Adding support for extension codes.

Author: klakegg

src/main/java/no/java/submit/controller/CodeController.java

@@ -0,0 +1,111 @@
+package no.java.submit.controller;
+
+import io.quarkus.qute.Template;
+import io.quarkus.qute.TemplateInstance;
+import io.quarkus.security.Authenticated;
+import io.quarkus.security.identity.SecurityIdentity;
+import io.smallrye.common.annotation.Blocking;
+import jakarta.inject.Inject;
+import jakarta.inject.Named;
+import jakarta.ws.rs.*;
+import jakarta.ws.rs.core.Context;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.NewCookie;
+import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.core.UriBuilder;
+import no.java.submit.util.CodeHelper;
+import no.java.submit.util.ExtensionService;
+import no.java.submit.util.UserHelper;
+import org.eclipse.microprofile.config.inject.ConfigProperty;
+
+import java.time.LocalDate;
+import java.time.format.DateTimeParseException;
+import java.util.List;
+
+@Path("code")
+@Blocking
+@Produces(MediaType.TEXT_HTML)
+@Authenticated
+public class CodeController {
+
+    @ConfigProperty(name = "app.cookie.secure", defaultValue = "true")
+    boolean cookieSecure;
+
+    @Inject
+    Template code;
+
+    @Inject
+    CodeHelper codeHelper;
+
+    @Inject
+    ExtensionService extensionService;
+
+    @Inject
+    @Named("app.admins")
+    List<String> appAdmins;
+
+    @GET
+    public TemplateInstance view(@Context SecurityIdentity identity) {
+        return page(identity, null, null, null);
+    }
+
+    @POST
+    @Path("use")
+    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
+    public Response use(@FormParam("code") String submitted, @Context SecurityIdentity identity) {
+        var email = UserHelper.getEmail(identity);
+        var valid = codeHelper.validate(submitted, email)
+                .filter(date -> !date.isBefore(LocalDate.now()));
+
+        if (valid.isEmpty()) {
+            return Response.ok(page(identity, "The code is not valid for your account.", null, null).render()).build();
+        }
+
+        var cookie = new NewCookie.Builder(ExtensionService.COOKIE_NAME)
+                .value(submitted)
+                .path("/")
+                .httpOnly(true)
+                .secure(cookieSecure)
+                .sameSite(NewCookie.SameSite.STRICT)
+                .build();
+
+        return Response.seeOther(UriBuilder.fromUri("/").build())
+                .cookie(cookie)
+                .build();
+    }
+
+    @POST
+    @Path("generate")
+    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
+    public TemplateInstance generate(@FormParam("date") String dateStr, @FormParam("email") String rawEmail, @Context SecurityIdentity identity) {
+        if (!appAdmins.contains(UserHelper.getEmail(identity)))
+            throw new NotAuthorizedException("Not admin");
+
+        LocalDate date;
+        try {
+            date = LocalDate.parse(dateStr);
+        } catch (DateTimeParseException | NullPointerException e) {
+            return page(identity, "Invalid date (use YYYY-MM-DD).", null, null);
+        }
+
+        var email = rawEmail == null ? "" : rawEmail.trim();
+        if (email.isBlank()) {
+            return page(identity, "Email is required.", null, null);
+        }
+
+        var generated = new Generated(codeHelper.generate(date, email), date, email);
+        return page(identity, null, null, generated);
+    }
+
+    private TemplateInstance page(SecurityIdentity identity, String error, String success, Generated generated) {
+        return code
+                .data("valid", extensionService.validFor(identity).orElse(null))
+                .data("error", error)
+                .data("success", success)
+                .data("generated", generated)
+                .data("isAdmin", appAdmins.contains(UserHelper.getEmail(identity)));
+    }
+
+    public record Generated(String code, LocalDate date, String email) {
+    }
+}

src/main/java/no/java/submit/controller/TalkController.java

@@ -19,6 +19,7 @@
 import no.java.submit.service.ConferenceService;
 import no.java.submit.service.TalksService;
 import no.java.submit.service.TimelineService;
+import no.java.submit.util.ExtensionService;
 import no.java.submit.util.SessionHelper;
 import no.java.submit.util.SessionSecretHelper;
 import no.java.submit.util.UserHelper;
@@ -51,6 +52,9 @@ public class TalkController {
     @Inject
     SessionSecretHelper sessionSecrets;
 
+    @Inject
+    ExtensionService extensionService;
+
     @Inject
     Template talk;
 
@@ -133,7 +137,7 @@ public RestResponse<?> redirectWithSecret(@PathParam("sessionId") String session
     @Path("new")
     @Authenticated
     public TemplateInstance newSession(@Context SecurityIdentity securityIdentity) {
-        if (timelineService.isClosed(UserHelper.hasExtension(securityIdentity)))
+        if (timelineService.isClosed(extensionService.has(securityIdentity)))
             return error
                     .data("title", "Too late")
                     .data("message", "It is past deadline for submission of new talks.");
@@ -157,7 +161,7 @@ public TemplateInstance newSession(@Context SecurityIdentity securityIdentity) {
     @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
     @Authenticated
     public Object newSessionPost(SessionForm form, @Context SecurityIdentity securityIdentity) {
-        if (timelineService.isClosed(UserHelper.hasExtension(securityIdentity)))
+        if (timelineService.isClosed(extensionService.has(securityIdentity)))
             return error
                     .data("title", "Too late")
                     .data("message", "It is past deadline for submission of new talks.");
@@ -192,18 +196,18 @@ public Object newSessionPost(SessionForm form, @Context SecurityIdentity securit
     public TemplateInstance editSession(@PathParam("sessionId") String sessionId, @Context SecurityIdentity securityIdentity) {
         var email = UserHelper.getEmail(securityIdentity);
 
