Compare commits

..

14 Commits

7 changed files with 206 additions and 67 deletions

View File

@@ -423,3 +423,38 @@
### Features
* Add error logging for user info retrieval in OpenIDConnectService ([861f2f1](https://git.janis-eccarius.de/KnockOutWhist/KnockOutWhist-Web/commit/861f2f1184e860fdd164481167f941c11accfedd))
## (2026-01-20)
### Features
* Add idClaimName parameter to OpenIDConnectService for flexible ID claim mapping ([2f38855](https://git.janis-eccarius.de/KnockOutWhist/KnockOutWhist-Web/commit/2f388554495d8bd44b4c533baa0f2fc27eea22c2))
## (2026-01-21)
### Features
* Change log level to warn for OpenID callback in OpenIDController ([23cdbe9](https://git.janis-eccarius.de/KnockOutWhist/KnockOutWhist-Web/commit/23cdbe9bd127bc26405fd216372bbb2d7e718a77))
## (2026-01-21)
### Features
* Change log level to warn for OpenID callback in OpenIDController ([4a6598f](https://git.janis-eccarius.de/KnockOutWhist/KnockOutWhist-Web/commit/4a6598f102d8934c7502944a0addd400dd0cbcac))
## (2026-01-21)
### Features
* Update ID mapping in OpenIDUserInfo to use hashed value and remove name field ([4b74de1](https://git.janis-eccarius.de/KnockOutWhist/KnockOutWhist-Web/commit/4b74de12610120831fc1529f0409db66aafd4d03))
## (2026-01-21)
### Features
* Update ID mapping in OpenIDUserInfo to use hashed value and remove name field ([daa072f](https://git.janis-eccarius.de/KnockOutWhist/KnockOutWhist-Web/commit/daa072f2bf260ed62402096b41ce85aa071efaf5))
## (2026-01-21)
### Features
* Implement OAuth session management with Redis caching for OpenID user data ([0430c7f](https://git.janis-eccarius.de/KnockOutWhist/KnockOutWhist-Web/commit/0430c7f4deb37661c697406a714e2693bf0c7307))
## (2026-01-21)
### Features
* Update CORS allowed origins to use production URL ([66b5594](https://git.janis-eccarius.de/KnockOutWhist/KnockOutWhist-Web/commit/66b55945eb8f095c08a8f859955d31f7fc32ce0e))

