Remove debug headers and return 403 on access denied
@@ -30,17 +30,9 @@ class FirebaseAuthFilter(
|
||||
response: HttpServletResponse,
|
||||
filterChain: FilterChain
|
||||
) {
|
||||
val debug = request.getHeader("X-Debug-Auth") == "1"
|
||||
fun setDebug(value: String) {
|
||||
if (debug) {
|
||||
response.setHeader("X-Auth-Debug", value)
|
||||
logger.info("Auth debug: {} {} -> {}", request.method, request.requestURI, value)
|
||||
}
|
||||
}
|
||||
val header = request.getHeader(HttpHeaders.AUTHORIZATION)
|
||||
if (header.isNullOrBlank() || !header.startsWith("Bearer ")) {
|
||||
logger.debug("Auth missing/invalid header for {}", request.requestURI)
|
||||
setDebug(if (header.isNullOrBlank()) "missing_authorization" else "invalid_authorization")
|
||||
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Missing Authorization token")
|
||||
return
|
||||
}
|
||||
@@ -49,10 +41,7 @@ class FirebaseAuthFilter(
|
||||
val decoded = FirebaseAuth.getInstance().verifyIdToken(token)
|
||||
val firebaseUid = decoded.uid
|
||||
val user = appUserRepo.findByFirebaseUid(firebaseUid)
|
||||
?: run {
|
||||
setDebug("user_not_found")
|
||||
throw ResponseStatusException(HttpStatus.UNAUTHORIZED, "User not found")
|
||||
}
|
||||
?: throw ResponseStatusException(HttpStatus.UNAUTHORIZED, "User not found")
|
||||
logger.debug("Auth verified uid={}, userId={}", firebaseUid, user.id)
|
||||
|
||||
val principal = MyPrincipal(
|
||||
@@ -61,19 +50,9 @@ class FirebaseAuthFilter(
|
||||
)
|
||||
val auth = UsernamePasswordAuthenticationToken(principal, token, emptyList())
|
||||
SecurityContextHolder.getContext().authentication = auth
|
||||
setDebug("ok:userId=${principal.userId},superAdmin=${user.superAdmin}")
|
||||
try {
|
||||
filterChain.doFilter(request, response)
|
||||
} catch (ex: Exception) {
|
||||
if (debug) {
|
||||
val msg = ex.message?.take(200) ?: ""
|
||||
response.setHeader("X-Downstream-Exception", "${ex::class.java.simpleName}:$msg")
|
||||
}
|
||||
throw ex
|
||||
}
|
||||
filterChain.doFilter(request, response)
|
||||
} catch (ex: Exception) {
|
||||
logger.debug("Auth failed for {}: {}", request.requestURI, ex.message)
|
||||
setDebug("verify_failed")
|
||||
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid token")
|
||||
}
|
||||
}
|
||||
|
||||
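Review bot: The `filterChain.doFilter(request, response)` added at the end of the third hunk runs inside the same `try` whose `catch (ex: Exception)` answers with `sendError(SC_UNAUTHORIZED, "Invalid token")`, so every exception thrown by the downstream filters and controllers is now logged only at debug level and reported to the client as a bad token, hiding real server errors (and, if the downstream handler already committed the response, `sendError` will itself throw). The token-verification failure path should be narrowed to the SDK's `FirebaseAuthException`, the unprovisioned-user path should answer the same 401 directly instead of throwing a `ResponseStatusException` that this catch then swallows and rewrites, and the chain call should sit outside the try. The `try {` that this catch closes lies between the first and second hunks and the `doFilterInternal` signature begins above the first, so the rewrite below is an excerpt of the body.
```kotlin
val decoded = try {
    FirebaseAuth.getInstance().verifyIdToken(token)
} catch (ex: FirebaseAuthException) {
    logger.debug("Auth failed for {}: {}", request.requestURI, ex.message)
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid token")
    return
}
val firebaseUid = decoded.uid
// Same 401 as a bad token: do not reveal whether the Firebase account is provisioned.
val user = appUserRepo.findByFirebaseUid(firebaseUid) ?: run {
    logger.debug("Auth: no app user for uid={}", firebaseUid)
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid token")
    return
}
// … unchanged: MyPrincipal, UsernamePasswordAuthenticationToken, SecurityContextHolder …
// Outside any catch: downstream failures must not be reported as 401 "Invalid token".
filterChain.doFilter(request, response)
```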
@@ -26,12 +26,8 @@ class SecurityConfig(
|
||||
}
|
||||
.exceptionHandling {
|
||||
it.authenticationEntryPoint(HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
|
||||
it.accessDeniedHandler { request, response, ex ->
|
||||
if (request.getHeader("X-Debug-Auth") == "1") {
|
||||
val msg = ex.message?.take(200) ?: "access_denied"
|
||||
response.setHeader("X-Access-Debug", msg)
|
||||
}
|
||||
response.sendError(HttpStatus.UNAUTHORIZED.value(), "Unauthorized")
|
||||
it.accessDeniedHandler { _, response, _ ->
|
||||
response.sendError(HttpStatus.FORBIDDEN.value(), "Forbidden")
|
||||
}
|
||||
}
|
||||
.httpBasic { it.disable() }
|
||||
|
||||
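Review bot: The new `accessDeniedHandler` lambda discards both the request and the `AccessDeniedException` and emits the 403 without any log line, so authorization denials leave no trace at all, while the auth filter at least logs its 401s at debug. A `logger.debug("Access denied for {} {}", request.method, request.requestURI)` inside the lambda (SecurityConfig shows no logger in view, so one would need to be declared) would make these events visible to detection tooling; alternatively Spring's stock `AccessDeniedHandlerImpl` yields the same 403 "Forbidden" and could replace the hand-written lambda. The `.exceptionHandling` call is part of a builder chain whose start and end lie outside the hunk.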