make sure that token validation is being done

davidblasby · Mar 26, 2024 · 4fe7ce6 · 4fe7ce6
1 parent 8571521
commit 4fe7ce6
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/core/src/main/java/org/fao/geonet/kernel/security/jwtheaders/JwtHeadersTrivialUser.java b/core/src/main/java/org/fao/geonet/kernel/security/jwtheaders/JwtHeadersTrivialUser.java
@@ -28,10 +28,12 @@
 import org.fao.geonet.utils.Log;
 import org.geoserver.security.jwtheaders.JwtConfiguration;
 import org.geoserver.security.jwtheaders.roles.JwtHeadersRolesExtractor;
+import org.geoserver.security.jwtheaders.token.TokenValidator;
 import org.geoserver.security.jwtheaders.username.JwtHeaderUserNameExtractor;
 import org.springframework.util.StringUtils;
 
 import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashMap;
@@ -62,7 +64,7 @@ public JwtHeadersTrivialUser(String userName) {
         profileGroups = new HashMap<>();
     }
 
-    public static JwtHeadersTrivialUser create(JwtConfiguration config, HttpServletRequest request) {
+    public static JwtHeadersTrivialUser create(JwtConfiguration config, HttpServletRequest request) throws IOException {
         if (request == null || config == null || config.getUserNameHeaderAttributeName() == null) {
             Log.debug(Geonet.SECURITY, "JwtHeadersUser.create called with null args!");
             return null; // nothing to do
@@ -81,6 +83,14 @@ public static JwtHeadersTrivialUser create(JwtConfiguration config, HttpServletR
             return null; // no username
         }
 
+        var tokenValidator = new TokenValidator(config);
+        try {
+            tokenValidator.validate(userNameHeader);
+        }
+        catch (Exception e) {
+            throw new IOException("JWT Token is invalid",e);
+        }
+
         //get roles from the headers (pay attention to config)
         var result = new JwtHeadersTrivialUser(userName);
         handleRoles(result, config, request);

diff --git a/core/src/test/java/org/fao/geonet/kernel/security/jwtheaders/JwtHeadersTrivialUserTest.java b/core/src/test/java/org/fao/geonet/kernel/security/jwtheaders/JwtHeadersTrivialUserTest.java
@@ -202,7 +202,7 @@ public void testHandleRolesJWT() {
      * this is dependent on the above methods, so this is just a quick test
      */
     @Test
-    public void testCreate() {
+    public void testCreate() throws Exception {
         var config = JwtHeadersIntegrationTest.getBasicConfigJWT();
         var request = new MockHttpServletRequest();
         request.addHeader("TOKEN", JwtHeadersIntegrationTest.JWT);