From 74e563da7fa6886449fd2be5933e2d4ca5c85f48 Mon Sep 17 00:00:00 2001
From: jack <jack.su@pollex.com.tw>
Date: 星期二, 12 九月 2023 11:25:52 +0800
Subject: [PATCH] [UPDATE] 解決弱點Se: Incorrect definition of Serializable class [UPDATE] 解決弱點Information exposure to log file [UPDATE] 解決弱點Use of hard-coded password

---
 pamapi/src/main/java/com/pollex/pam/web/rest/OtpResource.java |  158 ++++++++++++++++++++++++++++++++++------------------
 1 files changed, 102 insertions(+), 56 deletions(-)

diff --git a/pamapi/src/main/java/com/pollex/pam/web/rest/OtpResource.java b/pamapi/src/main/java/com/pollex/pam/web/rest/OtpResource.java
index bb55739..609f1f1 100644
--- a/pamapi/src/main/java/com/pollex/pam/web/rest/OtpResource.java
+++ b/pamapi/src/main/java/com/pollex/pam/web/rest/OtpResource.java
@@ -1,15 +1,12 @@
 package com.pollex.pam.web.rest;
 
-import com.pollex.pam.config.ApplicationProperties;
-import com.pollex.pam.security.jwt.JWTFilter;
-import com.pollex.pam.security.jwt.TokenProvider;
-import com.pollex.pam.security.token.OtpAuthenticationToken;
-import com.pollex.pam.service.OtpWebService;
-import com.pollex.pam.service.dto.OtpResponseDTO;
-import com.pollex.pam.web.rest.vm.OtpAccount;
-import com.pollex.pam.web.rest.vm.OtpEmailLoginVM;
-import com.pollex.pam.web.rest.vm.OtpSMSLoginVM;
-import com.pollex.pam.web.rest.vm.VerifyOtpVM;
+import java.util.Arrays;
+import java.util.UUID;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+
+import com.pollex.pam.business.aop.logging.audit.AuditLoggingInject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -17,19 +14,31 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.util.StringUtils;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
 
-import javax.xml.rpc.ServiceException;
-import java.nio.charset.Charset;
-import java.nio.charset.StandardCharsets;
-import java.rmi.RemoteException;
-import java.util.Arrays;
-import java.util.Random;
-import java.util.UUID;
+import com.pollex.pam.config.ApplicationProperties;
+import com.pollex.pam.business.domain.Customer;
+import com.pollex.pam.business.enums.OtpLoginTypeEnum;
+import com.pollex.pam.business.repository.CustomerRepository;
+import com.pollex.pam.security.jwt.JWTFilter;
+import com.pollex.pam.security.jwt.TokenProvider;
+import com.pollex.pam.service.CustomerAuthService;
+import com.pollex.pam.service.CustomerService;
+import com.pollex.pam.business.service.OtpTmpService;
+import com.pollex.pam.service.OtpUtilService;
+import com.pollex.pam.service.OtpWebService;
+import com.pollex.pam.business.service.dto.CustomerRegisterDTO;
+import com.pollex.pam.business.service.dto.OtpResponseDTO;
+import com.pollex.pam.business.web.errors.OtpLoginFailException;
+import com.pollex.pam.business.web.vm.OtpLoginVM;
+import com.pollex.pam.business.web.vm.VerifyOtpVM;
 
-import static java.nio.charset.StandardCharsets.UTF_8;
+import static com.pollex.pam.business.aop.logging.audit.AuditLoggingType.CUSTOMER_LOGIN;
 
 @RestController
 @RequestMapping("/api/otp")
@@ -49,52 +58,89 @@
     @Autowired
     TokenProvider tokenProvider;
 
-    @PostMapping("/byPhone")
-    public ResponseEntity<Object> sendOtpByPhone(@RequestBody OtpSMSLoginVM login) {
-        try {
-            if(applicationProperty.isMockLogin()) {
-                return new ResponseEntity<>(getMockOtpResponse(), HttpStatus.OK);
-            }
+    @Autowired
+    CustomerAuthService customerAuthService;
 