View File

@@ -1,13 +1,15 @@
package controllers
import com.github.benmanes.caffeine.cache.{Cache, Caffeine}
import logic.user.{SessionManager, UserManager}
import model.users.User
import play.api.{Configuration, Logger}
import play.api.libs.json.Json
import play.api.mvc.*
import play.api.mvc.Cookie.SameSite.Lax
import services.{OpenIDConnectService, OpenIDUserInfo}
import services.{OpenIDConnectService, OpenIDUserInfo, OAuthCacheService}
import java.util.concurrent.TimeUnit
import javax.inject.*
import scala.concurrent.{ExecutionContext, Future}
@@ -17,7 +19,8 @@ class OpenIDController @Inject()(
val openIDService: OpenIDConnectService,
val sessionManager: SessionManager,
val userManager: UserManager,
val config: Configuration
val config: Configuration,
val oauthCache: OAuthCacheService
)(implicit ec: ExecutionContext) extends BaseController {
private val logger = Logger(this.getClass)
@@ -49,7 +52,7 @@ class OpenIDController @Inject()(
val code = request.getQueryString("code")
val error = request.getQueryString("error")
logger.info(s"Received callback from $provider with state $sessionState, nonce $sessionNonce, provider $sessionProvider, returned state $returnedState, code $code, error $error")
logger.warn(s"Received callback from $provider with state $sessionState, nonce $sessionNonce, provider $sessionProvider, returned state $returnedState, code $code, error $error")
error match {
case Some(err) =>
@@ -61,6 +64,7 @@ class OpenIDController @Inject()(
_ <- Option(sessionProvider.contains(provider))
authCode <- code
} yield {
logger.warn(s"Authentication successful for $provider")
openIDService.exchangeCodeForTokens(provider, authCode, sessionState.get).flatMap {
case Some(tokenResponse) =>
openIDService.getUserInfo(provider, tokenResponse.accessToken).flatMap {
@@ -68,7 +72,7 @@ class OpenIDController @Inject()(
// Check if user already exists
userManager.authenticateOpenID(provider, userInfo.id) match {
case Some(user) =>
logger.info(s"User ${userInfo.name} (${userInfo.id}) already exists, logging them in")
logger.warn(s"User ${userInfo.name} (${userInfo.id}) already exists, logging them in")
// User already exists, log them in
val sessionToken = sessionManager.createSession(user)
Future.successful(Redirect(config.getOptional[String]("openid.mainRoute").getOrElse("/"))
@@ -81,14 +85,12 @@ class OpenIDController @Inject()(
))
.removingFromSession("oauth_state", "oauth_nonce", "oauth_provider", "oauth_access_token"))
case None =>
logger.info(s"User ${userInfo.name} (${userInfo.id}) not found, creating new user")
// New user, redirect to username selection
logger.warn(s"User ${userInfo.name} (${userInfo.id}) not found, creating new user")
// Store OAuth data in cache and get session ID
val oauthSessionId = oauthCache.storeOAuthData(userInfo, tokenResponse.accessToken, provider)
// New user, redirect to username selection with only session ID
Future.successful(Redirect(config.get[String]("openid.selectUserRoute"))
.withSession(
"oauth_user_info" -> Json.toJson(userInfo).toString(),
"oauth_provider" -> provider,
"oauth_access_token" -> tokenResponse.accessToken
))
.withSession("oauth_session_id" -> oauthSessionId))
}
case None =>
logger.error("Failed to retrieve user information")
@@ -106,9 +108,10 @@ class OpenIDController @Inject()(
}
def selectUsername(): Action[AnyContent] = Action.async { implicit request =>
request.session.get("oauth_user_info") match {
case Some(userInfoJson) =>
val userInfo = Json.parse(userInfoJson).as[OpenIDUserInfo]
request.session.get("oauth_session_id") match {
case Some(sessionId) =>
oauthCache.getOAuthData(sessionId) match {
case Some((userInfo, _, _)) =>
Future.successful(Ok(Json.obj(
"id" -> userInfo.id,
"email" -> userInfo.email,
@@ -118,6 +121,11 @@ class OpenIDController @Inject()(
"providerName" -> userInfo.providerName
)))
case None =>
logger.error(s"OAuth session data not found for session ID: $sessionId")
Future.successful(Redirect("/login").flashing("error" -> "Session expired"))
}
case None =>
logger.error("No OAuth session ID found")
Future.successful(Redirect("/login").flashing("error" -> "No authentication information found"))
}
}
@@ -125,13 +133,12 @@ class OpenIDController @Inject()(
def submitUsername(): Action[AnyContent] = Action.async { implicit request =>
val username = request.body.asJson.flatMap(json => (json \ "username").asOpt[String])
.orElse(request.body.asFormUrlEncoded.flatMap(_.get("username").flatMap(_.headOption)))
val userInfoJson = request.session.get("oauth_user_info")
val provider = request.session.get("oauth_provider").getOrElse("unknown")
(username, userInfoJson) match {
case (Some(uname), Some(userInfoJson)) =>
val userInfo = Json.parse(userInfoJson).as[OpenIDUserInfo]
val sessionId = request.session.get("oauth_session_id")
(username, sessionId) match {
case (Some(uname), Some(sid)) =>
oauthCache.getOAuthData(sid) match {
case Some((userInfo, accessToken, provider)) =>
// Check if username already exists
val trimmedUsername = uname.trim
userManager.userExists(trimmedUsername) match {
@@ -141,10 +148,12 @@ class OpenIDController @Inject()(
// Create new user with OpenID info (no password needed)
val success = userManager.addOpenIDUser(trimmedUsername, userInfo)
if (success) {
// Get the created user and create session
// Get created user and create session
userManager.userExists(trimmedUsername) match {
case Some(user) =>
val sessionToken = sessionManager.createSession(user)
// Clean up cache after successful user creation
oauthCache.removeOAuthData(sid)
Future.successful(Ok(Json.obj(
"message" -> "User created successfully",
"user" -> Json.obj(
@@ -157,7 +166,7 @@ class OpenIDController @Inject()(
httpOnly = true,
secure = false,
sameSite = Some(Lax)
)).removingFromSession("oauth_user_info", "oauth_provider", "oauth_access_token"))
)).removingFromSession("oauth_session_id"))
case None =>
Future.successful(InternalServerError(Json.obj("error" -> "Failed to create user session")))
}
@@ -165,8 +174,12 @@ class OpenIDController @Inject()(
Future.successful(InternalServerError(Json.obj("error" -> "Failed to create user")))
}
}
case None =>
logger.error(s"OAuth session data not found for session ID: $sid")
Future.successful(Redirect("/login").flashing("error" -> "Session expired"))
}
case _ =>
Future.successful(BadRequest(Json.obj("error" -> "Username is required")))
Future.successful(BadRequest(Json.obj("error" -> "Username and valid session required")))
}
}
}

