Add jwt_fetch_api_key support

Fixes #308

Co-authored-by: maximilian <maxmilian@audriga.com>

Author: jamesnetherton

pom.xml

@@ -19,6 +19,7 @@
         <!-- Project dependency versions -->
         <httpcomponents.version>5.6</httpcomponents.version>
         <jackson.version>2.21.1</jackson.version>
+        <nimbus.jose.jwt.version>10.8</nimbus.jose.jwt.version>
 
         <!-- Project test dependency versions -->
         <awaitility.version>4.3.0</awaitility.version>
@@ -96,6 +97,11 @@
             <artifactId>httpclient5</artifactId>
             <version>${httpcomponents.version}</version>
         </dependency>
+        <dependency>
+            <groupId>com.nimbusds</groupId>
+            <artifactId>nimbus-jose-jwt</artifactId>
+            <version>${nimbus.jose.jwt.version}</version>
+        </dependency>
 
         <dependency>
             <groupId>org.junit.jupiter</groupId>

src/main/java/com/github/jamesnetherton/zulip/client/api/server/ServerService.java

@@ -17,6 +17,7 @@
 import com.github.jamesnetherton.zulip.client.api.server.request.GetLinkifiersApiRequest;
 import com.github.jamesnetherton.zulip.client.api.server.request.GetProfileFieldsApiRequest;
 import com.github.jamesnetherton.zulip.client.api.server.request.GetServerSettingsApiRequest;
+import com.github.jamesnetherton.zulip.client.api.server.request.JwtFetchApiKeyApiRequest;
 import com.github.jamesnetherton.zulip.client.api.server.request.RegisterE2EMobilePushDevice;
 import com.github.jamesnetherton.zulip.client.api.server.request.RemoveApnsDeviceTokenApiRequest;
 import com.github.jamesnetherton.zulip.client.api.server.request.RemoveCodePlaygroundApiRequest;
@@ -219,6 +220,18 @@ public GetApiKeyApiRequest getApiKey(String username, String password) {
         return new GetApiKeyApiRequest(this.client, username, password);
     }
 
+    /**
+     * Fetches a Zulip API key using a JWT token.
+     *
+     * @see          <a href="https://zulip.com/api/jwt-fetch-api-key">https://zulip.com/api/jwt-fetch-api-key</a>
+     *
+     * @param  token The JWT token
+     * @return       The {@link JwtFetchApiKeyApiRequest} builder object
+     */
+    public JwtFetchApiKeyApiRequest jwtFetchApiKey(String token) {
+        return new JwtFetchApiKeyApiRequest(this.client, token);
+    }
+
     /**
      * Adds a code playground.
      *

src/main/java/com/github/jamesnetherton/zulip/client/api/server/request/JwtFetchApiKeyApiRequest.java

@@ -0,0 +1,55 @@
+package com.github.jamesnetherton.zulip.client.api.server.request;
+
+import static com.github.jamesnetherton.zulip.client.api.server.request.ServerRequestConstants.JWT_FETCH_API_KEY;
+
+import com.github.jamesnetherton.zulip.client.api.core.ExecutableApiRequest;
+import com.github.jamesnetherton.zulip.client.api.core.ZulipApiRequest;
+import com.github.jamesnetherton.zulip.client.api.server.response.JwtFetchApiKeyResponse;
+import com.github.jamesnetherton.zulip.client.exception.ZulipClientException;
+import com.github.jamesnetherton.zulip.client.http.ZulipHttpClient;
+
+/**
+ * Zulip API request builder for fetching an API key using a JWT token.
+ *
+ * @see <a href=
+ *      "https://zulip.com/api/jwt-fetch-api-key#usage-examples">https://zulip.com/api/jwt-fetch-api-key#usage-examples</a>
+ */
+public class JwtFetchApiKeyApiRequest extends ZulipApiRequest implements ExecutableApiRequest<JwtFetchApiKeyResponse> {
+
+    public static final String TOKEN = "token";
+    public static final String INCLUDE_PROFILE = "include_profile";
+
+    /**
+     * Constructs a {@link JwtFetchApiKeyApiRequest}.
+     *
+     * @param client The Zulip HTTP client
+     * @param token  The JWT token
+     */
+    public JwtFetchApiKeyApiRequest(ZulipHttpClient client, String token) {
+        super(client);
+        putParam(TOKEN, token);
+    }
+
+    /**
+     * Sets whether to include the user profile data in the response.
+     *
+     * @param  includeProfile {@code true} to include the user profile data in the response.
+     *                        {@code false} to not include the user profile data in the response
+     * @return                This {@link JwtFetchApiKeyApiRequest} instance
+     */
+    public JwtFetchApiKeyApiRequest withIncludeProfile(boolean includeProfile) {
+        putParam(INCLUDE_PROFILE, includeProfile);
+        return this;
+    }
+
+    /**
+     * Executes the Zulip API request for fetching an API key using a JWT token.
+     *
+     * @return                      {@link JwtFetchApiKeyResponse} containing the API key, email and optionally user data
+     * @throws ZulipClientException if the request was not successful
+     */
+    @Override
+    public JwtFetchApiKeyResponse execute() throws ZulipClientException {
+        return client().post(JWT_FETCH_API_KEY, getParams(), JwtFetchApiKeyResponse.class);
+    }
+}

src/main/java/com/github/jamesnetherton/zulip/client/api/server/request/ServerRequestConstants.java