-            OtpResponseDTO otpResponseDTO = otpWebService.sendByPhone(login.getPhone());
-            return new ResponseEntity<>(otpResponseDTO, HttpStatus.OK);
-        } catch (ServiceException | RemoteException e) {
-            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body("connecting otp web service error");
+    @Autowired
+    OtpTmpService otpTmpService;
+
+    @Autowired
+    CustomerService customerService;
+
+    @Autowired
+    OtpUtilService otpUtilService;
+
+    @Autowired
+    CustomerRepository customerRepository;
+
+    @PostMapping("/sendOtp/{imgCode}")
+    public ResponseEntity<Object> sendOtp(@RequestBody OtpLoginVM login
+    		, @PathVariable String imgCode, HttpServletRequest request) {
+    	
+    	HttpSession session = request.getSession();
+    	String sessionImpCode = (String) session.getAttribute("img_code");
+    	
+    	if (!StringUtils.hasText(sessionImpCode)
+				|| !StringUtils.hasText(imgCode)) {
+    		throw new OtpLoginFailException("撽�Ⅳ頛詨�隤�");
+		}
+    	
+    	if(!imgCode.equals(sessionImpCode)) {
+    		throw new OtpLoginFailException("撽�Ⅳ頛詨�隤�");
+    	}
+    	
+    	session.setAttribute("img_code", null);
+    	
+    	OtpResponseDTO otpResponse;
+        if(applicationProperty.isMockLogin()) {
+            otpResponse = getMockSendOtpResponse();
+        }else if(login.getLoginType() == OtpLoginTypeEnum.SMS) {
+            otpResponse = otpWebService.sendByPhone(login.getAccount());
         }
+        else if(login.getLoginType() == OtpLoginTypeEnum.EMAIL) {
+            otpResponse = otpWebService.sendByEmail(login.getAccount());
+        }else {
+            return ResponseEntity.status(HttpStatus.BAD_REQUEST).body("can not support this login type, loginType = " + login.getLoginType().name());
+        }
+        otpTmpService.createOtpTmp(login.getAccount(), otpResponse.getIndexKey());
+        
+        return new ResponseEntity<>(otpResponse, HttpStatus.OK);
     }
 
-    @PostMapping("/byEmail")
-    public ResponseEntity<Object> sendOtpByEmail(@RequestBody OtpEmailLoginVM login) {
-        try {
-            if(applicationProperty.isMockLogin()) {
-                return new ResponseEntity<>(getMockOtpResponse(), HttpStatus.OK);
-            }
-
-            OtpResponseDTO otpResponseDTO = otpWebService.sendByEmail(login.getEmail());
-            return new ResponseEntity<>(otpResponseDTO, HttpStatus.OK);
-        } catch (ServiceException | RemoteException e) {
-            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body("connecting otp web service error");
-        }
-    }
-
+    @AuditLoggingInject(type = CUSTOMER_LOGIN)
     @PostMapping("/verify")
-    public ResponseEntity<UserJWTController.JWTToken> verifyOtp(@RequestBody VerifyOtpVM verifyOtpParam) {
-        OtpAccount otpAccount = new OtpAccount(verifyOtpParam.getAccount(), verifyOtpParam.getIndexKey());
-        OtpAuthenticationToken authenticationToken = new OtpAuthenticationToken(
-            otpAccount,
-            verifyOtpParam.getOtpCode()
-        );
+    public ResponseEntity<UserJWTController.JWTToken> verifyOtp(@RequestBody VerifyOtpVM verifyOtpParam
+    		) {
+    	
+    	otpUtilService.verifyOtp(verifyOtpParam);
 
-        Authentication authentication = authenticationManagerBuilder.getObject().authenticate(authenticationToken);
-        SecurityContextHolder.getContext().setAuthentication(authenticationToken);
-        String jwt = tokenProvider.createToken(authentication, false);
+    	Customer customer = customerRepository
+    						.findOneByEmailEqualsOrPhoneEquals(verifyOtpParam.getAccount())
+    						.orElse(null);
+
+    	if (customer == null) {
+    		return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+    	}
+
+    	String jwt = customerAuthService.authorize(customer, verifyOtpParam.getIndexKey(), verifyOtpParam.getOtpCode());
         HttpHeaders httpHeaders = new HttpHeaders();
         httpHeaders.add(JWTFilter.AUTHORIZATION_HEADER, "Bearer" + jwt);
         return new ResponseEntity<>(new UserJWTController.JWTToken(jwt), httpHeaders, HttpStatus.OK);
     }
 
-    private OtpResponseDTO getMockOtpResponse() {
+    private OtpResponseDTO getMockSendOtpResponse() {
         String indexKey = UUID.randomUUID().toString().substring(0, 8);
-        return new OtpResponseDTO(new String[]{indexKey, "0", "", ""});
+        return new OtpResponseDTO(Arrays.asList(indexKey, "0", "", ""));
     }
+
+    @PostMapping("/register")
+    public ResponseEntity<UserJWTController.JWTToken> registerAccount(@RequestBody CustomerRegisterDTO registDTO) {
+    	Customer account = customerService.registerCustomer(registDTO);
+    	String jwt = customerAuthService.authorize(account, registDTO.getIndexKey(), registDTO.getOtpCode());
+    	HttpHeaders httpHeaders = new HttpHeaders();
+        httpHeaders.add(JWTFilter.AUTHORIZATION_HEADER, "Bearer" + jwt);
+        return new ResponseEntity<>(new UserJWTController.JWTToken(jwt), httpHeaders, HttpStatus.OK);
+    }
+
+
 }

--
Gitblit v1.8.0