Merge pull request #46429 from michalvavrik/feature/fix-form-auth-logout-logic

Provide a reliable way to perform form-based authentication logout

Author: sberyozkin

docs/src/main/asciidoc/security-authentication-mechanisms.adoc

@@ -194,8 +194,10 @@ code to destroy the cookie.
 
 [source,java]
 ----
-@ConfigProperty(name = "quarkus.http.auth.form.cookie-name")
-String cookieName;
+import io.quarkus.security.identity.CurrentIdentityAssociation;
+import io.quarkus.vertx.http.runtime.security.FormAuthenticationMechanism;
+import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.POST;
 
 @Inject
 CurrentIdentityAssociation identity;
@@ -205,15 +207,11 @@ public Response logout() {
     if (identity.getIdentity().isAnonymous()) {
         throw new UnauthorizedException("Not authenticated");
     }
-    final NewCookie removeCookie = new NewCookie.Builder(cookieName)
-            .maxAge(0)
-            .expiry(Date.from(Instant.EPOCH))
-            .path("/")
-            .build();
-    return Response.noContent().cookie(removeCookie).build();
+    FormAuthenticationMechanism.logout(identity.getIdentity()); <1>
+    return Response.noContent().build();
 }
-
 ----
+<1> Perform the logout by removing the session cookie.
 
 The following properties can be used to configure form-based authentication:
 

extensions/resteasy-reactive/rest/deployment/src/test/java/io/quarkus/resteasy/reactive/server/test/security/FormAuthRedirectTestCase.java

@@ -1,22 +1,45 @@
 package io.quarkus.resteasy.reactive.server.test.security;
 
+import static io.restassured.matcher.RestAssuredMatchers.detailedCookie;
 import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.notNullValue;
 import static org.hamcrest.Matchers.nullValue;
+import static org.junit.jupiter.api.Assertions.assertNull;
 
+import java.net.URI;
+import java.time.Duration;
 import java.util.function.Supplier;
 
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.core.Response;
+
 import org.jboss.shrinkwrap.api.ShrinkWrap;
 import org.jboss.shrinkwrap.api.asset.StringAsset;
 import org.jboss.shrinkwrap.api.spec.JavaArchive;
+import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.RegisterExtension;
 
+import io.quarkus.security.Authenticated;
+import io.quarkus.security.UnauthorizedException;
+import io.quarkus.security.identity.AuthenticationRequestContext;
+import io.quarkus.security.identity.CurrentIdentityAssociation;
+import io.quarkus.security.identity.IdentityProvider;
+import io.quarkus.security.identity.SecurityIdentity;
+import io.quarkus.security.identity.request.TrustedAuthenticationRequest;
+import io.quarkus.security.runtime.QuarkusPrincipal;
+import io.quarkus.security.runtime.QuarkusSecurityIdentity;
 import io.quarkus.security.test.utils.TestIdentityController;
 import io.quarkus.security.test.utils.TestIdentityProvider;
 import io.quarkus.test.QuarkusUnitTest;
+import io.quarkus.vertx.http.runtime.security.FormAuthenticationMechanism;
 import io.restassured.RestAssured;
 import io.restassured.filter.cookie.CookieFilter;
+import io.smallrye.mutiny.Uni;
 
 public class FormAuthRedirectTestCase {
 
@@ -25,14 +48,21 @@ public class FormAuthRedirectTestCase {
         @Override
         public JavaArchive get() {
             return ShrinkWrap.create(JavaArchive.class)
-                    .addClasses(TestIdentityProvider.class, TestIdentityController.class)
-                    .addAsResource(new StringAsset("quarkus.http.auth.form.enabled=true\n"), "application.properties");
+                    .addClasses(TestIdentityProvider.class, TestIdentityController.class, FormAuthResource.class,
+                            TrustedIdentityProvider.class)
+                    .addAsResource(new StringAsset("""
+                            quarkus.http.auth.form.enabled=true
+                            quarkus.http.auth.form.landing-page=/hello
+                            quarkus.http.auth.form.new-cookie-interval=PT1S
+                            """), "application.properties");
         }
     });
 
     @BeforeAll
     public static void setup() {
-        TestIdentityController.resetRoles().add("a d m i n", "a d m i n", "a d m i n");
+        TestIdentityController.resetRoles()
+                .add("a d m i n", "a d m i n", "a d m i n")
+                .add("user", "user");
     }
 
