Simplify authentication in rest api (#24)

* Set correct authentication roles and clean up no longer needed authentication paths.
* Update the MFA end-point to create a new security principal with updated access_token.
* Combine IT test reports with the unit test for the api subproject.
* Remove unused code, update test to render the QR code.

Author: gjong

build.gradle.kts

@@ -20,7 +20,7 @@ subprojects {
     apply(plugin = "maven-publish")
     apply(plugin = "jacoco")
 
-    tasks.test {
+    tasks.check {
         finalizedBy(tasks.jacocoTestReport)
     }
 

fintrack-api/build.gradle.kts

@@ -26,6 +26,10 @@ tasks.register<Test>("itTest") {
     shouldRunAfter(tasks.test)
 }
 
+tasks.jacocoTestReport {
+    executionData(layout.buildDirectory.files("/jacoco/test.exec", "jacoco/itTest.exec"))
+}
+
 tasks.check {
     dependsOn("itTest")
 }

fintrack-api/src/integration/java/com/jongsoft/finance/MultiFactorLoginTest.java

@@ -0,0 +1,39 @@
+package com.jongsoft.finance;
+
+import com.jongsoft.finance.extension.IntegrationTest;
+import com.jongsoft.finance.extension.TestContext;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+
+import static org.hamcrest.Matchers.equalTo;
+
+@IntegrationTest(phase = 1)
+@DisplayName("User registers and logins with MFA")
+public class MultiFactorLoginTest {
+
+    @Test
+    void registerAndLoginWithMFA(TestContext testContext) {
+        var profileContext = testContext
+                .register("mfa-sample@e", "Zomer2020")
+                .authenticate("mfa-sample@e", "Zomer2020")
+                .profile();
+
+        profileContext
+                .get(response -> response
+                        .body("theme", equalTo("dark"))
+                        .body("currency", equalTo("EUR"))
+                        .body("mfa", equalTo(false)))
+                .qrCode();
+
+        testContext.enableMFA();
+
+        testContext
+                .authenticate("mfa-sample@e", "Zomer2020")
+                .multiFactor()
+                .profile()
+                .get(response -> response
+                        .body("theme", equalTo("dark"))
+                        .body("currency", equalTo("EUR"))
+                        .body("mfa", equalTo(true)));
+    }
+}

fintrack-api/src/integration/java/com/jongsoft/finance/extension/IntegrationTestExtension.java

@@ -39,7 +39,7 @@ public void beforeAll(ExtensionContext context) {
                     testContext = new TestContext(new TestContext.Server(
                             server.getScheme() + "://" + server.getHost(),
                             server.getPort()
-                    ));
+                    ), applicationContext);
                 });
     }
 

fintrack-api/src/integration/java/com/jongsoft/finance/extension/ProfileContext.java

@@ -0,0 +1,41 @@
+package com.jongsoft.finance.extension;
+
+import io.micronaut.http.MediaType;
+import io.restassured.response.ValidatableResponse;
+import io.restassured.specification.RequestSpecification;
+import org.apache.http.HttpStatus;
+
+import java.util.function.Consumer;
+import java.util.function.Supplier;
+
+public class ProfileContext {
+    private final Supplier<RequestSpecification> requestSpecification;
+
+    public ProfileContext(Supplier<RequestSpecification> requestSpecification) {
+        this.requestSpecification = requestSpecification;
+    }
+
+    public ProfileContext get(Consumer<ValidatableResponse> validator) {
+        var response = requestSpecification.get()
+            .when()
+                .get("/profile")
+            .then()
+                .statusCode(HttpStatus.SC_OK);
+
+        validator.accept(response);
+
+        return this;
+    }
+
+    public ProfileContext qrCode() {
+        requestSpecification.get()
+            .when()
+                .accept(MediaType.IMAGE_PNG)
+                .get("/profile/multi-factor/qr-code")
+            .then()
+                .statusCode(HttpStatus.SC_OK)
+                .contentType(MediaType.IMAGE_PNG);
+
+        return this;
+    }
+}

fintrack-api/src/integration/java/com/jongsoft/finance/extension/TestContext.java

@@ -6,10 +6,18 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.SerializerProvider;
 import com.fasterxml.jackson.databind.module.SimpleModule;
+import com.jongsoft.finance.domain.user.UserAccount;
+import com.jongsoft.finance.providers.UserProvider;
+import com.jongsoft.lang.Control;
+import dev.samstevens.totp.code.DefaultCodeGenerator;
+import dev.samstevens.totp.time.SystemTimeProvider;
+import io.micronaut.context.ApplicationContext;
 import io.restassured.RestAssured;
 import io.restassured.builder.RequestSpecBuilder;
 import io.restassured.config.ObjectMapperConfig;
 import io.restassured.specification.RequestSpecification;
+import org.apache.http.HttpStatus;
+import org.assertj.core.api.Assertions;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -24,9 +32,12 @@ public class TestContext {
     public record Server(String baseUri, int port) {
     }
 
