upgrade libs

jonathanlermitage · Nov 5, 2023 · 68091c6 · 68091c6
1 parent 86a8eaf
commit 68091c6
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 33 deletions.
diff --git a/pom.xml b/pom.xml
@@ -40,33 +40,33 @@
 
         <!-- Override spring-boot-dependencies versions: -->
         <!-- - version provided by spring-boot-dependencies may be a bit old. -->
-        <rest-assured.version>5.3.1</rest-assured.version> <!-- https://github.com/rest-assured/rest-assured/blob/master/changelog.txt -->
+        <rest-assured.version>5.3.2</rest-assured.version> <!-- https://github.com/rest-assured/rest-assured/blob/master/changelog.txt -->
         <!-- - to let versions-maven-plugin handle version. Don't forget to update spring-boot-starter-parent manually! -->
-        <spring-boot.version>3.1.1</spring-boot.version>
+        <spring-boot.version>3.1.5</spring-boot.version>
 
-        <archunit.version>1.0.1</archunit.version> <!-- https://github.com/TNG/ArchUnit/releases -->
-        <datafaker.version>2.0.1</datafaker.version> <!-- https://github.com/datafaker-net/datafaker/tags -->
-        <equalsverifier.version>3.15</equalsverifier.version> <!-- https://github.com/jqno/equalsverifier/blob/main/CHANGELOG.md -->
+        <archunit.version>1.1.0</archunit.version> <!-- https://github.com/TNG/ArchUnit/releases -->
+        <datafaker.version>2.0.2</datafaker.version> <!-- https://github.com/datafaker-net/datafaker/tags -->
+        <equalsverifier.version>3.15.3</equalsverifier.version> <!-- https://github.com/jqno/equalsverifier/blob/main/CHANGELOG.md -->
         <greenmail.version>2.0.0</greenmail.version> <!-- https://github.com/greenmail-mail-test/greenmail/releases -->
-        <guava.version>32.1.1-jre</guava.version> <!-- https://github.com/google/guava/releases -->
+        <guava.version>32.1.3-jre</guava.version> <!-- https://github.com/google/guava/releases -->
         <javax.activation-activation.version>1.1.1</javax.activation-activation.version>
         <jetbrains-annotations.version>24.0.1</jetbrains-annotations.version> <!-- https://github.com/JetBrains/java-annotations/blob/master/CHANGELOG.md -->
-        <jjwt.version>0.11.5</jjwt.version> <!-- https://github.com/jwtk/jjwt/blob/master/CHANGELOG.md -->
-        <json-unit.version>3.0.0</json-unit.version> <!-- https://github.com/lukas-krecan/JsonUnit#release-notes -->
+        <jjwt.version>0.12.3</jjwt.version> <!-- https://github.com/jwtk/jjwt/blob/master/CHANGELOG.md -->
+        <json-unit.version>3.2.2</json-unit.version> <!-- https://github.com/lukas-krecan/JsonUnit#release-notes -->
         <lombok-mapstruct-binding.version>0.2.0</lombok-mapstruct-binding.version>
         <mapstruct.version>1.5.5.Final</mapstruct.version> <!-- https://github.com/mapstruct/mapstruct/releases -->
-        <springdoc.version>2.1.0</springdoc.version> <!-- https://springdoc.org/v2/ -->
+        <springdoc.version>2.2.0</springdoc.version> <!-- https://springdoc.org/v2/ -->
 
         <apt-maven-plugin.version>1.1.3</apt-maven-plugin.version>
         <findbugs-jsr305.version>3.0.2</findbugs-jsr305.version>
         <findsecbugs-plugin.version>1.12.0</findsecbugs-plugin.version>
-        <git-commit-id-maven-plugin.version>6.0.0</git-commit-id-maven-plugin.version>
-        <jacoco-maven-plugin.version>0.8.10</jacoco-maven-plugin.version> <!-- https://www.jacoco.org/jacoco/trunk/doc/changes.html -->
-        <jib-maven-plugin.version>3.3.2</jib-maven-plugin.version> <!-- https://github.com/GoogleContainerTools/jib/blob/master/jib-maven-plugin/CHANGELOG.md -->
+        <git-commit-id-maven-plugin.version>7.0.0</git-commit-id-maven-plugin.version>
+        <jacoco-maven-plugin.version>0.8.11</jacoco-maven-plugin.version> <!-- https://www.jacoco.org/jacoco/trunk/doc/changes.html -->
+        <jib-maven-plugin.version>3.4.0</jib-maven-plugin.version> <!-- https://github.com/GoogleContainerTools/jib/blob/master/jib-maven-plugin/CHANGELOG.md -->
         <oga-maven-plugin.version>1.8.1</oga-maven-plugin.version>
-        <owasp-dependency-check-plugin.version>8.3.1</owasp-dependency-check-plugin.version>
-        <spotbugs-maven-plugin.version>4.7.3.5</spotbugs-maven-plugin.version>
-        <versions-maven-plugin.version>2.16.0</versions-maven-plugin.version> <!-- https://github.com/mojohaus/versions-maven-plugin/releases -->
+        <owasp-dependency-check-plugin.version>8.4.2</owasp-dependency-check-plugin.version>
+        <spotbugs-maven-plugin.version>4.7.3.6</spotbugs-maven-plugin.version>
+        <versions-maven-plugin.version>2.16.1</versions-maven-plugin.version> <!-- https://github.com/mojohaus/versions-maven-plugin/releases -->
     </properties>
 