@@ -6,6 +6,7 @@ final class ServerRequestConstants {
     public static final String EXPORT_REALM = "export/realm";
     public static final String EXPORT_REALM_CONSENTS = "export/realm/consents";
     public static final String FETCH_API_KEY = "fetch_api_key";
+    public static final String JWT_FETCH_API_KEY = "jwt/fetch_api_key";
     public static final String MOBILE_PUSH = "mobile_push";
     public static final String MOBILE_PUSH_REGISTER = MOBILE_PUSH + "/register";
     public static final String MOBILE_PUSH_TEST = MOBILE_PUSH + "/test_notification";

src/main/java/com/github/jamesnetherton/zulip/client/api/server/response/JwtFetchApiKeyResponse.java

@@ -0,0 +1,33 @@
+package com.github.jamesnetherton.zulip.client.api.server.response;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.github.jamesnetherton.zulip.client.api.core.ZulipApiResponse;
+import com.github.jamesnetherton.zulip.client.api.user.response.UserApiResponse;
+
+/**
+ * Zulip API response class for fetching an API key via JWT.
+ *
+ * @see <a href="https://zulip.com/api/jwt-fetch-api-key#response">https://zulip.com/api/jwt-fetch-api-key#response</a>
+ */
+public class JwtFetchApiKeyResponse extends ZulipApiResponse {
+    @JsonProperty("api_key")
+    private String apiKey;
+
+    @JsonProperty
+    private String email;
+
+    @JsonProperty
+    private UserApiResponse user;
+
+    public String getApiKey() {
+        return apiKey;
+    }
+
+    public String getEmail() {
+        return email;
+    }
+
+    public UserApiResponse getUser() {
+        return user;
+    }
+}

src/main/java/com/github/jamesnetherton/zulip/client/util/JwtUtils.java

@@ -0,0 +1,63 @@
+package com.github.jamesnetherton.zulip.client.util;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JOSEObjectType;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jose.JWSSigner;
+import com.nimbusds.jose.crypto.MACSigner;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.SignedJWT;
+import java.nio.charset.StandardCharsets;
+import java.security.SecureRandom;
+import java.util.Base64;
+
+/**
+ * A utility class to create a JWT for an email and create a secret key.
+ */
+public class JwtUtils {
+
+    private JwtUtils() {
+    }
+
+    /**
+     * Creates a random JWT secret.
+     */
+    public static String createRandomJwtSecret() {
+        byte[] secret = new byte[32];
+        new SecureRandom().nextBytes(secret);
+        return Base64.getUrlEncoder().withoutPadding().encodeToString(secret);
+    }
+
+    /**
+     * Creates a signed JWT for the given email.
+     */
+    public static String createJwtForEmail(String email, String secret) {
+        if (email == null || email.isBlank()) {
+            throw new IllegalArgumentException("email cannot be null or blank");
+        }
+
+        if (secret == null || secret.isBlank()) {
+            throw new IllegalArgumentException("secret cannot be null or blank");
+        }
+
+        try {
+            JWSSigner signer = new MACSigner(secret.getBytes(StandardCharsets.UTF_8));
+
+            JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
+                    .claim("email", email)
+                    .build();
+
+            SignedJWT signedJWT = new SignedJWT(
+                    new JWSHeader.Builder(JWSAlgorithm.HS256)
+                            .type(JOSEObjectType.JWT)
+                            .build(),
+                    claimsSet);
+
+            signedJWT.sign(signer);
+            return signedJWT.serialize();
+        } catch (JOSEException e) {
+            throw new IllegalStateException("Failed to create JWT", e);
+        }
+    }
+}

src/test/java/com/github/jamesnetherton/zulip/client/api/server/ZulipServerApiTest.java

