Adding cookie-based authentication (as configurable option) so the files can be properly downloaded via links even when authentication is required.

Author: krulis-martin

app/V1Module/security/AccessManager.php

@@ -39,6 +39,9 @@ class AccessManager
     /** @var int Expiration time of newly issued invitation tokens (in seconds) */
     private $invitationExpiration;
 
+    /** @var string|null Name of the cookie where to look for the token */
+    private $tokenCookieName;
+
     public function __construct(array $parameters, Users $users)
     {
         $this->users = $users;
@@ -48,6 +51,7 @@ public function __construct(array $parameters, Users $users)
         $this->issuer = Arrays::get($parameters, "issuer", "https://recodex.mff.cuni.cz");
         $this->audience = Arrays::get($parameters, "audience", "https://recodex.mff.cuni.cz");
         $this->usedAlgorithm = Arrays::get($parameters, "usedAlgorithm", "HS256");
+        $this->tokenCookieName = Arrays::get($parameters, "tokenCookieName", null);
         JWT::$leeway = Arrays::get($parameters, "leeway", 10); // 10 seconds
     }
 
@@ -140,9 +144,9 @@ public function getUser(AccessToken $token): User
      */
     public function issueToken(
         User $user,
-        string $effectiveRole = null,
+        ?string $effectiveRole = null,
         array $scopes = [],
-        int $exp = null,
+        ?int $exp = null,
         array $payload = []
     ) {
         if (!$user->isAllowed()) {
@@ -208,7 +212,7 @@ public function issueInvitationToken(
         string $titlesBefore = "",
         string $titlesAfter = "",
         array $groupsIds = [],
-        int $invitationExpiration = null,
+        ?int $invitationExpiration = null,
     ): string {
         $token = InvitationToken::create(
             $invitationExpiration ?? $this->invitationExpiration,
@@ -227,25 +231,30 @@ public function issueInvitationToken(
      * Extract the access token from the request.
      * @return string|null  The access token parsed from the HTTP request, or null if there is no access token.
      */
-    public static function getGivenAccessToken(IRequest $request)
+    public function getGivenAccessToken(IRequest $request)
     {
         $accessToken = $request->getQuery("access_token");
         if ($accessToken !== null && Strings::length($accessToken) > 0) {
-            return $accessToken; // the token specified in the URL is prefered
+            return $accessToken; // the token specified in the URL is preferred
         }
 
         // if the token is not in the URL, try to find the "Authorization" header with the bearer token
         $authorizationHeader = $request->getHeader("Authorization");
-
-        if ($authorizationHeader === null) {
-            return null;
+        if ($authorizationHeader !== null) {
+            $parts = Strings::split($authorizationHeader, "/ /");
+            if (count($parts) === 2) {
+                list($bearer, $accessToken) = $parts;
+                if ($bearer === "Bearer" && !str_contains($accessToken, " ") && Strings::length($accessToken) > 0) {
+                    return $accessToken;
+                }
+            }
         }
 
-        $parts = Strings::split($authorizationHeader, "/ /");
-        if (count($parts) === 2) {
-            list($bearer, $accessToken) = $parts;
-            if ($bearer === "Bearer" && !str_contains($accessToken, " ") && Strings::length($accessToken) > 0) {
-                return $accessToken;
+        // finally, try fallback to cookie if configured
+        if ($this->tokenCookieName !== null) {
+            $cookieToken = $request->getCookie($this->tokenCookieName);
+            if ($cookieToken !== null && Strings::length($cookieToken) > 0) {
+                return $cookieToken; // token found in the cookie
             }
         }
 

app/config/config.local.neon.example

@@ -6,8 +6,8 @@ parameters:
     address: "https://your.recodex.domain"
 
   async:
-    pollingInterval: 10 # seconds (you may set this to larger values if inotify wakeups are allowed)
-    # inotify can wake the async worker (immediately once an async opertion is issued)
+    pollingInterval: 10 # seconds (you may set this to larger values if inotify wake-ups are allowed)
+    # inotify can wake the async worker (immediately once an async operation is issued)
     inotify: false # set to true only if your system (and PHP) supports inotify (not available on Windows, extension required on Linux)
 
   fileStorage: # where the local files are being stored
@@ -17,7 +17,7 @@ parameters:
       root: %appDir%/../storage/hash # this should be replaced with path to existing directory
 