+    private String authenticatedWith;
     private String authenticationToken;
+    private final ApplicationContext applicationContext;
 
-    public TestContext(Server server) {
+    public TestContext(Server server, ApplicationContext applicationContext) {
+        this.applicationContext = applicationContext;
         RestAssured.requestSpecification = new RequestSpecBuilder()
                 .setBaseUri(server.baseUri)
                 .setPort(server.port)
@@ -73,7 +84,7 @@ public TestContext register(String username, String password) {
 
     public TestContext authenticate(String username, String password) {
         log.info("Authenticating user: {}", username);
-        authenticationToken = RestAssured.given()
+        var jsonPath = RestAssured.given()
                 .body("""
                         {
                             "username": "%s",
@@ -84,11 +95,52 @@ public TestContext authenticate(String username, String password) {
                 .statusCode(200)
                 .extract()
                 .body()
+                .jsonPath();
+
+        authenticationToken = jsonPath.getString("access_token");
+        authenticatedWith = username;
+        return this;
+    }
+
+    public TestContext multiFactor() {
+        authenticationToken = authRequest()
+            .given()
+                .contentType("application/json")
+                .body("""
+                        {
+                          "verificationCode": "%s"
+                        }""".formatted(generateToken()))
+            .when()
+                .post("/security/2-factor")
+            .then()
+                .statusCode(HttpStatus.SC_OK)
+                .extract()
                 .jsonPath()
                 .getString("access_token");
+
+        return this;
+    }
+
+    public TestContext enableMFA() {
+        authRequest()
+            .given()
+                .contentType("application/json")
+                .body("""
+                        {
+                          "verificationCode": "%s"
+                        }""".formatted(generateToken()))
+            .when()
+                .post("/profile/multi-factor/enable")
+            .then()
+                .statusCode(HttpStatus.SC_NO_CONTENT);
+
         return this;
     }
 
+    public ProfileContext profile() {
+        return new ProfileContext(this::authRequest);
+    }
+
     public AccountContext accounts() {
         return new AccountContext(authRequest());
     }
@@ -106,7 +158,7 @@ public String upload(InputStream inputStream) {
                 .contentType("multipart/form-data")
                 .multiPart("upload", "account1.svg", inputStream)
                 .post("/attachment")
-                .then()
+            .then()
                 .statusCode(201)
                 .extract()
                 .body()
@@ -118,4 +170,16 @@ public RequestSpecification authRequest() {
         return RestAssured.given()
                 .header("Authorization", "Bearer " + authenticationToken);
     }
+
+    private String generateToken() {
+        var optionalUser = applicationContext.getBean(UserProvider.class)
+                .lookup(authenticatedWith);
+        Assertions.assertThat(optionalUser.isPresent()).isTrue();
+
+        return optionalUser.map(UserAccount::getSecret)
+                .map(secret -> Control.Try(() -> new DefaultCodeGenerator()
+                                .generate(secret, Math.floorDiv(new SystemTimeProvider().getTime(), 30)))
+                        .get())
+                .get();
+    }
 }

fintrack-api/src/main/java/com/jongsoft/finance/filter/AuthenticationFailureHandler.java

@@ -0,0 +1,43 @@
+package com.jongsoft.finance.filter;
+
+import io.micronaut.context.annotation.Replaces;
+import io.micronaut.http.HttpRequest;
+import io.micronaut.http.HttpResponse;
+import io.micronaut.http.HttpStatus;
+import io.micronaut.http.annotation.Produces;
+import io.micronaut.http.hateoas.JsonError;
+import io.micronaut.http.server.exceptions.ExceptionHandler;
+import io.micronaut.security.authentication.AuthorizationException;
+import io.micronaut.security.authentication.DefaultAuthorizationExceptionHandler;
+import jakarta.inject.Singleton;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+@Produces
+@Singleton
+@Replaces(DefaultAuthorizationExceptionHandler.class)
+public class AuthenticationFailureHandler implements ExceptionHandler<AuthorizationException, HttpResponse<JsonError>> {
+
+    private final Logger log = LoggerFactory.getLogger(AuthenticationFailureHandler.class);
+
+    @Override
+    public HttpResponse<JsonError> handle(HttpRequest request, AuthorizationException exception) {
+        if (exception.isForbidden()) {
+            log.info("{}: {} - User {} does not have access based upon the roles {}.",
+                    request.getMethod(),
+                    request.getPath(),
+                    exception.getAuthentication().getName(),
+                    exception.getAuthentication().getRoles());
+
+            return HttpResponse.status(HttpStatus.FORBIDDEN)
+                    .body(new JsonError("User does not have access based upon the roles"));
+        }
+
+        log.info("{}: {} - User {} is not authenticated.",
+                request.getMethod(),
+                request.getPath(),
+                exception.getAuthentication().getName());
+
+        return HttpResponse.unauthorized();
+    }
+}

fintrack-api/src/main/java/com/jongsoft/finance/filter/AuthenticationFilter.java

@@ -63,7 +63,7 @@ public Publisher<MutableHttpResponse<?>> doFilter(final HttpRequest<?> request,
     }
 
     private void handleAuthentication(Principal principal) {
-        log.debug("Authenticated user {}", principal.getName());
+        log.trace("Authenticated user {}", principal.getName());
         eventPublisher.publishEvent(new InternalAuthenticationEvent(this, principal.getName()));
     }
 }

fintrack-api/src/main/java/com/jongsoft/finance/rest/account/AccountResource.java

