Fix problem with backend clients

corbel-platform · Apr 26, 2017 · ee1316a · ee1316a
1 parent 9dfe677
commit ee1316a
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 14 deletions.
diff --git a/iam/src/main/java/io/corbel/iam/api/UserResource.java b/iam/src/main/java/io/corbel/iam/api/UserResource.java
@@ -105,7 +105,7 @@ public Response getUsers(@PathParam("domain") String domain, @Rest QueryParamete
     public Response postUser(@PathParam("domain") String domainId, @Valid UserWithIdentity user, @Context UriInfo uriInfo,
             @Auth AuthorizationInfo authorizationInfo, @HeaderParam(CustomHeaders.X_CAPTCHA) String captcha) {
 
-        if(!captchaService.verifyRequestCaptcha(domainId, captcha)) {
+        if(!captchaService.verifyRequestCaptcha(domainId, authorizationInfo.getClientId(), captcha)) {
             return IamErrorResponseFactory.getInstance().unauthorized();
         }
 
@@ -412,7 +412,7 @@ public Response getUserProfiles(@PathParam("domain") String domainId, @Auth Auth
     public Response generateResetPasswordEmail(@PathParam("domain") String domainId, @QueryParam("email") String email,
                                                @HeaderParam(CustomHeaders.X_CAPTCHA) String captcha,
                                                @Auth AuthorizationInfo authorizationInfo) {
-        if(captchaService.verifyRequestCaptcha(domainId, captcha)) {
+        if(captchaService.verifyRequestCaptcha(domainId, authorizationInfo.getClientId(), captcha)) {
             userService.sendMailResetPassword(email, authorizationInfo.getClientId(), domainId);
         }
         return Response.noContent().build();

diff --git a/iam/src/main/java/io/corbel/iam/service/CaptchaService.java b/iam/src/main/java/io/corbel/iam/service/CaptchaService.java
@@ -5,6 +5,6 @@
  */
 public interface CaptchaService {
 
-    boolean verifyRequestCaptcha(String domainId, String captcha);
+    boolean verifyRequestCaptcha(String domainId, String clientId, String captcha);
 
 }
diff --git a/iam/src/main/java/io/corbel/iam/service/DefaultCaptchaService.java b/iam/src/main/java/io/corbel/iam/service/DefaultCaptchaService.java
@@ -3,6 +3,7 @@
 import ch.compile.recaptcha.ReCaptchaVerify;
 import ch.compile.recaptcha.model.SiteVerifyResponse;
 import io.corbel.iam.api.IamErrorResponseFactory;
+import org.apache.commons.lang3.ArrayUtils;
 
 import javax.ws.rs.NotFoundException;
 import java.io.IOException;
@@ -14,6 +15,7 @@
  */
 public class DefaultCaptchaService implements CaptchaService {
 
+    private static final String CAPTCHA_IGNORED_CLIENTS = "ignored_clients";
     private static final String CAPTCHA_SECRET_KEY = "secret_key";
     private static final String CAPTCHA_KEY = "captcha";
 
@@ -24,18 +26,22 @@ public DefaultCaptchaService(DomainService domainService) {
     }
 
     @Override
-    public boolean verifyRequestCaptcha(String domainId, String captcha) {
+    public boolean verifyRequestCaptcha(String domainId, String clientId, String captcha) {
         return domainService.getDomain(domainId).map(domain -> {
             Map<String, String> configuration = domain.getAuthConfigurations().get(CAPTCHA_KEY);
-            if(configuration != null) {
-                ReCaptchaVerify reCaptchaVerify = new ReCaptchaVerify(configuration.get(CAPTCHA_SECRET_KEY));
-                try {
-                    SiteVerifyResponse siteVerifyResponse = reCaptchaVerify.verify(captcha, null);
-                    return siteVerifyResponse.isSuccess();
-                } catch (IOException e) {
-                    return false;
+            if (configuration != null) {
+                String[] ignoredClients = configuration.getOrDefault(CAPTCHA_IGNORED_CLIENTS, "").split(",");
+                if (!ArrayUtils.contains(ignoredClients, clientId)) {
+                    ReCaptchaVerify reCaptchaVerify = new ReCaptchaVerify(configuration.get(CAPTCHA_SECRET_KEY));
+                    try {
+                        SiteVerifyResponse siteVerifyResponse = reCaptchaVerify.verify(captcha, null);
+                        return siteVerifyResponse.isSuccess();
+                    } catch (IOException e) {
+                        return false;
+                    }
                 }
-            } else return true;
+            }
+            return true;
         }).orElse(false);
     }
 }
diff --git a/iam/src/test/java/io/corbel/iam/api/UserResourceTest.java b/iam/src/test/java/io/corbel/iam/api/UserResourceTest.java
@@ -122,7 +122,7 @@ protected ResourceTestRule getTestRule() {
     public void setUp() {
         reset(userServiceMock, domainServiceMock, identityServiceMock);
         when(TEST_DOMAIN.getDefaultScopes()).thenReturn(ImmutableSet.of("defaultScope1", "defaultScope2"));
-        when(captchaServiceMock.verifyRequestCaptcha(TEST_DOMAIN_ID, null)).thenReturn(true);
+        when(captchaServiceMock.verifyRequestCaptcha(TEST_DOMAIN_ID, TEST_CLIENT_ID, null)).thenReturn(true);
         when(domainServiceMock.getDomain(TEST_DOMAIN_ID)).thenReturn(Optional.of(TEST_DOMAIN));
     }
 
@@ -1188,7 +1188,7 @@ public void testGetProfilesWithValidQuery() throws MalformedJsonQueryException,
     public void testGenerateResetPasswordEmail() {
         Response response = RULE.client().target("/v1.0/" + TEST_DOMAIN_ID + "/user/resetPassword")
                 .request(MediaType.APPLICATION_JSON_TYPE).header(AUTHORIZATION, "Bearer " + TEST_TOKEN).get(Response.class);
-        when(captchaServiceMock.verifyRequestCaptcha(TEST_DOMAIN_ID, null)).thenReturn(true);
+        when(captchaServiceMock.verifyRequestCaptcha(TEST_DOMAIN_ID, TEST_CLIENT_ID, null)).thenReturn(true);
         assertThat(response.getStatus()).isEqualTo(Response.Status.NO_CONTENT.getStatusCode());
     }