From 7feea547eb41621a26b17841154d86f0370e7982 Mon Sep 17 00:00:00 2001
From: David Lutzardo
Date: Mon, 4 Dec 2023 15:36:06 +0100
Subject: [PATCH] [#5851] Add error messages on authentication failures with username and password (#6212)
* Add error messages on authentication failures with username and password
Signed-off-by: David Lutzardo
* Add a constant for the 'password'
Signed-off-by: David Lutzardo
* Add test to check empty login and check response in body is not empty
Signed-off-by: David Lutzardo
* Correct format (spotless)
Signed-off-by: David Lutzardo
* Update ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
Co-authored-by: Fabio Di Fabio
Signed-off-by: David Lutzardo
* Update ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
Co-authored-by: Fabio Di Fabio
Signed-off-by: David Lutzardo
* Update JsonRpcHttpServiceLoginTest.java use containsIgnoringCase
Signed-off-by: David Lutzardo
* Add a CHANGELOG entry for PR 6212
Signed-off-by: David Lutzardo
---------
Signed-off-by: David Lutzardo
Co-authored-by: Fabio Di Fabio
---
 CHANGELOG.md | 1 +
 .../DefaultAuthenticationService.java | 11 +++++++----
 .../api/jsonrpc/JsonRpcHttpServiceLoginTest.java | 14 ++++++++++++++
 3 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index eaa028a84a0..f0a00eda376 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@
 - Add `rpc-gas-cap` to allow users to set gas limit to the RPC methods used to simulate transactions[#6156](https://github.com/hyperledger/besu/pull/6156)
 - Fix the unavailability of `address` field when returning an `Account` entity on GraphQL in case of unreachable world state [#6198](https://github.com/hyperledger/besu/pull/6198)
 - Update OpenJ9 Docker image to latest version [#6226](https://github.com/hyperledger/besu/pull/6226)
+- Add error messages on authentication failures with username and password [#6212](https://github.com/hyperledger/besu/pull/6212)
 ### Bug fixes
 - Fix Docker image name clash between Besu and evmtool [#6194](https://github.com/hyperledger/besu/pull/6194)
diff --git a/ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/DefaultAuthenticationService.java b/ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/DefaultAuthenticationService.java
index 96a1a2d023f..89f747d1710 100644
--- a/ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/DefaultAuthenticationService.java
+++ b/ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/DefaultAuthenticationService.java
@@ -46,6 +46,7 @@ public class DefaultAuthenticationService implements AuthenticationService {
 public static final String USERNAME = "username";
+ public static final String PASSWORD = "password";
 private final JWTAuth jwtAuthProvider;
 @VisibleForTesting public final JWTAuthOptions jwtAuthOptions;
 private final Optional credentialAuthProvider;
@@ -171,19 +172,21 @@ private void login(
 final RoutingContext routingContext,
 final AuthenticationProvider credentialAuthProvider) {
 final JsonObject requestBody = routingContext.body().asJsonObject();
- if (requestBody == null) {
+ if (requestBody == null
+ || requestBody.getValue(USERNAME) == null
+ || requestBody.getValue(PASSWORD) == null) {
 routingContext
 .response()
 .setStatusCode(HttpResponseStatus.BAD_REQUEST.code())
 .setStatusMessage(HttpResponseStatus.BAD_REQUEST.reasonPhrase())
- .end();
+ .end("Authentication failed: username and password are required.");
 return;
 }
 // Check user
 final JsonObject authParams = new JsonObject();
 authParams.put(USERNAME, requestBody.getValue(USERNAME));
- authParams.put("password", requestBody.getValue("password"));
+ authParams.put(PASSWORD, requestBody.getValue(PASSWORD));
 final Credentials credentials = new UsernamePasswordCredentials(authParams);
 credentialAuthProvider.authenticate(
@@ -194,7 +197,7 @@ private void login(
 .response()
 .setStatusCode(HttpResponseStatus.UNAUTHORIZED.code())
 .setStatusMessage(HttpResponseStatus.UNAUTHORIZED.reasonPhrase())
- .end();
+ .end("Authentication failed: the username or password is incorrect.");
 } else {
 final User user = r.result();
diff --git a/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java b/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
index a00e7ed7cb8..8d087bbd4e9 100644
--- a/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
+++ b/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
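Review bot: The new guard `requestBody.getValue(USERNAME) == null || requestBody.getValue(PASSWORD) == null` only rejects an absent key, so a body such as `{"username": 1, "password": true}` passes it and the non-string values are copied into `authParams` and handed to `UsernamePasswordCredentials`, where they will presumably fail later with a less clear outcome than the 400 this hunk introduces for missing fields. Tightening the two conditions to `|| !(requestBody.getValue(USERNAME) instanceof String)` and `|| !(requestBody.getValue(PASSWORD) instanceof String)` keeps the 400 path for malformed requests while still covering the missing-key case; whether an empty string should also be rejected here depends on what the credential provider expects. The 400 body text discloses nothing about existing accounts, which is the right property for a login endpoint. `routingContext.body().asJsonObject()` on the line above can still throw on a body that is not valid JSON, but that is pre-existing and not something this guard reaches; login() continues past the end of this hunk.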
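Review bot: The new body `"Authentication failed: the username or password is incorrect."` is returned for every failed result, but the branch that `r.result()` belongs to (its condition is above the hunk) is also taken when the credential provider itself errors, so an outage would be reported to the client as wrong credentials and the underlying cause is never recorded. Keeping the client-facing text generic is correct, since a different message for unknown users would confirm which usernames exist; what is missing is a server-side record, e.g. a debug-level `<logger>.debug("Authentication failed", r.cause());` with the class's logger (placeholder name) before `.end(...)`, which also gives operators a signal for failed-login monitoring. The enclosing `if`/`else` and the declaration of `r` lie outside the hunk.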
@@ -203,6 +203,18 @@ public static void shutdownServer() {
 service.stop().join();
 }
+ @Test
+ public void loginWithEmptyCredentials() throws IOException {
+ final RequestBody body = RequestBody.create("{}", JSON);
+ final Request request = new Request.Builder().post(body).url(baseUrl + "/login").build();
+ try (final Response resp = client.newCall(request).execute()) {
+ assertThat(resp.code()).isEqualTo(400);
+ assertThat(resp.message()).isEqualTo("Bad Request");
+ final String bodyString = resp.body().string();
+ assertThat(bodyString).containsIgnoringCase("username and password are required");
+ }
+ }
+
 @Test
 public void loginWithBadCredentials() throws IOException {
 final RequestBody body =
@@ -211,6 +223,8 @@ public void loginWithBadCredentials() throws IOException {
 try (final Response resp = client.newCall(request).execute()) {
 assertThat(resp.code()).isEqualTo(401);
 assertThat(resp.message()).isEqualTo("Unauthorized");
+ final String bodyString = resp.body().string();
+ assertThat(bodyString).containsIgnoringCase("the username or password is incorrect");
 }
 }
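Review bot: `loginWithEmptyCredentials` only sends `{}`, so the two `||` branches this PR adds to `DefaultAuthenticationService.login` (username present but password absent, and the reverse) are not exercised; a second request such as `RequestBody.create("{\"username\":\"user\"}", JSON)` asserting the same 400 and `containsIgnoringCase("username and password are required")` would pin them. The existing `loginWithBadCredentials` hunk below receives the matching body assertion for the 401 path, so that side is covered. A body that is not valid JSON is still untested, though its handling predates this change.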