Klargjør for innlogging og brukersesjon (hardkodet)

Author: Sigurdomnes

backend/pom.xml

@@ -26,6 +26,8 @@
         <exposed.version>0.44.0</exposed.version>
         <logback.version>1.5.0</logback.version>
         <kotlin-logging.version>3.0.5</kotlin-logging.version>
+        <jose.version>9.31</jose.version>
+        <bcrypt.version>0.10.2</bcrypt.version>
 
         <!-- ===================== -->
         <!-- Dev dependencies      -->
@@ -53,9 +55,15 @@
         </dependency>
 
         <dependency>
-            <groupId>org.slf4j</groupId>
-            <artifactId>slf4j-api</artifactId>
-            <version>${slf4j-api.version}</version>
+            <groupId>at.favre.lib</groupId>
+            <artifactId>bcrypt</artifactId>
+            <version>${bcrypt.version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.nimbusds</groupId>
+            <artifactId>nimbus-jose-jwt</artifactId>
+            <version>${jose.version}</version>
         </dependency>
 
         <dependency>

backend/src/main/kotlin/no/nais/cloud/testnais/sandbox/bachelorurlforkorter/UrlForkorterApi.kt

@@ -1,5 +1,7 @@
 package no.nais.cloud.testnais.sandbox.bachelorurlforkorter
 
+import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper
+import com.fasterxml.jackson.module.kotlin.registerKotlinModule
 import io.javalin.Javalin
 import io.javalin.apibuilder.ApiBuilder.get
 import io.javalin.apibuilder.ApiBuilder.path
@@ -9,8 +11,11 @@ import io.javalin.http.HttpResponseException
 import io.javalin.http.HttpStatus
 import io.javalin.http.UnauthorizedResponse
 import io.javalin.http.staticfiles.Location
+import io.javalin.json.JavalinJackson
 import io.javalin.security.RouteRole
 import mu.KotlinLogging
+import no.nais.cloud.testnais.sandbox.bachelorurlforkorter.auth.Auth
+import no.nais.cloud.testnais.sandbox.bachelorurlforkorter.auth.Auth.validateJwtToken
 import no.nais.cloud.testnais.sandbox.bachelorurlforkorter.common.config.*
 import no.nais.cloud.testnais.sandbox.bachelorurlforkorter.common.db.DatabaseInit
 import org.slf4j.MDC
@@ -25,13 +30,17 @@ fun main() {
 
 fun startAppServer(config: Config) {
     val app = Javalin.create { javalinConfig ->
+        javalinConfig.jsonMapper(JavalinJackson(jacksonObjectMapper().registerKotlinModule()))
         javalinConfig.staticFiles.add("/public", Location.CLASSPATH)
         javalinConfig.router.apiBuilder {
             path("api") {
                 post("sjekk", UrlForkorterController::sjekk, Rolle.Alle)
-                post("forkort", UrlForkorterController::forkort, Rolle.Alle)
+                post("forkort", UrlForkorterController::forkort, Rolle.InternNavInnlogget)
                 post("slett", UrlForkorterController::slett, Rolle.Alle)
                 get("hentalle", UrlForkorterController::hentAlleMedMetadata, Rolle.Alle)
+                post("logginn", Auth::loggInn, Rolle.Alle)
+                get("bruker", Auth::hentInnloggetBruker, Rolle.Alle)
+                post("loggut", Auth::loggUt, Rolle.Alle)
             }
             get("{korturl}") { ctx ->
                 if (ctx.pathParam("korturl") == "index.html") {
@@ -70,7 +79,7 @@ fun startAppServer(config: Config) {
 
     app.beforeMatched { ctx ->
         if (ctx.path().startsWith("/api/")) {
-            checkAccessToEndpoint(ctx, config)
+            checkAccessToEndpoint(ctx)
         }
     }
 
