fix : synchronize api/v1/... and oauth2/token for basic token errors

Author: patternhelloworld

README.md

@@ -37,7 +37,7 @@
 ```shell
 mvnw clean install
 cd client
-mvnw clean install
+mvnw clean install # Integration tests are done here, which creates docs by Spring-Rest-Doc.
 ```
 - Run the client module by running ``SpringSecurityOauth2PasswordJpaImplApplication`` in the client.
 - The API information is found on ``http://localhost:8370/docs/api-app.html``, managed by Spring Rest Doc

client/pom.xml

@@ -7,7 +7,7 @@ http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.patternknife.securityhelper.oauth2.client</groupId>
     <artifactId>spring-security-oauth2-password-jpa-implementation-client</artifactId>
-    <version>2.0.0</version>
+    <version>2.1.0</version>
     <packaging>jar</packaging>
 
     <properties>
@@ -41,7 +41,7 @@ http://maven.apache.org/xsd/maven-4.0.0.xsd">
         <dependency>
             <groupId>com.patternknife.securityhelper.oauth2.api</groupId>
             <artifactId>spring-security-oauth2-password-jpa-implementation</artifactId>
-            <version>1.0.0</version>
+            <version>2.0.0</version>
         </dependency>
 
         <!-- DB -->

client/src/main/java/com/patternknife/securityhelper/oauth2/client/config/response/error/GlobalExceptionHandler.java

@@ -1,6 +1,8 @@
 package com.patternknife.securityhelper.oauth2.client.config.response.error;
 
 
+import com.patternknife.securityhelper.oauth2.api.config.response.error.dto.ErrorResponsePayload;
+import com.patternknife.securityhelper.oauth2.api.config.response.error.exception.auth.KnifeOauth2AuthenticationException;
 import com.patternknife.securityhelper.oauth2.api.config.response.error.message.SecurityUserExceptionMessage;
 import com.patternknife.securityhelper.oauth2.client.config.response.error.dto.CustomErrorResponsePayload;
 import com.patternknife.securityhelper.oauth2.client.config.response.error.exception.auth.*;
@@ -35,96 +37,10 @@
 import java.util.HashMap;
 import java.util.Map;
 
-@Order(Ordered.HIGHEST_PRECEDENCE)
+
 @ControllerAdvice
 public class GlobalExceptionHandler {
 
