Changeset 7408

Timestamp:

Oct 6, 2017, 11:37:18 AM (5 years ago)

Author:

Nicklas Nordborg

Message:

References #2097: Implement support for device verification

The major part of device verification should now be implemented. If the web application has a stored token it is submitted with the login information (LoginRequest.setDeviceToken()). The SessionControl.login() method will check if the device is known or not.

If not, a DeviceNotVerifiedException is thrown and the user is taken to the verify_device.jsp page. The code should be sent by email but is currently only display on that page (to be fixed!). If the verification code is correct, information about the device is stored in the database so that the user can be allowed access immediately the next time.

Location:

trunk

Files:

• src/core/common-queries.xml (modified) (1 diff)
• src/core/net/sf/basedb/core/DeviceNotVerifiedException.java (added)
• src/core/net/sf/basedb/core/SessionControl.java (modified) (15 diffs)
• src/core/net/sf/basedb/core/authentication/LoginRequest.java (modified) (4 diffs)
• www/exception/not_logged_in.jsp (modified) (1 diff)
• www/login.js (modified) (1 diff)
• www/login.jsp (modified) (4 diffs)
• www/main.jsp (modified) (1 diff)
• www/switch.jsp (modified) (1 diff)
• www/verify_device.js (added)
• www/verify_device.jsp (added)
• www/views/devices/list_devices.jsp (modified) (2 diffs)

trunk/src/core/common-queries.xml

@@ -3932 +3932 @@
     </description>
   </query>
+  
+  <query id="GET_USER_DEVICE" type="HQL">
+    <sql>
+      SELECT dev
+      FROM UserDeviceData dev
+      WHERE dev.user = :userId
+      AND dev.client = :clientId
+      AND dev.token = :token
+    </sql>
+    <description>
+      HQL query that selects a device for a given user and client
+      with a given device token.
+    </description>
+  </query>
 
 </predefined-queries>

trunk/src/core/net/sf/basedb/core/SessionControl.java

@@ -38 +38 @@
 import net.sf.basedb.core.data.UserClientSettingData;
 import net.sf.basedb.core.data.UserDefaultSettingData;
+import net.sf.basedb.core.data.UserDeviceData;
 import net.sf.basedb.core.hibernate.TypeWrapper;
 import net.sf.basedb.core.data.ClientDefaultSettingData;
 import net.sf.basedb.core.data.ContextData;
 import net.sf.basedb.core.data.ContextIndex;
+import net.sf.basedb.util.EmailUtil;
 import net.sf.basedb.util.Enumeration;
+import net.sf.basedb.util.MD5;
 import net.sf.basedb.util.extensions.ExtensionsInvoker;
 import net.sf.basedb.util.extensions.Registry;
@@ -57 +60 @@
 import java.util.Locale;
 import java.util.Set;
+import java.util.UUID;
 import java.util.Map;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.WeakHashMap;
+
 import java.util.Collections;
 import java.util.List;
@@ -133 +138 @@
   private LoginInfo loginInfo;
   
+  /**
+    Temporary login information before a device is verified.
+  */
+  private UnverifiedDeviceInfo unverifiedDeviceInfo;
+
   /**
     Map for storing current contexts.
@@ -302 +312 @@
     return externalClientId;
   }
+  
+  /**
+    Get the id of the <code>UserDevice</code> in use. Use
+    {@link UserDevice#getById(DbControl, int)} to get the {@link UserDevice} object.
+    @return Device id as an int, 0 if the device is unknown
+    @since 3.12
+  */
+  public int getDeviceId()
+  {
+    updateLastAccess();
+    return loginInfo == null ? 0 : loginInfo.deviceId;
+  }
 
   
@@ -384 +406 @@
     org.hibernate.Session session = null;
     org.hibernate.Transaction tx = null;
+    
+    UserDeviceData device = null;
+    AuthenticatedUser authUser = null;
+    UserData user = null;
     try
     {
@@ -390 +416 @@
       tx = HibernateUtil.newTransaction(session);
 
-      AuthenticatedUser authUser = verifyUserExternal(session, loginRequest);
+      authUser = verifyUserExternal(session, loginRequest);
       if (authUser == null)
       {
@@ -397 +423 @@
       }
       
