Merge pull request #7 from helioauth/feature/rpid-from-application

vstanchev · web-flow · commit 26431b8233bb · 2025-04-28T19:03:44.000+03:00
Read relying party config from application (re-trigger)
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,5 @@
 HELP.md
+TODO.md
 target/
 !.mvn/wrapper/maven-wrapper.jar
 !**/src/main/**/target/
@@ -31,3 +32,4 @@ build/
 
 ### VS Code ###
 .vscode/
+.aider*
diff --git a/docs/openapi/components/schemas/AddApplicationRequest.yaml b/docs/openapi/components/schemas/AddApplicationRequest.yaml
@@ -1,6 +1,9 @@
 type: object
-description: Request to add a new client application. Contains the name of the application.
+description: Request to add a new client application
 properties:
   name:
     type: string
     description: Name of the new application.
+  relyingPartyHostname:
+    type: string
+    description: Hostname of the application, e.g. example.com
diff --git a/docs/openapi/components/schemas/Application.yaml b/docs/openapi/components/schemas/Application.yaml
@@ -16,3 +16,6 @@ properties:
     type: string
     format: date-time
     description: Timestamp when the application was last updated.
+  relyingPartyHostname:
+    type: string
+    description: Hostname of the relying party.
diff --git a/docs/openapi/components/schemas/EditApplicationRequest.yaml b/docs/openapi/components/schemas/EditApplicationRequest.yaml
@@ -0,0 +1,9 @@
+type: object
+description: Represents a request to edit an application.
+properties:
+  name:
+    type: string
+    description: Name of the application.
+  relyingPartyHostname:
+    type: string
+    description: Hostname of the relying party.
diff --git a/docs/openapi/paths/admin_v1_apps_id.yaml b/docs/openapi/paths/admin_v1_apps_id.yaml
@@ -41,7 +41,7 @@ put:
     content:
       application/json:
         schema:
-          type: string
+          $ref: ../components/schemas/EditApplicationRequest.yaml
     required: true
   responses:
     '200':
diff --git a/src/main/java/com/helioauth/passkeys/api/auth/ApplicationApiKeyAuthenticationProvider.java b/src/main/java/com/helioauth/passkeys/api/auth/ApplicationApiKeyAuthenticationProvider.java
@@ -47,8 +47,8 @@ public Authentication authenticate(Authentication authentication) throws Authent
             .orElseThrow(() -> new BadCredentialsException("Invalid api key"));
 
         PreAuthenticatedAuthenticationToken authenticatedToken = new PreAuthenticatedAuthenticationToken(
-            clientApp.getId(),
             clientApp,
+            clientApp.getApiKey(),
             List.of(new SimpleGrantedAuthority("ROLE_APPLICATION"))
         );
         authenticatedToken.setDetails(clientApp);
diff --git a/src/main/java/com/helioauth/passkeys/api/auth/ApplicationIdAuthenticationProvider.java b/src/main/java/com/helioauth/passkeys/api/auth/ApplicationIdAuthenticationProvider.java
@@ -50,8 +50,8 @@ public Authentication authenticate(Authentication authentication) throws Authent
                 .orElseThrow(() -> new BadCredentialsException("Invalid application ID"));
             
             PreAuthenticatedAuthenticationToken authenticatedToken = new PreAuthenticatedAuthenticationToken(
-                clientApp.getId(),
                 clientApp,
+                clientApp.getId(),
                 List.of(new SimpleGrantedAuthority("ROLE_FRONTEND_APPLICATION"))
             );
             authenticatedToken.setDetails(clientApp);
diff --git a/src/main/java/com/helioauth/passkeys/api/config/WebSecurityConfig.java b/src/main/java/com/helioauth/passkeys/api/config/WebSecurityConfig.java
@@ -39,6 +39,7 @@
 import jakarta.servlet.http.HttpServletResponse;
 import java.util.List;
 