-    /*
-    *   General
-    * */
-    // Login Failure
-    @ExceptionHandler({InsufficientAuthenticationException.class, CustomOauth2AuthenticationException.class, AuthenticationException.class})
-    public ResponseEntity<?> authenticationException(Exception ex, WebRequest request) {
-        CustomErrorResponsePayload customErrorResponsePayload;
-        if(ex instanceof CustomOauth2AuthenticationException && ((CustomOauth2AuthenticationException) ex).getErrorMessages() != null) {
-            customErrorResponsePayload = new CustomErrorResponsePayload(((CustomOauth2AuthenticationException) ex).getErrorMessages(),
-                    ex, request.getDescription(false), CustomExceptionUtils.getAllStackTraces(ex),
-                    CustomExceptionUtils.getAllCauses(ex), null);
-        }else {
-            customErrorResponsePayload = new CustomErrorResponsePayload(CustomExceptionUtils.getAllCauses(ex), request.getDescription(false), SecurityUserExceptionMessage.AUTHENTICATION_LOGIN_FAILURE.getMessage(),
-                    ex.getMessage(), ex.getStackTrace()[0].toString());
-        }
-        return new ResponseEntity<>(customErrorResponsePayload, HttpStatus.UNAUTHORIZED);
-    }
-    // Role (=Permission) Failure
-    @ExceptionHandler({UnauthorizedException.class, AccessDeniedException.class, DisabledException.class})
-    public ResponseEntity<?> authorizationException(Exception ex, WebRequest request) {
-        CustomErrorResponsePayload customErrorResponsePayload = new CustomErrorResponsePayload(ex.getMessage() != null ? ex.getMessage() : CustomExceptionUtils.getAllCauses(ex), request.getDescription(false),
-                ex.getMessage() == null || ex.getMessage().equals("Access Denied") ? SecurityUserExceptionMessage.AUTHORIZATION_FAILURE.getMessage() : ex.getMessage(), ex.getStackTrace()[0].toString());
-        return new ResponseEntity<>(customErrorResponsePayload, HttpStatus.FORBIDDEN);
-    }
-    // Custom or Admin
-    @ExceptionHandler({CustomAuthGuardException.class})
-    public ResponseEntity<?> customAuthorizationException(Exception ex, WebRequest request) {
-        CustomErrorResponsePayload customErrorResponsePayload = new CustomErrorResponsePayload(CustomExceptionUtils.getAllCauses(ex), request.getDescription(false), SecurityUserExceptionMessage.AUTHORIZATION_FAILURE.getMessage(),
-                ex.getMessage(), ex.getStackTrace()[0].toString());
-        return new ResponseEntity<>(customErrorResponsePayload, HttpStatus.FORBIDDEN);
-    }
-
-    /*
-    *  Issues with ID, Password
-    * */
-    @ExceptionHandler({UsernameNotFoundException.class, BadCredentialsException.class})
-    public ResponseEntity<?> usernameOrPasswordIssueException(Exception ex, WebRequest request) {
-
-        CustomErrorResponsePayload customErrorResponsePayload = new CustomErrorResponsePayload(CustomExceptionUtils.getAllCauses(ex), request.getDescription(false), ex.getMessage(),
-                ex.getMessage(), ex.getStackTrace()[0].toString());
-
-        return new ResponseEntity<>(customErrorResponsePayload, HttpStatus.UNAUTHORIZED);
-    }
-
-    /*
-    *   Social Login (Access Token Failure)
-    * */
-    // 1. NoSocialRegisteredException: Trying to do social login but the user does not exist (TO DO. Need separation. The app is branching based on the message of this Exception)
-    // 2. AlreadySocialRegisteredException: Trying to create a social user but it already exists
-    @ExceptionHandler({ AlreadySocialRegisteredException.class, NoSocialRegisteredException.class })
-    public ResponseEntity<?> socialLoginFailureException(Exception ex, WebRequest request) {
-        CustomErrorResponsePayload customErrorResponsePayload = new CustomErrorResponsePayload(ex.getMessage(), request.getDescription(false), ex.getMessage(),
-                CustomExceptionUtils.getAllStackTraces(ex), CustomExceptionUtils.getAllCauses(ex));
-        return new ResponseEntity<>(customErrorResponsePayload, HttpStatus.UNAUTHORIZED);
-    }
-    // SocialEmailNotProvidedException: The app received a 200 status from the social platform using the access token store, but the social platform did not provide the user's email information. In this case, the company needs to obtain authorization from the social platform.
-    @ExceptionHandler({ SocialEmailNotProvidedException.class})
-    public ResponseEntity<?> accessToSocialSuccessButIssuesWithReturnedValue(Exception ex, WebRequest request) {
-        CustomErrorResponsePayload customErrorResponsePayload = new CustomErrorResponsePayload(ex.getMessage(), request.getDescription(false), ex.getMessage(),
-                CustomExceptionUtils.getAllStackTraces(ex), CustomExceptionUtils.getAllCauses(ex));
-        return new ResponseEntity<>(customErrorResponsePayload, HttpStatus.FORBIDDEN);
-    }
-
-    // Social Resource Access Failure (Access Token OK but No Permission)
-    // The social platform has blocked access to the requested resource.
-    @ExceptionHandler({SocialUnauthorizedException.class})
-    public ResponseEntity<?> accessToSocialDenied(Exception ex, WebRequest request) {
-        CustomErrorResponsePayload customErrorResponsePayload = new CustomErrorResponsePayload(ex.getMessage() != null ? ex.getMessage() : CustomExceptionUtils.getAllCauses(ex),
-                request.getDescription(false),"Not a valid access token." , ex.getStackTrace()[0].toString());
-        return new ResponseEntity<>(customErrorResponsePayload, HttpStatus.FORBIDDEN);
-    }
-
-    // OTP (Only for Admin)
-    @ExceptionHandler({OtpValueUnauthorizedException.class})
-    public ResponseEntity<?> otpException(Exception ex, WebRequest request) {
-
-        Map<String, String> userValidationMessages = new HashMap<>();
-        userValidationMessages.put("otp_value", ex.getMessage());
-
-        CustomErrorResponsePayload customErrorResponsePayload = new CustomErrorResponsePayload(ex.getMessage(), request.getDescription(false),
-                null,
-                userValidationMessages,
-                CustomExceptionUtils.getAllStackTraces(ex), CustomExceptionUtils.getAllCauses(ex));
-
-        return new ResponseEntity<>(customErrorResponsePayload, HttpStatus.UNAUTHORIZED);
-    }
 
     // UserDeletedException : caused by the process of user deactivation
     // UserRestoredException : caused by the process of user reactivation

client/src/main/java/com/patternknife/securityhelper/oauth2/client/config/securityimpl/serivce/userdetail/CustomerDetailsService.java