     @Test
@@ -53,4 +83,123 @@ public void testFormAuthFailure() {
                 .header("quarkus-credential", nullValue());
     }
 
+    @Test
+    public void testFormAuthLoginLogout() throws InterruptedException {
+        RestAssured.enableLoggingOfRequestAndResponseIfValidationFails();
+        CookieFilter cookies = new CookieFilter();
+        var response = RestAssured
+                .given()
+                .filter(cookies)
+                .redirects().follow(false)
+                .when()
+                .get("/hello")
+                .then()
+                .assertThat()
+                .statusCode(302)
+                .header("location", containsString("/login.html"))
+                .extract();
+        assertNull(response.cookie("quarkus-credential"));
+
+        RestAssured
+                .given()
+                .filter(cookies)
+                .redirects().follow(false)
+                .when()
+                .formParam("j_username", "user")
+                .formParam("j_password", "user")
+                .post("/j_security_check")
+                .then()
+                .assertThat()
+                .statusCode(302)
+                .header("location", containsString("/hello"))
+                .cookie("quarkus-credential", detailedCookie().value(notNullValue()).sameSite("Strict").path("/"));
+
+        RestAssured
+                .given()
+                .filter(cookies)
+                .redirects().follow(false)
+                .when()
+                .get("/hello")
+                .then()
+                .assertThat()
+                .statusCode(200)
+                .body(equalTo("hello user"));
+
+        Thread.sleep(Duration.ofSeconds(2).toMillis());
+
+        response = RestAssured
+                .given()
+                .filter(cookies)
+                .redirects().follow(false)
+                .when()
+                .get("/logout")
+                .then()
+                .assertThat()
+                .statusCode(303)
+                .header("location", containsString("/"))
+                .extract();
+        String credentialsCookieValue = response.cookie("quarkus-credential");
+        Assertions.assertTrue(credentialsCookieValue == null || credentialsCookieValue.isEmpty(),
+                "Expected credentials cookie was removed, but actual value was " + credentialsCookieValue);
+
+        response = RestAssured
+                .given()
+                .filter(cookies)
+                .redirects().follow(false)
+                .when()
+                .get("/hello")
+                .then()
+                .assertThat()
+                .statusCode(302)
+                .header("location", containsString("/login.html"))
+                .extract();
+        credentialsCookieValue = response.cookie("quarkus-credential");
+        Assertions.assertTrue(credentialsCookieValue == null || credentialsCookieValue.isEmpty());
+    }
+
+    @Path("/")
+    public static class FormAuthResource {
+
+        private final CurrentIdentityAssociation identity;
+
+        public FormAuthResource(CurrentIdentityAssociation identity) {
+            this.identity = identity;
+        }
+
+        @Authenticated
+        @GET
+        @Path("hello")
+        public String hello() {
+            return "hello " + identity.getIdentity().getPrincipal().getName();
+        }
+
+        @GET
+        @Path("logout")
+        public Response logout() {
+            if (identity.getIdentity().isAnonymous()) {
+                throw new UnauthorizedException("Not authenticated");
+            }
+            FormAuthenticationMechanism.logout(identity.getIdentity());
+            return Response.seeOther(URI.create("/"))
+                    .build();
+        }
+    }
+
+    @ApplicationScoped
+    public static class TrustedIdentityProvider implements IdentityProvider<TrustedAuthenticationRequest> {
+        @Override
+        public Class<TrustedAuthenticationRequest> getRequestType() {
+            return TrustedAuthenticationRequest.class;
+        }
+
+        @Override
+        public Uni<SecurityIdentity> authenticate(TrustedAuthenticationRequest trustedAuthenticationRequest,
+                AuthenticationRequestContext authenticationRequestContext) {
+            if ("user".equals(trustedAuthenticationRequest.getPrincipal())) {
+                return Uni.createFrom()
+                        .item(QuarkusSecurityIdentity.builder().setPrincipal(new QuarkusPrincipal("user")).build());
+            }
+            return Uni.createFrom().nullItem();
+        }
+    }
 }

extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/FormAuthenticationMechanism.java

