Session: JWT Web Token implementation

Author: jknack

jooby/src/main/java/io/jooby/Cookie.java

@@ -5,6 +5,8 @@
  */
 package io.jooby;
 
+import com.typesafe.config.Config;
+
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 import javax.crypto.Mac;
@@ -22,7 +24,10 @@
 import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
+import java.util.Optional;
 import java.util.concurrent.TimeUnit;
+import java.util.function.BiFunction;
+import java.util.function.Consumer;
 
 /**
  * Response cookie implementation. Response are send it back to client using
@@ -458,12 +463,46 @@ public long getMaxAge() {
         start = end + 1;
       } while (start < len);
 
-      return attributes.isEmpty() ? Collections.emptyMap() : Collections.unmodifiableMap(attributes);
+      return attributes.isEmpty()
+          ? Collections.emptyMap()
+          : Collections.unmodifiableMap(attributes);
     } catch (UnsupportedEncodingException x) {
       throw SneakyThrows.propagate(x);
     }
   }
 
+  /**
+   * Attempt to create/parse a cookie from application configuration object. The namespace given
+   * must be present and must defined a <code>name</code> property.
+   *
+   * The namespace might optionally defined: value, path, domain, secure, httpOnly and maxAge.
+   *
+   * @param namespace Cookie namespace/prefix.
+   * @param conf Configuration object.
+   * @return Parsed cookie or empty.
+   */
+  public static @Nonnull Optional<Cookie> create(@Nonnull String namespace, @Nonnull Config conf) {
+    if (conf.hasPath(namespace)) {
+      Cookie cookie = new Cookie(conf.getString(namespace + ".name"));
+      value(conf, namespace + ".value", Config::getString, cookie::setValue);
+      value(conf, namespace + ".path", Config::getString, cookie::setPath);
+      value(conf, namespace + ".domain", Config::getString, cookie::setDomain);
+      value(conf, namespace + ".secure", Config::getBoolean, cookie::setSecure);
+      value(conf, namespace + ".httpOnly", Config::getBoolean, cookie::setHttpOnly);
+      value(conf, namespace + ".maxAge", (c, path) -> c.getDuration(path, TimeUnit.SECONDS),
+          cookie::setMaxAge);
+      return Optional.of(cookie);
+    }
+    return Optional.empty();
+  }
+
+  private static <T> void value(Config conf, String name, BiFunction<Config, String, T> mapper,
+      Consumer<T> consumer) {
+    if (conf.hasPath(name)) {
+      consumer.accept(mapper.apply(conf, name));
+    }
+  }
+
   private void append(StringBuilder sb, String str) {
     if (needQuote(str)) {
       sb.append('"');

jooby/src/main/java/io/jooby/SessionStore.java

@@ -11,6 +11,8 @@
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 import java.time.Instant;
+import java.util.Map;
+import java.util.function.Function;
 
 /**
  * Load and save sessions from store (memory, database, etc.).
@@ -112,23 +114,47 @@ public interface SessionStore {
    * <code>HMAC_SHA256</code>. See {@link Cookie#sign(String, String)}.
    *
    * @param secret Secret token to signed data.
-   * @param cookie Cookie to use.
    * @return A browser session store.
    */
-  static @Nonnull SessionStore cookie(@Nonnull String secret, @Nonnull Cookie cookie) {
-    return new CookieSessionStore(secret, cookie);
+  static @Nonnull SessionStore cookie(@Nonnull String secret) {
+    return cookie(secret, SessionToken.SID);
   }
 
   /**
    * Creates a session store that save data into Cookie. Cookie data is signed it using
    * <code>HMAC_SHA256</code>. See {@link Cookie#sign(String, String)}.
    *
-   * It uses the default session cookie: {@link SessionToken#SID}.
-   *
    * @param secret Secret token to signed data.
+   * @param cookie Cookie to use.
    * @return A browser session store.
    */
-  static @Nonnull SessionStore cookie(@Nonnull String secret) {
-    return cookie(secret, SessionToken.SID);
+  static @Nonnull SessionStore cookie(@Nonnull String secret, @Nonnull Cookie cookie) {
+    SneakyThrows.Function<String, Map<String, String>> decoder = value -> {
+      String unsign = Cookie.unsign(value, secret);
+      if (unsign == null) {
+        return null;
+      }
+      return Cookie.decode(unsign);
+    };
+
+    SneakyThrows.Function<Map<String, String>, String> encoder = attributes ->
+        Cookie.sign(Cookie.encode(attributes), secret);
+
+    return new CookieSessionStore(cookie, decoder, encoder);
+  }
+
+  /**
+   * Creates a session store that save data into Cookie. Cookie data is (un)signed it using the given
+   * decoder and encoder.
+   *
+   * @param cookie Cookie to use.
+   * @param decoder Decoder to use.
+   * @param encoder Encoder to use.
+   * @return Cookie session store.
+   */
+  static @Nonnull SessionStore cookie(@Nonnull Cookie cookie,
+      @Nonnull Function<String, Map<String, String>> decoder,
+      @Nonnull Function<Map<String, String>, String> encoder) {
+    return new CookieSessionStore(cookie, decoder, encoder);
   }
 }