     <dependencyManagement>

diff --git a/src/main/java/manon/service/app/JwtTokenService.java b/src/main/java/manon/service/app/JwtTokenService.java
@@ -13,6 +13,8 @@ public interface JwtTokenService {
 
     String getUsernameFromToken(String token);
 
+    long getAuthTokenIdFromToken(String token);
+
     <T> T getClaimFromToken(String token, @NotNull Function<Claims, T> claimsResolver);
 
     String generateToken(String username);

diff --git a/src/main/java/manon/service/app/impl/JwtTokenServiceImpl.java b/src/main/java/manon/service/app/impl/JwtTokenServiceImpl.java
@@ -18,7 +18,7 @@
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Service;
 
-import java.security.Key;
+import javax.crypto.SecretKey;
 import java.time.ZonedDateTime;
 import java.util.Collections;
 import java.util.Date;
@@ -32,15 +32,15 @@ public class JwtTokenServiceImpl implements JwtTokenService {
 
     private final Cfg cfg;
     private final String jwtIssuer;
-    private final Key jwtSigningKey;
+    private final SecretKey jwtSigningKey;
     private final JwtParser jwtParser;
     private final AuthTokenService authTokenService;
 
     public JwtTokenServiceImpl(@NotNull Cfg cfg, AuthTokenService authTokenService) {
         this.cfg = cfg;
         this.jwtIssuer = cfg.getSecurityJwtIssuer();
         this.jwtSigningKey = Keys.hmacShaKeyFor(Decoders.BASE64.decode(cfg.getSecurityJwtSigningKeyB64()));
-        this.jwtParser = Jwts.parserBuilder().setSigningKey(jwtSigningKey).build();
+        this.jwtParser = Jwts.parser().verifyWith(jwtSigningKey).build();
         this.authTokenService = authTokenService;
     }
 
@@ -49,7 +49,8 @@ public String getUsernameFromToken(String token) {
         return getClaimFromToken(token, Claims::getSubject);
     }
 
-    private long getAuthTokenIdFromToken(String token) {
+    @Override
+    public long getAuthTokenIdFromToken(String token) {
         return getClaimFromToken(token, claims -> Long.parseLong(claims.get(FIELD_TOKEN_ID).toString()));
     }
 
@@ -60,40 +61,46 @@ public <T> T getClaimFromToken(String token, @NotNull Function<Claims, T> claims
 
     private Claims getAllClaimsFromToken(String token) {
         return jwtParser
-            .parseClaimsJws(token)
-            .getBody();
+            .parseSignedClaims(token)
+            .getPayload();
     }
 
     @Override
     public String generateToken(String username) {
         ZonedDateTime expirationDate = Tools.now().plus(cfg.getSecurityJwtTokenTtl()).atZone(Tools.ZONE_ID);
         return Jwts.builder()
-            .setClaims(Jwts.claims().setSubject(username))
-            .addClaims(Collections.singletonMap(FIELD_TOKEN_ID, authTokenService.create(username, expirationDate.toLocalDateTime()).getId()))
-            .setIssuer(jwtIssuer)
-            .setIssuedAt(Tools.nowAsDate())
-            .setExpiration(Date.from(expirationDate.toInstant()))
+            .claims().subject(username).and()
+            .claims(Collections.singletonMap(FIELD_TOKEN_ID, authTokenService.create(username, expirationDate.toLocalDateTime()).getId()))
+            .issuer(jwtIssuer)
+            .issuedAt(Tools.nowAsDate())
+            .expiration(Date.from(expirationDate.toInstant()))
             .signWith(jwtSigningKey)
             .compact();
     }
 
     @Override
     public boolean validateToken(String token, @NotNull UserDetails userDetails) {
-        String username = userDetails.getUsername();
+        String usernameFromAuth = userDetails.getUsername();
         try {
-            jwtParser.parseClaimsJws(token);
+            jwtParser.parseSignedClaims(token);
             if (!authTokenService.exists(getAuthTokenIdFromToken(token))) {
+                log.info("JWT token does not exist in db for user {}", usernameFromAuth);
+                return false;
+            }
+            String usernameFromToken = getUsernameFromToken(token);
+            if (!getUsernameFromToken(token).equals(usernameFromAuth)) {
+                log.warn("username '{}' from authentication and username '{}' from JWT token does not match", usernameFromAuth, usernameFromToken);
                 return false;
             }
-            return getUsernameFromToken(token).equals(username);
+            return getUsernameFromToken(token).equals(usernameFromAuth);
         } catch (SignatureException | MalformedJwtException e) {
-            log.info("invalid JWT signature for user {}: {}" + username, e.getMessage());
+            log.info("invalid JWT signature for user '{}': {}", usernameFromAuth, e.getMessage());
         } catch (ExpiredJwtException e) {
-            log.info("expired JWT token for user {}: {}" + username, e.getMessage());
+            log.info("expired JWT token for user '{}': {}", usernameFromAuth, e.getMessage());
         } catch (UnsupportedJwtException e) {
-            log.info("unsupported JWT token for user {}: {}" + username, e.getMessage());
+            log.info("unsupported JWT token for user '{}': {}", usernameFromAuth, e.getMessage());
         } catch (IllegalArgumentException e) {
-            log.info("JWT token compact of handler are invalid for user {}: {}" + username, e.getMessage());
+            log.info("JWT token compact of handler are invalid for user '{}': {}", usernameFromAuth, e.getMessage());
         }
         return false;
     }