Prevent oauth2 sub to leak through the API

Author: blacelle

authorization/src/main/java/eu/solven/kumite/oauth2/authorizationserver/KumiteTokenService.java

@@ -22,7 +22,7 @@
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
 
-import eu.solven.kumite.account.KumiteUser;
+import eu.solven.kumite.account.internal.KumiteUserRaw;
 import eu.solven.kumite.login.AccessTokenWrapper;
 import eu.solven.kumite.login.RefreshTokenWrapper;
 import eu.solven.kumite.oauth2.IKumiteOAuth2Constants;
@@ -76,7 +76,7 @@ public static JWK generateSignatureSecret(IUuidGenerator uuidGenerator) {
 		return jwk;
 	}
 
-	public String generateAccessToken(KumiteUser user,
+	public String generateAccessToken(KumiteUserRaw user,
 			Set<UUID> playerIds,
 			Duration accessTokenValidity,
 			boolean isRefreshToken) {
@@ -143,7 +143,7 @@ private String getIssuer() {
 	 * @return The generated JWT access token.
 	 * @throws IllegalStateException
 	 */
-	public AccessTokenWrapper wrapInJwtAccessToken(KumiteUser user, UUID playerId) {
+	public AccessTokenWrapper wrapInJwtAccessToken(KumiteUserRaw user, UUID playerId) {
 		// access_token are short-lived
 		Duration accessTokenValidity = Duration.parse("PT1H");
 
@@ -161,7 +161,7 @@ public AccessTokenWrapper wrapInJwtAccessToken(KumiteUser user, UUID playerId) {
 
 	// https://stackoverflow.com/questions/38986005/what-is-the-purpose-of-a-refresh-token
 	// https://stackoverflow.com/questions/40555855/does-the-refresh-token-expire-and-if-so-when
-	public RefreshTokenWrapper wrapInJwtRefreshToken(KumiteUser user, Set<UUID> playerIds) {
+	public RefreshTokenWrapper wrapInJwtRefreshToken(KumiteUserRaw user, Set<UUID> playerIds) {
 		// refresh_token are long-lived
 		Duration refreshTokenValidity = Duration.parse("P365D");
 

contest-core/src/main/java/eu/solven/kumite/account/AccountSearchHandler.java

@@ -8,6 +8,7 @@
 import org.springframework.web.reactive.function.server.ServerRequest;
 import org.springframework.web.reactive.function.server.ServerResponse;
 
+import eu.solven.kumite.account.internal.KumiteUser;
 import eu.solven.kumite.app.webflux.api.KumiteHandlerHelper;
 import lombok.AllArgsConstructor;
 import reactor.core.publisher.Mono;

contest-core/src/main/java/eu/solven/kumite/account/IKumiteUserRepository.java

@@ -3,6 +3,9 @@
 import java.util.Map;
 import java.util.Optional;
 
+import eu.solven.kumite.account.internal.KumiteUser;
+import eu.solven.kumite.account.internal.KumiteUserPreRegister;
+
 /**
  * This is kind-of a {@link Map} from {@link KumiteUserRawRaw} to {@link KumiteUser}.
  * 
@@ -12,5 +15,5 @@
 public interface IKumiteUserRepository {
 	Optional<KumiteUser> getUser(KumiteUserRawRaw accountId);
 
-	KumiteUser registerOrUpdate(KumiteUserRaw kumiteUserRaw);
+	KumiteUser registerOrUpdate(KumiteUserPreRegister kumiteUserPreRegister);
 }

contest-core/src/main/java/eu/solven/kumite/account/InMemoryUserRepository.java

@@ -6,7 +6,11 @@
 import java.util.concurrent.ConcurrentHashMap;
 
 import eu.solven.kumite.account.fake_player.FakePlayer;
+import eu.solven.kumite.account.fake_player.FakeUser;
 import eu.solven.kumite.account.fake_player.RandomPlayer;
+import eu.solven.kumite.account.fake_player.RandomUser;
+import eu.solven.kumite.account.internal.KumiteUser;
+import eu.solven.kumite.account.internal.KumiteUserPreRegister;
 import eu.solven.kumite.player.IAccountPlayersRegistry;
 import eu.solven.kumite.player.KumitePlayer;
 import eu.solven.kumite.tools.IUuidGenerator;
@@ -39,18 +43,24 @@ public void putIfAbsent(UUID accountId, KumiteUserRawRaw rawRaw) {
 	}
 