+      // The login was ok so far... check device verification
+      device = verifyDevice(session, loginRequest, authUser);
+      user = HibernateUtil.loadData(session, UserData.class, authUser.getInternalId());
+      
+      // A null value means that either device verification is disabled 
+      // An existing device means that it is already verified
+      LoginInfo li = null;
+      if (device == null || device.getId() != 0)
+      {
+        // All is ok, finalize the login
+        li = createLoginInfo(session, user, loginRequest.getComment(), false, authUser.getAuthenticationMethod(), device == null ? 0 : device.getId());
+      }
+      HibernateUtil.commit(tx);
+      
+      if (li != null)
+      {
+        currentContexts.clear();
+        allowedClients.clear();
+        loginInfo = li;
+      }
+    }
+    catch (InterruptedException ex)
+    {
+      throw new LoginException("Login aborted");
+    }
+    catch (BaseException ex)
+    {
+      if (tx != null) HibernateUtil.rollback(tx);
+      throw ex;
+    }
+    finally
+    {
+      if (session != null) HibernateUtil.close(session);
+    }
+    
+    if (device != null && device.getId() == 0)
+    {
+      // Device verification is enabled and the user is using an unverified device
+      // Send verification code to the user and keep the information we have so far
+      // Once the user has got the verification code it is expected that the
+      // verifyDevice(String, boolean) method is called
+      
+      UnverifiedDeviceInfo udi = new UnverifiedDeviceInfo();
+      // Prepare the information that is needed to verify the device
+      udi.device = device;
+      udi.loginRequest = loginRequest;
+      udi.authenticatedUser = authUser;
+      udi.verificationCode = MD5.leftPad(Integer.toString((int)(Math.random()*1000000)), '0', 6);
+
+      udi.message = "A verification code has been sent to your registered email address: " + 
+        "<b>" + user.getEmail() + "</b>\n" + 
+        "Please enter the verification code in the form below to continue with the login.";
+      
+      udi.message += "\n\nDEBUG!!! The verification code for device '" + udi.getDeviceToken() + "' is: " + udi.verificationCode;
+      unverifiedDeviceInfo = udi;
+      
+      throw new DeviceNotVerifiedException();
+    }
+  }
+  
+  /**
+    Get information about a device that is currently waiting to
+    be verified. If this method returns a non-null value a verification
+    has been sent to the user via email. This code should be used as
+    a parameter when calling {@link #verifyDevice(String, boolean)}.
+    
+    @return Information about the unverified device, or null if device verification
+      is not needed
+    @since 3.12
+  */
+  public UnverifiedDeviceInfo getUnverifiedDeviceInfo()
+  {
+    return unverifiedDeviceInfo;
+  }
+  
+  /**
+    Call this method to verify a device. If device verification is not needed
+    at this moment, an IllegalStateException is thrown. If the verification
+    fails the login process must be re-started from the beginning. There is no
+    second try. If the verification is successful, the user will be logged in
+    after this method completes.
+    
+    @param code The verification code that was sent (by email) to the user
+    @param rememberDevice A flag indicating if the device should be remembered.
+      If not, the device needs to be verified again the next time it is used
+    @since 3.12
+    @see #getUnverifiedDeviceInfo()
+  */
+  public synchronized void verifyDevice(String code, boolean rememberDevice)
+  {
+    if (unverifiedDeviceInfo == null)
+    {
+      throw new IllegalStateException("No device is waiting for verification.");
+    }
+    org.hibernate.Session session = null;
+    org.hibernate.Transaction tx = null;
+    try
+    {
+      // Check the verification code!
+      if (!unverifiedDeviceInfo.verificationCode.equals(code))
+      {
+        // Not correct. Login must be re-started
+        throw new LoginException("The verification code was not correct.");
+      }
+    
+      // The verification code was correct, finalize the login
+      session = HibernateUtil.newSession();
+      tx = HibernateUtil.newTransaction(session);
+      
+      LoginRequest loginRequest = unverifiedDeviceInfo.loginRequest;
+      AuthenticatedUser authUser = unverifiedDeviceInfo.authenticatedUser;
+      
+      int deviceId = 0;
+      if (rememberDevice)
+      {
+        HibernateUtil.saveData(session, unverifiedDeviceInfo.device);
+        deviceId = unverifiedDeviceInfo.device.getId();
+      }
+      
       UserData user = HibernateUtil.loadData(session, UserData.class, authUser.getInternalId());
+      LoginInfo li = createLoginInfo(session, user, loginRequest.getComment(), false, authUser.getAuthenticationMethod(), deviceId);
+      HibernateUtil.commit(tx);
       