@@ -97,20 +106,21 @@ enum class Rolle : RouteRole {
     AdminNavInnlogget
 }
 
-private fun checkAccessToEndpoint(ctx: Context, config: Config) {
+private fun checkAccessToEndpoint(ctx: Context) {
     when {
         ctx.routeRoles().isEmpty() -> {
             logger.error { "Manglende tilgangsstyring på endepunkt ${ctx.path()}" }
             throw UnauthorizedResponse()
         }
 
-        ctx.routeRoles().contains(Rolle.InternNavInnlogget) -> {
-            val isValidUsername = config.authConfig.basicAuthUsername == ctx.basicAuthCredentials()?.username
-            val isValidPassword = config.authConfig.basicAuthPassword.value == ctx.basicAuthCredentials()?.password
+        ctx.routeRoles().contains(Rolle.InternNavInnlogget) || ctx.routeRoles().contains(Rolle.AdminNavInnlogget) -> {
+            val (username, role) = validateJwtToken(ctx)
+                ?: throw UnauthorizedResponse("Invalid or expired token")
 
-            if (!isValidUsername || !isValidPassword) {
-                logger.error { "Feil ved autentisering av innlogget bruker" }
-                throw UnauthorizedResponse()
+            ctx.attribute("username", username)
+
+            if (!ctx.routeRoles().contains(role)) {
+                throw UnauthorizedResponse("Manglende autorisasjon på endepunkt")
             }
         }
 

backend/src/main/kotlin/no/nais/cloud/testnais/sandbox/bachelorurlforkorter/auth/Auth.kt

@@ -0,0 +1,124 @@
+package no.nais.cloud.testnais.sandbox.bachelorurlforkorter.auth
+
+import com.fasterxml.jackson.annotation.JsonCreator
+import com.fasterxml.jackson.annotation.JsonProperty
+import com.nimbusds.jose.JWSAlgorithm
+import com.nimbusds.jose.JWSHeader
+import com.nimbusds.jose.JWSVerifier
+import com.nimbusds.jose.crypto.MACSigner
+import com.nimbusds.jose.crypto.MACVerifier
+import com.nimbusds.jwt.JWTClaimsSet
+import com.nimbusds.jwt.SignedJWT
+import io.javalin.http.Context
+import io.javalin.http.UnauthorizedResponse
+import jakarta.servlet.http.Cookie
+import mu.KotlinLogging
+import no.nais.cloud.testnais.sandbox.bachelorurlforkorter.Rolle
+import java.net.URLDecoder
+import java.net.URLEncoder
+import java.nio.charset.StandardCharsets
+import java.util.Date
+
+data class LoginRequest @JsonCreator constructor(
+    @JsonProperty("username") val username: String,
+    @JsonProperty("password") val password: String
+)
+
+private val logger = KotlinLogging.logger {}
+
+object Auth {
+
+    private const val SECRET_KEY = "U29tZXN1cGVyc2VjdXJlcGFzc3BocmFzZQ==\n"
+    private const val TOKEN_EXPIRATION_TIME = 1000 * 60 * 60
+
+    fun loggInn(ctx: Context) {
+        val loginRequest = ctx.bodyAsClass(LoginRequest::class.java)
+        val user = UserRepository.findByUsername(loginRequest.username)
+            ?: throw UnauthorizedResponse("Invalid credentials")
+
+        if (!verifyPassword(loginRequest.password, user.hashedPassword)) {
+            throw UnauthorizedResponse("Invalid credentials")
+        }
+
+        val token = createJwtToken(user)
+
+        val encodedToken = URLEncoder.encode(token, StandardCharsets.UTF_8.toString())
+
+        ctx.header("Set-Cookie",
+            "session_token=$encodedToken; Path=/; Max-Age=${TOKEN_EXPIRATION_TIME / 3600}; Secure; HttpOnly; SameSite=Strict"
+        )
+
+        logger.info("Innlogging suksessfull for: {}", loginRequest.username)
+
+        ctx.status(204)
+    }
+
+    fun hentInnloggetBruker(ctx: Context): Context {
+        val token = ctx.cookie("session_token") ?: return ctx.status(401)
+
+        val decodedToken = URLDecoder.decode(token, StandardCharsets.UTF_8.toString())
+        val signedJWT = SignedJWT.parse(decodedToken)
+
+        val expiration = signedJWT.jwtClaimsSet.expirationTime
+        if (expiration.before(Date())) {
+            return ctx.status(401)
+        }
+
+        val username = signedJWT.jwtClaimsSet.subject
+        return ctx.status(200).json(mapOf("username" to username))
+    }
+
+
+    fun loggUt(ctx: Context) {
+        ctx.removeCookie("session_token")
+        ctx.status(204)
+    }
+
+
+    fun createJwtToken(user: User): String {
+        val signer = MACSigner(SECRET_KEY.toByteArray()) // HMAC signer
+
+        val jwtClaims = JWTClaimsSet.Builder()
+            .subject(user.username)
+            .claim("role", user.role.name)
+            .issueTime(Date())
+            .expirationTime(Date(System.currentTimeMillis() + TOKEN_EXPIRATION_TIME))
+            .issuer("n.av")
+            .build()
+
+        val signedJWT = SignedJWT(JWSHeader(JWSAlgorithm.HS256), jwtClaims)
+        signedJWT.sign(signer)
+
+        return signedJWT.serialize()
+    }
+
+    fun validateJwtToken(ctx: Context): Pair<String, Rolle>? {
+        val token = ctx.cookie("session_token")?.let {
+            URLDecoder.decode(it, StandardCharsets.UTF_8.toString())
+        } ?: return null
+
+        return try {
+            val signedJWT = SignedJWT.parse(token)
+            val verifier: JWSVerifier = MACVerifier(SECRET_KEY.toByteArray())
+
+            if (!signedJWT.verify(verifier)) {
+                return null // Invalid signature
+            }
+
+            val expiration = signedJWT.jwtClaimsSet.expirationTime
+            if (expiration.before(Date())) {
+                return null // Token expired
+            }
+
+            val username = signedJWT.jwtClaimsSet.subject
+            val roleName = signedJWT.jwtClaimsSet.getStringClaim("role")
+            val role = Rolle.valueOf(roleName)
+
+            Pair(username, role)
+        } catch (e: Exception) {
+            logger.warn("Feil ved validering av session token: {}", e.message)
+            null // Invalid token
+        }
+    }
+
+}