 	@Override
-	public KumiteUser registerOrUpdate(KumiteUserRaw kumiteUserRaw) {
-		KumiteUserRawRaw rawRaw = kumiteUserRaw.getRawRaw();
+	public KumiteUser registerOrUpdate(KumiteUserPreRegister kumiteUserPreRegister) {
+		KumiteUserRawRaw rawRaw = kumiteUserPreRegister.getRawRaw();
 
 		return accountIdToUser.compute(rawRaw, (k, alreadyIn) -> {
-			KumiteUser.KumiteUserBuilder kumiteUserBuilder = KumiteUser.builder().raw(kumiteUserRaw);
+			KumiteUser.KumiteUserBuilder kumiteUserBuilder = KumiteUser.builder()
+					.rawRaw(rawRaw)
+					// TODO We should merge with pre-existing details
+					.details(kumiteUserPreRegister.getDetails());
 			if (alreadyIn == null) {
 				UUID accountId = generateAccountId(rawRaw);
 
 				KumitePlayer player = register(rawRaw, accountId);
 
 				UUID playerId = player.getPlayerId();
-				log.info("Registering as new user accountId={} playerId={} raw={}", accountId, playerId, kumiteUserRaw);
+				log.info("Registering as new user accountId={} playerId={} raw={}",
+						accountId,
+						playerId,
+						kumiteUserPreRegister);
 
 				kumiteUserBuilder.accountId(accountId).playerId(playerId);
 			} else {
@@ -66,9 +76,9 @@ protected UUID generateAccountId(KumiteUserRawRaw rawRaw) {
 	}
 
 	public static UUID generateAccountId(IUuidGenerator uuidGenerator, KumiteUserRawRaw rawRaw) {
-		if (rawRaw.equals(FakePlayer.user().getRaw().getRawRaw())) {
+		if (rawRaw.equals(FakeUser.rawRaw())) {
 			return FakePlayer.ACCOUNT_ID;
-		} else if (rawRaw.equals(RandomPlayer.user().getRaw().getRawRaw())) {
+		} else if (rawRaw.equals(RandomUser.rawRaw())) {
 			return RandomPlayer.ACCOUNT_ID;
 		}
 		return uuidGenerator.randomUUID();

contest-core/src/main/java/eu/solven/kumite/account/KumiteUsersRegistry.java

@@ -3,6 +3,8 @@
 import java.util.Optional;
 import java.util.UUID;
 
+import eu.solven.kumite.account.internal.KumiteUser;
+import eu.solven.kumite.account.internal.KumiteUserPreRegister;
 import eu.solven.kumite.player.KumitePlayer;
 import lombok.RequiredArgsConstructor;
 
@@ -35,8 +37,8 @@ public KumiteUser getUser(KumiteUserRawRaw rawUser) {
 	 * @return a {@link KumiteUser}. This may be a new account if this was not known. If this was already known, we
 	 *         update the oauth2 details and return an existing accountId
 	 */
-	public KumiteUser registerOrUpdate(KumiteUserRaw kumiteUserRaw) {
-		KumiteUser kumiteUser = userRepository.registerOrUpdate(kumiteUserRaw);
+	public KumiteUser registerOrUpdate(KumiteUserPreRegister userPreRegister) {
+		KumiteUser kumiteUser = userRepository.registerOrUpdate( userPreRegister);
 
 		return kumiteUser;
 	}

contest-core/src/main/java/eu/solven/kumite/app/InjectKumiteAccountsConfig.java

@@ -5,10 +5,12 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
 
-import eu.solven.kumite.account.KumiteUser;
 import eu.solven.kumite.account.KumiteUsersRegistry;
 import eu.solven.kumite.account.fake_player.FakePlayer;
+import eu.solven.kumite.account.fake_player.FakeUser;
 import eu.solven.kumite.account.fake_player.RandomPlayer;
+import eu.solven.kumite.account.fake_player.RandomUser;
+import eu.solven.kumite.account.internal.KumiteUser;
 import eu.solven.kumite.player.IAccountPlayersRegistry;
 import lombok.extern.slf4j.Slf4j;
 
@@ -23,7 +25,7 @@ public KumiteUser initFakePlayer(KumiteUsersRegistry usersRegistry,
 			IAccountPlayersRegistry accountPlayersRegistry) {
 		log.info("Registering the {} account and players", IKumiteSpringProfiles.P_FAKEUSER);
 
-		KumiteUser user = usersRegistry.registerOrUpdate(FakePlayer.user().getRaw());
+		KumiteUser user = usersRegistry.registerOrUpdate(FakeUser.pre());
 		// Register an additional player
 		accountPlayersRegistry.registerPlayer(FakePlayer.player(1));
 
@@ -36,7 +38,7 @@ public KumiteUser initRandomPlayer(KumiteUsersRegistry usersRegistry,
 			IAccountPlayersRegistry accountPlayersRegistry) {
 		log.info("Registering the random account and players");
 