-        return editSession(sessionId, email, null);
+        return editSession(sessionId, email, null, extensionService.has(securityIdentity));
     }
 
     @GET
     @Path("{sessionId}/{secret}/edit")
     public TemplateInstance editSession(@PathParam("sessionId") String sessionId, @PathParam("secret") String secret) {
         sessionSecrets.validate(sessionId, secret);
 
-        return editSession(sessionId, "", secret);
+        return editSession(sessionId, "", secret, false);
     }
 
-    public TemplateInstance editSession(String sessionId, String email, String secret) {
+    public TemplateInstance editSession(String sessionId, String email, String secret, boolean hasExtension) {
         try {
             var session = talksService.getSession(email, sessionId);
 
@@ -213,7 +217,7 @@ public TemplateInstance editSession(String sessionId, String email, String secre
             if (!conferenceService.current().id.equals(session.conferenceId))
                 throw new NotFoundException();
 
-            return (timelineService.isClosed(appAdmins.contains(email)) ? sessionFormClosed : sessionForm)
+            return (timelineService.isClosed(appAdmins.contains(email) || hasExtension) ? sessionFormClosed : sessionForm)
                     .data("form", SessionForm.parse(session))
                     .data("val", Collections.emptyMap())
                     .data("sessionId", sessionId)
@@ -230,7 +234,7 @@ public TemplateInstance editSession(String sessionId, String email, String secre
     public Object editSessionPost(@PathParam("sessionId") String sessionId, SessionForm form, @Context SecurityIdentity securityIdentity) {
         var email = UserHelper.getEmail(securityIdentity);
 
-        return editSessionPost(sessionId, form, email, null);
+        return editSessionPost(sessionId, form, email, null, extensionService.has(securityIdentity));
     }
 
     @POST
@@ -239,14 +243,14 @@ public Object editSessionPost(@PathParam("sessionId") String sessionId, SessionF
     public Object editSessionPost(@PathParam("sessionId") String sessionId, @PathParam("secret") String secret, SessionForm form) {
         sessionSecrets.validate(sessionId, secret);
 
-        return editSessionPost(sessionId, form, "", secret);
+        return editSessionPost(sessionId, form, "", secret, false);
     }
 
-    public Object editSessionPost(String sessionId, SessionForm form, String email, String secret) {
+    public Object editSessionPost(String sessionId, SessionForm form, String email, String secret, boolean hasExtension) {
         // Validate form and present form if there are any errors
         var validation = validator.validate(form);
         if (!validation.isEmpty()) {
-            return (timelineService.isClosed(appAdmins.contains(email)) ? sessionFormClosed : sessionForm)
+            return (timelineService.isClosed(appAdmins.contains(email) || hasExtension) ? sessionFormClosed : sessionForm)
                     .data("form", form)
                     .data("val", validation.stream().collect(Collectors.groupingBy(c -> c.getPropertyPath().toString())))
                     .data("sessionId", sessionId)
@@ -262,7 +266,7 @@ public Object editSessionPost(String sessionId, SessionForm form, String email,
         // Prepare form for sending
         var newSession = form.asSession();
 
-        if (timelineService.isClosed(appAdmins.contains(email))) {
+        if (timelineService.isClosed(appAdmins.contains(email) || hasExtension)) {
             SessionHelper.partialUpdate(session, newSession);
         } else {
             // Update session with new data

src/main/java/no/java/submit/template/UserExtension.java

@@ -5,6 +5,8 @@
 import io.quarkus.qute.TemplateExtension;
 import io.quarkus.security.identity.CurrentIdentityAssociation;
 import io.quarkus.security.identity.SecurityIdentity;
+import no.java.submit.util.ExtensionService;
+import org.eclipse.microprofile.config.ConfigProvider;
 