+
 /**
  * @author Viktor Stanchev
  */
diff --git a/src/main/java/com/helioauth/passkeys/api/controller/ClientApplicationController.java b/src/main/java/com/helioauth/passkeys/api/controller/ClientApplicationController.java
@@ -20,7 +20,10 @@
 import com.helioauth.passkeys.api.generated.models.AddApplicationRequest;
 import com.helioauth.passkeys.api.generated.models.Application;
 import com.helioauth.passkeys.api.generated.models.ApplicationApiKey;
+import com.helioauth.passkeys.api.generated.models.EditApplicationRequest;
 import com.helioauth.passkeys.api.service.ClientApplicationService;
+
+import jakarta.validation.Valid;
 import lombok.RequiredArgsConstructor;
 import lombok.val;
 import org.springframework.http.ResponseEntity;
@@ -39,9 +42,9 @@
 @RequiredArgsConstructor
 public class ClientApplicationController implements ApplicationsApi {
 
-    private final ClientApplicationService clientApplicationService;
+ private final ClientApplicationService clientApplicationService;
 
-    public ResponseEntity<List<Application>> listAll() {
+ public ResponseEntity<List<Application>> listAll() {
         return ResponseEntity.ok(clientApplicationService.listAll());
     }
 
@@ -58,14 +61,14 @@ public ResponseEntity<ApplicationApiKey> getApiKey(@PathVariable UUID id) {
     }
 
     public ResponseEntity<Application> add(@RequestBody AddApplicationRequest request) {
-        Application created = clientApplicationService.add(request.getName());
+        Application created = clientApplicationService.add(request);
 
         return ResponseEntity.created(URI.create("/admin/v1/apps/" + created.getId()))
             .body(created);
     }
 
-    public ResponseEntity<Application> edit(@PathVariable UUID id, @RequestBody String name) {
-        val updated = clientApplicationService.edit(id, name);
+    public ResponseEntity<Application> edit(@PathVariable UUID id, @RequestBody @Valid EditApplicationRequest request) {
+        val updated = clientApplicationService.edit(id, request);
 
         return updated
             .map(ResponseEntity::ok)
diff --git a/src/main/java/com/helioauth/passkeys/api/controller/CredentialsController.java b/src/main/java/com/helioauth/passkeys/api/controller/CredentialsController.java
@@ -17,6 +17,7 @@
 package com.helioauth.passkeys.api.controller;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
+import com.helioauth.passkeys.api.domain.ClientApplication;
 import com.helioauth.passkeys.api.generated.api.SignInApi;
 import com.helioauth.passkeys.api.generated.api.SignUpApi;
 import com.helioauth.passkeys.api.generated.models.SignInFinishRequest;
@@ -29,11 +30,14 @@
 import com.helioauth.passkeys.api.generated.models.SignUpStartResponse;
 import com.helioauth.passkeys.api.service.UserSignInService;
 import com.helioauth.passkeys.api.service.UserSignupService;
+import com.helioauth.passkeys.api.service.dto.UserSignupStartRequest;
 import com.helioauth.passkeys.api.service.exception.SignInFailedException;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RestController;
@@ -46,16 +50,35 @@
  */
 @Slf4j
 @RestController
-@CrossOrigin(origins = "*")
 @RequiredArgsConstructor
+@CrossOrigin(origins = "*")
 public class CredentialsController implements SignUpApi, SignInApi {
 
     private final UserSignInService userSignInService;
     private final UserSignupService userSignupService;
 
     public ResponseEntity<SignUpStartResponse> postSignupStart(@RequestBody @Valid SignUpStartRequest request) {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        if (authentication == null || !(authentication.getPrincipal() instanceof ClientApplication clientApp)) {
+            log.error("Signup start request received without valid ClientApplication authentication.");
+            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "Client application not authenticated");
+        }
+
+        String rpId = clientApp.getRelyingPartyHostname();
+        String rpName = clientApp.getRelyingPartyName();
+
+        if (rpId == null || rpId.isBlank()) {
+             log.error("Authenticated ClientApplication (ID: {}) is missing a valid relyingPartyHostname.", clientApp.getId());
+             throw new ResponseStatusException(HttpStatus.INTERNAL_SERVER_ERROR, "Client application configuration error: Missing RP hostname");
+        }
+
         return ResponseEntity.ok(
-            userSignupService.startRegistration(request.getName())
+            userSignupService.startRegistration(UserSignupStartRequest.builder()
+                .name(request.getName())
+                .rpId(rpId)
+                .rpName(rpName)
+                .build()
+            )
         );
     }
 