-		KumiteUser user = usersRegistry.registerOrUpdate(RandomPlayer.user().getRaw());
+		KumiteUser user = usersRegistry.registerOrUpdate(RandomUser.pre());
 		// Register an additional player
 		accountPlayersRegistry.registerPlayer(RandomPlayer.player(1));
 

contest-core/src/main/java/eu/solven/kumite/randomgamer/RandomPlaysVs1Config.java

@@ -10,7 +10,7 @@
 import org.springframework.context.annotation.Import;
 import org.springframework.context.annotation.Profile;
 
-import eu.solven.kumite.account.KumiteUser;
+import eu.solven.kumite.account.internal.KumiteUser;
 import eu.solven.kumite.app.IKumiteSpringProfiles;
 import eu.solven.kumite.contest.ActiveContestGenerator;
 import eu.solven.kumite.contest.ContestSearchParameters;

contest-core/src/main/java/eu/solven/kumite/randomgamer/RandomPlaysVsThemselvesConfig.java

@@ -8,7 +8,7 @@
 import org.springframework.context.annotation.Import;
 import org.springframework.context.annotation.Profile;
 
-import eu.solven.kumite.account.KumiteUser;
+import eu.solven.kumite.account.internal.KumiteUser;
 import eu.solven.kumite.app.IKumiteSpringProfiles;
 import eu.solven.kumite.contest.ActiveContestGenerator;
 import eu.solven.kumite.eventbus.EventSubscriber;

contest-core/src/test/java/eu/solven/kumite/scenario/TestTSPLifecycle.java

@@ -15,8 +15,8 @@
 import org.springframework.test.context.TestPropertySource;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 
-import eu.solven.kumite.account.KumiteUser;
 import eu.solven.kumite.account.KumiteUsersRegistry;
+import eu.solven.kumite.account.internal.KumiteUser;
 import eu.solven.kumite.account.login.IKumiteTestConstants;
 import eu.solven.kumite.app.IKumiteSpringProfiles;
 import eu.solven.kumite.app.KumiteServerComponentsConfiguration;
@@ -74,7 +74,7 @@ public class TestTSPLifecycle {
 
 	@Test
 	public void testSinglePlayer() {
-		KumiteUser account = usersRegistry.registerOrUpdate(IKumiteTestConstants.userRaw());
+		KumiteUser account = usersRegistry.registerOrUpdate(IKumiteTestConstants.userPreRegister());
 		UUID accountId = account.getAccountId();
 
 		List<GameMetadata> games =

player/src/main/java/eu/solven/kumite/app/KumiteWebclientServerProperties.java

@@ -4,7 +4,10 @@
 import org.springframework.core.env.Profiles;
 
 import eu.solven.kumite.account.fake_player.FakePlayer;
+import eu.solven.kumite.account.fake_player.FakeUser;
 import eu.solven.kumite.account.fake_player.RandomPlayer;
+import eu.solven.kumite.account.fake_player.RandomUser;
+import eu.solven.kumite.account.internal.KumiteUser;
 import eu.solven.kumite.login.RefreshTokenWrapper;
 import eu.solven.kumite.oauth2.authorizationserver.KumiteTokenService;
 import eu.solven.kumite.tools.IUuidGenerator;
@@ -39,15 +42,15 @@ public static String loadRefreshToken(Environment env, IUuidGenerator uuidGenera
 			}
 			KumiteTokenService kumiteTokenService = new KumiteTokenService(env, uuidGenerator);
 			RefreshTokenWrapper wrappedRefreshToken =
-					kumiteTokenService.wrapInJwtRefreshToken(FakePlayer.user(), FakePlayer.fakePlayers());
+					kumiteTokenService.wrapInJwtRefreshToken(KumiteUser.raw(FakeUser.user()), FakePlayer.fakePlayers());
 			refreshToken = wrappedRefreshToken.getRefreshToken();
 		} else if (KumiteWebclientServerProperties.PLACEHOLDER_GENERATERANDOMPLAYER.equals(refreshToken)) {
 			{
 				log.info("Generating on-the-fly a fakeUser refreshToken");
 			}
 			KumiteTokenService kumiteTokenService = new KumiteTokenService(env, uuidGenerator);
-			RefreshTokenWrapper wrappedRefreshToken =
-					kumiteTokenService.wrapInJwtRefreshToken(RandomPlayer.user(), RandomPlayer.playerIds());
+			RefreshTokenWrapper wrappedRefreshToken = kumiteTokenService
+					.wrapInJwtRefreshToken(KumiteUser.raw(RandomUser.user()), RandomPlayer.playerIds());
 			refreshToken = wrappedRefreshToken.getRefreshToken();
 		}
 		return refreshToken;

public/src/main/java/eu/solven/kumite/account/KumiteUser.java

@@ -2,6 +2,7 @@
 
 import java.net.URI;
 
