Revert "Fix auth validation (#250)" (#253)

This reverts commit 27243e4.
OWASP · May 20, 2024 · 49adaa1 · 49adaa1
1 parent 27243e4
commit 49adaa1
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 18 deletions.
diff --git a/services/identity/src/main/java/com/crapi/config/JwtAuthTokenFilter.java b/services/identity/src/main/java/com/crapi/config/JwtAuthTokenFilter.java
@@ -76,9 +76,6 @@ protected void doFilterInternal(
           response.sendError(
               HttpServletResponse.SC_UNAUTHORIZED, UserMessage.ACCOUNT_LOCKED_MESSAGE);
         }
-      } else {
-        tokenLogger.error(UserMessage.INVALID_CREDENTIALS);
-        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, UserMessage.INVALID_CREDENTIALS);
       }
     } catch (Exception e) {
       tokenLogger.error("Can NOT set user authentication -> Message:%d", e);
@@ -125,13 +122,10 @@ public String getUserFromToken(HttpServletRequest request) throws ParseException
     String username = null;
     if (token != null) {
       if (apiType == ApiType.APIKEY) {
-        logger.debug("Token is api token");
         username = tokenProvider.getUserNameFromApiToken(token);
       } else {
-        logger.debug("Token is jwt token");
-        if (tokenProvider.validateJwtToken(token)) {
-          username = tokenProvider.getUserNameFromJwtToken(token);
-        }
+        tokenProvider.validateJwtToken(token);
+        username = tokenProvider.getUserNameFromJwtToken(token);
       }
       // checking username from token
       if (username != null) return username;

diff --git a/services/identity/src/main/java/com/crapi/config/JwtProvider.java b/services/identity/src/main/java/com/crapi/config/JwtProvider.java
@@ -175,26 +175,25 @@ public boolean validateJwtToken(String authToken) {
       SignedJWT signedJWT = SignedJWT.parse(authToken);
       JWSHeader header = signedJWT.getHeader();
       Algorithm alg = header.getAlgorithm();
-      boolean valid = false;
+
       // JWT Algorithm confusion vulnerability
-      logger.debug("Algorithm: " + alg.getName());
-      JWSVerifier verifier;
+      logger.info("Algorithm: " + alg.getName());
       if (Objects.equals(alg.getName(), "HS256")) {
         String secret = getJwtSecret(header);
-        logger.debug("JWT Secret: " + secret);
-        verifier = new MACVerifier(secret.getBytes(StandardCharsets.UTF_8));
+        logger.info("JWT Secret: " + secret);
+        JWSVerifier verifier = new MACVerifier(secret.getBytes(StandardCharsets.UTF_8));
+        return signedJWT.verify(verifier);
       } else {
         RSAKey verificationKey = getKeyFromJkuHeader(header);
+        JWSVerifier verifier;
         if (verificationKey == null) {
-          logger.debug("Key from JWKS: " + this.publicRSAKey.toJSONString());
           verifier = new RSASSAVerifier(this.publicRSAKey);
         } else {
-          logger.debug("Key from JKU: " + verificationKey.toJSONString());
+          logger.info("Key from JKU: " + verificationKey.toJSONString());
           verifier = new RSASSAVerifier(verificationKey);
         }
-        valid = signedJWT.verify(verifier);
-        logger.info("JWT valid?: " + valid);
-        return valid;
+
+        return signedJWT.verify(verifier);
       }
 
     } catch (ParseException e) {