@@ -19,6 +19,7 @@
 import com.github.jamesnetherton.zulip.client.api.server.request.CreateDataExportApiRequest;
 import com.github.jamesnetherton.zulip.client.api.server.request.CreateProfileFieldApiRequest;
 import com.github.jamesnetherton.zulip.client.api.server.request.GetApiKeyApiRequest;
+import com.github.jamesnetherton.zulip.client.api.server.request.JwtFetchApiKeyApiRequest;
 import com.github.jamesnetherton.zulip.client.api.server.request.RegisterE2EMobilePushDevice;
 import com.github.jamesnetherton.zulip.client.api.server.request.RemoveApnsDeviceTokenApiRequest;
 import com.github.jamesnetherton.zulip.client.api.server.request.RemoveFcmRegistrationTokenApiRequest;
@@ -27,6 +28,7 @@
 import com.github.jamesnetherton.zulip.client.api.server.request.SendMobilePushTestNotification;
 import com.github.jamesnetherton.zulip.client.api.server.request.TestWelcomeBotCustomMessageApiRequest;
 import com.github.jamesnetherton.zulip.client.api.server.request.UpdateRealmNewUserDefaultSettingsApiRequest;
+import com.github.jamesnetherton.zulip.client.api.server.response.JwtFetchApiKeyResponse;
 import com.github.jamesnetherton.zulip.client.api.user.ColorScheme;
 import com.github.jamesnetherton.zulip.client.api.user.DemoteInactiveStreamOption;
 import com.github.jamesnetherton.zulip.client.api.user.DesktopIconCountDisplay;
@@ -36,6 +38,7 @@
 import com.github.jamesnetherton.zulip.client.api.user.WebAnimateImageOption;
 import com.github.jamesnetherton.zulip.client.api.user.WebChannelView;
 import com.github.jamesnetherton.zulip.client.api.user.WebHomeView;
+import com.github.jamesnetherton.zulip.client.api.user.response.UserApiResponse;
 import com.github.tomakehurst.wiremock.matching.StringValuePattern;
 import java.io.File;
 import java.util.Collections;
@@ -353,6 +356,59 @@ public void getProductionApiKey() throws Exception {
         assertEquals("abc123zxy", key);
     }
 
+    @Test
+    public void jwtFetchApiKey() throws Exception {
+        Map<String, StringValuePattern> params = QueryParams.create()
+                .add(JwtFetchApiKeyApiRequest.TOKEN, "test-jwt-token")
+                .get();
+
+        stubZulipResponse(POST, "/jwt/fetch_api_key", params, "jwtFetchApiKey.json");
+
+        JwtFetchApiKeyResponse response = zulip.server()
+                .jwtFetchApiKey("test-jwt-token")
+                .execute();
+
+        assertNotNull(response);
+        assertEquals("test-api-key", response.getApiKey());
+        assertEquals("test@example.com", response.getEmail());
+        assertNull(response.getUser());
+    }
+
+    @Test
+    public void jwtFetchApiKeyWithProfile() throws Exception {
+        Map<String, StringValuePattern> params = QueryParams.create()
+                .add(JwtFetchApiKeyApiRequest.TOKEN, "test-jwt-token")
+                .add(JwtFetchApiKeyApiRequest.INCLUDE_PROFILE, "true")
+                .get();
+
+        stubZulipResponse(POST, "/jwt/fetch_api_key", params, "jwtFetchApiKeyWithProfile.json");
+
+        JwtFetchApiKeyResponse response = zulip.server()
+                .jwtFetchApiKey("test-jwt-token")
+                .withIncludeProfile(true)
+                .execute();
+
+        assertNotNull(response);
+        assertEquals("test-api-key", response.getApiKey());
+        assertEquals("test@example.com", response.getEmail());
+        assertNotNull(response.getUser());
+
+        UserApiResponse user = response.getUser();
+        assertEquals(5L, user.getUserId());
+        assertEquals("test@example.com", user.getDeliveryEmail());
+        assertEquals("test@example.com", user.getEmail());
+        assertEquals("Test123", user.getFullName());
+        assertEquals("2019-10-20T07:50:53.728864+00:00", user.getDateJoined());
+        assertEquals("Europe/London", user.getTimezone());
+        assertEquals("https://secure.gravatar.com/avatar/test?d=identicon&version=1", user.getAvatarUrl());
+        assertEquals(1, user.getAvatarVersion());
+        assertEquals(false, user.isBot());
+        assertEquals(false, user.isGuest());
+        assertEquals(false, user.isOwner());
+        assertEquals(true, user.isAdmin());
+        assertEquals(true, user.isActive());
+    }
+
     @Test
     public void addCodePlayground() throws Exception {
         Map<String, StringValuePattern> params = QueryParams.create()

src/test/resources/com/github/jamesnetherton/zulip/client/api/server/jwtFetchApiKey.json

@@ -0,0 +1,6 @@
+{
+  "result": "success",
+  "msg": "",
+  "api_key": "test-api-key",
+  "email": "test@example.com"
+}

src/test/resources/com/github/jamesnetherton/zulip/client/api/server/jwtFetchApiKeyWithProfile.json

@@ -0,0 +1,26 @@
+{
+  "result": "success",
+  "msg": "",
+  "api_key": "test-api-key",
+  "email": "test@example.com",
+  "user": {
+    "user_id": 5,
+    "delivery_email": "test@example.com",
+    "email": "test@example.com",
+    "full_name": "Test123",
+    "date_joined": "2019-10-20T07:50:53.728864+00:00",
+    "is_active": true,
+    "is_owner": false,
+    "is_admin": true,
+    "is_guest": false,
+    "is_bot": false,
+    "bot_type": null,
+    "bot_owner_id": null,
+    "role": 400,
+    "timezone": "Europe/London",
+    "avatar_url": "https://secure.gravatar.com/avatar/test?d=identicon&version=1",
+    "avatar_version": 1,
+    "is_imported_stub": false,
+    "profile_data": {}
+  }
+}