breaking: Removed Poynt token exchange grant and added the returning …

…of refresh token within cookie. (#171)

src/it/java/it/pagopa/swclient/mil/auth/resource/TokenResourceIT.java

@@ -6,8 +6,8 @@
 package it.pagopa.swclient.mil.auth.resource;
 
 import static io.restassured.RestAssured.given;
-import static org.hamcrest.Matchers.nullValue;
 import static org.hamcrest.Matchers.notNullValue;
+import static org.hamcrest.Matchers.nullValue;
 
 import java.io.File;
 
@@ -21,8 +21,6 @@
 import com.nimbusds.jose.util.StandardCharset;
 
 import io.restassured.RestAssured;
-import io.restassured.filter.log.RequestLoggingFilter;
-import io.restassured.filter.log.ResponseLoggingFilter;
 import it.pagopa.swclient.mil.auth.bean.AuthFormParamName;
 import it.pagopa.swclient.mil.auth.bean.AuthJsonPropertyName;
 import it.pagopa.swclient.mil.auth.bean.GetAccessTokenResponse;
@@ -60,7 +58,7 @@ class TokenResourceIT {
 	 */
 	private static String adminClientId;
 	private static String adminClientSecret;
-	
+
 	/*
 	 * 
 	 */
@@ -81,15 +79,15 @@ static void loadOpenApiDescriptor() {
 			new OpenApiValidationFilter(
 				Files.contentOf(
 					new File("src/main/resources/META-INF/openapi.yaml"),
-					StandardCharset.UTF_8))/*,
-			new RequestLoggingFilter(),
-			new ResponseLoggingFilter()*/);
+					StandardCharset.UTF_8))/*
+											 * , new RequestLoggingFilter(), new ResponseLoggingFilter()
+											 */);
 
 		baseUri = System.getProperty("base_uri");
 
 		adminClientId = System.getProperty("admin_client_id");
 		adminClientSecret = System.getProperty("admin_client_secret");
-		
+
 		secretlessClientId = System.getProperty("secretless_client_id");
 
 		testUsername = System.getProperty("test_username");
@@ -297,7 +295,7 @@ void given_rightRefreshToken_when_theEndPointIsInvoked_then_getAccessAndRefreshT
 			.response()
 			.as(GetAccessTokenResponse.class);
 
-		String refreshToken = getAccessTokenResponse.getRefreshToken();
+		String refreshToken = getAccessTokenResponse.getRefreshToken().serialize();
 
 		/*
 		 * Test
@@ -357,7 +355,7 @@ void given_rightRefreshTokenAndOfflineAccessIsRequired_when_theEndPointIsInvoked
 			.response()
 			.as(GetAccessTokenResponse.class);
 
-		String refreshToken = getAccessTokenResponse.getRefreshToken();
+		String refreshToken = getAccessTokenResponse.getRefreshToken().serialize();
 
 		/*
 		 * Test

src/main/java/it/pagopa/swclient/mil/auth/AuthErrorCode.java

@@ -56,6 +56,7 @@ public final class AuthErrorCode {
 	public static final String ERROR_DECRYPTING_CLAIM           = MODULE_ID + "000028";
 	public static final String ERROR_SIGNING_TOKEN              = MODULE_ID + "000029";
 	public static final String USER_NOT_FOUND                   = MODULE_ID + "00002A";
+	public static final String WRONG_CLIENT_ID                  = MODULE_ID + "00002B";
 	// @formatter:on
 
 	public static final String MUST_NOT_BE_NULL_MSG = " must not be null";
@@ -78,6 +79,7 @@ public final class AuthErrorCode {
 	public static final String TOKEN_MUST_NOT_BE_NULL_MSG          = "[" + TOKEN_MUST_NOT_BE_NULL          + "] Token"         + MUST_NOT_BE_NULL_MSG;
 	public static final String TOKEN_MUST_MATCH_REGEXP_MSG         = "[" + TOKEN_MUST_MATCH_REGEXP         + "] Token"         + MUST_MATCH_REGEXP_MSG;
 	public static final String USER_NOT_FOUND_MSG                  = "[" + USER_NOT_FOUND                  + "] User not found";
+	public static final String WRONG_CLIENT_ID_MSG                 = "[" + WRONG_CLIENT_ID                 + "] Wrong client ID";
 	// @formatter:on
 
 	/**

src/main/java/it/pagopa/swclient/mil/auth/admin/bean/AdminJsonPropertyName.java

@@ -159,7 +159,7 @@ public class AdminJsonPropertyName {
 	 * </p>
 	 */
 	public static final String PASSWORD = "password";
-	
+
 	/**
 	 * <p>
 	 * Secretless flag.

