remove jwt from client token

Author: Madhav Chhura

src/main/java/com/opentok/OpenTok.java

@@ -13,6 +13,7 @@
 import com.opentok.exception.InvalidArgumentException;
 import com.opentok.exception.OpenTokException;
 import com.opentok.exception.RequestException;
+import com.opentok.util.Crypto;
 import com.opentok.util.HttpClient;
 import com.opentok.util.TokenGenerator;
 import org.xml.sax.InputSource;
@@ -22,8 +23,10 @@
 import javax.xml.xpath.XPathFactory;
 import java.io.IOException;
 import java.io.StringReader;
+import java.io.UnsupportedEncodingException;
 import java.net.Proxy;
 import java.util.Collection;
+import java.util.List;
 import java.util.Map;
 
 /**
@@ -117,9 +120,24 @@ private OpenTok(int apiKey, String apiSecret, HttpClient httpClient) {
      *
      * @return The token string.
      */
-    public String generateToken(String sessionId, TokenOptions tokenOptions)
-            throws OpenTokException {
-        return TokenGenerator.generateToken(sessionId, tokenOptions, apiKey, apiSecret);
+    public String generateToken(String sessionId, TokenOptions tokenOptions) throws OpenTokException {
+        List<String> sessionIdParts = null;
+        if (sessionId == null || sessionId == "") {
+            throw new InvalidArgumentException("Session not valid");
+        }
+
+        try {
+            sessionIdParts = Crypto.decodeSessionId(sessionId);
+        } catch (UnsupportedEncodingException e) {
+            throw new InvalidArgumentException("Session ID was not valid");
+        }
+        if (!sessionIdParts.contains(Integer.toString(this.apiKey))) {
+            throw new InvalidArgumentException("Session ID was not valid");
+        }
+
+        // NOTE: kind of wasteful of a Session instance
+        Session session = new Session(sessionId, apiKey, apiSecret);
+        return session.generateToken(tokenOptions);
     }
 
     /**

src/main/java/com/opentok/Session.java

@@ -8,7 +8,17 @@
 package com.opentok;
 
 import com.opentok.exception.OpenTokException;
-import com.opentok.util.TokenGenerator;
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SignatureException;
+import java.util.Random;
+
+import com.opentok.exception.InvalidArgumentException;
+import com.opentok.util.Crypto;
+import org.apache.commons.codec.binary.Base64;
+
 