-      LoginInfo li = createLoginInfo(session, user, loginRequest.getComment(), false, authUser.getAuthenticationMethod());
-      HibernateUtil.commit(tx);
       currentContexts.clear();
       allowedClients.clear();
       loginInfo = li;
     }
-    catch (InterruptedException ex)
-    {
-      throw new LoginException("Login aborted");
-    }
-    catch (BaseException ex)
-    {
-      if (tx != null) HibernateUtil.rollback(tx);
-      throw ex;
-    }
     finally
     {
+      unverifiedDeviceInfo = null;
       if (session != null) HibernateUtil.close(session);
     }
   }
-  
 
   /**
@@ -608 +744 @@
 
   /**
+    Verify the device the user is using. The verification is done if the 
+    current client application supports it and if the user has enabled
+    device verification. If the device is found to be unverified a
+    UnverifiedLoginInfo instance is created and returned. 
+    
+    @return An {@link UnverifiedLoginInfo} object if device verification is
+      supported and needed, null to continue with normal login
+    @since 3.12
+  */
+  private UserDeviceData verifyDevice(org.hibernate.Session session, LoginRequest loginRequest, AuthenticatedUser authUser)
+  {
+    // No email = no device verification
+    if (!EmailUtil.isEnabled()) return null;
+
+    // Check if the client application supports device verification
+    ClientData client = getClientId() != 0 ? HibernateUtil.loadData(session, ClientData.class, getClientId()) : null;
+    if (client == null || !client.getSupportsDeviceVerification()) return null;
+    
+    // Check if the user has enabled device verification
+    UserData user = HibernateUtil.loadData(session, UserData.class, authUser.getInternalId());
+    if (!user.getUseDeviceVerification()) return null;
+    
+    // Check the submitted deviceToken
+    String deviceToken = loginRequest.getDeviceToken();
+    String userAgent = loginRequest.getAttribute("user-agent");
+    UserDeviceData device = null;
+    
+    if (deviceToken != null)
+    {
+      org.hibernate.query.Query<UserDeviceData> query = HibernateUtil.getPredefinedQuery(session, 
+        "GET_USER_DEVICE", UserDeviceData.class);
+      /*
+        SELECT dev
+        FROM UserDeviceData dev
+        WHERE dev.user = :userId
+        AND dev.client = :clientId
+        AND dev.token = :token
+      */
+      query.setParameter("userId", authUser.getInternalId(), TypeWrapper.H_INTEGER);
+      query.setParameter("clientId", clientId, TypeWrapper.H_INTEGER);
+      query.setParameter("token", deviceToken, TypeWrapper.H_STRING);
+      device = HibernateUtil.loadData(query);
+      
+      if (device != null)
+      {
+        // This device is already verified
+        // We update the user agent string since it may be different due to version upgrade
+        if (userAgent != null) device.setUserAgent(userAgent);
+        // And the lastUsed date
+        device.setLastUsed(new Date());         
+      }
+    }
+      
+    if (device == null)
+    {
+      // The user is using an unverified device
+      if (deviceToken != null)
+      {
+        // If the submitted deviceToken is already stored in the database (for any other user/client)
+        // we accept it as a possible valid device (that still needs to be verified for this
+        // particular user)
+        org.hibernate.query.Query<Long> query = HibernateUtil.createQuery(session, 
+          "SELECT count(*) FROM UserDeviceData dev WHERE dev.token = :token", Long.class);
+        query.setParameter("token", deviceToken, TypeWrapper.H_STRING);
+        if (HibernateUtil.loadData(query) == 0)
+        {
+          // Not found, so we generate a new deviceToken
+          deviceToken = null;
+        }
+      }
+      if (deviceToken == null) deviceToken = UUID.randomUUID().toString();
+
+      // Create the new device (but we do not save it until it has been verified!)
+      Date now = new Date();
+      device = new UserDeviceData();
+      device.setName("New device");
+      device.setUser(user);
+      device.setClient(client);
+      device.setEntryDate(now);
+      device.setLastUsed(now);
+      device.setToken(deviceToken);
+      device.setUserAgent(userAgent);
+    }
+    return device;
+  }
+
+  
+  /**
     Log in as another user or create a clone of the currently logged in user's session.
     If this call is successful, you will get a new <code>SessionControl</code> object which 
@@ -639 +863 @@
       // Load user data
       UserData userData = HibernateUtil.loadData(session, UserData.class, userId);
-      LoginInfo li = createLoginInfo(session, userData, comment, true, getAuthenticationMethod());
+      LoginInfo li = createLoginInfo(session, userData, comment, true, getAuthenticationMethod(), getDeviceId());
       HibernateUtil.commit(tx);
       SessionControl impersonated = Application.newSessionControl(getExternalClientId(), getRemoteId(), null);
@@ -741 +965 @@
     Create a LoginInfo object and load all information that it needs.
   */
-  private LoginInfo createLoginInfo(org.hibernate.Session session, UserData userData, String comment, boolean impersonated, AuthenticationMethod authenticationMethod)
+  private LoginInfo createLoginInfo(org.hibernate.Session session, UserData userData, String comment, boolean impersonated, AuthenticationMethod authenticationMethod, int deviceId)
     throws BaseException
   {
@@ -765 +989 @@
       }
     }
+    UserDeviceData deviceData = null;
+    li.deviceId = deviceId;
+    if (deviceId != 0)
+    {
+      deviceData = HibernateUtil.loadData(session, UserDeviceData.class, deviceId);
+    }
 