 // Makes user information available to templates as "user:[method]"
 @TemplateExtension(namespace = "user")
@@ -23,7 +25,19 @@ public static String email() {
     }
 
     public static boolean extension() {
-        // return ((SecurityFilter.MyPrincipal) get().getPrincipal()).hasExtension();
+        return Arc.container().instance(ExtensionService.class).get().has(get());
+    }
+
+    public static boolean isAdmin() {
+        var identity = get();
+        if (identity.isAnonymous())
+            return false;
+
+        var admins = ConfigProvider.getConfig().getOptionalValue("app.admins", String.class).orElse("");
+        var currentEmail = email();
+        for (var admin : admins.split(","))
+            if (admin.trim().equals(currentEmail))
+                return true;
         return false;
     }
 }

src/main/java/no/java/submit/util/CodeHelper.java

@@ -0,0 +1,46 @@
+package no.java.submit.util;
+
+import com.google.common.hash.Hashing;
+import com.google.common.io.BaseEncoding;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+import jakarta.inject.Named;
+
+import java.time.LocalDate;
+import java.time.format.DateTimeParseException;
+import java.util.Optional;
+
+@ApplicationScoped
+public class CodeHelper {
+
+    @Inject
+    @Named("app.secret")
+    String appSecret;
+
+    public String generate(LocalDate date, String email) {
+        return String.format("%s.%s", date, signature(date, email));
+    }
+
+    public Optional<LocalDate> validate(String code, String email) {
+        if (code == null || email == null || email.isBlank())
+            return Optional.empty();
+
+        var parts = code.split("\\.", 2);
+        if (parts.length != 2)
+            return Optional.empty();
+
+        LocalDate date;
+        try {
+            date = LocalDate.parse(parts[0]);
+        } catch (DateTimeParseException e) {
+            return Optional.empty();
+        }
+
+        return signature(date, email).equals(parts[1]) ? Optional.of(date) : Optional.empty();
+    }
+
+    private String signature(LocalDate date, String email) {
+        var str = String.format("extension:%s:%s:%s", date, email, appSecret);
+        return BaseEncoding.base32().omitPadding().encode(Hashing.sha256().hashBytes(str.getBytes()).asBytes()).toLowerCase();
+    }
+}

src/main/java/no/java/submit/util/ExtensionService.java

@@ -0,0 +1,37 @@
+package no.java.submit.util;
+
+import io.quarkus.security.identity.SecurityIdentity;
+import io.vertx.ext.web.RoutingContext;
+import jakarta.enterprise.context.RequestScoped;
+import jakarta.inject.Inject;
+
+import java.time.LocalDate;
+import java.util.Optional;
+
+@RequestScoped
+public class ExtensionService {
+
+    public static final String COOKIE_NAME = "extension";
+
+    @Inject
+    CodeHelper codeHelper;
+
+    @Inject
+    RoutingContext routingContext;
+
+    public Optional<LocalDate> validFor(SecurityIdentity identity) {
+        if (identity == null || identity.isAnonymous())
+            return Optional.empty();
+
+        var cookie = routingContext.request().getCookie(COOKIE_NAME);
+        if (cookie == null)
+            return Optional.empty();
+
+        return codeHelper.validate(cookie.getValue(), UserHelper.getEmail(identity))
+                .filter(date -> !date.isBefore(LocalDate.now()));
+    }
+
+    public boolean has(SecurityIdentity identity) {
+        return validFor(identity).isPresent();
+    }
+}

src/main/java/no/java/submit/util/UserHelper.java

@@ -12,11 +12,4 @@ static OidcJwtCallerPrincipal getPrincipal(SecurityIdentity securityIdentity) {
     static String getEmail(SecurityIdentity securityIdentity) {
         return getPrincipal(securityIdentity).getClaim("email");
     }
-
-    static boolean hasExtension(SecurityIdentity securityIdentity) {
-        // TODO
-        return false;
-        /* return getPrincipal(securityIdentity).getGroups().stream()
-                .anyMatch(group -> group.equals("extension")); */
-    }
 }

src/main/resources/templates/code.html

@@ -0,0 +1,54 @@
+{#include partial/base}
+<h1>Extension code</h1>
+
+{#if error != null}
+<div class="message error">{error}</div>
+{/if}
+
+{#if valid != null}
+<div class="message">Your extension is active and valid through <strong>{valid}</strong>.</div>
+{/if}
+
+<form method="post" action="/code/use" class="talk">
+    <h2>Use a code</h2>
+    <p>Paste the extension code you received to regain access to submit or edit a talk after the deadline. The code is tied to your account.</p>
+
+    <div class="field required">
+        <label for="form-code">Code</label>
+        <input type="text" name="code" id="form-code" required="required" autocomplete="off"/>
+    </div>
+
+    <div class="submit">
+        <button type="submit">Activate</button>
+    </div>
+</form>
+
+{#if isAdmin}
+<form method="post" action="/code/generate" class="talk">
+    <h2>Generate a code (admin)</h2>
+    <p>Produce an extension code for a specific speaker. The code grants access through and including the chosen date.</p>
+
+    <div class="split">
+        <div class="field required">
+            <label for="form-date">Valid through</label>
+            <input type="date" name="date" id="form-date" value="{generated?.date ?: ''}" required="required"/>
+        </div>
+        <div class="field required">
+            <label for="form-email">Speaker email</label>
+            <input type="email" name="email" id="form-email" value="{generated?.email ?: ''}" required="required"/>
+        </div>
+    </div>
+
+    <div class="submit">
+        <button type="submit">Generate</button>
+    </div>
+</form>
+
+{#if generated != null}
+<div class="message">
+    <p>Code for <strong>{generated.email}</strong>, valid through <strong>{generated.date}</strong>:</p>
+    <pre>{generated.code}</pre>
+</div>
+{/if}
+{/if}
+{/include}