Removed client authentication from the client deregistration &
client-secret reset APIs.
Change-Id: I9af0c65b5a7e34af761db6d519ea72a2c6d9c46e
diff --git a/core/Changes b/core/Changes
index a315367..bec0bd2 100644
--- a/core/Changes
+++ b/core/Changes
@@ -1,6 +1,8 @@
# version 0.62.4
24/01/2020
- Removed salt from config and updated config files.
+05/02/2020
+ - Added welcome page.
# version 0.62.3
03/12/2019
diff --git a/core/src/main/java/de/ids_mannheim/korap/web/controller/SearchController.java b/core/src/main/java/de/ids_mannheim/korap/web/controller/SearchController.java
index d3b88a8..5bbcfeb 100644
--- a/core/src/main/java/de/ids_mannheim/korap/web/controller/SearchController.java
+++ b/core/src/main/java/de/ids_mannheim/korap/web/controller/SearchController.java
@@ -65,6 +65,13 @@
@Autowired
private OAuth2ScopeService scopeService;
+
+ @GET
+ @Path("{version}")
+ public Response index (){
+ return Response.ok("Welcome to KorAP API!").build();
+ }
+
@POST
@Path("{version}/index/close")
public Response closeIndexReader (@FormParam("token") String token){
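Review bot: The new `index` endpoint at lines 24-28 has no `@Produces`, so the media type of the welcome string is left to content negotiation and may differ between clients; `@Produces(MediaType.TEXT_PLAIN)` would pin it. The `{version}` template is matched but never bound with `@PathParam`, so any value is accepted — if the neighbouring endpoints validate the version, this one should match them, which I cannot confirm from the hunk. A one-line Javadoc such as `/** Returns a static welcome message; the version segment is accepted but not checked. */` would document the intent.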
diff --git a/full/Changes b/full/Changes
index ff981f6..c72f6df 100644
--- a/full/Changes
+++ b/full/Changes
@@ -6,7 +6,9 @@
05/02/2020
- Added a config properties for a long-time access token expiry
and excluded refresh tokens for public clients in OAuth2 token
- responses (margaretha)
+ responses (margaretha)
+ - Removed client authentication from the client deregistration and
+ client-secret reset APIs (margaretha)
# version 0.62.3
03/12/2019
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java
index 05280a2..a4188c8 100644
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java
+++ b/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java
@@ -184,14 +184,11 @@
return true;
}
- public void deregisterClient (String clientId, String clientSecret,
- String username) throws KustvaktException {
+ public void deregisterClient (String clientId, String username)
+ throws KustvaktException {
OAuth2Client client = clientDao.retrieveClientById(clientId);
- if (client.getType().equals(OAuth2ClientType.CONFIDENTIAL)) {
- authenticateClient(clientId, clientSecret);
- }
-
+
if (adminDao.isAdmin(username)
|| client.getRegisteredBy().equals(username)) {
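Review bot: After this change the sole gate on deregistering a confidential client is the `adminDao.isAdmin(username) || client.getRegisteredBy().equals(username)` test at lines 64-65; the client's type no longer matters and possession of the secret is never proven, so the method's contract should state that explicitly. Suggested Javadoc for the new signature: `Deregisters the client identified by clientId. No client credentials are required; the caller must be the user who registered the client or an admin.` The body of `deregisterClient` continues past the end of the hunk.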
@@ -231,10 +228,10 @@
}
}
- public OAuth2ClientDto resetSecret (String clientId, String clientSecret,
- String username) throws KustvaktException {
+ public OAuth2ClientDto resetSecret (String clientId, String username)
+ throws KustvaktException {
- OAuth2Client client = authenticateClient(clientId, clientSecret);
+ OAuth2Client client = clientDao.retrieveClientById(clientId);
if (!client.getType().equals(OAuth2ClientType.CONFIDENTIAL)) {
throw new KustvaktException(StatusCodes.NOT_ALLOWED,
"Operation is not allowed for public clients",
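Review bot: `resetSecret` now loads the client by id at line 74 without any proof of the secret, and the only check visible in the hunk is the CONFIDENTIAL-type test at lines 75-77; the ownership/admin guard that `deregisterClient` applies is not shown here. If it is absent in the remainder of the method (which lies outside the hunk), any user holding the `RESET_CLIENT_SECRET` scope could rotate another user's client secret, so please confirm and, if missing, mirror the `adminDao.isAdmin(username) || client.getRegisteredBy().equals(username)` guard and reject with `StatusCodes.NOT_ALLOWED` otherwise. Note also that the previous `authenticateClient` call presumably handled an unknown clientId; whether `retrieveClientById` throws or returns null for one is not visible, and a null return would be dereferenced at line 75.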
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java
index 6763241..04927c9 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java
@@ -124,17 +124,14 @@
*/
@DELETE
@Path("deregister/{client_id}")
- @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response deregisterClient (
@Context SecurityContext securityContext,
- @PathParam("client_id") String clientId,
- @FormParam("client_secret") String clientSecret) {
+ @PathParam("client_id") String clientId) {
TokenContext context =
(TokenContext) securityContext.getUserPrincipal();
try {
scopeService.verifyScope(context, OAuth2Scope.DEREGISTER_CLIENT);
- clientService.deregisterClient(clientId, clientSecret,
- context.getUsername());
+ clientService.deregisterClient(clientId, context.getUsername());
return Response.ok().build();
}
catch (KustvaktException e) {
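Review bot: The Javadoc of `deregisterClient` closes at line 83, above the hunk, so it presumably still describes the removed `client_secret` form parameter; it should be updated to say that the caller must be the registering user or an admin and that no client credentials are sent. The same applies to the documentation of `resetClientSecret` in the next hunk (lines 103-118), and any `@Consumes` left on that method is now only justified by the remaining `client_id` form field. Dropping `@Consumes` on the DELETE here is consistent with the endpoint no longer reading a body.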
@@ -158,14 +155,12 @@
@Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
public OAuth2ClientDto resetClientSecret (
@Context SecurityContext securityContext,
- @FormParam("client_id") String clientId,
- @FormParam("client_secret") String clientSecret) {
+ @FormParam("client_id") String clientId) {
TokenContext context =
(TokenContext) securityContext.getUserPrincipal();
try {
scopeService.verifyScope(context, OAuth2Scope.RESET_CLIENT_SECRET);
- return clientService.resetSecret(clientId, clientSecret,
- context.getUsername());
+ return clientService.resetSecret(clientId, context.getUsername());
}
catch (KustvaktException e) {
throw responseHandler.throwit(e);
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
index 2ee4bc2..3183beb 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
@@ -136,13 +136,11 @@
assertNotNull(clientSecret);
testRegisterClientNonUniqueURL();
+ testResetConfidentialClientSecret(clientId, clientSecret);
- String newclientSecret =
- testResetConfidentialClientSecret(clientId, clientSecret);
-
- testDeregisterConfidentialClientMissingSecret(clientId);
- testDeregisterClientIncorrectCredentials(clientId, clientSecret);
- testDeregisterConfidentialClient(clientId, newclientSecret);
+// testDeregisterConfidentialClientMissingSecret(clientId);
+// testDeregisterClientIncorrectCredentials(clientId, clientSecret);
+ testDeregisterConfidentialClient(clientId);
}
private void testRegisterClientNonUniqueURL () throws KustvaktException {
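Review bot: Lines 133-134 comment out the two negative tests and the helpers they called are marked `@Deprecated` at lines 160 and 166 instead of being removed, leaving private methods no test exercises; commented-out calls and dead helpers should be deleted. More importantly, the suite now has no test for the new authorization boundary: nothing asserts that a user who is neither the registering user nor an admin is refused on `deregister/{client_id}` (and on the secret reset). A replacement test following the pattern of `testDeregisterConfidentialClient` at lines 150-158, but authenticating as a different registered user, would cover it; the expected status depends on how the response handler maps `NOT_ALLOWED`, so the fixture value and status below are placeholders.
```java
private void testDeregisterClientByNonOwner (String clientId)
        throws UniformInterfaceException, ClientHandlerException,
        KustvaktException {
    // placeholder: a second registered user from the test fixture, not the client's owner
    String otherUser = "<second-test-user>";
    ClientResponse response = resource().path(API_VERSION).path("oauth2")
            .path("client").path("deregister").path(clientId)
            .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                    .createBasicAuthorizationHeaderValue(otherUser, "pass"))
            .delete(ClientResponse.class);
    // the exact error status comes from the response handler's mapping of NOT_ALLOWED
    assertNotEquals(Status.OK.getStatusCode(), response.getStatus());
}
```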
@@ -291,24 +289,20 @@
assertEquals(Status.OK.getStatusCode(), response.getStatus());
}
- private void testDeregisterConfidentialClient (String clientId,
- String clientSecret) throws UniformInterfaceException,
- ClientHandlerException, KustvaktException {
-
- MultivaluedMap<String, String> form = new MultivaluedMapImpl();
- form.add("client_secret", clientSecret);
+ private void testDeregisterConfidentialClient (String clientId)
+ throws UniformInterfaceException, ClientHandlerException,
+ KustvaktException {
ClientResponse response = resource().path(API_VERSION).path("oauth2")
.path("client").path("deregister").path(clientId)
.header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
.createBasicAuthorizationHeaderValue(username, "pass"))
- .header(HttpHeaders.CONTENT_TYPE,
- ContentType.APPLICATION_FORM_URLENCODED)
- .entity(form).delete(ClientResponse.class);
+ .delete(ClientResponse.class);
assertEquals(Status.OK.getStatusCode(), response.getStatus());
}
+ @Deprecated
private void testDeregisterConfidentialClientMissingSecret (String clientId)
throws KustvaktException {
@@ -329,6 +323,7 @@
node.at("/error_description").asText());
}
+ @Deprecated
private void testDeregisterClientIncorrectCredentials (String clientId,
String clientSecret) throws UniformInterfaceException,
ClientHandlerException, KustvaktException {
@@ -424,7 +419,7 @@
testAccessTokenAfterUpgradingClient(clientId, accessToken);
testAccessTokenAfterDegradingSuperClient(clientId, accessToken);
- testDeregisterConfidentialClient(clientId, clientSecret);
+ testDeregisterConfidentialClient(clientId);
}
// old access tokens retain their scopes