Update exceptions and generate encryption/sign key

walt-id · Nov 28, 2023 · 3e287d8 · 3e287d8
1 parent c612464
commit 3e287d8
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 6 deletions.
diff --git a/src/main/kotlin/id/walt/web/Exceptions.kt b/src/main/kotlin/id/walt/web/Exceptions.kt
@@ -7,9 +7,10 @@ import kotlinx.serialization.SerialName
 sealed class WebException(val status: HttpStatusCode, message: String) : Exception(message)
 
 class UnauthorizedException(message: String) : WebException(HttpStatusCode.Unauthorized, message)
+class ForbiddenException(message: String) : WebException(HttpStatusCode.Forbidden, message)
 
 @SerialName("InsufficientPermissions")
 class InsufficientPermissionsException(
     minimumRequired: AccountWalletPermissions,
     current: AccountWalletPermissions,
-) : WebException(HttpStatusCode.Unauthorized, "You do not have enough permissions to access this action. Minimum required permissions: $minimumRequired, your current permissions: $current")
+) : WebException(HttpStatusCode.Forbidden, "You do not have enough permissions to access this action. Minimum required permissions: $minimumRequired, your current permissions: $current")
diff --git a/src/main/kotlin/id/walt/web/controllers/AuthController.kt b/src/main/kotlin/id/walt/web/controllers/AuthController.kt
@@ -6,6 +6,7 @@ import id.walt.db.models.AccountWalletPermissions
 import id.walt.service.WalletServiceManager
 import id.walt.service.account.AccountsService
 import id.walt.utils.RandomUtils
+import id.walt.web.ForbiddenException
 import id.walt.web.InsufficientPermissionsException
 import id.walt.web.UnauthorizedException
 import id.walt.web.WebBaseRoutes.webWalletRoute
@@ -26,6 +27,7 @@ import io.ktor.util.pipeline.*
 import kotlinx.serialization.json.JsonObject
 import kotlinx.serialization.json.JsonPrimitive
 import kotlinx.serialization.json.buildJsonObject
+import kotlinx.uuid.SecureRandom
 import kotlinx.uuid.UUID
 import kotlinx.uuid.toJavaUUID
 import org.jetbrains.exposed.sql.and
@@ -47,12 +49,17 @@ fun generateToken() = RandomUtils.randomBase64UrlString(256)
 
 data class LoginTokenSession(val token: String) : Principal
 
+object AuthKeys {
+    private val secureRandom = SecureRandom
+
+    // TODO make statically configurable for HA deployments
+    val encryptionKey = secureRandom.nextBytes(16)
+    val signKey = secureRandom.nextBytes(16)
+}
+
 fun Application.configureSecurity() {
 
     install(Sessions) {
-        val encryptionKey = "uv4phoozeefoom7l".toByteArray()
-        val signKey = "faungeenah5aewiL".toByteArray()
-
         cookie<LoginTokenSession>("login") {
             //cookie.encoding = CookieEncoding.BASE64_ENCODING
 
@@ -61,7 +68,7 @@ fun Application.configureSecurity() {
             // TODO cookie.secure = true
             cookie.maxAge = 1.days
             cookie.extensions["SameSite"] = "Strict"
-            transform(SessionTransportTransformerEncrypt(encryptionKey, signKey))
+            transform(SessionTransportTransformerEncrypt(AuthKeys.encryptionKey, AuthKeys.signKey))
         }
     }
 
@@ -247,7 +254,7 @@ fun PipelineContext<Unit, ApplicationCall>.ensurePermissionsForWallet(required:
     val permissions = transaction {
         (AccountWalletMappings.select { (AccountWalletMappings.account eq userId) and (AccountWalletMappings.wallet eq walletId) }
             .firstOrNull()
-            ?: throw UnauthorizedException("This account does not have access to the specified wallet.")
+            ?: throw ForbiddenException("This account does not have access to the specified wallet.")
                 )[AccountWalletMappings.permissions]
     }