     // Load settings
@@ -777 +1007 @@
     sessionData.setUser(userData);
     sessionData.setClient(clientData);
+    sessionData.setDevice(deviceData);
     sessionData.setLoginTime(new Date());
     sessionData.setLoginComment(comment);
@@ -2412 +2643 @@
     private AuthenticationMethod authenticationMethod;
     
+    
+    /**
+      The id of the {@link UserDevice} in use.
+      @since 3.12
+    */
+    private int deviceId;
+    
     /**
       The id of the {@link ProjectData} object of the active project.
@@ -2458 +2696 @@
       this.userId = parent.userId;
       this.userLogin = parent.userLogin;
+      this.deviceId = parent.deviceId;
       this.activeProjectId = parent.activeProjectId;
       this.projectKeyId = parent.projectKeyId;
@@ -2467 +2706 @@
     
   }
+  
+  /**
+    Class for storing temporary device information for a user
+    that has been authenticated but before a device has been 
+    verified.
+    
+    @since 3.12
+  */
+  public static class UnverifiedDeviceInfo
+  {
+    UserDeviceData device;
+    LoginRequest loginRequest;
+    AuthenticatedUser authenticatedUser;
+    
+    String verificationCode;
+    String message;
+    
+    /**
+      Get the token for this device. If the verification is successful
+      (see {@link SessionControl#verifyDevice(String, boolean)} the
+      client must store this token and submit it together with the login
+      information the next time the user is logging in.
+    */
+    public String getDeviceToken()
+    {
+      return device.getToken();
+    }
+    
+    /**
+      Get a message to display for the user on the form where the
+      verification code should be entered.
+    */
+    public String getVerificationSentMessage()
+    {
+      return message;
+    }
+    
+    /**
+      The preferred setting for the "rememberDevice" parameter when
+      verifying the device.
+    */
+    public boolean getDefaultRememberDevice()
+    {
+      return true;
+    }
+  }
+
   
   /**

trunk/src/core/net/sf/basedb/core/authentication/LoginRequest.java

@@ -38 +38 @@
   private String login;
   private String password;
+  private String deviceToken;
   private String comment;
   
@@ -55 +56 @@
   
   /**
+    Create a login request with login + password + deviceToken
+    @since 3.12
+  */
+  public LoginRequest(String login, String password, String deviceToken)
+  {
+    this.login = login;
+    this.password = password;
+    this.deviceToken = deviceToken;
+  }
+  
+  /**
     Create a login request with user id + password
   */
@@ -62 +74 @@
     this.password = password;
   }
+
+  /**
+    Create a login request with user id + password + deviceToken
+    @since 3.12
+  */
+  public LoginRequest(int userId, String password, String deviceToken)
+  {
+    this.userId = userId;
+    this.password = password;
+    this.deviceToken = deviceToken;
+  }
+
   