 /**
 * Represents an OpenTok session. Use the {@link OpenTok#createSession(SessionProperties properties)}
@@ -93,6 +103,88 @@ public String generateToken() throws OpenTokException {
      * @return The token string.
      */
     public String generateToken(TokenOptions tokenOptions) throws OpenTokException {
-        return TokenGenerator.generateToken(sessionId, tokenOptions, apiKey, apiSecret);
+        // Token format
+        //
+        // | ------------------------------  tokenStringBuilder ----------------------------- |
+        // | "T1=="+Base64Encode(| --------------------- innerBuilder --------------------- |)|
+        //                       | "partner_id={apiKey}&sig={sig}:| -- dataStringBuilder -- |
+
+        if (tokenOptions == null) {
+            throw new InvalidArgumentException("Token options cannot be null");
+        }
+
+        Role role = tokenOptions.getRole();
+        double expireTime = tokenOptions.getExpireTime(); // will be 0 if nothing was explicitly set
+        String data = tokenOptions.getData();             // will be null if nothing was explicitly set
+        Long create_time = new Long(System.currentTimeMillis() / 1000).longValue();
+
+        StringBuilder dataStringBuilder = new StringBuilder();
+        Random random = new Random();
+        int nonce = random.nextInt();
+        dataStringBuilder.append("session_id=");
+        dataStringBuilder.append(sessionId);
+        dataStringBuilder.append("&create_time=");
+        dataStringBuilder.append(create_time);
+        dataStringBuilder.append("&nonce=");
+        dataStringBuilder.append(nonce);
+        dataStringBuilder.append("&role=");
+        dataStringBuilder.append(role);
+
+        double now = System.currentTimeMillis() / 1000L;
+        if (expireTime == 0) {
+            expireTime = now + (60*60*24); // 1 day
+        } else if(expireTime < now-1) {
+            throw new InvalidArgumentException(
+                    "Expire time must be in the future. relative time: "+ (expireTime - now));
+        } else if(expireTime > (now + (60*60*24*30) /* 30 days */)) {
+            throw new InvalidArgumentException(
+                    "Expire time must be in the next 30 days. too large by "+ (expireTime - (now + (60*60*24*30))));
+        }
+        // NOTE: Double.toString() would print the value with scientific notation
+        dataStringBuilder.append(String.format("&expire_time=%.0f", expireTime));
+
+        if (data != null) {
+            if(data.length() > 1000) {
+                throw new InvalidArgumentException(
+                        "Connection data must be less than 1000 characters. length: " + data.length());
+            }
+            dataStringBuilder.append("&connection_data=");
+            try {
+                dataStringBuilder.append(URLEncoder.encode(data, "UTF-8"));
+            } catch (UnsupportedEncodingException e) {
+                throw new InvalidArgumentException(
+                        "Error during URL encode of your connection data: " +  e.getMessage());
+            }
+        }
+
+
+        StringBuilder tokenStringBuilder = new StringBuilder();
+        try {
+            tokenStringBuilder.append("T1==");
+
+            StringBuilder innerBuilder = new StringBuilder();
+            innerBuilder.append("partner_id=");
+            innerBuilder.append(this.apiKey);
+
+            innerBuilder.append("&sig=");
+
+            innerBuilder.append(Crypto.signData(dataStringBuilder.toString(), this.apiSecret));
+            innerBuilder.append(":");
+            innerBuilder.append(dataStringBuilder.toString());
+
+            tokenStringBuilder.append(
+                    Base64.encodeBase64String(
+                            innerBuilder.toString().getBytes("UTF-8")
+                    )
+                            .replace("+", "-")
+                            .replace("/", "_")
+            );
+
+        } catch (SignatureException | NoSuchAlgorithmException
+                | InvalidKeyException | UnsupportedEncodingException e) {
+            throw new OpenTokException("Could not generate token, a signing error occurred.", e);
+        }
+
+        return tokenStringBuilder.toString();
     }
 }

src/main/java/com/opentok/util/TokenGenerator.java

@@ -7,90 +7,40 @@
  */
 package com.opentok.util;
 
-import com.opentok.TokenOptions;
-import com.opentok.exception.InvalidArgumentException;
 import com.opentok.exception.OpenTokException;
-import org.apache.commons.lang.StringUtils;
 import org.jose4j.jws.AlgorithmIdentifiers;
 import org.jose4j.jws.JsonWebSignature;
 import org.jose4j.jwt.JwtClaims;
 import org.jose4j.jwt.NumericDate;
 import org.jose4j.lang.JoseException;
 
 import javax.crypto.spec.SecretKeySpec;
-import java.io.UnsupportedEncodingException;
-import java.util.List;
+import java.util.concurrent.TimeUnit;
 
 public class TokenGenerator {
 
     public static final String ISSUER = "iss";
+    public static final String ISSUER_TYPE = "ist";
     public static final String ISSUED_AT = "iat";
     public static final String EXP = "exp";
-    public static final String SID = "sid";
-    public static final String CONNECTION_DATA = "connectionData";
-    public static final String ROLE = "role";
-    public static final String INITIAL_LAYOUT_CLASS_LIST = "initialLayoutClassList";
+    public static final String PROJECT_ISSUER_TYPE = "project";
+
 
     // Used by the REST Endpoints
     public static String generateToken(final Integer apiKey, final String apiSecret)
             throws OpenTokException {
 