View File

@@ -0,0 +1,89 @@
package services
import org.redisson.Redisson
import org.redisson.api.RMapCache
import org.redisson.config.Config
import play.api.Logger
import play.api.libs.json.Json
import java.util.concurrent.TimeUnit
import javax.inject.*
@Singleton
class OAuthCacheService @Inject()() {
private val logger = Logger(this.getClass)
// Initialize Redis connection similar to Gateway
private val redis = {
val config: Config = Config()
val url = "redis://" + sys.env.getOrElse("REDIS_HOST", "localhost") + ":" + sys.env.getOrElse("REDIS_PORT", "6379")
logger.info(s"OAuthCacheService connecting to Redis at $url")
config.useSingleServer.setAddress(url)
Redisson.create(config)
}
// Cache for OAuth data with 30 minute TTL
private val oauthCache: RMapCache[String, String] = redis.getMapCache("oauth_cache")
/**
* Store OAuth data with random ID and return the ID
*/
def storeOAuthData(userInfo: OpenIDUserInfo, accessToken: String, provider: String): String = {
val sessionId = java.util.UUID.randomUUID().toString
val oauthData = Json.obj(
"userInfo" -> Json.toJson(userInfo),
"accessToken" -> accessToken,
"provider" -> provider,
"timestamp" -> System.currentTimeMillis()
).toString()
// Store with 30 minute TTL
oauthCache.put(sessionId, oauthData, 30, TimeUnit.MINUTES)
logger.info(s"Stored OAuth data for session $sessionId")
sessionId
}
/**
* Retrieve OAuth data by session ID
*/
def getOAuthData(sessionId: String): Option[(OpenIDUserInfo, String, String)] = {
Option(oauthCache.get(sessionId)) match {
case Some(dataJson) =>
try {
val json = Json.parse(dataJson)
val userInfo = (json \ "userInfo").as[OpenIDUserInfo]
val accessToken = (json \ "accessToken").as[String]
val provider = (json \ "provider").as[String]
logger.info(s"Retrieved OAuth data for session $sessionId")
Some((userInfo, accessToken, provider))
} catch {
case e: Exception =>
logger.error(s"Failed to parse OAuth data for session $sessionId: ${e.getMessage}")
None
}
case None =>
logger.warn(s"No OAuth data found for session $sessionId")
None
}
}
/**
* Remove OAuth data after use
*/
def removeOAuthData(sessionId: String): Unit = {
oauthCache.remove(sessionId)
logger.info(s"Removed OAuth data for session $sessionId")
}
/**
* Clean up expired sessions (optional maintenance)
*/
def cleanupExpiredSessions(): Unit = {
oauthCache.clear()
logger.info("Cleaned up expired OAuth sessions")
}
}

View File

@@ -35,7 +35,8 @@ case class OpenIDProvider(
authorizationEndpoint: String,
tokenEndpoint: String,
userInfoEndpoint: String,
scopes: Set[String] = Set("openid", "profile", "email")
scopes: Set[String] = Set("openid", "profile", "email"),
idClaimName: String = "id"
)
case class TokenResponse(
@@ -70,7 +71,8 @@ class OpenIDConnectService@Inject(ws: WSClient, config: Configuration)(implicit
authorizationEndpoint = config.get[String]("openid.keycloak.authUrl") + "/protocol/openid-connect/auth",
tokenEndpoint = config.get[String]("openid.keycloak.authUrl") + "/protocol/openid-connect/token",
userInfoEndpoint = config.get[String]("openid.keycloak.authUrl") + "/protocol/openid-connect/userinfo",
scopes = Set("openid", "profile", "email")
scopes = Set("openid", "profile", "email"),
idClaimName = "sub"
)
)
@@ -136,7 +138,7 @@ class OpenIDConnectService@Inject(ws: WSClient, config: Configuration)(implicit
if (response.status == 200) {
val json = response.json
Some(OpenIDUserInfo(
id = (json \ "id").as[String],
id = (json \ provider.idClaimName).as[String],
email = (json \ "email").asOpt[String],
name = (json \ "name").asOpt[String].orElse((json \ "login").asOpt[String]),
picture = (json \ "picture").asOpt[String].orElse((json \ "avatar_url").asOpt[String]),

View File

@@ -8,7 +8,7 @@ play.http.context="/api"
play.modules.enabled += "modules.GatewayModule"
play.filters.cors {
allowedOrigins = ["http://localhost:5173"]
allowedOrigins = ["https://knockout.janis-eccarius.de"]
allowedCredentials = true
allowedHttpMethods = ["GET", "POST", "PUT", "DELETE", "OPTIONS"]
allowedHttpHeaders = ["Accept", "Content-Type", "Origin", "X-Requested-With"]

View File

@@ -1,3 +1,3 @@
MAJOR=4
MINOR=46
MINOR=53
PATCH=0