Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[#5851] Add error messages on authentication failures with username and password #6212

Merged
merged 10 commits into from
Dec 4, 2023
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
- Add `rpc-gas-cap` to allow users to set gas limit to the RPC methods used to simulate transactions[#6156](https://github.com/hyperledger/besu/pull/6156)
- Fix the unavailability of `address` field when returning an `Account` entity on GraphQL in case of unreachable world state [#6198](https://github.com/hyperledger/besu/pull/6198)
- Update OpenJ9 Docker image to latest version [#6226](https://github.com/hyperledger/besu/pull/6226)
- Add error messages on authentication failures with username and password [#6212](https://github.com/hyperledger/besu/pull/6212)

### Bug fixes
- Fix Docker image name clash between Besu and evmtool [#6194](https://github.com/hyperledger/besu/pull/6194)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@
public class DefaultAuthenticationService implements AuthenticationService {

public static final String USERNAME = "username";
public static final String PASSWORD = "password";
private final JWTAuth jwtAuthProvider;
@VisibleForTesting public final JWTAuthOptions jwtAuthOptions;
private final Optional<AuthenticationProvider> credentialAuthProvider;
Expand Down Expand Up @@ -171,19 +172,21 @@ private void login(
final RoutingContext routingContext, final AuthenticationProvider credentialAuthProvider) {
final JsonObject requestBody = routingContext.body().asJsonObject();

if (requestBody == null) {
if (requestBody == null
|| requestBody.getValue(USERNAME) == null
|| requestBody.getValue(PASSWORD) == null) {
routingContext
.response()
.setStatusCode(HttpResponseStatus.BAD_REQUEST.code())
.setStatusMessage(HttpResponseStatus.BAD_REQUEST.reasonPhrase())
.end();
.end("Authentication failed: username and password are required.");
return;
}

// Check user
final JsonObject authParams = new JsonObject();
authParams.put(USERNAME, requestBody.getValue(USERNAME));
authParams.put("password", requestBody.getValue("password"));
authParams.put(PASSWORD, requestBody.getValue(PASSWORD));
final Credentials credentials = new UsernamePasswordCredentials(authParams);

credentialAuthProvider.authenticate(
Expand All @@ -194,7 +197,7 @@ private void login(
.response()
.setStatusCode(HttpResponseStatus.UNAUTHORIZED.code())
.setStatusMessage(HttpResponseStatus.UNAUTHORIZED.reasonPhrase())
.end();
.end("Authentication failed: the username or password is incorrect.");
} else {
final User user = r.result();

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -203,6 +203,18 @@ public static void shutdownServer() {
service.stop().join();
}

@Test
public void loginWithEmptyCredentials() throws IOException {
final RequestBody body = RequestBody.create("{}", JSON);
final Request request = new Request.Builder().post(body).url(baseUrl + "/login").build();
try (final Response resp = client.newCall(request).execute()) {
assertThat(resp.code()).isEqualTo(400);
assertThat(resp.message()).isEqualTo("Bad Request");
final String bodyString = resp.body().string();
assertThat(bodyString).containsIgnoringCase("username and password are required");
}
}

@Test
public void loginWithBadCredentials() throws IOException {
final RequestBody body =
Expand All @@ -211,6 +223,8 @@ public void loginWithBadCredentials() throws IOException {
try (final Response resp = client.newCall(request).execute()) {
assertThat(resp.code()).isEqualTo(401);
assertThat(resp.message()).isEqualTo("Unauthorized");
final String bodyString = resp.body().string();
assertThat(bodyString).containsIgnoringCase("the username or password is incorrect");
}
}

Expand Down
Loading