@@ -88,4 +111,4 @@ public ResponseEntity<SignInFinishResponse> finishSignInCredential(@RequestBody
             throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Sign in failed");
         }
     }
-}
+}
diff --git a/src/main/java/com/helioauth/passkeys/api/domain/ClientApplication.java b/src/main/java/com/helioauth/passkeys/api/domain/ClientApplication.java
@@ -63,6 +63,12 @@ public class ClientApplication {
     @Column(name = "api_key", nullable = false)
     private String apiKey;
 
+    @Column(name = "relying_party_name", nullable = true)
+    private String relyingPartyName;
+
+    @Column(name = "relying_party_hostname", nullable = true)
+    private String relyingPartyHostname;
+
     @CreatedDate
     @Temporal(TemporalType.TIMESTAMP)
     @Column(name = "created_at", nullable = false)
diff --git a/src/main/java/com/helioauth/passkeys/api/domain/User.java b/src/main/java/com/helioauth/passkeys/api/domain/User.java
@@ -21,6 +21,8 @@
 import lombok.Getter;
 import lombok.NoArgsConstructor;
 import lombok.Setter;
+import org.springframework.data.annotation.CreatedDate;
+import org.springframework.data.annotation.LastModifiedDate;
 
 import jakarta.persistence.CascadeType;
 import jakarta.persistence.Column;
@@ -32,6 +34,9 @@
 import jakarta.persistence.ManyToOne;
 import jakarta.persistence.OneToMany;
 import jakarta.persistence.Table;
+import jakarta.persistence.Temporal;
+import jakarta.persistence.TemporalType;
+import java.time.Instant;
 import java.util.List;
 import java.util.UUID;
 
@@ -57,10 +62,20 @@ public class User {
     @Column
     private String displayName;
 
+    @CreatedDate
+    @Temporal(TemporalType.TIMESTAMP)
+    @Column(name = "created_at")
+    private Instant createdAt;
+
+    @LastModifiedDate
+    @Temporal(TemporalType.TIMESTAMP)
+    @Column(name = "updated_at")
+    private Instant updatedAt;
+
     @OneToMany(mappedBy = "user", cascade = CascadeType.ALL, orphanRemoval = true)
     private List<UserCredential> userCredentials;
 
     @ManyToOne(targetEntity = ClientApplication.class, fetch = jakarta.persistence.FetchType.LAZY)
-    @JoinColumn(name = "application_id", nullable = true)
+    @JoinColumn(name = "application_id")
     private ClientApplication clientApplication;
 }
diff --git a/src/main/java/com/helioauth/passkeys/api/mapper/ClientApplicationMapper.java b/src/main/java/com/helioauth/passkeys/api/mapper/ClientApplicationMapper.java
@@ -19,8 +19,10 @@
 import com.helioauth.passkeys.api.domain.ClientApplication;
 import com.helioauth.passkeys.api.generated.models.Application;
 import com.helioauth.passkeys.api.generated.models.ApplicationApiKey;
+import com.helioauth.passkeys.api.generated.models.EditApplicationRequest;
 import org.mapstruct.Mapper;
 import org.mapstruct.MappingConstants;
+import org.mapstruct.MappingTarget;
 
 import java.util.List;
 
@@ -33,4 +35,6 @@ public interface ClientApplicationMapper {
     List<Application> toResponse(List<ClientApplication> clientApplication);
 