jooby/src/main/java/io/jooby/internal/CookieSessionStore.java

@@ -10,11 +10,13 @@
 import io.jooby.Session;
 import io.jooby.SessionStore;
 import io.jooby.SessionToken;
+import io.jooby.SneakyThrows;
 
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.function.Function;
 
 public class CookieSessionStore implements SessionStore {
 
@@ -41,11 +43,16 @@ public CookieToken(@Nonnull Cookie cookie) {
 
   private static final String NO_ID = "<missing>";
 
-  private final String secret;
+  private final Function<String, Map<String, String>> decoder;
+
+  private final Function<Map<String, String>, String> encoder;
+
   private final SessionToken token;
 
-  public CookieSessionStore(String secret, Cookie cookie) {
-    this.secret = secret;
+  public CookieSessionStore(Cookie cookie, Function<String, Map<String, String>> decoder,
+      Function<Map<String, String>, String> encoder) {
+    this.decoder = decoder;
+    this.encoder = encoder;
     this.token = new CookieToken(cookie);
   }
 
@@ -58,12 +65,8 @@ public CookieSessionStore(String secret, Cookie cookie) {
     if (signed == null) {
       return null;
     }
-    String unsign = Cookie.unsign(signed, secret);
-    if (unsign == null) {
-      return null;
-    }
-    Map<String, String> attributes = Cookie.decode(unsign);
-    if (attributes.isEmpty()) {
+    Map<String, String> attributes = decoder.apply(signed);
+    if (attributes == null || attributes.size() == 0) {
       return null;
     }
     return Session.create(ctx, NO_ID, new HashMap<>(attributes)).setNew(false);
@@ -74,8 +77,7 @@ public CookieSessionStore(String secret, Cookie cookie) {
   }
 
   @Override public void touchSession(@Nonnull Context ctx, @Nonnull Session session) {
-    String value = Cookie.encode(session.toMap());
-    token.saveToken(ctx, Cookie.sign(value, secret));
+    token.saveToken(ctx, encoder.apply(session.toMap()));
   }
 
   @Override public void saveSession(@Nonnull Context ctx, @Nonnull Session session) {

modules/jooby-jwt/pom.xml

@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+  <parent>
+    <groupId>io.jooby</groupId>
+    <artifactId>modules</artifactId>
+    <version>2.1.1-SNAPSHOT</version>
+  </parent>
+
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>jooby-jwt</artifactId>
+
+  <dependencies>
+    <dependency>
+      <groupId>com.google.code.findbugs</groupId>
+      <artifactId>jsr305</artifactId>
+      <scope>provided</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>io.jooby</groupId>
+      <artifactId>jooby</artifactId>
+      <version>${jooby.version}</version>
+    </dependency>
+
+    <dependency>
+      <groupId>io.jsonwebtoken</groupId>
+      <artifactId>jjwt-impl</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>io.jsonwebtoken</groupId>
+      <artifactId>jjwt-orgjson</artifactId>
+    </dependency>
+
+    <!-- Test dependencies -->
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-engine</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.jacoco</groupId>
+      <artifactId>org.jacoco.agent</artifactId>
+      <classifier>runtime</classifier>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-core</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+</project>

