diff --git a/QLACK-Util/qlack-util-csrf/src/main/java/com/eurodyn/qlack/util/csrf/filter/CustomCookieFilter.java b/QLACK-Util/qlack-util-csrf/src/main/java/com/eurodyn/qlack/util/csrf/filter/CustomCookieFilter.java index 362eeea7..a35545b0 100644 --- a/QLACK-Util/qlack-util-csrf/src/main/java/com/eurodyn/qlack/util/csrf/filter/CustomCookieFilter.java +++ b/QLACK-Util/qlack-util-csrf/src/main/java/com/eurodyn/qlack/util/csrf/filter/CustomCookieFilter.java @@ -5,6 +5,7 @@ import com.eurodyn.qlack.util.csrf.service.TokenService; import com.eurodyn.qlack.util.jwt.config.AppPropertiesUtilJwt; import io.jsonwebtoken.Claims; +import io.jsonwebtoken.JwtException; import io.jsonwebtoken.Jwts; import jakarta.servlet.FilterChain; import jakarta.servlet.ServletException; @@ -64,7 +65,9 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse String clientToken = extractTokenFromCookie(request); boolean invalidToken = invalidToken(clientToken); Date jwtTokenTime = extractTimeFromJwtToken(request, tokenTime); - if (jwtTokenTime.before(new Date(Instant.now().toEpochMilli())) || invalidToken) { + if (Objects.isNull(jwtTokenTime) + || jwtTokenTime.before(new Date(Instant.now().toEpochMilli())) + || invalidToken) { tokenService.removeToken(clientToken); response.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid token"); return; @@ -75,6 +78,11 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse boolean createNewToken = false; synchronized (this) { Date tokenExpirationTime = getTokens.get(clientToken); + if (Objects.isNull(tokenExpirationTime)) { + tokenService.removeToken(clientToken); + response.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid token"); + return; + } long tokenTimeDiffSeconds = (tokenExpirationTime.getTime() - Date.from(Instant.now()).getTime()) / 1000; tokenService.updateToken(clientToken, @@ -115,13 +123,19 @@ private void putNewTokenToCookie(HttpServletResponse response, Date tokenTime) { private Date extractTimeFromJwtToken(HttpServletRequest request, Date tokenTime) { String userAuthorizationHeaderJwt = request.getHeader(AUTHORIZATION); //get remaining time off jwt token - if (Objects.nonNull(userAuthorizationHeaderJwt)) { + if (Objects.nonNull(userAuthorizationHeaderJwt) + && userAuthorizationHeaderJwt.startsWith("Bearer ") + && userAuthorizationHeaderJwt.length() > 7) { String jwt = userAuthorizationHeaderJwt.substring(7); byte[] apiKeySecretBytes2 = appProperties.getJwtSecret().getBytes(); - Claims claims = Jwts.parser() - .setSigningKey(apiKeySecretBytes2) - .parseClaimsJws(jwt).getBody(); - tokenTime = claims.getExpiration(); + try { + Claims claims = Jwts.parser() + .setSigningKey(apiKeySecretBytes2) + .parseClaimsJws(jwt).getBody(); + tokenTime = claims.getExpiration(); + } catch (JwtException | IllegalArgumentException ex) { + return null; + } } return tokenTime; } diff --git a/QLACK-Util/qlack-util-csrf/src/main/java/com/eurodyn/qlack/util/csrf/service/TokenService.java b/QLACK-Util/qlack-util-csrf/src/main/java/com/eurodyn/qlack/util/csrf/service/TokenService.java index 6af14e7c..2c971d34 100644 --- a/QLACK-Util/qlack-util-csrf/src/main/java/com/eurodyn/qlack/util/csrf/service/TokenService.java +++ b/QLACK-Util/qlack-util-csrf/src/main/java/com/eurodyn/qlack/util/csrf/service/TokenService.java @@ -4,25 +4,25 @@ import org.springframework.cache.annotation.Cacheable; import org.springframework.scheduling.annotation.Scheduled; import org.springframework.stereotype.Component; -import org.springframework.util.CollectionUtils; + import java.time.Instant; import java.util.Collections; import java.util.Date; import java.util.HashMap; -import java.util.List; import java.util.Map; +import java.util.concurrent.ConcurrentHashMap; @Component public class TokenService { // Maintain a map to store tokens - private final Map tokenMap = new HashMap<>(); + private final Map tokenMap = new ConcurrentHashMap<>(); /** * This method will retrieve the entire map of tokens without altering it */ @Cacheable(value = "tokenCache", key = "'allTokens'") public Map getCachedTokens() { - return Collections.unmodifiableMap(tokenMap); + return Collections.unmodifiableMap(new HashMap<>(tokenMap)); } /** @@ -48,16 +48,8 @@ public Map removeToken(String key) { */ @Scheduled(cron = "${qlack.util.csrf.cookie-cache-clean-timer}") public void cleanTokens() { - Map getAllTokens = getCachedTokens(); - if (!CollectionUtils.isEmpty(getAllTokens)) { - Date now = new Date(Instant.now().toEpochMilli()); - List removeKeyList = getAllTokens.entrySet().stream() - .filter(entry -> entry.getValue().before(now)) - .map(Map.Entry::getKey).toList(); - if (!CollectionUtils.isEmpty(removeKeyList)) { - removeKeyList.forEach(this::removeToken); - } - } + Date now = new Date(Instant.now().toEpochMilli()); + tokenMap.entrySet().removeIf(entry -> entry.getValue().before(now)); } } diff --git a/pom.xml b/pom.xml index 02b26002..d152ed55 100644 --- a/pom.xml +++ b/pom.xml @@ -80,7 +80,7 @@ 1.18.36 1.6.3 0.6 - 3.5.14 + 3.5.15 1.3.18 5.1.0