Add hmac to user and api

Author: Sheikah45

src/main/java/com/faforever/client/api/HmacTokenFilter.java

@@ -0,0 +1,26 @@
+package com.faforever.client.api;
+
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.jetbrains.annotations.NotNull;
+import org.springframework.http.HttpHeaders;
+import org.springframework.stereotype.Component;
+import org.springframework.web.reactive.function.client.ClientRequest;
+import org.springframework.web.reactive.function.client.ClientResponse;
+import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
+import org.springframework.web.reactive.function.client.ExchangeFunction;
+import reactor.core.publisher.Mono;
+
+@Component
+@RequiredArgsConstructor
+@Slf4j
+public class HmacTokenFilter implements ExchangeFilterFunction {
+  private final TokenRetriever tokenRetriever;
+
+  @Override
+  public @NotNull Mono<ClientResponse> filter(@NotNull ClientRequest request, @NotNull ExchangeFunction next) {
+    return tokenRetriever.getRefreshedHmacValue().flatMap(hmac -> next.exchange(ClientRequest.from(request)
+        .headers(headers -> headers.add("X-HMAC", hmac))
+        .build()));
+  }
+}

src/main/java/com/faforever/client/api/TokenRetriever.java

@@ -5,6 +5,7 @@
 import com.faforever.client.login.NoRefreshTokenException;
 import com.faforever.client.login.TokenRetrievalException;
 import com.faforever.client.preferences.LoginPrefs;
+import com.nimbusds.jwt.JWTParser;
 import javafx.beans.property.SimpleStringProperty;
 import javafx.beans.property.StringProperty;
 import lombok.RequiredArgsConstructor;
@@ -41,9 +42,8 @@ public class TokenRetriever implements InitializingBean {
   private final Flux<Long> invalidateFlux = invalidateSink.asFlux().publish().autoConnect();
   private final StringProperty refreshTokenValue = new SimpleStringProperty();
 
-  private final Mono<String> refreshedTokenMono = Mono.defer(this::refreshAccess)
-                                                      .cacheInvalidateWhen(this::getExpirationMono)
-                                                      .map(OAuth2AccessToken::getTokenValue);
+  private final Mono<OAuth2AccessToken> refreshedTokenMono = Mono.defer(this::refreshAccess)
+                                                                 .cacheInvalidateWhen(this::getExpirationMono);
 
   @Override
   public void afterPropertiesSet() throws Exception {
@@ -59,7 +59,17 @@ private Mono<Void> getExpirationMono(OAuth2AccessToken token) {
   }
 
   public Mono<String> getRefreshedTokenValue() {
-    return refreshedTokenMono.doOnError(this::onTokenError);
+    return refreshedTokenMono.map(OAuth2AccessToken::getTokenValue).doOnError(this::onTokenError);
+  }
+
+  public Mono<String> getRefreshedHmacValue() {
+    return getRefreshedTokenValue().flatMap(tokenValue -> {
+      try {
+        return Mono.just(JWTParser.parse(tokenValue).getJWTClaimsSet().getJSONObjectClaim("ext").get("hmac").toString());
+      } catch (Exception e) {
+        return Mono.error(e);
+      }
+    });
   }
 
   public Mono<Void> loginWithAuthorizationCode(String code, String codeVerifier, URI redirectUri) {
@@ -99,26 +109,26 @@ private Mono<OAuth2AccessToken> refreshAccess() {
 
   private Mono<OAuth2AccessToken> retrieveToken(MultiValueMap<String, String> properties) {
     return defaultWebClient.post()
-        .uri(String.format("%s/oauth2/token", clientProperties.getOauth().getBaseUrl()))
-        .contentType(MediaType.APPLICATION_FORM_URLENCODED)
-        .accept(MediaType.APPLICATION_JSON)
-        .bodyValue(properties)
-        .exchangeToMono(response -> {
-          if (response.statusCode().isError()) {
-            return response.bodyToMono(String.class)
-                .switchIfEmpty(Mono.just(response.statusCode().toString()))
-                .flatMap(body -> Mono.error(new TokenRetrievalException(body)));
-          }
-
-          return response.body(OAuth2BodyExtractors.oauth2AccessTokenResponse());
-        })
-        .doOnSubscribe(subscription -> log.debug("Retrieving OAuth token"))
-        .doOnNext(tokenResponse -> {
-          OAuth2RefreshToken refreshToken = tokenResponse.getRefreshToken();
-          refreshTokenValue.set(refreshToken != null ? refreshToken.getTokenValue() : null);
-        })
-        .map(OAuth2AccessTokenResponse::getAccessToken)
-        .doOnNext(token -> log.info("Token valid until {}", token.getExpiresAt()));
+                           .uri(String.format("%s/oauth2/token", clientProperties.getOauth().getBaseUrl()))
+                           .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+                           .accept(MediaType.APPLICATION_JSON)
+                           .bodyValue(properties)
+                           .exchangeToMono(response -> {
+                             if (response.statusCode().isError()) {
+                               return response.bodyToMono(String.class)
+                                              .switchIfEmpty(Mono.just(response.statusCode().toString()))
+                                              .flatMap(body -> Mono.error(new TokenRetrievalException(body)));
+                             }
+
+                             return response.body(OAuth2BodyExtractors.oauth2AccessTokenResponse());
+                           })
+                           .doOnSubscribe(subscription -> log.debug("Retrieving OAuth token"))
+                           .doOnNext(tokenResponse -> {
+                             OAuth2RefreshToken refreshToken = tokenResponse.getRefreshToken();
+                             refreshTokenValue.set(refreshToken != null ? refreshToken.getTokenValue() : null);
+                           })
+                           .map(OAuth2AccessTokenResponse::getAccessToken)
+                           .doOnNext(token -> log.info("Token valid until {}", token.getExpiresAt()));
   }
 
