diff options
9 files changed, 411 insertions, 4 deletions
diff --git a/build.gradle b/build.gradle index 9d350fc27..2a2cdf153 100644 --- a/build.gradle +++ b/build.gradle @@ -172,6 +172,12 @@ dependencies { compile 'com.google.api-client:google-api-client:1.30.6' compile "com.kotcrab.remark:remark:1.2.0" + compile 'io.jsonwebtoken:jjwt-api:0.10.7' + runtime 'io.jsonwebtoken:jjwt-jackson:0.10.7' + runtime 'io.jsonwebtoken:jjwt-impl:0.10.7' + compile 'org.bouncycastle:bcpkix-jdk15on:1.64' + compile 'com.nimbusds:nimbus-jose-jwt:8.3' + testCompile("org.springframework.boot:spring-boot-starter-test") testCompile('net.sourceforge.htmlunit:htmlunit:2.36.0') testCompile('org.springframework.security:spring-security-test') diff --git a/src/main/java/com/github/scribejava/apis/AppleClientAuthentication.java b/src/main/java/com/github/scribejava/apis/AppleClientAuthentication.java new file mode 100644 index 000000000..6bb919a32 --- /dev/null +++ b/src/main/java/com/github/scribejava/apis/AppleClientAuthentication.java @@ -0,0 +1,33 @@ +/* + * Copyright (C) 2008-2019, Juick + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +package com.github.scribejava.apis; + +import com.github.scribejava.core.model.OAuthRequest; +import com.github.scribejava.core.oauth2.clientauthentication.ClientAuthentication; + +public class AppleClientAuthentication implements ClientAuthentication { + private final AppleClientSecretGenerator generator; + public AppleClientAuthentication(AppleClientSecretGenerator generator) { + this.generator = generator; + } + @Override + public void addClientAuthentication(OAuthRequest request, String apiKey, String apiSecret) { + request.addBodyParameter("client_id", generator.getApplicationId()); + request.addBodyParameter("client_secret", generator.getClientSecret()); + } +} diff --git a/src/main/java/com/github/scribejava/apis/AppleClientSecretGenerator.java b/src/main/java/com/github/scribejava/apis/AppleClientSecretGenerator.java new file mode 100644 index 000000000..3af6bc7a2 --- /dev/null +++ b/src/main/java/com/github/scribejava/apis/AppleClientSecretGenerator.java @@ -0,0 +1,85 @@ +/* + * Copyright (C) 2008-2019, Juick + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +package com.github.scribejava.apis; + +import io.jsonwebtoken.Jwts; +import io.jsonwebtoken.SignatureAlgorithm; +import org.apache.commons.io.FileUtils; + +import java.io.File; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.security.Key; +import java.security.KeyFactory; +import java.security.NoSuchAlgorithmException; +import java.security.spec.EncodedKeySpec; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.PKCS8EncodedKeySpec; +import java.time.*; +import java.util.Base64; +import java.util.Date; + +public class AppleClientSecretGenerator { + private final String subject; + private final String teamId; + private final String keyId; + + private final Key signingKey; + + public AppleClientSecretGenerator(final String subject, final String teamId, final String keyId, final String keyPath) + throws IOException, NoSuchAlgorithmException, InvalidKeySpecException { + this.subject = subject; + this.keyId = keyId; + this.teamId = teamId; + + String pemData = FileUtils.readFileToString(new File(keyPath), StandardCharsets.UTF_8); + String p8encodedData = pemData + .replace( + "-----BEGIN PRIVATE KEY-----\n", "") + .replace("\n", "") + .replace("-----END PRIVATE KEY-----", ""); + KeyFactory kf = KeyFactory.getInstance("EC"); + EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(p8encodedData)); + signingKey = kf.generatePrivate(keySpec); + } + + public String getClientSecret() { + Instant now = Instant.now(); + return