src/main/java/it/pagopa/swclient/mil/auth/admin/bean/CreateClientRequest.java

@@ -58,7 +58,7 @@ public class CreateClientRequest {
 	@JsonProperty(value = AdminJsonPropertyName.SUBJECT)
 	@Pattern(regexp = AdminValidationPattern.SUBJECT, message = AdminErrorCode.SUBJECT_MUST_MATCH_REGEXP_MSG)
 	private String subject;
-	
+
 	/**
 	 * <p>
 	 * If true the secret will not be generated.

src/main/java/it/pagopa/swclient/mil/auth/admin/bean/CreateUserRequest.java

@@ -71,7 +71,7 @@ public class CreateUserRequest {
 	@JsonProperty(value = AdminJsonPropertyName.MERCHANT_ID)
 	@Pattern(regexp = ValidationPattern.MERCHANT_ID, message = ErrorCode.MERCHANT_ID_MUST_MATCH_REGEXP_MSG)
 	private String merchantId;
-	
+
 	/**
 	 * <p>
 	 * Client ID.

src/main/java/it/pagopa/swclient/mil/auth/admin/resource/ClientResource.java

@@ -20,8 +20,8 @@
 import it.pagopa.swclient.mil.auth.admin.AdminErrorCode;
 import it.pagopa.swclient.mil.auth.admin.bean.AdminPathParamName;
 import it.pagopa.swclient.mil.auth.admin.bean.Client;
-import it.pagopa.swclient.mil.auth.admin.bean.CreateClientResponse;
 import it.pagopa.swclient.mil.auth.admin.bean.CreateClientRequest;
+import it.pagopa.swclient.mil.auth.admin.bean.CreateClientResponse;
 import it.pagopa.swclient.mil.auth.admin.bean.PageMetadata;
 import it.pagopa.swclient.mil.auth.admin.bean.PageOfClients;
 import it.pagopa.swclient.mil.auth.admin.bean.ReadClientsRequest;

src/main/java/it/pagopa/swclient/mil/auth/bean/AuthCookieParamName.java

@@ -0,0 +1,17 @@
+/*
+ * AuthCookieParamName.java
+ *
+ * 3 jan 2025
+ */
+package it.pagopa.swclient.mil.auth.bean;
+
+/**
+ * 
+ * @author Antonio Tarricone
+ */
+public class AuthCookieParamName {
+	public static final String REFRESH_COOKIE = "refresh_cookie";
+
+	private AuthCookieParamName() {
+	}
+}

src/main/java/it/pagopa/swclient/mil/auth/bean/AuthValidationPattern.java

@@ -10,7 +10,7 @@
  * @author Antonio Tarricone
  */
 public class AuthValidationPattern {
-	public static final String GRANT_TYPE = "^" + GrantType.PASSWORD + "|" + GrantType.REFRESH_TOKEN + "|" + GrantType.POYNT_TOKEN + "|" + GrantType.CLIENT_CREDENTIALS + "$";
+	public static final String GRANT_TYPE = "^" + GrantType.PASSWORD + "|" + GrantType.REFRESH_TOKEN + "|" + GrantType.CLIENT_CREDENTIALS + "$";
 	public static final String USERNAME = "^[ -~]{1,64}$";
 	public static final String PASSWORD = "^[ -~]{1,64}$"; // NOSONAR This isn't a password!!!
 	public static final String REFRESH_TOKEN = "^[a-zA-Z0-9_-]{1,1024}\\.[a-zA-Z0-9_-]{1,1024}\\.[a-zA-Z0-9_-]{1,1024}$";

src/main/java/it/pagopa/swclient/mil/auth/bean/GetAccessTokenRequest.java

@@ -5,6 +5,9 @@
  */
 package it.pagopa.swclient.mil.auth.bean;
 
