Merge pull request #946 from RADAR-base/bugfix/httpclient-static-vari…

…able

Bugfix/httpclient static variable

radar-auth/src/main/java/org/radarbase/auth/jwks/JwksTokenVerifierLoader.kt

@@ -28,23 +28,6 @@ class JwksTokenVerifierLoader(
     private val resourceName: String,
     private val algorithmParser: JwkParser,
 ) : TokenVerifierLoader {
-    private val httpClient = HttpClient(CIO).config {
-        install(HttpTimeout) {
-            connectTimeoutMillis = Duration.ofSeconds(10).toMillis()
-            socketTimeoutMillis = Duration.ofSeconds(10).toMillis()
-            requestTimeoutMillis = Duration.ofSeconds(30).toMillis()
-        }
-        install(ContentNegotiation) {
-            json(Json {
-                ignoreUnknownKeys = true
-                coerceInputValues = true
-            })
-        }
-        defaultRequest {
-            url(this@JwksTokenVerifierLoader.url)
-            accept(ContentType.Application.Json)
-        }
-    }
 
     override suspend fun fetch(): List<TokenVerifier> {
         val keySet = try {
@@ -94,5 +77,23 @@ class JwksTokenVerifierLoader(
         }
 
         private val logger = LoggerFactory.getLogger(JwksTokenVerifierLoader::class.java)
+
+        private val httpClient = HttpClient(CIO).config {
+            install(HttpTimeout) {
+                connectTimeoutMillis = Duration.ofSeconds(10).toMillis()
+                socketTimeoutMillis = Duration.ofSeconds(10).toMillis()
+                requestTimeoutMillis = Duration.ofSeconds(30).toMillis()
+            }
+            install(ContentNegotiation) {
+                json(Json {
+                    ignoreUnknownKeys = true
+                    coerceInputValues = true
+                })
+            }
+            defaultRequest {
+                url(this@JwksTokenVerifierLoader.url)
+                accept(ContentType.Application.Json)
+            }
+        }
     }
 }

radar-auth/src/main/java/org/radarbase/auth/kratos/SessionService.kt

@@ -20,19 +20,6 @@ import java.time.Duration
  * Service class for handling Kratos sessions but may be extended in the future.
  */
 class SessionService(private val serverUrl: String) {
-    private val httpClient = HttpClient(CIO).config {
-        install(HttpTimeout) {
-            connectTimeoutMillis = Duration.ofSeconds(10).toMillis()
-            socketTimeoutMillis = Duration.ofSeconds(10).toMillis()
-            requestTimeoutMillis = Duration.ofSeconds(300).toMillis()
-        }
-        install(ContentNegotiation) {
-            json(Json {
-                ignoreUnknownKeys = true
-                coerceInputValues = true
-            })
-        }
-    }
 
     /** Get a [KratosSessionDTO] for a given session token. Returns the generated [KratosSessionDTO] */
     @Throws(IdpException::class)
@@ -93,5 +80,19 @@ class SessionService(private val serverUrl: String) {
 
     companion object {
         private val log = LoggerFactory.getLogger(SessionService::class.java)
+
+        private val httpClient = HttpClient(CIO).config {
+            install(HttpTimeout) {
+                connectTimeoutMillis = Duration.ofSeconds(10).toMillis()
+                socketTimeoutMillis = Duration.ofSeconds(10).toMillis()
+                requestTimeoutMillis = Duration.ofSeconds(300).toMillis()
+            }
+            install(ContentNegotiation) {
+                json(Json {
+                    ignoreUnknownKeys = true
+                    coerceInputValues = true
+                })
+            }
+        }
     }
 }

src/main/java/org/radarbase/management/security/JwtAuthenticationFilter.kt

@@ -1,6 +1,14 @@
 package org.radarbase.management.security
 
 import io.ktor.http.*
+import java.io.IOException
+import java.time.Instant
+import javax.annotation.Nonnull
+import javax.servlet.FilterChain
+import javax.servlet.ServletException
+import javax.servlet.http.HttpServletRequest
+import javax.servlet.http.HttpServletResponse
+import javax.servlet.http.HttpSession
 import org.radarbase.auth.authentication.TokenValidator
 import org.radarbase.auth.authorization.AuthorityReference
 import org.radarbase.auth.authorization.RoleAuthority
@@ -20,14 +28,6 @@ import org.springframework.security.oauth2.provider.OAuth2Authentication
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher
 import org.springframework.web.cors.CorsUtils
 import org.springframework.web.filter.OncePerRequestFilter
-import java.io.IOException
-import java.time.Instant
-import javax.annotation.Nonnull
-import javax.servlet.FilterChain
-import javax.servlet.ServletException
-import javax.servlet.http.HttpServletRequest
-import javax.servlet.http.HttpServletResponse
-import javax.servlet.http.HttpSession
 
 
 /**
@@ -77,7 +77,12 @@ class JwtAuthenticationFilter @JvmOverloads constructor(
             val stringToken = tokenFromHeader(httpRequest)
             var token: RadarToken? = null
             var exMessage = "No token provided"
-            if (stringToken != null) {
+            token = session?.radarToken
+                ?.takeIf { Instant.now() < it.expiresAt }
+            if (token != null) {
+                Companion.logger.debug("Using token from session")
+            }
+            else if (stringToken != null) {
                 try {
                     token = validator.validateBlocking(stringToken)
                     Companion.logger.debug("Using token from header")
@@ -86,13 +91,6 @@ class JwtAuthenticationFilter @JvmOverloads constructor(
                     Companion.logger.info("Failed to validate token from header: {}", exMessage)
                 }
             }
-            if (token == null) {
-                token = session?.radarToken
-                    ?.takeIf { Instant.now() < it.expiresAt }
-                if (token != null) {
-                    Companion.logger.debug("Using token from session")
-                }
-            }
             if (!validateToken(token, httpRequest, httpResponse, session, exMessage)) {
                 return
             }