Jwts.builder() + .setHeaderParam("kid", keyId) + .setIssuer(teamId) + .setAudience("https://appleid.apple.com") + .setIssuedAt(Date.from(now)) + .setSubject(subject) + .setExpiration(Date.from(ZonedDateTime.ofInstant(now, ZoneId.of("UTC")).plusMonths(1).toInstant())) + .signWith(signingKey, SignatureAlgorithm.ES256) + .compact(); + } + + public String getTeamId() { + return teamId; + } + + public String getKeyId() { + return keyId; + } + + public String getApplicationId() { + return subject; + } +} diff --git a/src/main/java/com/github/scribejava/apis/AppleSignInApi.java b/src/main/java/com/github/scribejava/apis/AppleSignInApi.java new file mode 100644 index 000000000..be14ef16d --- /dev/null +++ b/src/main/java/com/github/scribejava/apis/AppleSignInApi.java @@ -0,0 +1,45 @@ +/* + * Copyright (C) 2008-2019, Juick + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +package com.github.scribejava.apis; + +import com.github.scribejava.core.builder.api.DefaultApi20; +import com.github.scribejava.core.oauth2.clientauthentication.ClientAuthentication; + +public class AppleSignInApi extends DefaultApi20 { + + private final AppleClientSecretGenerator clientSecretGenerator; + + public AppleSignInApi(AppleClientSecretGenerator clientSecretGenerator) { + this.clientSecretGenerator = clientSecretGenerator; + } + + @Override + public String getAccessTokenEndpoint() { + return "https://appleid.apple.com/auth/token"; + } + + @Override + protected String getAuthorizationBaseUrl() { + return "https://appleid.apple.com/auth/authorize?response_mode=form_post"; + } + + @Override + public ClientAuthentication getClientAuthentication() { + return new AppleClientAuthentication(clientSecretGenerator); + } +} diff --git a/src/main/java/com/juick/server/configuration/SignInWithAppleConfig.java b/src/main/java/com/juick/server/configuration/SignInWithAppleConfig.java new file mode 100644 index 000000000..f736e673f --- /dev/null +++ b/src/main/java/com/juick/server/configuration/SignInWithAppleConfig.java @@ -0,0 +1,44 @@ +/* + * Copyright (C) 2008-2019, Juick + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +package com.juick.server.configuration; + +import com.github.scribejava.apis.AppleClientSecretGenerator; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; + +import java.io.IOException; +import java.security.NoSuchAlgorithmException; +import java.security.spec.InvalidKeySpecException; + +@Configuration +public class SignInWithAppleConfig { + @Value("${apple_app_id:com.example.app}") + private String appId; + @Value("${apple_team_id:teamid}") + private String teamId; + @Value("${apple_key_id:keyid}") + private String keyId; + @Value("${apple_key_path:AuthKey.p8}") + private String keyPath; + + @Bean + public AppleClientSecretGenerator clientSecretGenerator() throws IOException, InvalidKeySpecException, NoSuchAlgorithmException { + return new AppleClientSecretGenerator(appId, teamId, keyId, keyPath); + } +} diff --git a/src/main/java/com/juick/server/www/controllers/SocialLogin.java b/src/main/java/com/juick/server/www/controllers/SocialLogin.java index 7d019940e..92f83c4ed 100644 --- a/src/main/java/com/juick/server/www/controllers/SocialLogin.java +++ b/src/main/java/com/juick/server/www/controllers/SocialLogin.java @@ -17,6 +17,8 @@ package com.juick.server.www.controllers; import com.fasterxml.jackson.databind.ObjectMapper; +import com.github.scribejava.apis.AppleClientSecretGenerator; +import com.github.scribejava.apis.AppleSignInApi; import com.github.scribejava.apis.FacebookApi; import com.github.scribejava.apis.TwitterApi; import com.github.scribejava.apis.VkontakteApi; @@ -33,9 +35,22 @@ import