+import com.nimbusds.jwt.SignedJWT;
+
+import io.quarkus.logging.Log;
 import io.quarkus.runtime.annotations.RegisterForReflection;
 import it.pagopa.swclient.mil.ErrorCode;
 import it.pagopa.swclient.mil.auth.AuthErrorCode;
@@ -13,6 +16,7 @@
 import it.pagopa.swclient.mil.bean.ValidationPattern;
 import jakarta.validation.constraints.NotNull;
 import jakarta.validation.constraints.Pattern;
+import jakarta.ws.rs.CookieParam;
 import jakarta.ws.rs.FormParam;
 import jakarta.ws.rs.HeaderParam;
 import lombok.AllArgsConstructor;
@@ -88,24 +92,8 @@ public class GetAccessTokenRequest {
 	 * refresh_token
 	 */
 	@FormParam(AuthFormParamName.REFRESH_TOKEN)
-	@Pattern(regexp = AuthValidationPattern.REFRESH_TOKEN, message = AuthErrorCode.REFRESH_TOKEN_MUST_MATCH_REGEXP_MSG)
 	@ToString.Exclude
-	private String refreshToken;
-
-	/*
-	 * poynt_token
-	 */
-	@FormParam(AuthFormParamName.EXT_TOKEN)
-	@Pattern(regexp = AuthValidationPattern.EXT_TOKEN, message = AuthErrorCode.EXT_TOKEN_MUST_MATCH_REGEXP_MSG)
-	@ToString.Exclude
-	private String extToken;
-
-	/*
-	 * add_data
-	 */
-	@FormParam(AuthFormParamName.ADD_DATA)
-	@Pattern(regexp = AuthValidationPattern.ADD_DATA, message = AuthErrorCode.ADD_DATA_MUST_MATCH_REGEXP_MSG)
-	private String addData;
+	private SignedJWT refreshToken;
 
 	/*
 	 * client_id
@@ -137,4 +125,21 @@ public class GetAccessTokenRequest {
 	@Pattern(regexp = AuthValidationPattern.FISCAL_CODE, message = AuthErrorCode.FISCAL_CODE_MUST_MATCH_REGEXP_MSG)
 	@ToString.Exclude
 	private String fiscalCode;
+
+	/*
+	 * refresh_cookie
+	 */
+	@CookieParam(AuthCookieParamName.REFRESH_COOKIE)
+	private SignedJWT refreshCookie;
+
+	/**
+	 * 
+	 */
+	public GetAccessTokenRequest normalize() {
+		if (refreshToken == null && refreshCookie != null) {
+			Log.debug("The request to refresh tokens contains a refresh cookie");
+			refreshToken = refreshCookie;
+		}
+		return this;
+	}
 }

src/main/java/it/pagopa/swclient/mil/auth/bean/GetAccessTokenResponse.java

@@ -8,8 +8,11 @@
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonInclude.Include;
 import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import com.nimbusds.jwt.SignedJWT;
 
 import io.quarkus.runtime.annotations.RegisterForReflection;
+import it.pagopa.swclient.mil.auth.util.SignedJWTSerializer;
 import lombok.AllArgsConstructor;
 import lombok.Data;
 import lombok.NoArgsConstructor;
@@ -31,14 +34,16 @@ public class GetAccessTokenResponse {
 	 */
 	@JsonProperty(AuthJsonPropertyName.ACCESS_TOKEN)
 	@ToString.Exclude
-	private String accessToken;
+	@JsonSerialize(using = SignedJWTSerializer.class)
+	private SignedJWT accessToken;
 
 	/*
 	 * refresh_token
 	 */
 	@JsonProperty(AuthJsonPropertyName.REFRESH_TOKEN)
 	@ToString.Exclude
-	private String refreshToken;
+	@JsonSerialize(using = SignedJWTSerializer.class)
+	private SignedJWT refreshToken;
 
 	/*
 	 * token_type
@@ -57,7 +62,7 @@ public class GetAccessTokenResponse {
 	 * @param refreshToken
 	 * @param expiresIn
 	 */
-	public GetAccessTokenResponse(String accessToken, String refreshToken, long expiresIn) {
+	public GetAccessTokenResponse(SignedJWT accessToken, SignedJWT refreshToken, long expiresIn) {
 		this.accessToken = accessToken;
 		this.refreshToken = refreshToken;
 		this.expiresIn = expiresIn;

src/main/java/it/pagopa/swclient/mil/auth/bean/GrantType.java

@@ -11,7 +11,6 @@
 public class GrantType {
 	public static final String PASSWORD = "password";
 	public static final String REFRESH_TOKEN = "refresh_token";
-	public static final String POYNT_TOKEN = "poynt_token";
 	public static final String CLIENT_CREDENTIALS = "client_credentials";
 
 	private GrantType() {

src/main/java/it/pagopa/swclient/mil/auth/dao/UserEntity.java

@@ -84,7 +84,7 @@ public class UserEntity {
 	 */
 	@BsonProperty(value = MERCHANT_ID_PRP)
 	public String merchantId;
-	
+
 	/*
 	 *
 	 */

src/main/java/it/pagopa/swclient/mil/auth/dao/UserRepository.java

@@ -26,7 +26,7 @@ public class UserRepository implements ReactivePanacheMongoRepository<UserEntity
 		"%s = ?1 and %s = ?2",
 		UserEntity.USERNAME_PRP,
 		UserEntity.CLIENT_ID_PRP);
-	
+
 	/**
 	 * 
 	 * @param username