backend/src/main/kotlin/no/nais/cloud/testnais/sandbox/bachelorurlforkorter/auth/PasswordUtils.kt

@@ -0,0 +1,12 @@
+package no.nais.cloud.testnais.sandbox.bachelorurlforkorter.auth
+
+import at.favre.lib.crypto.bcrypt.BCrypt
+
+fun hashPassword(password: String): String {
+    return BCrypt.withDefaults().hashToString(12, password.toCharArray()) // 12 rounds for security
+}
+
+fun verifyPassword(inputPassword: String, storedHashedPassword: String?): Boolean {
+    if (storedHashedPassword == null) return false
+    return BCrypt.verifyer().verify(inputPassword.toCharArray(), storedHashedPassword).verified
+}

backend/src/main/kotlin/no/nais/cloud/testnais/sandbox/bachelorurlforkorter/auth/UserRepository.kt

@@ -0,0 +1,41 @@
+package no.nais.cloud.testnais.sandbox.bachelorurlforkorter.auth
+
+import no.nais.cloud.testnais.sandbox.bachelorurlforkorter.Rolle
+import java.util.concurrent.ConcurrentHashMap
+
+data class User(
+    val id: String,
+    val username: String,
+    val hashedPassword: String?,
+    val externalId: String?,
+    val role: Rolle
+)
+
+
+object UserRepository {
+    private val users = ConcurrentHashMap<String, User>()
+
+    init {
+        val hashedPassword = hashPassword("passord123")
+        users["admin"] = User(
+            id = "1",
+            username = "testadmin",
+            hashedPassword = hashedPassword,
+            externalId = null,
+            role = Rolle.AdminNavInnlogget
+        )
+        users["bruker"] = User(
+            id = "1",
+            username = "testbruker",
+            hashedPassword = hashedPassword,
+            externalId = null,
+            role = Rolle.InternNavInnlogget
+        )
+    }
+
+    fun findByUsername(username: String): User? = users[username]
+
+    fun save(user: User) {
+        users[user.username] = user
+    }
+}