com.juick.service.EmailService; import com.juick.service.TelegramService; import com.juick.service.UserService; import com.juick.service.security.annotation.Visitor; +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.jwk.source.JWKSource; +import com.nimbusds.jose.jwk.source.RemoteJWKSet; +import com.nimbusds.jose.proc.BadJOSEException; +import com.nimbusds.jose.proc.JWSKeySelector; +import com.nimbusds.jose.proc.JWSVerificationKeySelector; +import com.nimbusds.jose.proc.SecurityContext; +import com.nimbusds.jwt.proc.ConfigurableJWTProcessor; +import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier; +import com.nimbusds.jwt.proc.DefaultJWTProcessor; +import net.minidev.json.JSONObject; import org.apache.commons.codec.digest.DigestUtils; import org.apache.commons.codec.digest.HmacAlgorithms; import org.apache.commons.codec.digest.HmacUtils; +import org.apache.commons.lang3.RandomStringUtils; import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.math.NumberUtils; import org.slf4j.Logger; @@ -44,6 +59,7 @@ import org.springframework.beans.factory.annotation.Value; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.CookieValue; import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.util.UriComponentsBuilder; @@ -53,6 +69,8 @@ import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; +import java.net.URL; +import java.text.ParseException; import java.util.List; import java.util.Map; import java.util.UUID; @@ -79,7 +97,7 @@ public class SocialLogin { @Inject private ObjectMapper jsonMapper; private ServiceBuilder twitterBuilder; - private OAuth20Service facebookAuthService, vkAuthService; + private OAuth20Service facebookAuthService, vkAuthService, appleSignInService; @Value("${twitter_consumer_key:appid}") private String twitterConsumerKey; @@ -91,7 +109,8 @@ public class SocialLogin { private String VK_SECRET; @Value("${telegram_token:secret}") private String telegramToken; - + @Value("${apple_app_id:appid}") + private String appleApplicationId; @Inject private CrosspostService crosspostService; @Inject @@ -100,14 +119,16 @@ public class SocialLogin { private EmailService emailService; @Inject private TelegramService telegramService; + @Inject + private AppleClientSecretGenerator clientSecretGenerator; @PostConstruct public void init() { ServiceBuilder facebookBuilder = new ServiceBuilder(FACEBOOK_APPID); twitterBuilder = new ServiceBuilder(twitterConsumerKey); ServiceBuilder vkBuilder = new ServiceBuilder(VK_APPID); - UriComponentsBuilder facebookRedirectBuilder = UriComponentsBuilder.fromUriString(baseUri); - String facebookRedirectUri = facebookRedirectBuilder.replacePath("/_fblogin").build().toUriString(); + UriComponentsBuilder redirectBuilder = UriComponentsBuilder.fromUriString(baseUri); + String facebookRedirectUri = redirectBuilder.replacePath("/_fblogin").build().toUriString(); facebookAuthService = facebookBuilder .apiSecret(FACEBOOK_SECRET) .callback(facebookRedirectUri) @@ -118,6 +139,12 @@ public class SocialLogin { .defaultScope("friends,wall,offline") .callback(VK_REDIRECT) .build(VkontakteApi.instance()); + ServiceBuilder appleSignInBuilder = new ServiceBuilder(appleApplicationId); + String appleSignInRedirectUri = redirectBuilder.replacePath("/_apple").build().toUriString(); + appleSignInService = appleSignInBuilder + .callback(appleSignInRedirectUri) + .defaultScope("email") + .build(new AppleSignInApi(clientSecretGenerator)); } @GetMapping("/_fblogin") @@ -315,4 +342,69 @@ public class SocialLogin { } throw new HttpBadRequestException(); } + + @GetMapping("/_apple") + public String doAppleLogin(HttpServletRequest request, + @RequestParam(required = false) String