diff --git a/deploy/docker/docker-compose.yml b/deploy/docker/docker-compose.yml index f0446d33..0bf8c43f 100755 --- a/deploy/docker/docker-compose.yml +++ b/deploy/docker/docker-compose.yml @@ -52,8 +52,6 @@ services: condition: service_healthy mongodb: condition: service_healthy - mailhog: - condition: service_healthy healthcheck: test: /app/health.sh interval: 15s diff --git a/services/identity/src/main/java/com/crapi/config/JwtAuthTokenFilter.java b/services/identity/src/main/java/com/crapi/config/JwtAuthTokenFilter.java index 5df66e38..38cf0ba5 100644 --- a/services/identity/src/main/java/com/crapi/config/JwtAuthTokenFilter.java +++ b/services/identity/src/main/java/com/crapi/config/JwtAuthTokenFilter.java @@ -76,9 +76,6 @@ protected void doFilterInternal( response.sendError( HttpServletResponse.SC_UNAUTHORIZED, UserMessage.ACCOUNT_LOCKED_MESSAGE); } - } else { - tokenLogger.error(UserMessage.INVALID_CREDENTIALS); - response.sendError(HttpServletResponse.SC_UNAUTHORIZED, UserMessage.INVALID_CREDENTIALS); } } catch (Exception e) { tokenLogger.error("Can NOT set user authentication -> Message:%d", e); @@ -125,13 +122,10 @@ public String getUserFromToken(HttpServletRequest request) throws ParseException String username = null; if (token != null) { if (apiType == ApiType.APIKEY) { - logger.debug("Token is api token"); username = tokenProvider.getUserNameFromApiToken(token); } else { - logger.debug("Token is jwt token"); - if (tokenProvider.validateJwtToken(token)) { - username = tokenProvider.getUserNameFromJwtToken(token); - } + tokenProvider.validateJwtToken(token); + username = tokenProvider.getUserNameFromJwtToken(token); } // checking username from token if (username != null) return username; diff --git a/services/identity/src/main/java/com/crapi/config/JwtProvider.java b/services/identity/src/main/java/com/crapi/config/JwtProvider.java index 965ca604..268a18db 100644 --- a/services/identity/src/main/java/com/crapi/config/JwtProvider.java +++ b/services/identity/src/main/java/com/crapi/config/JwtProvider.java @@ -175,26 +175,25 @@ public boolean validateJwtToken(String authToken) { SignedJWT signedJWT = SignedJWT.parse(authToken); JWSHeader header = signedJWT.getHeader(); Algorithm alg = header.getAlgorithm(); - boolean valid = false; + // JWT Algorithm confusion vulnerability - logger.debug("Algorithm: " + alg.getName()); - JWSVerifier verifier; + logger.info("Algorithm: " + alg.getName()); if (Objects.equals(alg.getName(), "HS256")) { String secret = getJwtSecret(header); - logger.debug("JWT Secret: " + secret); - verifier = new MACVerifier(secret.getBytes(StandardCharsets.UTF_8)); + logger.info("JWT Secret: " + secret); + JWSVerifier verifier = new MACVerifier(secret.getBytes(StandardCharsets.UTF_8)); + return signedJWT.verify(verifier); } else { RSAKey verificationKey = getKeyFromJkuHeader(header); + JWSVerifier verifier; if (verificationKey == null) { - logger.debug("Key from JWKS: " + this.publicRSAKey.toJSONString()); verifier = new RSASSAVerifier(this.publicRSAKey); } else { - logger.debug("Key from JKU: " + verificationKey.toJSONString()); + logger.info("Key from JKU: " + verificationKey.toJSONString()); verifier = new RSASSAVerifier(verificationKey); } - valid = signedJWT.verify(verifier); - logger.info("JWT valid?: " + valid); - return valid; + + return signedJWT.verify(verifier); } } catch (ParseException e) {