = generateLoginUrl(authRequest)
+        val loginUrl = generateLoginUrl(authRequest, state)
         val intent: Intent = if (isCustomTabsSupported(context)) {
             buildCustomTabsIntent()
                 .apply {
@@ -122,11 +126,13 @@ class Client {
     /**
      * Start auth activity manually.
      *
-     * @param authRequest Authentication request parameters.
+     * @param context Context.
+     * @param state Optional string that overrides [state] query item of loginURL, which is otherwise a random 10 character string.
+     * @param authRequest Optional [AuthRequest] parameter.
      */
     @JvmOverloads
-    fun launchAuth(context: Context, authRequest: AuthRequest = AuthRequest()) {
-        val loginUrl = generateLoginUrl(authRequest)
+    fun launchAuth(context: Context, state: String?, authRequest: AuthRequest = AuthRequest()) {
+        val loginUrl = generateLoginUrl(authRequest, state)
         if (isCustomTabsSupported(context)) {
             buildCustomTabsIntent().launchUrl(context, loginUrl)
         } else {
@@ -161,13 +167,28 @@ class Client {
         }
     }
 
+    /**
+     * Returns state of current login session.
+     *
+     * @return State of current login session if state is saved, if not returns null.
+     */
+    fun getState(): String? {
+        return stateStorage.getValue(AUTH_STATE_KEY, AuthState::class)?.state
+    }
+
     private fun buildCustomTabsIntent(): CustomTabsIntent {
         return CustomTabsIntent.Builder()
             .build()
     }
 
-    private fun generateLoginUrl(authRequest: AuthRequest): Uri {
-        val loginUrl = urlBuilder.loginUrl(authRequest)
+    /**
+     * Generate login URL.
+     *
+     * @param authRequest Authentication request parameters.
+     * @param state State.
+     */
+    private fun generateLoginUrl(authRequest: AuthRequest, state: String?): Uri {
+        val loginUrl = urlBuilder.loginUrl(authRequest, state)
         Timber.d("Login url: $loginUrl")
         return Uri.parse(loginUrl)
     }
@@ -211,7 +232,7 @@ class Client {
             return
         }
 
-        stateStorage.removeValue(AUTH_STATE_KEY)
+        //stateStorage.removeValue(AUTH_STATE_KEY)
 
         if (error != null) {
             val oauthError = OAuthError(error, errorDescription)
@@ -327,13 +348,13 @@ class Client {
         context: Context,
         supportFragmentManager: FragmentManager,
         isCancelable: Boolean = true
-    ) : Boolean {
+    ): Boolean {
         val internalSessionFound = hasSessionStorage(configuration.clientId)
 
         return if (!internalSessionFound && userHasSessionOnDevice(context.applicationContext)) {
             LoginPromptManager(
                 LoginPromptConfig(
-                    this.getAuthenticationIntent(context),
+                    this.getAuthenticationIntent(context, null),
                     isCancelable
                 )
             ).showLoginPromptIfAbsent(supportFragmentManager)

diff --git a/webflows/src/main/java/com/schibsted/account/webflows/client/UrlBuilder.kt b/webflows/src/main/java/com/schibsted/account/webflows/client/UrlBuilder.kt
@@ -12,14 +12,14 @@ internal class UrlBuilder(
 ) {
     private val defaultScopeValues = setOf("openid", "offline_access")
 
-    fun loginUrl(authRequest: AuthRequest): String {
-        val state = Util.randomString(10)
+    fun loginUrl(authRequest: AuthRequest, state: String? = null): String {
+        val stateValue = state?.let { state } ?: Util.randomString(10)
         val nonce = Util.randomString(10)
         val codeVerifier = Util.randomString(60)
 
         stateStorage.setValue(
             authStateKey,
-            AuthState(state, nonce, codeVerifier, authRequest.mfa)
+            AuthState(stateValue, nonce, codeVerifier, authRequest.mfa)
         )
 
         val scopes = authRequest.extraScopeValues.union(defaultScopeValues)
@@ -30,7 +30,7 @@ internal class UrlBuilder(
             "client_id" to clientConfig.clientId,
             "redirect_uri" to clientConfig.redirectUri,
             "response_type" to "code",
-            "state" to state,
+            "state" to stateValue,
             "scope" to scopeString,
             "nonce" to nonce,
             "code_challenge" to codeChallenge,

diff --git a/webflows/src/test/java/com/schibsted/account/webflows/client/UrlBuilderTest.kt b/webflows/src/test/java/com/schibsted/account/webflows/client/UrlBuilderTest.kt
@@ -58,4 +58,12 @@ class UrlBuilderTest {
         assertNull(queryParams["prompt"])
         assertEquals(MfaType.OTP.value, queryParams["acr_values"])
     }
+
+    @Test
+    fun loginUrlShouldContainCustomStateSpecified() {
+        val loginUrl = getUrlBuilder().loginUrl(AuthRequest(), "customState")
+        val queryParams = Util.parseQueryParameters(URL(loginUrl).query)
+
+        assertEquals("customState", queryParams["state"])
+    }
 }