code, + HttpServletResponse response) { + if (StringUtils.isBlank(code)) { + String state = UUID.randomUUID().toString(); + Cookie c = new Cookie("astate", state); + response.addCookie(c); + return "redirect:" + appleSignInService.getAuthorizationUrl(state); + } + throw new HttpBadRequestException(); + } + @PostMapping("/_apple") + public String doVerifyAppleResponse(HttpServletRequest request, HttpServletResponse response, @RequestParam Map<String, String> body) throws InterruptedException, ExecutionException, IOException, ParseException, JOSEException, BadJOSEException { + OAuth2AccessToken token = appleSignInService.getAccessToken(body.get("code")); + var jsonNode = jsonMapper.readTree(token.getRawResponse()); + var idToken = jsonNode.get("id_token").textValue(); + +// Create a JWT processor for the access tokens + ConfigurableJWTProcessor<SecurityContext> jwtProcessor = + new DefaultJWTProcessor<>(); + +// The public RSA keys to validate the signatures will be sourced from the +// OAuth 2.0 server's JWK set, published at a well-known URL. The RemoteJWKSet +// object caches the retrieved keys to speed up subsequent look-ups and can +// also handle key-rollover + JWKSource<SecurityContext> keySource = + new RemoteJWKSet<>(new URL("https://appleid.apple.com/auth/keys")); + +// The expected JWS algorithm of the access tokens (agreed out-of-band) + JWSAlgorithm expectedJWSAlg = JWSAlgorithm.RS256; + +// Configure the JWT processor with a key selector to feed matching public +// RSA keys sourced from the JWK set URL + JWSKeySelector<SecurityContext> keySelector = + new JWSVerificationKeySelector<>(expectedJWSAlg, keySource); + + jwtProcessor.setJWSKeySelector(keySelector); + +// Set the required JWT claims for access tokens issued by the Connect2id +// server, may differ with other servers + jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>()); + +// Process the token + JSONObject claimsSet = jwtProcessor.process(idToken, null).toJSONObject(); + + var email = claimsSet.getAsString("email"); + var verified = claimsSet.getAsString("email_verified").equals("true"); + + if (verified) { + com.juick.User user = userService.getUserByEmail(email); + if (!user.isAnonymous()) { + Cookie c = new Cookie("hash", userService.getHashByUID(user.getUid())); + c.setMaxAge(50 * 24 * 60 * 60); + response.addCookie(c); + return "redirect:/" + Utils.getPreviousPageByRequest(request).orElse(StringUtils.EMPTY); + } else { + String verificationCode = RandomStringUtils.randomAlphanumeric(8).toUpperCase(); + emailService.addVerificationCode(null, email, verificationCode); + return "redirect:/signup?type=email&hash=" + verificationCode; + } + } + throw new HttpBadRequestException(); + } } diff --git a/src/main/resources/templates/views/login.html b/src/main/resources/templates/views/login.html index 11900c8d0..0fdfb7e21 100644 --- a/src/main/resources/templates/views/login.html +++ b/src/main/resources/templates/views/login.html @@ -128,6 +128,9 @@ data-telegram-login="Juick_bot" data-size="medium" data-radius="0" data-auth-url="https://juick.com/_tglogin" data-request-access="write"></script> </div> + <div id="apple"> + <a href="/_apple" rel="nofollow"><img src="https://appleid.cdn-apple.com/appleid/button" /></a> + </div> </div> <div id="signin"> <a href="#" onclick="$('#signinform').toggle(); $('#nickinput').focus(); return false"> diff --git a/src/test/java/com/juick/JWTTest.java b/src/test/java/com/juick/JWTTest.java new file mode 100644 index 000000000..1a6eeada8 --- /dev/null +++ b/src/test/java/com/juick/JWTTest.java @@ -0,0 +1,94 @@ +/* + * Copyright (C) 2008-2019, Juick + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +package