NIFI-8697: When login endpoint is encountered and JWT is no longer valid, request cookie to be deleted. Also fixed NPE that was encountered when going to /logout without the expected cookie being present

Signed-off-by: Nathan Gough <thenatog@gmail.com> This closes #5155.
2025-02-09 03:25:04 +00:00 · 2021-06-14 14:36:03 -04:00 · 2021-06-14 14:36:03 -04:00 · 576338cd55
commit 576338cd55
parent de7fef8a0a
1 changed files with 9 additions and 4 deletions
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
@ -1158,7 +1158,7 @@ public class AccessResource extends ApplicationResource {
                    @ApiResponse(code = 500, message = "Unable to determine access status because an unexpected error occurred.")
            }
    )
-    public Response getAccessStatus(@Context HttpServletRequest httpServletRequest) {
+    public Response getAccessStatus(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {

        // only consider user specific access over https
        if (!httpServletRequest.isSecure()) {
@ -1192,8 +1192,12 @@ public class AccessResource extends ApplicationResource {
                        // attempt authorize to /flow
                        accessStatus.setStatus(AccessStatusDTO.Status.ACTIVE.name());
                        accessStatus.setMessage("You are already logged in.");
-                    } catch (JwtException e) {
-                        throw new InvalidAuthenticationException(e.getMessage(), e);
+                    } catch (final InvalidAuthenticationException iae) {
+                        if (WebUtils.getCookie(httpServletRequest, NiFiBearerTokenResolver.JWT_COOKIE_NAME) != null) {
+                            removeCookie(httpServletResponse, NiFiBearerTokenResolver.JWT_COOKIE_NAME);
+                        }
+
+                        throw iae;
                    }
                }
            } else {
@ -1553,7 +1557,8 @@ public class AccessResource extends ApplicationResource {
        LogoutRequest logoutRequest = null;

        // check if a logout request identifier is present and if so complete the request
-        final String logoutRequestIdentifier = WebUtils.getCookie(httpServletRequest, LOGOUT_REQUEST_IDENTIFIER).getValue();
+        final Cookie cookie = WebUtils.getCookie(httpServletRequest, LOGOUT_REQUEST_IDENTIFIER);
+        final String logoutRequestIdentifier = cookie == null ? null : cookie.getValue();
        if (logoutRequestIdentifier != null) {
            logoutRequest = logoutRequestManager.complete(logoutRequestIdentifier);
        }