         //This is the default expire time we use for rest endpoints.
-        final long defaultExpireTime = System.currentTimeMillis() / 1000L + 300;  // 5 minutes
+        final long defaultExpireTime = System.currentTimeMillis() / 1000L
+                + TimeUnit.MINUTES.toSeconds(3);
         final JwtClaims claims = new JwtClaims();
         claims.setIssuer(apiKey.toString());
+        claims.setStringClaim(ISSUER_TYPE, PROJECT_ISSUER_TYPE);
+        claims.setGeneratedJwtId(); // JTI a unique identifier for the JWT.
 
         return getToken(claims, defaultExpireTime, apiSecret);
     }
 
-    public static String generateToken(final String sessionId, final TokenOptions tokenOptions,
-                                       final Integer apiKey, final String apiSecret)
-            throws OpenTokException {
-
-        List<String> sessionIdParts;
-        if(sessionId == null || sessionId.isEmpty()) {
-            throw new InvalidArgumentException("Session ID not valid");
-        }
-
-        try {
-            sessionIdParts = Crypto.decodeSessionId(sessionId);
-        } catch (UnsupportedEncodingException e) {
-            throw new InvalidArgumentException("Session ID was not valid");
-        }
-
-        if (!sessionIdParts.contains(Integer.toString(apiKey))) {
-            throw new InvalidArgumentException("Session ID was not valid");
-        }
-
-        if (tokenOptions == null) {
-            throw new InvalidArgumentException("Token options cannot be null");
-        }
-
-        long expireTime = tokenOptions.getExpireTime();
-        final long now = System.currentTimeMillis() / 1000L;
-        if (expireTime == 0) {
-            expireTime = now + (60 * 60 * 24); // 1 day
-        } else if(expireTime < now - 1) {
-            throw new InvalidArgumentException(
-                    "Expire time must be in the future. relative time: " + (expireTime - now));
-        } else if(expireTime > (now + (60 * 60 * 24 * 30) /* 30 days */)) {
-            throw new InvalidArgumentException(
-                    "Expire time must be in the next 30 days. too large by " +
-                            (expireTime - (now + (60 * 60 * 24 * 30))));
-        }
-
-        final JwtClaims claims = new JwtClaims();
-        claims.setIssuer(apiKey.toString());
-        claims.setClaim(SID, sessionId);
-        claims.setClaim(CONNECTION_DATA, tokenOptions.getData());
-        claims.setClaim(ROLE, tokenOptions.getRole());
-        claims.setClaim(INITIAL_LAYOUT_CLASS_LIST,
-                StringUtils.join(tokenOptions.getInitialLayoutClassList(), " "));
-
-        return getToken(claims, expireTime, apiSecret);
-
-    }
-
     private static String getToken(final JwtClaims claims, final long expireTime,
                                    final String apiSecret) throws OpenTokException {
         final SecretKeySpec spec = new SecretKeySpec(apiSecret.getBytes(),

src/test/java/com/opentok/test/Helpers.java

@@ -11,42 +11,65 @@
 import com.github.tomakehurst.wiremock.http.Request;
 import com.github.tomakehurst.wiremock.verification.LoggedRequest;
 import com.opentok.constants.Version;
+import org.apache.commons.codec.binary.Base64;
 import org.jose4j.jws.AlgorithmIdentifiers;
 import org.jose4j.jwt.consumer.InvalidJwtException;
 import org.jose4j.jwt.consumer.JwtConsumer;
 import org.jose4j.jwt.consumer.JwtConsumerBuilder;
 
 import javax.crypto.spec.SecretKeySpec;
 import java.io.UnsupportedEncodingException;
+import java.net.URLDecoder;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SignatureException;
 import java.util.Formatter;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
 import static com.github.tomakehurst.wiremock.client.WireMock.matching;
 import static com.github.tomakehurst.wiremock.client.WireMock.verify;
+import static com.opentok.util.Crypto.signData;
+import static com.opentok.util.TokenGenerator.ISSUED_AT;
+import static com.opentok.util.TokenGenerator.ISSUER;
+import static com.opentok.util.TokenGenerator.ISSUER_TYPE;
+import static com.opentok.util.TokenGenerator.PROJECT_ISSUER_TYPE;
 import static org.junit.Assert.assertTrue;
 
 public class Helpers {
 
-    public static Map<String, Object> decodeToken(String token, Integer apiKey, String apiSecret)
-            throws UnsupportedEncodingException, InvalidJwtException {
-        return getClaims(token, apiKey, apiSecret);
-    }
-
-    public static boolean verifyTokenSignature(String token, Integer apiKey, String apiSecret) {
+    public static final String JTI = "jti";
 