com.juick; + +import com.github.scribejava.apis.AppleClientSecretGenerator; +import io.jsonwebtoken.Claims; +import io.jsonwebtoken.Jws; +import io.jsonwebtoken.Jwts; +import org.apache.commons.io.FileUtils; +import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; +import org.bouncycastle.jce.ECNamedCurveTable; +import org.bouncycastle.jce.interfaces.ECPrivateKey; +import org.bouncycastle.jce.interfaces.ECPublicKey; +import org.bouncycastle.jce.spec.ECParameterSpec; +import org.bouncycastle.jce.spec.ECPublicKeySpec; +import org.bouncycastle.math.ec.ECPoint; +import org.bouncycastle.openssl.PEMParser; +import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter; +import org.junit.Test; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.core.io.Resource; + +import java.io.File; +import java.io.IOException; +import java.io.Reader; +import java.io.StringReader; +import java.nio.charset.StandardCharsets; +import java.security.*; +import java.security.spec.InvalidKeySpecException; + +import static org.junit.Assert.assertThat; +import static org.hamcrest.Matchers.*; + +public class JWTTest { + @Value("classpath:testkey.p8") + Resource p8key; + @Test + public void testAppleClientSecret() throws NoSuchAlgorithmException, IOException, InvalidKeySpecException, NoSuchProviderException { + AppleClientSecretGenerator clientSecretGenerator = + new AppleClientSecretGenerator("example", "1", "2", p8key.getFilename()); + String secret = new String(clientSecretGenerator.getClientSecret().getBytes(), StandardCharsets.UTF_8); + String p8encodedData = FileUtils.readFileToString(new File(p8key.getFilename()), StandardCharsets.UTF_8); + Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); + JcaPEMKeyConverter pemConverter = new JcaPEMKeyConverter(); + pemConverter.setProvider("BC"); + //EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(p8encodedData)); + // Strips the "---- {BEGIN,END} {CERTIFICATE,PUBLIC/PRIVATE KEY} -----"-like header and footer lines, + // base64-decodes the body, + // then uses the proper key specification format to turn it into a JCA Key instance + final Reader pemReader = new StringReader(p8encodedData); + final PEMParser parser = new PEMParser(pemReader); + PrivateKey privateKey; + Object pemObj = parser.readObject(); + + privateKey = pemConverter.getPrivateKey((PrivateKeyInfo) pemObj); + + +// Generate public key from private key + KeyFactory keyFactory = KeyFactory.getInstance("ECDSA", "BC"); + ECParameterSpec ecSpec = ECNamedCurveTable.getParameterSpec("secp256r1"); + + ECPoint Q = ecSpec.getG().multiply(((ECPrivateKey)privateKey).getD()); + byte[] publicDerBytes = Q.getEncoded(false); + + ECPoint point = ecSpec.getCurve().decodePoint(publicDerBytes); + ECPublicKeySpec pubSpec = new ECPublicKeySpec(point, ecSpec); + ECPublicKey publicKeyGenerated = (ECPublicKey) keyFactory.generatePublic(pubSpec); + + Jws jwt = Jwts.parser() + .setSigningKey(publicKeyGenerated) + .parseClaimsJws(secret); + assertThat(jwt.getHeader().get("kid"), is("2")); + assertThat(jwt.getHeader().get("alg"), is("ES256")); + Claims claims = (Claims)jwt.getBody(); + assertThat(claims.get("iss"), is("1")); + assertThat(claims.get("sub"), is("example")); + assertThat(claims.get("aud"), is("https://appleid.apple.com")); + } +} diff --git a/src/test/resources/testkey.p8 b/src/test/resources/testkey.p8 new file mode 100644 index 000000000..1e5d0f986 --- /dev/null +++ b/src/test/resources/testkey.p8 @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg72/yb71r7uVirjpf +vjAPZ5aUR0si2c1yH6Lt/NlhWcWhRANCAAQydvu0D1+DTVM0/U0rbxHfkG3AswYw +hZZk58QvxSbxoBcmoLLMKAuaNBCVg+4I0xKvCfB0dkIjRATNpveON8y3 +-----END PRIVATE KEY----- |