modules/jooby-jwt/src/main/java/io/jooby/jwt/JwtSession.java

@@ -0,0 +1,139 @@
+package io.jooby.jwt;
+
+import com.typesafe.config.Config;
+import io.jooby.Cookie;
+import io.jooby.Extension;
+import io.jooby.Jooby;
+import io.jooby.SessionStore;
+import io.jooby.SessionToken;
+import io.jooby.SneakyThrows;
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Jws;
+import io.jsonwebtoken.JwtBuilder;
+import io.jsonwebtoken.JwtException;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.security.Keys;
+
+import javax.annotation.Nonnull;
+import java.security.Key;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Optional;
+
+/**
+ * A HTTP cookie session store using JSON Web Token. Usage:
+ * <pre>{@code
+ * {
+ *   install(new JwtSession());
+ * }
+ * }</pre>
+ *
+ * It uses <code>HMAC-SHA-256</code> for signing the cookie. Secret key and cookie option can be
+ * specify programmatically or in your application configuration file.
+ *
+ * @author edgar
+ * @since 2.2.0
+ */
+public class JwtSession implements Extension {
+
+  private final Key key;
+
+  private final Cookie cookie;
+
+  /**
+   * Creates a JSON Web Token session store. The <code>session.secret</code> property must be
+   * defined in your application configuration.
+   *
+   * Cookie details are created from <code>session.cookie</code> when present, otherwise uses
+   * {@link SessionToken#SID}.
+   */
+  public JwtSession() {
+    this.key = null;
+    this.cookie = null;
+  }
+
+  /**
+   * Creates a JSON Web Token session store. It uses the provided key unless the
+   * <code>session.secret</code> property is present in your application configuration.
+   *
+   * Cookie details are created from <code>session.cookie</code> when present, otherwise uses
+   * {@link SessionToken#SID}.
+   *
+   * @param key Key to use. Override it by <code>session.secret</code> property.
+   */
+  public JwtSession(@Nonnull String key) {
+    this(key, SessionToken.SID);
+  }
+
+  /**
+   * Creates a JSON Web Token session store. It uses the provided key unless the
+   * <code>session.secret</code> property is present in your application configuration.
+   *
+   * Cookie details are created from <code>session.cookie</code> when present, otherwise uses
+   * the provided cookie.
+   *
+   * See {@link Cookie#create(String, Config)}.
+   *
+   * @param key Key to use. Override it by <code>session.secret</code> property.
+   * @param cookie Cookie to use. Override it by <code>session.cookie</code> property.
+   */
+  public JwtSession(@Nonnull String key, @Nonnull Cookie cookie) {
+    this(Keys.hmacShaKeyFor(key.getBytes()), cookie);
+  }
+
+  /**
+   * Creates a JSON Web Token session store. It uses the provided key unless the
+   * <code>session.secret</code> property is present in your application configuration.
+   *
+   * Cookie details are created from <code>session.cookie</code> when present, otherwise uses
+   * the provided cookie.
+   *
+   * See {@link Cookie#create(String, Config)}.
+   *
+   * @param key Key to use. Override it by <code>session.secret</code> property.
+   * @param cookie Cookie to use. Override it by <code>session.cookie</code> property.
+   */
+  public JwtSession(@Nonnull Key key, @Nonnull Cookie cookie) {
+    this.key = key;
+    this.cookie = cookie;
+  }
+
+  @Override public void install(@Nonnull Jooby application) throws Exception {
+    Config config = application.getConfig();
+    Key key = config.hasPath("session.secret")
+        ? Keys.hmacShaKeyFor(config.getString("session.secret").getBytes())
+        : this.key;
+    if (key == null) {
+      throw new IllegalStateException("No secret session secret key");
+    }
+    Cookie cookie = Cookie.create("session.cookie", config)
+        .orElse(Optional.ofNullable(this.cookie).orElse(SessionToken.SID));
+
+    application.setSessionStore(SessionStore.cookie(cookie, decoder(key), encoder(key)));
+  }
+
+  static SneakyThrows.Function<String, Map<String, String>> decoder(Key key) {
+    return value -> {
+      try {
+        Jws<Claims> claims = Jwts.parser().setSigningKey(key).parseClaimsJws(value);
+        Map<String, String> attributes = new HashMap<>();
+        for (Map.Entry<String, Object> entry : claims.getBody().entrySet()) {
+          attributes.put(entry.getKey(), entry.getValue().toString());
+        }
+        return attributes;
+      } catch (JwtException x) {
+        return null;
+      }
+    };
+  }
+
+  static SneakyThrows.Function<Map<String, String>, String> encoder(Key key) {
+    return attributes -> {
+      JwtBuilder builder = Jwts.builder().signWith(key);
+      for (Map.Entry<String, String> entry : attributes.entrySet()) {
+        builder.claim(entry.getKey(), entry.getValue());
+      }
+      return builder.compact();
+    };
+  }
+}