   /**
@@ -112 +136 @@
   
   /**
+    Set the deviceToken to use.
+    @since 3.12
+  */
+  public void setDeviceToken(String deviceToken)
+  {
+    this.deviceToken = deviceToken;
+  }
+  
+  /**
+    Get the deviceToken to use.
+    @since 3.12
+  */
+  public String getDeviceToken()
+  {
+    return deviceToken;
+  }
+
+  /**
     Set the comment to use.
   */

trunk/www/exception/not_logged_in.jsp

@@ -101 +101 @@
       <input type="hidden" name="redirect" value="<%=redirect%>">
       <input type="hidden" name="useAutoStartPage" value="0">
+      <input type="hidden" name="deviceToken" value="">
   
       <table style="margin: auto; width: 700px; margin-top:5em; ">

trunk/www/login.js

@@ -198 +198 @@
     
     if (frm.target) Dialogs.openPopup('', frm.target, 300, 200);
+    // Set the deviceToken if we have it in local storage
+    if (frm.deviceToken)
+    {
+      var deviceToken = App.getLocal('deviceToken');
+      if (deviceToken) frm.deviceToken.value = deviceToken;
+    }
     if (!pUseLastLogin)
     {

trunk/www/login.jsp

@@ -59 +59 @@
   String errorTitle = null;
   String errorMessage = null;
+  String message = null;
   String login = request.getParameter("login");
     
@@ -64 +65 @@
   {
     String password = request.getParameter("password");
+    String deviceToken = Values.getStringOrNull(request.getParameter("deviceToken"));
     try
     {
       if (sc.isLoggedIn()) sc.logout();
-      LoginRequest loginRequest = new LoginRequest(login, password);
+      LoginRequest loginRequest = new LoginRequest(login, password, deviceToken);
+      loginRequest.setAttribute("user-agent", request.getHeader("User-Agent"));
       sc.login(loginRequest);
       useAutoStartPage = Values.getBoolean(request.getParameter("useAutoStartPage"));
     }
+    catch (DeviceNotVerifiedException ex)
+    {
+      message = "Device not verified";
+      redirect = root + "verify_device.jsp?ID=" + sc.getId();
+    }
     catch (LoginException ex)
     {
@@ -89 +97 @@
     {
       errorTitle = "Permission denied";
+      errorMessage = ex.getMessage();
+    }
+  }
+  else if ("VerifyDevice".equals(cmd))
+  {
+    String verificationCode = request.getParameter("verificationCode");
+    boolean rememberDevice = Values.getBoolean(request.getParameter("rememberDevice"));
+    try
+    {
+      sc.verifyDevice(verificationCode, rememberDevice);
+    }
+    catch (LoginException ex)
+    {
+      errorTitle = "Login failed";
       errorMessage = ex.getMessage();
     }
@@ -190 +212 @@
     else
     {
+      if (message == null) message = "Login successful";
       if (redirect == null)
       {
-        response.sendRedirect(root+"common/close_popup.jsp?message=Login+successful&refresh_opener=1");
+        response.sendRedirect(root+"common/close_popup.jsp?message="+HTML.urlEncode(message)+"&refresh_opener=1");
       }
       else
       {
-        response.sendRedirect(root+"common/close_popup.jsp?message=Login+successful&redirect_opener="+HTML.urlEncode(redirect));
+        response.sendRedirect(root+"common/close_popup.jsp?message="+HTML.urlEncode(message)+"&redirect_opener="+HTML.urlEncode(redirect));
       }
     }

trunk/www/main.jsp

@@ -112 +112 @@
     <input type="hidden" name="ID" value="<%=ID%>">
     <input type="hidden" name="useAutoStartPage" value="1">
+    <input type="hidden" name="deviceToken" value="">
     
     <table style="margin: auto; width: 700px;">

trunk/www/switch.jsp

@@ -93 +93 @@
     <input type="hidden" name="redirect" value="">
     <input type="hidden" name="useAutoStartPage" value="0">
+    <input type="hidden" name="deviceToken" value="">
   
     <div class="content">

trunk/www/views/devices/list_devices.jsp

@@ -323 +323 @@
           if (devices != null)
           {
+            int currentDeviceId = sc.getDeviceId();
             while (devices.hasNext())
             {
@@ -363 +364 @@
                   clazz="icons" 
                   visible="<%=mode.hasIcons()%>"
-                  >&nbsp;</tbl:header>
+                  ><base:icon
+                    image="star.png"
+                    tooltip="This is the current device"
+                    visible="<%=itemId == currentDeviceId%>" 
+                  />&nbsp;</tbl:header>
                 <tbl:cell column="name"><div
                   class="link table-item"