add tamper protection

2023-11-12 09:18:27 +05:30 · 2023-11-12 09:18:27 +05:30 · b4a6308d5a
commit b4a6308d5a
parent 10813529f2
2 changed files with 22 additions and 4 deletions
--- a/src/main/kotlin/com/restapi/Main.kt
+++ b/src/main/kotlin/com/restapi/Main.kt
@ -15,6 +15,7 @@ import com.restapi.domain.Session
 import com.restapi.domain.Session.objectMapper
 import com.restapi.domain.Session.redis
 import com.restapi.domain.Session.setAuthorizedUser
+import com.restapi.domain.Session.signPayload
 import io.ebean.DataIntegrityException
 import io.ebean.DuplicateKeyException
 import io.javalin.Javalin
@ -32,9 +33,12 @@ import java.net.http.HttpRequest
 import java.net.http.HttpRequest.BodyPublishers
 import java.net.http.HttpResponse.BodyHandlers
 import java.nio.charset.StandardCharsets
+import java.security.MessageDigest
+import java.util.*
 import java.util.concurrent.TimeUnit
 import kotlin.jvm.optionals.getOrDefault

+
 fun main(args: Array<String>) {
    val logger = LoggerFactory.getLogger("api")
    val adminRole = Role.Standard(Action.ADMIN)
@ -104,6 +108,12 @@ fun main(args: Array<String>) {
                    it.result(atResponse.accessToken).contentType(ContentType.TEXT_PLAIN)

                }
+                get("/keys") {
+                    //for the UI to validate signature and response
+                    it.json(
+                        Session.jwk()
+                    )
+                }
            }

            before("/api/*") { ctx ->
@ -121,15 +131,21 @@ fun main(args: Array<String>) {

                setAuthorizedUser(validateAuthToken(authToken = authToken))

-                if(appConfig.enforcePayloadEncryption()){
+                if (appConfig.enforcePayloadEncryption()) {
                    //todo: decrypt the request from user
                }
            }
            after("/api/*") {

-                it.header("X-Signature", Session.sign(it.body()))
+                val md = MessageDigest.getInstance("SHA-512")
+                md.update((it.result() ?: "").toByteArray())
+                val aMessageDigest = md.digest()

-                if(appConfig.enforcePayloadEncryption()){
+                val outEncoded: String = Base64.getEncoder().encodeToString(aMessageDigest)
+                it.header("X-Checksum", outEncoded)
+                it.header("X-Signature", signPayload(outEncoded))
+
+                if (appConfig.enforcePayloadEncryption()) {
                    //todo:, encrypt and set the response back to user
                }

--- a/src/main/kotlin/com/restapi/domain/db.kt
+++ b/src/main/kotlin/com/restapi/domain/db.kt
@ -13,6 +13,7 @@ import io.ebean.config.DatabaseConfig
 import io.ebean.config.TenantMode
 import org.bouncycastle.openssl.jcajce.JcaPEMWriter
 import org.bouncycastle.util.io.pem.PemReader
+import org.jose4j.jwk.JsonWebKey
 import org.jose4j.jwk.PublicJsonWebKey
 import org.jose4j.jwk.RsaJsonWebKey
 import org.jose4j.jwk.RsaJwkGenerator
@ -108,7 +109,7 @@ object Session {

    }

-    fun sign(payload: String): String {
+    fun signPayload(payload: String): String {

        // Create a new JsonWebSignature
        val jws = JsonWebSignature()
@ -161,6 +162,7 @@ object Session {
    fun currentUser() = currentUser.get().userName
    fun currentTenant() = currentUser.get().tenant
    fun currentRoles() = currentUser.get().roles
+    fun jwk() = keypair.toParams(JsonWebKey.OutputControlLevel.PUBLIC_ONLY)

    fun Database.findByEntityAndId(entity: String, id: String): DataModel {
        return find(DataModel::class.java)