DS-3542: invalided sessions with salt

dspace-api/src/main/java/org/dspace/eperson/EPerson.java

@@ -65,6 +65,9 @@ public class EPerson extends DSpaceObject implements DSpaceObjectLegacySupport
     @Column(name="salt", length = 32)
     private String salt;
 
+    @Column(name="jwt_salt", length = 16)
+    private String jwtSalt;
+
     @Column(name="digest_algorithm", length = 16)
     private String digestAlgorithm;
 
@@ -433,4 +436,12 @@ public class EPerson extends DSpaceObject implements DSpaceObjectLegacySupport
         }
         return ePersonService;
     }
+
+    public String getJwtSalt() {
+        return jwtSalt;
+    }
+
+    public void setJwtSalt(String jwtSalt) {
+        this.jwtSalt = jwtSalt;
+    }
 }

dspace-spring-rest/src/main/java/org/dspace/app/rest/security/JWTTokenHandler.java

@@ -11,6 +11,9 @@ import org.dspace.core.Context;
 import org.dspace.eperson.EPerson;
 import org.dspace.eperson.Group;
 import org.dspace.eperson.factory.EPersonServiceFactory;
+import org.dspace.eperson.service.EPersonService;
+import org.springframework.security.crypto.keygen.KeyGenerators;
+import org.springframework.security.crypto.keygen.StringKeyGenerator;
 
 import java.sql.SQLException;
 import java.text.ParseException;
@@ -21,25 +24,36 @@ import java.util.stream.Collectors;
 
 public class JWTTokenHandler {
 
+    private static String jwtKey = "testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttest";
     private AuthenticationService authenticationService = AuthenticateServiceFactory.getInstance().getAuthenticationService();
-
+    private EPersonService ePersonService = EPersonServiceFactory.getInstance().getEPersonService();
 
     public EPerson parseEPersonFromToken(String token) throws JOSEException, ParseException, SQLException {
-        JWSVerifier verifier = new MACVerifier("testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttest");
+
         SignedJWT signedJWT = SignedJWT.parse(token);
-        if (signedJWT.verify(verifier)) {
         Context context = new Context();
-            return EPersonServiceFactory.getInstance().getEPersonService().find(context, UUID.fromString(signedJWT.getJWTClaimsSet().getClaim("EPersonID").toString()));
+        EPerson ePerson = ePersonService.find(context, UUID.fromString(signedJWT.getJWTClaimsSet().getClaim("EPersonID").toString()));
+        JWSVerifier verifier = new MACVerifier(jwtKey + ePerson.getJwtSalt());
+        if (signedJWT.verify(verifier)) {
+            return ePerson;
         } else {
             return null;
         }
     }
 
 
-    public String createTokenForEPerson(EPerson ePerson, List<Group> groups) throws JOSEException {
-        JWSSigner signer = new MACSigner("testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttest");
+    public String createTokenForEPerson(Context context, EPerson ePerson, List<Group> groups) throws JOSEException {
+        StringKeyGenerator stringKeyGenerator = KeyGenerators.string();
+        String salt = stringKeyGenerator.generateKey();
+        JWSSigner signer = new MACSigner(jwtKey + salt);
 
         List<Integer> groupIds = groups.stream().map(Group::getLegacyId).collect(Collectors.toList());
+        ePerson.setJwtSalt(salt);
+        try {
+            context.commit();
+        } catch (SQLException e) {
+            e.printStackTrace();
+        }
 
         JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
                 .claim("EPersonID", ePerson.getID().toString())

dspace-spring-rest/src/main/java/org/dspace/app/rest/security/TokenAuthenticationService.java

@@ -4,6 +4,7 @@ import com.nimbusds.jose.JOSEException;
 import org.dspace.app.rest.utils.ContextUtil;
 import org.dspace.authenticate.factory.AuthenticateServiceFactory;
 import org.dspace.authenticate.service.AuthenticationService;
+import org.dspace.core.Context;
 import org.dspace.eperson.EPerson;
 import org.dspace.eperson.Group;
 import org.dspace.eperson.factory.EPersonServiceFactory;
@@ -32,8 +33,9 @@ public class TokenAuthenticationService {
     public void addAuthentication(HttpServletRequest request, HttpServletResponse response, String email) {
         try {
             EPerson ePerson = ePersonService.findByEmail(ContextUtil.obtainContext(request), email);
-            List<Group> groups = authenticationService.getSpecialGroups(ContextUtil.obtainContext(request), request);
-            String token = jwtTokenHandler.createTokenForEPerson(ePerson, groups);
+            Context context = ContextUtil.obtainContext(request);
+            List<Group> groups = authenticationService.getSpecialGroups(context, request);
+            String token = jwtTokenHandler.createTokenForEPerson(context, ePerson, groups);
             Cookie cookie = new Cookie("access_token", token);
             response.addCookie(cookie);
         } catch (JOSEException e) {