@@ -56,7 +56,7 @@ public void setEntityManager(EntityManager entityManager) {
     @Override
     public UserDetails loadUserByUsername(String username) {
 
-        Customer customer = customerRepository.findByIdName(username).orElseThrow(() -> new UsernameNotFoundException("Customer (ID : \"" + username + "\") NOT foUND"));
+        Customer customer = customerRepository.findByIdName(username).orElseThrow(() -> new UsernameNotFoundException("Customer (ID : \"" + username + "\") NOT Found"));
         if(customer.getDeletedAt() != null){
             if(customer.getDeleteAdminId() == null) {
                 if (customer.getOneWeekAfterDeletedAsString() != null) {

client/src/test/java/com/patternknife/securityhelper/oauth2/client/integration/auth/CustomerIntegrationTest.java

@@ -1,6 +1,7 @@
 package com.patternknife.securityhelper.oauth2.client.integration.auth;
 
 
+import com.patternknife.securityhelper.oauth2.api.config.response.error.message.SecurityUserExceptionMessage;
 import com.patternknife.securityhelper.oauth2.api.config.security.KnifeHttpHeaders;
 import jakarta.xml.bind.DatatypeConverter;
 import lombok.SneakyThrows;
@@ -47,6 +48,13 @@
 import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+
+
+/*
+*    Functions ending with
+*       "ORIGINAL" : '/oauth2/token'
+*       "EXPOSED" : '/api/v1/traditional-oauth/token'
+* */
 @ExtendWith(RestDocumentationExtension.class)
 @ExtendWith(SpringExtension.class)
 @SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
@@ -432,6 +440,134 @@ public void test_SameAppTokensUseSameAccessToken_ORIGINAL() throws Exception {
         }
     }
 
