From 3e287d859c8b470c0b80f0256864c92a4ba5b431 Mon Sep 17 00:00:00 2001
From: waltkb <68587968+waltkb@users.noreply.github.com>
Date: Tue, 28 Nov 2023 10:03:31 +0100
Subject: [PATCH] Update exceptions and generate encryption/sign key
---
 src/main/kotlin/id/walt/web/Exceptions.kt | 3 ++-
 .../id/walt/web/controllers/AuthController.kt | 17 ++++++++++++-----
 2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/src/main/kotlin/id/walt/web/Exceptions.kt b/src/main/kotlin/id/walt/web/Exceptions.kt
index 2537731..301b2f1 100644
--- a/src/main/kotlin/id/walt/web/Exceptions.kt
+++ b/src/main/kotlin/id/walt/web/Exceptions.kt
@@ -7,9 +7,10 @@ import kotlinx.serialization.SerialName
 sealed class WebException(val status: HttpStatusCode, message: String) : Exception(message)
 class UnauthorizedException(message: String) : WebException(HttpStatusCode.Unauthorized, message)
+class ForbiddenException(message: String) : WebException(HttpStatusCode.Forbidden, message)
 @SerialName("InsufficientPermissions")
 class InsufficientPermissionsException(
 minimumRequired: AccountWalletPermissions,
 current: AccountWalletPermissions,
-) : WebException(HttpStatusCode.Unauthorized, "You do not have enough permissions to access this action. Minimum required permissions: $minimumRequired, your current permissions: $current")
+) : WebException(HttpStatusCode.Forbidden, "You do not have enough permissions to access this action. Minimum required permissions: $minimumRequired, your current permissions: $current")
diff --git a/src/main/kotlin/id/walt/web/controllers/AuthController.kt b/src/main/kotlin/id/walt/web/controllers/AuthController.kt
index 06f18e9..f748078 100644
--- a/src/main/kotlin/id/walt/web/controllers/AuthController.kt
+++ b/src/main/kotlin/id/walt/web/controllers/AuthController.kt
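Review bot: `ForbiddenException` in Exceptions.kt is added without any KDoc, and nothing beside `UnauthorizedException` states when each one applies, which is the mix-up this commit corrects. A short comment on each class would keep later call sites consistent, e.g. `/** Caller is authenticated but not allowed to perform the action (HTTP 403). */` on `ForbiddenException` and `/** No valid session or credentials were presented (HTTP 401). */` on `UnauthorizedException`. Clients that reacted to the 401 from `InsufficientPermissionsException` by forcing a re-login will now receive 403, so the status change is worth a changelog line.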
@@ -6,6 +6,7 @@ import id.walt.db.models.AccountWalletPermissions
 import id.walt.service.WalletServiceManager
 import id.walt.service.account.AccountsService
 import id.walt.utils.RandomUtils
+import id.walt.web.ForbiddenException
 import id.walt.web.InsufficientPermissionsException
 import id.walt.web.UnauthorizedException
 import id.walt.web.WebBaseRoutes.webWalletRoute
@@ -26,6 +27,7 @@ import io.ktor.util.pipeline.*
 import kotlinx.serialization.json.JsonObject
 import kotlinx.serialization.json.JsonPrimitive
 import kotlinx.serialization.json.buildJsonObject
+import kotlinx.uuid.SecureRandom
 import kotlinx.uuid.UUID
 import kotlinx.uuid.toJavaUUID
 import org.jetbrains.exposed.sql.and
@@ -47,12 +49,17 @@ fun generateToken() = RandomUtils.randomBase64UrlString(256)
 data class LoginTokenSession(val token: String) : Principal
+object AuthKeys {
+ private val secureRandom = SecureRandom
+
+ // TODO make statically configurable for HA deployments
+ val encryptionKey = secureRandom.nextBytes(16)
+ val signKey = secureRandom.nextBytes(16)
+}
+
 fun Application.configureSecurity() {
 install(Sessions) {
- val encryptionKey = "uv4phoozeefoom7l".toByteArray()
- val signKey = "faungeenah5aewiL".toByteArray()
-
 cookie("login") {
 //cookie.encoding = CookieEncoding.BASE64_ENCODING
@@ -61,7 +68,7 @@ fun Application.configureSecurity() {
 // TODO cookie.secure = true
 cookie.maxAge = 1.days
 cookie.extensions["SameSite"] = "Strict"
- transform(SessionTransportTransformerEncrypt(encryptionKey, signKey))
+ transform(SessionTransportTransformerEncrypt(AuthKeys.encryptionKey, AuthKeys.signKey))
 }
 }
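Review bot: `AuthKeys` exposes both keys as public `ByteArray` properties on a public object, so any code in the module can read or overwrite the session encryption and signing keys after startup; `internal object AuthKeys`, or passing `encryptionKey.copyOf()` to the transformer, would narrow that. Because the keys are now generated per process, every restart invalidates all outstanding `login` cookies; the TODO covers the HA case, but the restart effect deserves its own line, e.g. `// Generated per process: restarting the service logs every user out.` The literal keys removed in this hunk remain in the repository history, so once keys become configurable they should be treated as compromised and never reused. `kotlinx.uuid.SecureRandom` comes from a UUID library; it appears to wrap the platform CSPRNG, but the guarantee would be explicit if key material were drawn from `java.security.SecureRandom` directly.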
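Review bot: The `login` cookie is still issued without the Secure attribute, because `// TODO cookie.secure = true` stays commented out right above the changed `transform(...)` line. A browser may therefore send the session cookie over plain HTTP, where it can be captured and replayed until `maxAge` expires; encrypting and signing the value does not prevent replay. Enabling `cookie.secure = true` for deployed environments closes that, and if it is disabled only for local HTTP development, that reason should be written next to the TODO. The lines between this hunk and the previous one are not shown, so whether `cookie.httpOnly` is set cannot be confirmed from here; `configureSecurity()` also continues outside this hunk.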
@@ -247,7 +254,7 @@ fun PipelineContext.ensurePermissionsForWallet(required:
 val permissions = transaction {
 (AccountWalletMappings.select { (AccountWalletMappings.account eq userId) and (AccountWalletMappings.wallet eq walletId) }
 .firstOrNull()
- ?: throw UnauthorizedException("This account does not have access to the specified wallet.")
+ ?: throw ForbiddenException("This account does not have access to the specified wallet.")
 )[AccountWalletMappings.permissions]
 }