feat: Set the auth cookie with expiration and when the token is valid on GET /v2/authentication (DEV-5783) (#3925)

<!-- Important! Please follow the guidelines for naming Pull Requests:
https://docs.dasch.swiss/latest/developers/contribution/ -->

### Description

<!-- Please add a short description of the changes -->

<!-- * **What kind of change does this PR introduce?** (Bug fix,
feature, docs update, ...) -->

<!-- * **What is the current behavior?** (You can also link to an open
issue here) -->

<!-- * **What is the new behavior (if this is a feature change)?** -->

<!-- * **Does this PR introduce a breaking change?**
(What changes might users need to make in their application due to this
PR?) -->

<!-- * **Other information**: -->

Author: seakayone

modules/test-e2e/src/test/scala/org/knora/webapi/slice/security/api/AuthenticationEndpointsV2E2ESpec.scala

@@ -20,6 +20,7 @@ import org.knora.webapi.slice.api.v2.authentication.AuthenticationEndpointsV2.Lo
 import org.knora.webapi.slice.api.v2.authentication.AuthenticationEndpointsV2.TokenResponse
 import org.knora.webapi.testservices.ResponseOps.*
 import org.knora.webapi.testservices.TestApiClient
+
 object AuthenticationEndpointsV2E2ESpec extends E2EZSpec {
 
   private val validPassword = "test"
@@ -85,7 +86,7 @@ object AuthenticationEndpointsV2E2ESpec extends E2EZSpec {
           checkAfterLogout <- TestApiClient.getJson[CheckResponse](uri"/v2/authentication", _.auth.bearer(token))
         } yield assertTrue(
           checkAfterLogout.code == StatusCode.Unauthorized,
-          checkAfterLogout.body == Right(CheckResponse("Invalid credentials.")),
+          checkAfterLogout.body == Right(CheckResponse("bad credentials: not valid")),
         )
       },
     ),

webapi/src/main/scala/org/knora/webapi/slice/api/v2/authentication/AuthenticationEndpointsV2.scala

@@ -10,6 +10,8 @@ import sttp.tapir.*
 import sttp.tapir.codec.refined.*
 import sttp.tapir.generic.auto.*
 import sttp.tapir.json.zio.jsonBody
+import sttp.tapir.model.UsernamePassword
+import sttp.tapir.ztapir.auth
 import zio.*
 import zio.json.*
 import zio.json.internal.Write
@@ -21,16 +23,19 @@ import org.knora.webapi.slice.common.api.BaseEndpoints
 import org.knora.webapi.slice.infrastructure.Jwt
 import org.knora.webapi.slice.security.Authenticator
 
-case class AuthenticationEndpointsV2(
-  private val baseEndpoints: BaseEndpoints,
-  private val authenticator: Authenticator,
+final class AuthenticationEndpointsV2(
+  baseEndpoints: BaseEndpoints,
+  authenticator: Authenticator,
 ) {
 
   private val basePath: EndpointInput[Unit] = "v2" / "authentication"
   private val cookieName                    = authenticator.calculateCookieName()
 
-  val getV2Authentication = baseEndpoints.securedEndpoint.get
+  val getV2Authentication = baseEndpoints.publicEndpoint.get
     .in(basePath)
+    .in(auth.bearer[Option[String]](WWWAuthenticateChallenge.bearer))
+    .in(auth.basic[Option[UsernamePassword]](WWWAuthenticateChallenge.basic("realm")))
+    .out(setCookieOpt(cookieName))
     .out(jsonBody[CheckResponse])
 
   val postV2Authentication = baseEndpoints.publicEndpoint.post
@@ -53,6 +58,7 @@ object AuthenticationEndpointsV2 {
 
   final case class CheckResponse(message: String)
   object CheckResponse {
+    val OK                         = CheckResponse("credentials are OK")
     given JsonCodec[CheckResponse] = DeriveJsonCodec.gen[CheckResponse]
   }
 

webapi/src/main/scala/org/knora/webapi/slice/api/v2/authentication/AuthenticationRestService.scala

@@ -12,6 +12,8 @@ import java.time.Instant
 
 import dsp.errors.BadCredentialsException
 import org.knora.webapi.config.AppConfig
+import org.knora.webapi.slice.admin.domain.model.Email
+import org.knora.webapi.slice.api.v2.authentication.AuthenticationEndpointsV2.CheckResponse
 import org.knora.webapi.slice.api.v2.authentication.AuthenticationEndpointsV2.LoginPayload
 import org.knora.webapi.slice.api.v2.authentication.AuthenticationEndpointsV2.LoginPayload.EmailPassword
 import org.knora.webapi.slice.api.v2.authentication.AuthenticationEndpointsV2.LoginPayload.IriPassword
@@ -22,47 +24,83 @@ import org.knora.webapi.slice.infrastructure.Jwt
 import org.knora.webapi.slice.security.Authenticator
 import org.knora.webapi.slice.security.Authenticator.BAD_CRED_NOT_VALID
 
-final case class AuthenticationRestService(
-  private val authenticator: Authenticator,
-  private val appConfig: AppConfig,
+final class AuthenticationRestService(
+  authenticator: Authenticator,
+  appConfig: AppConfig,
 ) {
 