   submissions:
-    locked: false  # if set to true, the API will not be accepting submissions (and it will be incidated in can-submit/permission hints)
+    locked: false  # if set to true, the API will not be accepting submissions (and it will be indicated in can-submit/permission hints)
     lockedReason:  # Localized message with reason displayed in UI, why the submissions are locked (ignored if locked == false)
       cs: "Odevzdávání řešení bylo zablokováno v konfiguraci aplikace."
       en: "Submitting new solutions is currently locked out in the application configuration."
@@ -28,12 +28,13 @@ parameters:
     expiration: 604800  # 7 days in seconds
     invitationExpiration: 604800  # of an invitation token (7 days in seconds)
     verificationKey: "recodex-123"	# this should be a really secret string
+    tokenCookieName: 'recodex_accessToken'  # web-app config value 'PERSISTENT_TOKENS_KEY_PREFIX' + '_accessToken', null if only Authorization header is used
 
   broker:
     address: "tcp://127.0.0.1:9658"
     auth:
       username: "user"  # these credentials must match credentials
-      password: "pass"  # in broker configration file
+      password: "pass"  # in broker configuration file
 
   monitor:
     address: "wss://your.recodex.domain:443/ws"
@@ -59,7 +60,7 @@ parameters:
     footerUrl: "%webapp.address%"
     from: "ReCodEx <[email protected]>"
     defaultAdminTo: "Administrator <[email protected]>"
-    #debugMode: true  # in debug mode, no messages are sent via SMPT (you should also active archiving)
+    #debugMode: true  # in debug mode, no messages are sent via SMTP (you should also active archiving)
     #archivingDir: "%appDir%/../log/email-debug"  # a directory where copies of all emails sent are stored (in text files)
 
   exercises:
@@ -72,7 +73,7 @@ parameters:
     solutionSizeLimitDefault: 262144       # 256 KiB, max. size for all submitted files (default, configurable per assignment)
 
   removeInactiveUsers:
-    # How long the user has to be inactive to warant the removal (null = never remove students, 1 month is minimum).
+    # How long the user has to be inactive to warrant the removal (null = never remove students, 1 month is minimum).
     # Please note that the length of the auth. token expiration should be considered (readonly tokens may expire after 1 year).
     threshold: "2 years"
 

app/config/config.neon

@@ -23,9 +23,9 @@ parameters:
     versionFormat: "{tag}"
 
   async:
-    pollingInterval: 60 # seconds (you may set this to larger values if inotify wakeups are allowed)
+    pollingInterval: 60 # seconds (you may set this to larger values if inotify wake-ups are allowed)
     retries: 3 # how many times each async job is retried when failing
-    # inotify can wake the async worker (immediately once an async opertion is issued)
+    # inotify can wake the async worker (immediately once an async operation is issued)
     inotify: false # set to true only if your system (and PHP) supports inotify (not available on Windows, extension required on Linux)
     inotifyFile: %tempDir%/async-inotify-file # file used as inotify rod for triggering async worker on dispatch
     restartWorkerAfter: # memory leak precaution - worker is restarted once in a while
@@ -44,7 +44,7 @@ parameters:
     address: "https://your.recodex.domain"
 
   submissions:
-    locked: false  # if set to true, the API will not be accepting submissions (and it will be incidated in can-submit/permission hints)
+    locked: false  # if set to true, the API will not be accepting submissions (and it will be indicated in can-submit/permission hints)
     lockedReason:  # Localized message with reason displayed in UI, why the submissions are locked (ignored if locked == false)
       cs: "Odevzdávání řešení bylo zablokováno v konfiguraci aplikace."
       en: "Submitting new solutions is currently locked out in the application configuration."
@@ -57,6 +57,7 @@ parameters:
     invitationExpiration: 86400  # of an invitation token (seconds)
     usedAlgorithm: HS256
     verificationKey: "recodex-123"
+    tokenCookieName: 'recodex_accessToken'  # web-app config value 'PERSISTENT_TOKENS_KEY_PREFIX' + '_accessToken', null if only Authorization header is used
 
   broker:  # connection to broker
     address: "tcp://127.0.0.1:9658"
@@ -198,7 +199,7 @@ parameters:
     deletedEmailSuffix: "@deleted.recodex"  # Suffix string appended to an email address of a user, when account is deleted
 
   removeInactiveUsers:
-    # How long the user has to be inactive to warant the removal (null = never remove students, 1 month is minimum).
+    # How long the user has to be inactive to warrant the removal (null = never remove students, 1 month is minimum).
     # Please note that the length of the auth. token expiration should be considered (readonly tokens may expire after 1 year).
     disableAfter: "2 years"
     deleteAfter: null   # null = never, if not null, better be > disableAfter
@@ -225,7 +226,7 @@ mail:  # configuration of sending mails
   password: ""  # password to the server
   secure: "tls"  # security, values are empty for no security, "ssl" or "tls"
   context:  # additional parameters, depending on used mail engine
-    ssl:  # examle self-signed certificates can be allowed as verify_peer and verify_peer_name to false and allow_self_signed to true under ssl key (see example)
+    ssl:  # example self-signed certificates can be allowed as verify_peer and verify_peer_name to false and allow_self_signed to true under ssl key (see example)
       verify_peer: false
       verify_peer_name: false
       allow_self_signed: true