     ApplicationApiKey toApiKeyResponse(ClientApplication clientApplication);
+
+    void updateClientApplication(@MappingTarget ClientApplication clientApplication, EditApplicationRequest request);
 }
diff --git a/src/main/java/com/helioauth/passkeys/api/service/ClientApplicationService.java b/src/main/java/com/helioauth/passkeys/api/service/ClientApplicationService.java
@@ -18,8 +18,10 @@
 
 import com.helioauth.passkeys.api.domain.ClientApplication;
 import com.helioauth.passkeys.api.domain.ClientApplicationRepository;
+import com.helioauth.passkeys.api.generated.models.AddApplicationRequest;
 import com.helioauth.passkeys.api.generated.models.Application;
 import com.helioauth.passkeys.api.generated.models.ApplicationApiKey;
+import com.helioauth.passkeys.api.generated.models.EditApplicationRequest;
 import com.helioauth.passkeys.api.mapper.ClientApplicationMapper;
 import lombok.RequiredArgsConstructor;
 import org.springframework.stereotype.Service;
@@ -59,22 +61,25 @@ public List<Application> listAll() {
         );
     }
 
-    public Application add(String name) {
-
+    public Application add(AddApplicationRequest request) {
         return clientApplicationMapper.toResponse(
             repository.save(
-                new ClientApplication(name, generateApiKey())
+                ClientApplication.builder()
+                .name(request.getName())
+                .apiKey(generateApiKey())
+                .relyingPartyHostname(request.getRelyingPartyHostname())
+                .build()
             )
         );
     }
 
     @Transactional
-    public Optional<Application> edit(UUID id, String name) {
+    public Optional<Application> edit(UUID id, EditApplicationRequest request) {
         return repository.findById(id)
-                .map(existing -> {
-                    existing.setName(name);
-                    return clientApplicationMapper.toResponse(repository.save(existing));
-                });
+            .map(existing -> {
+                clientApplicationMapper.updateClientApplication(existing, request);
+                return clientApplicationMapper.toResponse(repository.save(existing));
+            });
     }
 
     @Transactional
diff --git a/src/main/java/com/helioauth/passkeys/api/service/UserCredentialManager.java b/src/main/java/com/helioauth/passkeys/api/service/UserCredentialManager.java
@@ -28,6 +28,7 @@
 import com.helioauth.passkeys.api.mapper.RegistrationResponseMapper;
 import com.helioauth.passkeys.api.mapper.UserCredentialMapper;
 import com.helioauth.passkeys.api.service.dto.CredentialRegistrationResult;
+import com.helioauth.passkeys.api.service.dto.RegistrationStartRequest;
 import com.helioauth.passkeys.api.service.exception.CreateCredentialFailedException;
 import com.helioauth.passkeys.api.service.exception.SignUpFailedException;
 import lombok.RequiredArgsConstructor;
@@ -54,7 +55,9 @@ public class UserCredentialManager {
     public SignUpStartResponse createCredential(String name) {
         try {
             return registrationResponseMapper.toSignUpStartResponse(
-                webAuthnAuthenticator.startRegistration(name)
+                webAuthnAuthenticator.startRegistration(
+                    RegistrationStartRequest.withName(name).build()
+                )
             );
         } catch (JsonProcessingException e) {
             log.error("Creating a new credential failed", e);
@@ -86,5 +89,5 @@ public ListPasskeysResponse getUserCredentials(UUID userUuid) {
         List<UserCredential> userCredentials = userCredentialRepository.findAllByUserId(userUuid);
         return new ListPasskeysResponse(userCredentialMapper.toDto(userCredentials));
     }
-    
+
 }
diff --git a/src/main/java/com/helioauth/passkeys/api/service/UserSignInService.java b/src/main/java/com/helioauth/passkeys/api/service/UserSignInService.java
@@ -22,6 +22,7 @@
 import com.helioauth.passkeys.api.generated.models.SignInStartResponse;
 import com.helioauth.passkeys.api.mapper.RegistrationResponseMapper;
 import com.helioauth.passkeys.api.service.dto.CredentialAssertionResult;
+import com.helioauth.passkeys.api.service.dto.RegistrationStartRequest;
 import com.helioauth.passkeys.api.service.exception.SignInFailedException;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
@@ -49,7 +50,9 @@ public class UserSignInService {
     public SignInStartResponse startAssertion(String name) throws JsonProcessingException {
         if (!StringUtils.isBlank(name) && userRepository.findByName(name).isEmpty()) {
             return registrationResponseMapper.toSignInStartResponse(
-                webAuthnAuthenticator.startRegistration(name),
+                webAuthnAuthenticator.startRegistration(
+                    RegistrationStartRequest.withName(name).build()
+                ),
                 false
             );
         }
diff --git a/src/main/java/com/helioauth/passkeys/api/service/UserSignupService.java b/src/main/java/com/helioauth/passkeys/api/service/UserSignupService.java
@@ -26,8 +26,11 @@
 import com.helioauth.passkeys.api.mapper.RegistrationResponseMapper;
 import com.helioauth.passkeys.api.mapper.UserCredentialMapper;
 import com.helioauth.passkeys.api.service.dto.CredentialRegistrationResult;
+import com.helioauth.passkeys.api.service.dto.RegistrationStartRequest;
+import com.helioauth.passkeys.api.service.dto.UserSignupStartRequest;
 import com.helioauth.passkeys.api.service.exception.SignUpFailedException;
 import com.helioauth.passkeys.api.service.exception.UsernameAlreadyRegisteredException;
+import com.yubico.webauthn.data.ByteArray;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Service;
@@ -49,13 +52,30 @@ public class UserSignupService {
     private final UserCredentialMapper userCredentialMapper;
     private final RegistrationResponseMapper registrationResponseMapper;
 