@@ -2,16 +2,19 @@
 
 import static io.quarkus.security.spi.runtime.SecurityEventHelper.fire;
 import static io.quarkus.vertx.http.runtime.security.FormAuthenticationEvent.createLoginEvent;
+import static io.quarkus.vertx.http.runtime.security.RoutingContextAwareSecurityIdentity.addRoutingCtxToIdentityIfMissing;
 
 import java.net.URI;
 import java.security.SecureRandom;
 import java.time.Duration;
 import java.util.Arrays;
 import java.util.Base64;
 import java.util.HashSet;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
 import java.util.function.Consumer;
+import java.util.function.Function;
 
 import jakarta.enterprise.event.Event;
 import jakarta.enterprise.inject.spi.BeanManager;
@@ -41,11 +44,13 @@
 import io.vertx.core.http.Cookie;
 import io.vertx.core.http.CookieSameSite;
 import io.vertx.core.http.HttpMethod;
+import io.vertx.core.http.impl.CookieImpl;
 import io.vertx.ext.web.RoutingContext;
 
 public class FormAuthenticationMechanism implements HttpAuthenticationMechanism {
     private static final String FORM = "form";
-
+    private static final String COOKIE_NAME = "io.quarkus.vertx.http.runtime.security.form.cookie-name";
+    private static final String COOKIE_PATH = "io.quarkus.vertx.http.runtime.security.form.cookie-path";
     private static final Logger log = Logger.getLogger(FormAuthenticationMechanism.class);
 
     private final String loginPage;
@@ -261,7 +266,16 @@ public Uni<SecurityIdentity> authenticate(RoutingContext context,
         if (context.normalizedPath().endsWith(postLocation) && context.request().method().equals(HttpMethod.POST)) {
             //we always re-auth if it is a post to the auth URL
             context.put(HttpAuthenticationMechanism.class.getName(), this);
-            return runFormAuth(context, identityProviderManager);
+            return runFormAuth(context, identityProviderManager)
+                    .onItem().ifNotNull().transform(new Function<SecurityIdentity, SecurityIdentity>() {
+                        @Override
+                        public SecurityIdentity apply(SecurityIdentity identity) {
+                            // used for logout
+                            context.put(COOKIE_NAME, loginManager.getCookieName());
+                            context.put(COOKIE_PATH, cookiePath);
+                            return addRoutingCtxToIdentityIfMissing(identity, context);
+                        }
+                    });
         } else {
             PersistentLoginManager.RestoreResult result = loginManager.restore(context);
             if (result != null) {
@@ -274,6 +288,14 @@ public Uni<SecurityIdentity> authenticate(RoutingContext context,
                     public void accept(SecurityIdentity securityIdentity) {
                         loginManager.save(securityIdentity, context, result, context.request().isSSL());
                     }
+                }).onItem().ifNotNull().transform(new Function<SecurityIdentity, SecurityIdentity>() {
+                    @Override
+                    public SecurityIdentity apply(SecurityIdentity identity) {
+                        // used for logout
+                        context.put(COOKIE_NAME, loginManager.getCookieName());
+                        context.put(COOKIE_PATH, cookiePath);
+                        return addRoutingCtxToIdentityIfMissing(identity, context);
+                    }
                 });
             }
             return Uni.createFrom().optional(Optional.empty());
@@ -311,6 +333,21 @@ public Uni<HttpCredentialTransport> getCredentialTransport(RoutingContext contex
         return Uni.createFrom().item(new HttpCredentialTransport(HttpCredentialTransport.Type.POST, postLocation, FORM));
     }
 
+    public static void logout(SecurityIdentity securityIdentity) {
+        RoutingContext routingContext = HttpSecurityUtils.getRoutingContextAttribute(securityIdentity);
+        logout(routingContext);
+    }
+
+    public static void logout(RoutingContext routingContext) {
+        Objects.requireNonNull(routingContext);
+        String cookieName = Objects.requireNonNull(routingContext.get(COOKIE_NAME));
+        String cookiePath = Objects.requireNonNull(routingContext.get(COOKIE_PATH));
+        Cookie cookie = new CookieImpl(cookieName, "");
+        cookie.setMaxAge(0);
+        cookie.setPath(cookiePath);
+        routingContext.response().addCookie(cookie);
+    }
+
     private static String startWithSlash(String page) {
         if (page == null) {
             return null;

extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/PersistentLoginManager.java

@@ -167,6 +167,10 @@ public void clear(RoutingContext ctx) {
         ctx.response().removeCookie(cookieName);
     }
 
+    String getCookieName() {
+        return cookieName;
+    }
+
     public static class RestoreResult {
 
         private final String principal;