AccessTokenAsParameterFilter.java

/*
 * Copyright 2023 Global Crop Diversity Trust
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.genesys.server.servlet.filter;

import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

import org.genesys.blocks.tokenauth.spring.ApiTokenAuthenticationFilter;
import org.genesys.util.UrlUtils;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.filter.OncePerRequestFilter;

import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Converts the API _access_token request parameter OR cookie to the "Authorization" HTTP request header if provided.
 *
 * @author Maxym Borodenko
 * @author Matija Obreza
 */
public class AccessTokenAsParameterFilter extends OncePerRequestFilter {

	public static final Logger LOG = LoggerFactory.getLogger(AccessTokenAsParameterFilter.class);

	private static final String ACCESS_TOKEN_PARAM_NAME = "_access_token";
	private static final String API_TOKEN_PARAM_NAME = "_api_token";

	@Value("${base.url}")
	private String baseUrl;

	@Override
	public void afterPropertiesSet() throws ServletException {
		
	}

	@Override
	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {

		String authorizationHeader = request.getHeader("Authorization");
		String accessToken = null;
		
		// Check if _api_token is present
		if (authorizationHeader == null) {
			String apiToken = StringUtils.defaultIfBlank(request.getParameter(API_TOKEN_PARAM_NAME), null);
			if (apiToken != null) {
				LOG.info("Applying API token as request parameter {}", API_TOKEN_PARAM_NAME);
				request = new CustomHeadersRequest(request);
				((CustomHeadersRequest) request).addHeader("Authorization", ApiTokenAuthenticationFilter.AUTHORIZATION_TYPE + " " + apiToken);
				filterChain.doFilter(request, response);
				return;
			}
		}

		// 1. Check if _access_token is present
		if (authorizationHeader == null) {
			// if (request.getQueryString().contains(ACCESS_TOKEN_PARAM_NAME.concat("="))) {
			// 	throw new InvalidApiUsageException(ACCESS_TOKEN_PARAM_NAME + " can only be used as a form parameter");
			// }
			accessToken = StringUtils.defaultIfBlank(request.getParameter(ACCESS_TOKEN_PARAM_NAME), null);
			if (accessToken != null) {
				LOG.info("Found access token as request parameter {}", ACCESS_TOKEN_PARAM_NAME);
			}
		}

		// 3. Apply form or cookie token using CustomHeadersRequest only if Authorization header is missing
		if (authorizationHeader == null && StringUtils.isNotBlank(accessToken)) {
			LOG.debug("Applying access token from parameters");
			request = new CustomHeadersRequest(request);
			((CustomHeadersRequest) request).addHeader("Authorization", "Bearer " + accessToken);
		}

		filterChain.doFilter(request, response);
	}

	static class CustomHeadersRequest extends HttpServletRequestWrapper {
		private Map<String, String> customHeaders = new HashMap<>();

		public CustomHeadersRequest(HttpServletRequest request) {
			super(request);
		}

		public void addHeader(String name, String value) {
			customHeaders.put(name, value);
		}

		@Override
		public String getHeader(String name) {
			if (customHeaders.containsKey(name)) {
				return customHeaders.get(name);
			}
			return super.getHeader(name);
		}

		@Override
		public Enumeration<String> getHeaderNames() {
			List<String> names = Collections.list(super.getHeaderNames());
			names.addAll(customHeaders.keySet());
			return Collections.enumeration(names);
		}

		@Override
		public Enumeration<String> getHeaders(String name) {
			List<String> values = Collections.list(super.getHeaders(name));
			if (customHeaders.containsKey(name)) {
				values.add(customHeaders.get(name));
			}
			return Collections.enumeration(values);
		}
	}
}
Created with JaCoCo 0.8.12.202403310830