-    public SignUpStartResponse startRegistration(String name) {
+    public SignUpStartResponse startRegistration(UserSignupStartRequest request) {
+        String name = request.getName();
+        String rpId = request.getRpId();
+        String rpName = request.getRpName();
+
+        if (userRepository.findByName(name).isPresent()) {
+            log.warn("Attempted to start registration for already existing username: {}", name);
+            throw new UsernameAlreadyRegisteredException();
+        }
+
         try {
+            ByteArray userId = WebAuthnAuthenticator.generateRandom();
             return registrationResponseMapper.toSignUpStartResponse(
-                webAuthnAuthenticator.startRegistration(name)
+                webAuthnAuthenticator.startRegistration(
+                    RegistrationStartRequest.builder()
+                        .name(name)
+                        .userId(userId)
+                        .rpHostname(rpId)
+                        .rpName(rpName)
+                        .build()
+                )
             );
         } catch (JsonProcessingException e) {
-            log.error("Register Credential failed", e);
+            log.error("Register Credential failed for user '{}' and rpId '{}' with name '{}'", name, rpId, rpName, e);
             throw new SignUpFailedException();
         }
     }
diff --git a/src/main/java/com/helioauth/passkeys/api/service/WebAuthnAuthenticator.java b/src/main/java/com/helioauth/passkeys/api/service/WebAuthnAuthenticator.java
diff --git a/src/main/java/com/helioauth/passkeys/api/service/dto/RegistrationStartRequest.java b/src/main/java/com/helioauth/passkeys/api/service/dto/RegistrationStartRequest.java
diff --git a/src/main/java/com/helioauth/passkeys/api/service/dto/UserSignupStartRequest.java b/src/main/java/com/helioauth/passkeys/api/service/dto/UserSignupStartRequest.java
diff --git a/src/test/java/com/helioauth/passkeys/api/controller/CredentialsControllerTest.java b/src/test/java/com/helioauth/passkeys/api/controller/CredentialsControllerTest.java
diff --git a/src/test/java/com/helioauth/passkeys/api/service/ClientApplicationServiceTest.java b/src/test/java/com/helioauth/passkeys/api/service/ClientApplicationServiceTest.java
diff --git a/src/test/java/com/helioauth/passkeys/api/service/UserCredentialManagerTest.java b/src/test/java/com/helioauth/passkeys/api/service/UserCredentialManagerTest.java
diff --git a/src/test/java/com/helioauth/passkeys/api/service/UserSignupServiceTest.java b/src/test/java/com/helioauth/passkeys/api/service/UserSignupServiceTest.java
diff --git a/src/test/java/com/helioauth/passkeys/api/service/WebAuthnAuthenticatorTest.java b/src/test/java/com/helioauth/passkeys/api/service/WebAuthnAuthenticatorTest.java