frontend/index.html

@@ -4,7 +4,7 @@
     <meta charset="UTF-8" />
     <link rel="icon" type="image/svg+xml" href="favicon.png" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <title>url-forkorter</title>
+    <title>n.av</title>
   </head>
   <body>
     <div id="root"></div>

frontend/src/App.css

@@ -1,9 +1,12 @@
 :root {
-    margin: 0;
-    padding: 0;
-    h1,h2,h3,h4,h5,h6 {
+    * {
         padding: 0;
         margin: 0;
+        box-sizing: border-box;
+    }
+    html,body {
+        width: 100%;
+        max-width: 100%;
     }
     box-sizing: border-box;
     --theme-color: #535bf2;

frontend/src/App.tsx

@@ -1,15 +1,28 @@
-import {BrowserRouter, Route, Routes} from "react-router-dom";
+import {BrowserRouter, Navigate, Route, Routes} from "react-router-dom";
 import LandingPage from "./pages/LandingPage.tsx"
 import "./App.css"
+import Header from "./components/Header/Header.tsx";
+import {useAuth} from "./util/hooks/useAuth.ts";
+import {ReactNode} from "react";
 
 export default function App() {
 
     return (
         <BrowserRouter>
+            <Header/>
             <Routes>
                 <Route path={"/"} element={<LandingPage/>}/>
-                <Route path={"/user/:id"} element={<div></div>}></Route>
+                <Route path={"/user/:id"} element={
+                    <ProtectedRoute>
+                        <div></div>
+                    </ProtectedRoute>
+                }></Route>
             </Routes>
         </BrowserRouter>
     )
+}
+
+function ProtectedRoute({children}: { children: ReactNode }) {
+    const {isLoggedIn} = useAuth();
+    return isLoggedIn ? children : <Navigate to="/"/>;
 }

frontend/src/components/Header/Header.tsx

@@ -0,0 +1,30 @@
+import {DisplayUser, HeaderContainer, LogoText} from "./header.style.ts";
+import Button from "../shared/Button/Button.tsx";
+import Modal from "../shared/Modal/Modal.tsx";
+import {useState} from "react";
+import LoginForm from "../LoginForm/LoginForm.tsx";
+import {useAuth} from "../../util/hooks/useAuth.ts";
+
+export default function Header() {
+    const [showLogin, setShowLogin] = useState(false);
+    const {isLoggedIn, user, logout} = useAuth();
+
+    return (
+        <HeaderContainer>
+            <LogoText>n.av</LogoText>
+            {isLoggedIn ? (
+                <div style={{display: "flex", alignItems: "center"}}>
+                    <DisplayUser>Velkommen, {user}!</DisplayUser>
+                    <Button text="Logg ut" onClick={logout}/>
+                </div>
+            ) : (
+                <>
+                    <Button text="Logg inn" onClick={() => setShowLogin(true)}/>
+                    <Modal showModal={showLogin} setShowModal={setShowLogin}>
+                        <LoginForm onLogin={() => setShowLogin(false)}/>
+                    </Modal>
+                </>
+            )}
+        </HeaderContainer>
+    )
+}

frontend/src/components/Header/header.style.ts

@@ -0,0 +1,19 @@
+import styled from "styled-components";
+
+export const HeaderContainer = styled.header`
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    padding: 10px 20px;
+    width: 100%;
+    background: #f8f9fa;
+`;
+
+export const LogoText = styled.h1`
+    color: var(--theme-color);
+    font-size: 32px;
+`
+
+export const DisplayUser = styled.p`
+    margin: 0 15px;
+`