+    @Test
+    public void testLoginWithInvalidCredentials_ORIGINAL() throws Exception {
+
+
+        MvcResult result = mockMvc.perform(RestDocumentationRequestBuilders.post("/oauth2/token")
+                        .header(HttpHeaders.AUTHORIZATION, basicHeader)
+                        .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+                        .param("grant_type", "password")
+                        .param("username", testUserName + "wrongcredential")
+                        .param("password", testUserPassword))
+                .andExpect(status().isUnauthorized()) // 401
+                .andDo(document( "{class-name}/{method-name}/oauth-access-token",
+                        preprocessRequest(new AccessTokenMaskingPreprocessor()),
+                        preprocessResponse(new AccessTokenMaskingPreprocessor(), prettyPrint()),
+                        requestHeaders(
+                                headerWithName(HttpHeaders.AUTHORIZATION).description("Connect the received client_id and client_secret with ':', use the base64 function, and write Basic at the beginning. ex) Basic base64(client_id:client_secret)"),
+                                headerWithName(KnifeHttpHeaders.APP_TOKEN).optional().description("Not having a value does not mean you cannot log in, but cases without an App-Token value share the same access_token. Please include it as a required value according to the device-specific session policy.")
+                        ),
+                        formParameters(
+                                parameterWithName("grant_type").description("Uses the password method among Oauth2 grant_types. Please write password."),
+                                parameterWithName("username").description("This is the user's email address."),
+                                parameterWithName("password").description("This is the user's password.")
+                        )))
+                .andReturn();
+
+
+        String responseString = result.getResponse().getContentAsString();
+        JSONObject jsonResponse = new JSONObject(responseString);
+        String userMessage = jsonResponse.getString("userMessage");
+
+        assertEquals(userMessage, SecurityUserExceptionMessage.AUTHENTICATION_LOGIN_FAILURE.getMessage());
+
+
+
+        result = mockMvc.perform(RestDocumentationRequestBuilders.post("/oauth2/token")
+                        .header(HttpHeaders.AUTHORIZATION, "Basic " + DatatypeConverter.printBase64Binary((appUserClientId + "wrongcred:" + appUserClientSecret).getBytes("UTF-8")))
+                        .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+                        .param("grant_type", "password")
+                        .param("username", testUserName)
+                        .param("password", testUserPassword))
+                .andExpect(status().isUnauthorized()) // 401
+                .andDo(document( "{class-name}/{method-name}/oauth-access-token",
+                        preprocessRequest(new AccessTokenMaskingPreprocessor()),
+                        preprocessResponse(new AccessTokenMaskingPreprocessor(), prettyPrint()),
+                        requestHeaders(
+                                headerWithName(HttpHeaders.AUTHORIZATION).description("Connect the received client_id and client_secret with ':', use the base64 function, and write Basic at the beginning. ex) Basic base64(client_id:client_secret)"),
+                                headerWithName(KnifeHttpHeaders.APP_TOKEN).optional().description("Not having a value does not mean you cannot log in, but cases without an App-Token value share the same access_token. Please include it as a required value according to the device-specific session policy.")
+                        ),
+                        formParameters(
+                                parameterWithName("grant_type").description("Uses the password method among Oauth2 grant_types. Please write password."),
+                                parameterWithName("username").description("This is the user's email address."),
+                                parameterWithName("password").description("This is the user's password.")
+                        )))
+                .andReturn();
+
+
+        responseString = result.getResponse().getContentAsString();
+        jsonResponse = new JSONObject(responseString);
+        userMessage = jsonResponse.getString("userMessage");
+
+        assertEquals(userMessage, SecurityUserExceptionMessage.WRONG_CLIENT_ID_SECRET.getMessage());
+    }
+
+
+    @Test
+    public void testLoginWithInvalidCredentials_EXPOSE() throws Exception {
+
+        MvcResult result = mockMvc.perform(RestDocumentationRequestBuilders.post("/api/v1/traditional-oauth/token")
+                        .header(HttpHeaders.AUTHORIZATION, basicHeader)
+                        .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+                        .param("grant_type", "password")
+                        .param("username", testUserName + "wrongcredential")
+                        .param("password", testUserPassword))
+                .andExpect(status().isUnauthorized()) // 401
+                .andDo(document( "{class-name}/{method-name}/oauth-access-token",
+                        preprocessRequest(new AccessTokenMaskingPreprocessor()),
+                        preprocessResponse(new AccessTokenMaskingPreprocessor(), prettyPrint()),
+                        requestHeaders(
+                                headerWithName(HttpHeaders.AUTHORIZATION).description("Connect the received client_id and client_secret with ':', use the base64 function, and write Basic at the beginning. ex) Basic base64(client_id:client_secret)"),
+                                headerWithName(KnifeHttpHeaders.APP_TOKEN).optional().description("Not having a value does not mean you cannot log in, but cases without an App-Token value share the same access_token. Please include it as a required value according to the device-specific session policy.")
+                        ),
+                        formParameters(
+                                parameterWithName("grant_type").description("Uses the password method among Oauth2 grant_types. Please write password."),
+                                parameterWithName("username").description("This is the user's email address."),
+                                parameterWithName("password").description("This is the user's password.")
+                        )))
+                .andReturn();
+
+
+        String responseString = result.getResponse().getContentAsString();
+        JSONObject jsonResponse = new JSONObject(responseString);
+        String userMessage = jsonResponse.getString("userMessage");
+
+        assertEquals(userMessage, SecurityUserExceptionMessage.AUTHENTICATION_LOGIN_FAILURE.getMessage());
+
+
+
+        result = mockMvc.perform(RestDocumentationRequestBuilders.post("/api/v1/traditional-oauth/token")
+                        .header(HttpHeaders.AUTHORIZATION, "Basic " + DatatypeConverter.printBase64Binary((appUserClientId + "wrongcred:" + appUserClientSecret).getBytes("UTF-8")))
+                        .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+                        .param("grant_type", "password")
+                        .param("username", testUserName)
+                        .param("password", testUserPassword))
+                .andExpect(status().isUnauthorized()) // 401
+                .andDo(document( "{class-name}/{method-name}/oauth-access-token",
+                        preprocessRequest(new AccessTokenMaskingPreprocessor()),
+                        preprocessResponse(new AccessTokenMaskingPreprocessor(), prettyPrint()),
+                        requestHeaders(
+                                headerWithName(HttpHeaders.AUTHORIZATION).description("Connect the received client_id and client_secret with ':', use the base64 function, and write Basic at the beginning. ex) Basic base64(client_id:client_secret)"),
+                                headerWithName(KnifeHttpHeaders.APP_TOKEN).optional().description("Not having a value does not mean you cannot log in, but cases without an App-Token value share the same access_token. Please include it as a required value according to the device-specific session policy.")
+                        ),
+                        formParameters(
+                                parameterWithName("grant_type").description("Uses the password method among Oauth2 grant_types. Please write password."),
+                                parameterWithName("username").description("This is the user's email address."),
+                                parameterWithName("password").description("This is the user's password.")
+                        )))
+                .andReturn();
+
+
+        responseString = result.getResponse().getContentAsString();
+        jsonResponse = new JSONObject(responseString);
+        userMessage = jsonResponse.getString("userMessage");
+
+        assertEquals(userMessage, SecurityUserExceptionMessage.WRONG_CLIENT_ID_SECRET.getMessage());
+    }
+
+
+
     private static class AccessTokenMaskingPreprocessor implements OperationPreprocessor {
 
         @Override