@@ -7,12 +7,12 @@
 import com.jongsoft.finance.providers.SettingProvider;
 import com.jongsoft.finance.rest.model.AccountResponse;
 import com.jongsoft.finance.rest.model.ResultPageResponse;
+import com.jongsoft.finance.security.AuthenticationRoles;
 import com.jongsoft.finance.security.CurrentUserProvider;
 import com.jongsoft.lang.Collections;
 import io.micronaut.core.annotation.Nullable;
 import io.micronaut.http.annotation.*;
 import io.micronaut.security.annotation.Secured;
-import io.micronaut.security.rules.SecurityRule;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.Parameter;
 import io.swagger.v3.oas.annotations.enums.ParameterIn;
@@ -24,7 +24,7 @@
 
 @Controller("/api/accounts")
 @Tag(name = "Account information")
-@Secured(SecurityRule.IS_AUTHENTICATED)
+@Secured(AuthenticationRoles.IS_AUTHENTICATED)
 public class AccountResource {
 
     private final SettingProvider settingProvider;

fintrack-api/src/main/java/com/jongsoft/finance/rest/account/AccountTopResource.java

@@ -4,13 +4,13 @@
 import com.jongsoft.finance.providers.AccountProvider;
 import com.jongsoft.finance.providers.SettingProvider;
 import com.jongsoft.finance.rest.DateFormat;
+import com.jongsoft.finance.security.AuthenticationRoles;
 import com.jongsoft.lang.Collections;
 import com.jongsoft.lang.Dates;
 import io.micronaut.http.annotation.Controller;
 import io.micronaut.http.annotation.Get;
 import io.micronaut.http.annotation.PathVariable;
 import io.micronaut.security.annotation.Secured;
-import io.micronaut.security.rules.SecurityRule;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.tags.Tag;
 
@@ -19,7 +19,7 @@
 
 @Controller("/api/accounts/top")
 @Tag(name = "Account information")
-@Secured(SecurityRule.IS_AUTHENTICATED)
+@Secured(AuthenticationRoles.IS_AUTHENTICATED)
 public class AccountTopResource {
 
     private final AccountProvider accountProvider;

fintrack-api/src/main/java/com/jongsoft/finance/rest/account/AccountTransactionResource.java

@@ -11,14 +11,14 @@
 import com.jongsoft.finance.providers.TransactionProvider;
 import com.jongsoft.finance.rest.model.ResultPageResponse;
 import com.jongsoft.finance.rest.model.TransactionResponse;
+import com.jongsoft.finance.security.AuthenticationRoles;
 import com.jongsoft.lang.Collections;
 import com.jongsoft.lang.Control;
 import com.jongsoft.lang.Dates;
 import io.micronaut.core.annotation.Nullable;
 import io.micronaut.http.HttpStatus;
 import io.micronaut.http.annotation.*;
 import io.micronaut.security.annotation.Secured;
-import io.micronaut.security.rules.SecurityRule;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.Parameter;
 import io.swagger.v3.oas.annotations.enums.ParameterIn;
@@ -31,7 +31,7 @@
 import java.util.function.Consumer;
 
 @Tag(name = "Transactions")
-@Secured(SecurityRule.IS_AUTHENTICATED)
+@Secured(AuthenticationRoles.IS_AUTHENTICATED)
 @Controller("/api/accounts/{accountId}/transactions")
 public class AccountTransactionResource {
 

fintrack-api/src/main/java/com/jongsoft/finance/rest/account/AccountTypeResource.java

@@ -1,10 +1,10 @@
 package com.jongsoft.finance.rest.account;
 
 import com.jongsoft.finance.providers.AccountTypeProvider;
+import com.jongsoft.finance.security.AuthenticationRoles;
 import io.micronaut.http.annotation.Controller;
 import io.micronaut.http.annotation.Get;
 import io.micronaut.security.annotation.Secured;
-import io.micronaut.security.rules.SecurityRule;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.tags.Tag;
 import jakarta.inject.Singleton;
@@ -14,7 +14,7 @@
 @Singleton
 @Tag(name = "Account information")
 @Controller("/api/account-types")
-@Secured(SecurityRule.IS_AUTHENTICATED)
+@Secured(AuthenticationRoles.IS_AUTHENTICATED)
 public class AccountTypeResource {
 
     private final AccountTypeProvider accountTypeProvider;