-        try {
-            getClaims(token, apiKey, apiSecret);
-            return true;
-        } catch (InvalidJwtException e) {
-            return false;
+    public static Map<String, String> decodeToken(String token) throws UnsupportedEncodingException {
+        Map<String, String> tokenData = new HashMap<String, String>();
+        token = token.substring(4);
+        byte[] buffer = Base64.decodeBase64(token);
+        String decoded = new String(buffer, "UTF-8");
+        String[] decodedParts = decoded.split(":");
+        for (String part : decodedParts) {
+            tokenData.putAll(decodeFormData(part));
         }
+        return tokenData;
     }
 
-    public static void verifyTokenAuth(int apiKey, String apiSecret, List<LoggedRequest> requests) {
+    public static boolean verifyTokenSignature(String token, String apiSecret) throws
+            UnsupportedEncodingException, NoSuchAlgorithmException, SignatureException, InvalidKeyException {
+        token = token.substring(4);
+        byte[] buffer = Base64.decodeBase64(token);
+        String decoded = new String(buffer, "UTF-8");
+        String[] decodedParts = decoded.split(":");
+        String signature = decodeToken(token).get("sig");
+        return (signature.equals(signData(decodedParts[1], apiSecret)));
+    }
+
+    public static boolean verifyTokenAuth(Integer apiKey, String apiSecret, List<LoggedRequest> requests) {
         for (Request request: requests) {
-            assertTrue(verifyTokenSignature(request.getHeader("X-OPENTOK-AUTH"), apiKey, apiSecret));
+            if (!verifyJWTClaims(request.getHeader("X-OPENTOK-AUTH"), apiKey, apiSecret)) {
+                return false;
+            }
         }
+        return true;
     }
 
     public static void verifyUserAgent() {
@@ -55,6 +78,18 @@ public static void verifyUserAgent() {
                         + Version.VERSION + ".*JRE/" + System.getProperty("java.version") + ".*")));
     }
 
+    private static Map<String, String> decodeFormData(String formData) throws UnsupportedEncodingException {
+        Map<String, String> decodedFormData = new HashMap<String, String>();
+        String[] pairs = formData.split("\\&");
+        for (int i = 0; i < pairs.length; i++) {
+            String[] fields = pairs[i].split("=");
+            String name = URLDecoder.decode(fields[0], "UTF-8");
+            String value = URLDecoder.decode(fields[1], "UTF-8");
+            decodedFormData.put(name, value);
+        }
+        return decodedFormData;
+    }
+
     private static Map<String, Object> getClaims(final String token, final Integer apiKey,
                                                  final String apiSecret)
             throws InvalidJwtException {
@@ -79,4 +114,17 @@ private static String toHexString(byte[] bytes) {
         }
         return formatter.toString();
     }
+
+    public static boolean verifyJWTClaims(String token, Integer apiKey, String apiSecret) {
+        try {
+            Map<String, Object> tokenData = getClaims(token, apiKey, apiSecret);
+            return apiKey.toString().equals(tokenData.get(ISSUER))
+                    && PROJECT_ISSUER_TYPE.equals(tokenData.get(ISSUER_TYPE))
+                    && System.currentTimeMillis() / 1000 >= (long) tokenData.get(ISSUED_AT)
+                    && null != tokenData.get(JTI);
+        } catch (InvalidJwtException e) {
+            return false;
+        }
+    }
+
 }