Improving login

redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/model/RequestTokenRequest.java

@@ -27,7 +27,7 @@ import javax.xml.bind.annotation.XmlRootElement;
 @XmlRootElement(name="refreshToken")
 public class RequestTokenRequest
 {
-    String grantType = "authorization_code";
+    String grantType = "";
     String clientId;
     String clientSecret;
     String code;
@@ -116,6 +116,7 @@ public class RequestTokenRequest
         return password;
     }
 
+    @XmlElement(name="password", required = true, nillable = false)
     public void setPassword( String password )
     {
         this.password = password;
@@ -153,4 +154,5 @@ public class RequestTokenRequest
     {
         this.state = state;
     }
+
 }

redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/model/TokenResponse.java

@@ -32,7 +32,7 @@ import java.time.Instant;
 public class TokenResponse
 {
     String accessToken;
-    String tokenType = "bearer";
+    String tokenType = "Bearer";
     long expiresIn;
     String refreshToken;
     String scope;

redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/v2/DefaultAuthenticationService.java

@@ -113,6 +113,9 @@ public class DefaultAuthenticationService
     public TokenResponse logIn( RequestTokenRequest loginRequest )
         throws RedbackServiceException
     {
+        if (!"authorization_code".equals(loginRequest.getGrantType())) {
+            throw new RedbackServiceException( "redback:bad_authorization_code", Response.Status.FORBIDDEN.getStatusCode( ) );
+        }
         String userName = loginRequest.getUserId(), password = loginRequest.getPassword();
         PasswordBasedAuthenticationDataSource authDataSource =
             new PasswordBasedAuthenticationDataSource( userName, password );
@@ -199,6 +202,8 @@ public class DefaultAuthenticationService
         {
             Token accessToken = jwtAuthenticator.refreshAccessToken( request.getRefreshToken( ) );
             Token refreshToken = jwtAuthenticator.tokenFromString( request.getRefreshToken( ) );
+            response.setHeader( "Cache-Control", "no-store" );
+            response.setHeader( "Pragma", "no-cache" );
             return new TokenResponse( accessToken, refreshToken );
         }
         catch ( TokenAuthenticationException e )

redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/v2/AbstractNativeRestServices.java

@@ -63,11 +63,13 @@ public abstract class AbstractNativeRestServices
     public static final String SYSPROP_START_SERVER = "archiva.rest.start.server";
     public static final String SYSPROP_SERVER_PORT = "archiva.rest.server.port";
     public static final String SYSPROP_SERVER_BASE_URI = "archiva.rest.server.baseuri";
+    public static final String SYSPROP_SERVER_ADMIN_PWD = "archiva.rest.server.admin_pwd";
     public static final int STOPPED = 0;
     public static final int STOPPING = 1;
     public static final int STARTING = 2;
     public static final int STARTED = 3;
     public static final int ERROR = 4;
+    public static final String DEFAULT_ADMIN_PWD = "Ackd245_aer9sdfa#sjDfn";
 
     private RequestSpecification requestSpec;
     protected Logger log = LoggerFactory.getLogger( getClass() );
@@ -77,7 +79,12 @@ public abstract class AbstractNativeRestServices
     private static AtomicInteger serverStarted = new AtomicInteger( STOPPED );
     private UserManager userManager;
     private RoleManager roleManager;
+    private String adminPwd;
 
+    public AbstractNativeRestServices( )
+    {
+        this.adminPwd = System.getProperty( SYSPROP_SERVER_ADMIN_PWD, DEFAULT_ADMIN_PWD );
+    }
 
     protected abstract String getServicePath();
 
@@ -154,22 +161,31 @@ public abstract class AbstractNativeRestServices
         return this.roleManager;
     }
 
+    protected String getAdminPwd() {
+        return this.adminPwd;
+    }
+
+    protected String getAdminUser() {
+        return RedbackRoleConstants.ADMINISTRATOR_ACCOUNT_NAME;
+    }
+
     private void setupAdminUser() throws UserManagerException, RoleManagerException
     {
+
         UserManager um = getUserManager( );
 
         User adminUser = null;
         try
         {
-            adminUser = um.findUser( RedbackRoleConstants.ADMINISTRATOR_ACCOUNT_NAME );
+            adminUser = um.findUser( getAdminUser() );
         } catch ( UserNotFoundException e ) {
             // ignore
         }
         if (adminUser==null)
         {
-            adminUser = um.createUser( RedbackRoleConstants.ADMINISTRATOR_ACCOUNT_NAME, "Administrator", "admin@local.home" );
-            adminUser.setUsername( RedbackRoleConstants.ADMINISTRATOR_ACCOUNT_NAME );
-            adminUser.setPassword( FakeCreateAdminServiceImpl.ADMIN_TEST_PWD );
+            adminUser = um.createUser( getAdminUser(), "Administrator", "admin@local.home" );
+            adminUser.setUsername( getAdminUser() );
+            adminUser.setPassword( getAdminPwd() );
             adminUser.setFullName( "the admin user" );
             adminUser.setEmail( "toto@toto.fr" );
             adminUser.setPermanent( true );

redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/v2/NativeAuthenticationServiceTest.java

@@ -34,11 +34,14 @@ import org.springframework.test.context.junit.jupiter.SpringExtension;
 
 import java.time.Instant;
 import java.time.OffsetDateTime;
+import java.util.HashMap;
+import java.util.Map;
 
 import static io.restassured.RestAssured.*;
 import static io.restassured.http.ContentType.JSON;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.notNullValue;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.springframework.core.annotation.MergedAnnotations.from;
 
@@ -87,4 +90,45 @@ public class NativeAuthenticationServiceTest extends AbstractNativeRestServices
         assertTrue( dateTime.toInstant( ).isBefore( afterCall ) );
     }
 
+    @Test
+    void tokenLogin() {
+        Map<String, Object> jsonAsMap = new HashMap<>();
+        jsonAsMap.put( "grant_type", "authorization_code" );
+        jsonAsMap.put("user_id", getAdminUser());
+        jsonAsMap.put("password", getAdminPwd() );
+        Response result = given( ).spec( getRequestSpec( ) )
+            .contentType( JSON )
+            .body( jsonAsMap )
+            .when( ).post( "/token").then( ).statusCode( 200 )
+            .extract( ).response( );
+        assertNotNull( result.body( ).jsonPath( ).getString( "access_token" ) );
+        assertNotNull( result.body( ).jsonPath( ).getString( "refresh_token" ) );
+    }
+
+    @Test
+    void invalidGrantTypeLogin() {
+        Map<String, Object> jsonAsMap = new HashMap<>();
+        jsonAsMap.put( "grant_type", "bad_code" );
+        jsonAsMap.put("user_id", getAdminUser());
+        jsonAsMap.put("password", getAdminPwd() );
+        Response result = given( ).spec( getRequestSpec( ) )
+            .contentType( JSON )
+            .body( jsonAsMap )
+            .when( ).post( "/token").then( ).statusCode( 403 )
+            .extract( ).response( );
+    }
+
+    @Test
+    void invalidPasswordLogin() {
+        Map<String, Object> jsonAsMap = new HashMap<>();
+        jsonAsMap.put( "grant_type", "authorization_code" );
+        jsonAsMap.put("user_id", getAdminUser());
+        jsonAsMap.put("password", "xxxx" );
+        Response result = given( ).spec( getRequestSpec( ) )
+            .contentType( JSON )
+            .body( jsonAsMap )
+            .when( ).post( "/token").then( ).statusCode( 401 )
+            .extract( ).response( );
+    }
+
 }