app/model/view/InstanceViewFactory.php

@@ -44,8 +44,6 @@ public function getInstance(Instance $instance, ?User $loggedUser = null): array
 
         return [
             "id" => $instance->getId(),
-            "name" => $localizedRootGroup ? $localizedRootGroup->getName() : "", // BC
-            "description" => $localizedRootGroup ? $localizedRootGroup->getDescription() : "", // BC
             "hasValidLicence" => $instance->hasValidLicense(),
             "isOpen" => $instance->isOpen(),
             "isAllowed" => $instance->isAllowed(),
@@ -56,6 +54,10 @@ public function getInstance(Instance $instance, ?User $loggedUser = null): array
             "rootGroup" => $this->groupViewFactory->getGroup($instance->getRootGroup()),
             "rootGroupId" => $instance->getRootGroup()->getId(),
             "extensions" => $extensions,
+
+            // deprecated
+            "name" => $localizedRootGroup ? $localizedRootGroup->getName() : "", // BC
+            "description" => $localizedRootGroup ? $localizedRootGroup->getDescription() : "", // BC
         ];
     }
 

tests/AccessToken/AccessManager.phpt

@@ -227,47 +227,60 @@ class TestAccessManager extends Tester\TestCase
         $token = "abcdefg";
         $url = new UrlScript("https://www.whatever.com/bla/bla/bla?x=y&access_token=$token");
         $request = new Request($url);
-        Assert::equal($token, AccessManager::getGivenAccessToken($request));
+
+        $users = Mockery::mock(App\Model\Repository\Users::class);
+        $manager = new AccessManager(["verificationKey" => "abc"], $users);
+        Assert::equal($token, $manager->getGivenAccessToken($request));
     }
 
     public function testExtractFromEmptyQuery()
     {
         $token = "";
         $url = new UrlScript("https://www.whatever.com/bla/bla/bla?x=y&access_token=$token");
         $request = new Request($url);
-        Assert::null(AccessManager::getGivenAccessToken($request));
+        $users = Mockery::mock(App\Model\Repository\Users::class);
+        $manager = new AccessManager(["verificationKey" => "abc"], $users);
+        Assert::null($manager->getGivenAccessToken($request));
     }
 
     public function testExtractFromHeader()
     {
         $token = "abcdefg";
         $url = new UrlScript("https://www.whatever.com/bla/bla/bla?x=y");
         $request = new Request($url, [], [], [], ["Authorization" => "Bearer $token"]);
-        Assert::equal($token, AccessManager::getGivenAccessToken($request));
+        $users = Mockery::mock(App\Model\Repository\Users::class);
+        $manager = new AccessManager(["verificationKey" => "abc"], $users);
+        Assert::equal($token, $manager->getGivenAccessToken($request));
     }
 
     public function testExtractFromHeaderWrongType()
     {
         $token = "abcdefg";
         $url = new UrlScript("https://www.whatever.com/bla/bla/bla?x=y");
         $request = new Request($url, [], [], [], ["Authorization" => "Basic $token"]);
-        Assert::null(AccessManager::getGivenAccessToken($request));
+        $users = Mockery::mock(App\Model\Repository\Users::class);
+        $manager = new AccessManager(["verificationKey" => "abc"], $users);
+        Assert::null($manager->getGivenAccessToken($request));
     }
 
     public function testExtractFromHeaderEmpty()
     {
         $token = "";
         $url = new UrlScript("https://www.whatever.com/bla/bla/bla?x=y");
         $request = new Request($url, [], [], [], ["Authorization" => "Basic $token"]);
-        Assert::null(AccessManager::getGivenAccessToken($request));
+        $users = Mockery::mock(App\Model\Repository\Users::class);
+        $manager = new AccessManager(["verificationKey" => "abc"], $users);
+        Assert::null($manager->getGivenAccessToken($request));
     }
 
     public function testExtractFromHeaderWithSpace()
     {
         $token = "";
         $url = new UrlScript("https://www.whatever.com/bla/bla/bla?x=y");
         $request = new Request($url, [], [], [], ["Authorization" => "Bearer $token and more!"]);
-        Assert::null(AccessManager::getGivenAccessToken($request));
+        $users = Mockery::mock(App\Model\Repository\Users::class);
+        $manager = new AccessManager(["verificationKey" => "abc"], $users);
+        Assert::null($manager->getGivenAccessToken($request));
     }
 }