+import eu.solven.kumite.account.internal.KumiteUser;
 import lombok.Builder;
 import lombok.NonNull;
 import lombok.Value;
@@ -16,9 +17,9 @@
 @Value
 @Builder
 @Jacksonized
-public class KumiteUserRaw {
-	@NonNull
-	KumiteUserRawRaw rawRaw;
+public class KumiteUserDetails {
+	// @NonNull
+	// KumiteUserRawRaw rawRaw;
 
 	@NonNull
 	String username;
@@ -35,9 +36,9 @@ public class KumiteUserRaw {
 	String school;
 	String company;
 
-	private KumiteUserRawBuilder preloadBuilder() {
-		return KumiteUserRaw.builder()
-				.rawRaw(rawRaw)
+	private KumiteUserDetailsBuilder preloadBuilder() {
+		return KumiteUserDetails.builder()
+				// .rawRaw(rawRaw)
 				.username(username)
 				.name(name)
 				.email(email)
@@ -47,15 +48,15 @@ private KumiteUserRawBuilder preloadBuilder() {
 				.company(company);
 	}
 
-	public KumiteUserRaw setCountryCode(String countryCode) {
+	public KumiteUserDetails setCountryCode(String countryCode) {
 		return preloadBuilder().countryCode(countryCode).build();
 	}
 
-	public KumiteUserRaw setCompany(String company) {
+	public KumiteUserDetails setCompany(String company) {
 		return preloadBuilder().company(company).build();
 	}
 
-	public KumiteUserRaw setSchool(String school) {
+	public KumiteUserDetails setSchool(String school) {
 		return preloadBuilder().school(school).build();
 	}
 }

public/src/main/java/eu/solven/kumite/account/KumiteUserRaw.java public/src/main/java/eu/solven/kumite/account/KumiteUserDetails.java

@@ -1,5 +1,6 @@
 package eu.solven.kumite.account;
 
+import eu.solven.kumite.account.internal.KumiteUser;
 import lombok.Builder;
 import lombok.NonNull;
 import lombok.Value;

public/src/main/java/eu/solven/kumite/account/KumiteUserRawRaw.java

@@ -3,9 +3,6 @@
 import java.util.Set;
 import java.util.UUID;
 
-import eu.solven.kumite.account.KumiteUser;
-import eu.solven.kumite.account.KumiteUserRaw;
-import eu.solven.kumite.account.KumiteUserRawRaw;
 import eu.solven.kumite.player.KumitePlayer;
 import lombok.extern.slf4j.Slf4j;
 
@@ -42,17 +39,6 @@ public static boolean isFakePlayer(UUID playerId) {
 		}
 	}
 
-	public static KumiteUser user() {
-		KumiteUserRawRaw rawRaw = KumiteUserRawRaw.builder().providerId("kumite").sub("fakeSub").build();
-		KumiteUserRaw raw = KumiteUserRaw.builder()
-				.rawRaw(rawRaw)
-				.username("fakeUsername")
-				.email("fake@fake")
-				.name("Fake User")
-				.build();
-		return KumiteUser.builder().accountId(ACCOUNT_ID).playerId(PLAYER_ID1).raw(raw).build();
-	}
-
 	public static KumitePlayer fakePlayer() {
 		return KumitePlayer.builder().playerId(PLAYER_ID1).accountId(ACCOUNT_ID).build();
 	}

public/src/main/java/eu/solven/kumite/account/fake_player/FakePlayer.java

@@ -0,0 +1,30 @@
+package eu.solven.kumite.account.fake_player;
+
+import eu.solven.kumite.account.KumiteUserDetails;
+import eu.solven.kumite.account.KumiteUserRawRaw;
+import eu.solven.kumite.account.internal.KumiteUser;
+import eu.solven.kumite.account.internal.KumiteUserPreRegister;
+
+public class FakeUser {
+
+	public static KumiteUserRawRaw rawRaw() {
+		return KumiteUserRawRaw.builder().providerId("kumite").sub("fakeSub").build();
+	}
+
+	public static KumiteUserPreRegister pre() {
+		KumiteUserDetails details =
+				KumiteUserDetails.builder().username("fakeUsername").email("fake@fake").name("Fake User").build();
+		return KumiteUserPreRegister.builder().rawRaw(rawRaw()).details(details).build();
+	}
+
+	public static KumiteUser user() {
+		KumiteUserPreRegister pre = pre();
+		return KumiteUser.builder()
+				.accountId(FakePlayer.ACCOUNT_ID)
+				.playerId(FakePlayer.PLAYER_ID1)
+				.rawRaw(pre.getRawRaw())
+				.details(pre.getDetails())
+				.build();
+	}
+
+}