   public void invalidateToken() {
@@ -129,8 +139,4 @@ public void invalidateToken() {
   public Flux<Long> invalidationFlux() {
     return invalidateFlux;
   }
-
-  public Mono<String> getAccessToken() {
-    return refreshedTokenMono;
-  }
 }

src/main/java/com/faforever/client/config/WebClientConfig.java

@@ -1,5 +1,6 @@
 package com.faforever.client.config;
 
+import com.faforever.client.api.HmacTokenFilter;
 import com.faforever.client.api.OAuthTokenFilter;
 import org.springframework.beans.factory.config.ConfigurableBeanFactory;
 import org.springframework.context.annotation.Bean;
@@ -18,15 +19,21 @@ public WebClient defaultWebClient(WebClient.Builder webClientBuilder) {
   @Bean
   @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
   public WebClient apiWebClient(WebClient.Builder webClientBuilder, OAuthTokenFilter oAuthTokenFilter,
-                                ClientProperties clientProperties) {
-    return webClientBuilder.baseUrl(clientProperties.getApi().getBaseUrl()).filter(oAuthTokenFilter).build();
+                                HmacTokenFilter hmacTokenFilter, ClientProperties clientProperties) {
+    return webClientBuilder.baseUrl(clientProperties.getApi().getBaseUrl())
+                           .filter(oAuthTokenFilter)
+                           .filter(hmacTokenFilter)
+                           .build();
   }
 
   @Bean
   @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
   public WebClient userWebClient(WebClient.Builder webClientBuilder, OAuthTokenFilter oAuthTokenFilter,
-                                 ClientProperties clientProperties) {
-    return webClientBuilder.baseUrl(clientProperties.getUser().getBaseUrl()).filter(oAuthTokenFilter).build();
+                                 HmacTokenFilter hmacTokenFilter, ClientProperties clientProperties) {
+    return webClientBuilder.baseUrl(clientProperties.getUser().getBaseUrl())
+                           .filter(oAuthTokenFilter)
+                           .filter(hmacTokenFilter)
+                           .build();
   }
 
 }

src/main/java/com/faforever/client/headerbar/UserButtonController.java

@@ -65,7 +65,7 @@ public void onReport() {
   }
 
   public void onCopyAccessToken() {
-    tokenRetriever.getAccessToken().publishOn(fxApplicationThreadExecutor.asScheduler()).subscribe(accessToken -> {
+    tokenRetriever.getRefreshedTokenValue().publishOn(fxApplicationThreadExecutor.asScheduler()).subscribe(accessToken -> {
       log.info("Copied access token to clipboard");
       ClipboardUtil.copyToClipboard(accessToken);
     });

src/test/java/com/faforever/client/api/TokenRetrieverTest.java

@@ -191,8 +191,8 @@ public void testGetAccessToken() throws Exception {
                                                  TOKEN_TYPE, "bearer");
     prepareTokenResponse(tokenProperties);
 
-    StepVerifier.create(instance.getAccessToken())
-                .assertNext(accessToken -> assertEquals(accessToken, "test"))
+    StepVerifier.create(instance.getRefreshedTokenValue())
+                .assertNext(accessToken -> assertEquals("test", accessToken))
                 .verifyComplete();
   }
 }

src/test/java/com/faforever/client/headerbar/UserButtonControllerTest.java

@@ -71,11 +71,11 @@ public void testReport() {
 
   @Test
   public void testCopyAccessToken() {
-    when(tokenRetriever.getAccessToken()).thenReturn(Mono.just("someToken"));
+    when(tokenRetriever.getRefreshedTokenValue()).thenReturn(Mono.just("someToken"));
 
     instance.onCopyAccessToken();
 
-    verify(tokenRetriever).getAccessToken();
+    verify(tokenRetriever).getRefreshedTokenValue();
   }
 
   @Test