Merge pull request #80 from authlete/feat/x-fapi-interaction-id

feat: FapiInteractionIdResponseFilter

Author: TakahikoKawasaki

src/main/java/com/authlete/jaxrs/server/decorator/DecoratorPriorities.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2026 Authlete, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the
+ * License.
+ */
+package com.authlete.jaxrs.server.decorator;
+
+
+/**
+ * Filter and interceptor priorities that are used as a parameter of
+ * the {@link jakarta.annotation.Priority Priority} annotation.
+ *
+ * @see jakarta.annotation.Priority
+ * @see jakarta.ws.rs.Priorities
+ */
+public class DecoratorPriorities
+{
+    /*
+     * Priorities for ContainerResponseFilter implementations.
+     *
+     * <p>
+     * The smaller the priority, the later the filter is executed.
+     * </p>
+     */
+    public static final int FAPI_INTERACTION_ID_RESPONSE_FILTER = 40200;
+}

src/main/java/com/authlete/jaxrs/server/decorator/FapiInteractionIdResponseFilter.java

@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2026 Authlete, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the
+ * License.
+ */
+package com.authlete.jaxrs.server.decorator;
+
+
+import java.io.IOException;
+import java.util.UUID;
+import javax.annotation.Priority;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerResponseContext;
+import javax.ws.rs.container.ContainerResponseFilter;
+import javax.ws.rs.ext.Provider;
+import com.authlete.jaxrs.server.http.CustomHttpHeaders;
+import com.authlete.jaxrs.server.http.RequestUtility;
+
+
+/**
+ * A filter to add the {@code x-fapi-interaction-id} HTTP header to the HTTP
+ * response.
+ *
+ * <p>
+ * When the HTTP request contains the {@code x-fapi-interaction-id} HTTP header,
+ * the same value is used. Otherwise, a random UUID is generated and used as the
+ * value of the {@code x-fapi-interaction-id} HTTP header of the HTTP response.
+ * </p>
+ *
+ * @see <a href="https://bitbucket.org/openid/fapi/src/master/FAPI_2_0_Implementation_Advice.md">
+ *      FAPI 2.0 Implementation Advice</a>
+ */
+@Provider
+@Priority(DecoratorPriorities.FAPI_INTERACTION_ID_RESPONSE_FILTER)
+public class FapiInteractionIdResponseFilter implements ContainerResponseFilter
+{
+    @Override
+    public void filter(
+            ContainerRequestContext requestContext,
+            ContainerResponseContext responseContext) throws IOException
+    {
+        // The value of the x-fapi-interaction-id HTTP header in the HTTP request.
+        String interactionId = RequestUtility.extractFapiInteractionId(requestContext);
+
+        // If the request does not contain the x-fapi-interaction-id HTTP header.
+        if (interactionId == null)
+        {
+            // Generate a random x-fapi-interaction-id.
+            interactionId = generateInteractionId();
+        }
+
+        // Add the x-fapi-interaction-id HTTP header to the HTTP response.
+        //
+        // Note that even if the value of the x-fapi-interaction-id HTTP header
+        // in the HTTP request is malformed, the malformed value is used as is.
+        responseContext.getHeaders().add(
+                CustomHttpHeaders.X_FAPI_INTERACTION_ID, interactionId);
+    }
+
+
+    private static final String generateInteractionId()
+    {
+        return UUID.randomUUID().toString();
+    }
+}

src/main/java/com/authlete/jaxrs/server/http/CustomHttpHeaders.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2026 Authlete, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the
+ * License.
+ */
+package com.authlete.jaxrs.server.http;
+
+
+/**
+ * Custom HTTP headers.
+ */
+public class CustomHttpHeaders
+{
+    /**
+     * The FAPI Interaction ID ({@code x-fapi-interaction-id})
+     *
+     * @see <a href="https://openid.net/specs/openid-financial-api-part-1-1_0.html">
+     *      FAPI 1.0 Baseline</a>
+     *
+     * @see <a href="https://bitbucket.org/openid/fapi/src/master/FAPI_2_0_Implementation_Advice.md">
+     *      FAPI 2.0 Implementation Advice</a>
+     */
+    public static final String X_FAPI_INTERACTION_ID = "x-fapi-interaction-id";
+}

src/main/java/com/authlete/jaxrs/server/http/RequestUtility.java

@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2026 Authlete, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the
+ * License.
+ */
+package com.authlete.jaxrs.server.http;
+
+
+import javax.ws.rs.container.ContainerRequestContext;
+
+
+public class RequestUtility
+{
+    /**
+     * Extract the value of the {@code x-fapi-interaction-id} header from the
+     * given {@link ContainerRequestContext} instance.
+     */
+    public static String extractFapiInteractionId(ContainerRequestContext ctx)
+    {
+        return ctx.getHeaderString(CustomHttpHeaders.X_FAPI_INTERACTION_ID);
+    }
+}

src/main/webapp/WEB-INF/web.xml

@@ -69,7 +69,8 @@
         com.authlete.jaxrs.server.api.obb.ConsentsEndpoint,
         com.authlete.jaxrs.server.api.obb.ResourcesEndpoint,
         org.glassfish.jersey.moxy.json.MoxyJsonFeature,
-        org.glassfish.jersey.server.mvc.jsp.JspMvcFeature
+        org.glassfish.jersey.server.mvc.jsp.JspMvcFeature,
+        com.authlete.jaxrs.server.decorator.FapiInteractionIdResponseFilter,
       </param-value>
     </init-param>