+  def checkAuthentication(
+    token: Option[String],
+    usernamePassword: Option[sttp.tapir.model.UsernamePassword],
+  ): IO[BadCredentialsException, (Option[CookieValueWithMeta], CheckResponse)] =
+    (token, usernamePassword) match {
+      case (None, None)            => ZIO.fail(BadCredentialsException(BAD_CRED_NOT_VALID))
+      case (Some(jwtString), None) =>
+        authenticator
+          .parseToken(jwtString)
+          .mapBoth(
+            _ => BadCredentialsException(BAD_CRED_NOT_VALID),
+            jwt => (Some(setCookie(jwt)), CheckResponse.OK),
+          )
+      case (None, Some(usernamePassword)) =>
+        for {
+          email <- ZIO
+                     .fromEither(Email.from(usernamePassword.username))
+                     .orElseFail(BadCredentialsException(BAD_CRED_NOT_VALID))
+          password <- ZIO
+                        .fromOption(usernamePassword.password)
+                        .orElseFail(BadCredentialsException(BAD_CRED_NOT_VALID))
+          resp <- authenticator
+                    .authenticate(email, password)
+                    .mapBoth(
+                      _ => BadCredentialsException(BAD_CRED_NOT_VALID),
+                      _ => (None, CheckResponse.OK),
+                    )
+        } yield resp
+      case (Some(_), Some(_)) =>
+        ZIO.fail(BadCredentialsException("Provide either a JWT token or basic auth credentials, not both."))
+    }
+
+  private def setCookie(jwt: Jwt) = {
+    val expiresAt     = Instant.ofEpochSecond(jwt.expiration)
+    val maxAgeSeconds = jwt.expiration - Instant.now().getEpochSecond
+    CookieValueWithMeta.unsafeApply(
+      domain = Some(appConfig.cookieDomain),
+      expires = Some(expiresAt),
+      maxAge = Some(maxAgeSeconds),
+      httpOnly = true,
+      path = Some("/"),
+      value = jwt.jwtString,
+    )
+  }
+
+  private val removeCookie = CookieValueWithMeta.unsafeApply(
+    domain = Some(appConfig.cookieDomain),
+    expires = Some(Instant.EPOCH),
+    httpOnly = true,
+    maxAge = Some(0),
+    path = Some("/"),
+    value = "",
+  )
+
   def authenticate(login: LoginPayload): IO[BadCredentialsException, (CookieValueWithMeta, TokenResponse)] =
     (login match {
       case IriPassword(iri, password)           => authenticator.authenticate(iri, password)
       case UsernamePassword(username, password) => authenticator.authenticate(username, password)
       case EmailPassword(email, password)       => authenticator.authenticate(email, password)
-    }).mapBoth(_ => BadCredentialsException(BAD_CRED_NOT_VALID), (_, token) => setCookieAndResponse(token))
-
-  private def setCookieAndResponse(token: Jwt) =
-    (
-      CookieValueWithMeta.unsafeApply(
-        domain = Some(appConfig.cookieDomain),
-        httpOnly = true,
-        path = Some("/"),
-        value = token.jwtString,
-      ),
-      TokenResponse(token.jwtString),
+    }).mapBoth(
+      _ => BadCredentialsException(BAD_CRED_NOT_VALID),
+      (_, jwt) => (setCookie(jwt), TokenResponse(jwt)),
     )
 
-  def logout(tokenFromBearer: Option[String], tokenFromCookie: Option[String]) =
+  def logout(
+    tokenFromBearer: Option[String],
+    tokenFromCookie: Option[String],
+  ): UIO[(CookieValueWithMeta, LogoutResponse)] =
     ZIO
       .foreachDiscard(Set(tokenFromBearer, tokenFromCookie).flatten)(authenticator.invalidateToken)
       .ignore
-      .as {
-        (
-          CookieValueWithMeta.unsafeApply(
-            domain = Some(appConfig.cookieDomain),
-            expires = Some(Instant.EPOCH),
-            httpOnly = true,
-            maxAge = Some(0),
-            path = Some("/"),
-            value = "",
-          ),
-          LogoutResponse(0, "Logout OK"),
-        )
-      }
-
+      .as((removeCookie, LogoutResponse(0, "Logout OK")))
 }
 
 object AuthenticationRestService {

webapi/src/main/scala/org/knora/webapi/slice/api/v2/authentication/AuthenticationServerEndpoints.scala

@@ -8,14 +8,12 @@ package org.knora.webapi.slice.api.v2.authentication
 import sttp.tapir.ztapir.*
 import zio.*
 
-import org.knora.webapi.slice.api.v2.authentication.AuthenticationEndpointsV2.CheckResponse
-
 final class AuthenticationServerEndpoints(
   restService: AuthenticationRestService,
   endpoints: AuthenticationEndpointsV2,
 ) {
   val serverEndpoints: List[ZServerEndpoint[Any, Any]] = List(
-    endpoints.getV2Authentication.serverLogic(_ => _ => ZIO.succeed(CheckResponse("credentials are OK"))),
+    endpoints.getV2Authentication.zServerLogic(restService.checkAuthentication),
     endpoints.postV2Authentication.zServerLogic(restService.authenticate),
     endpoints.deleteV2Authentication.zServerLogic(restService.logout),
   )

webapi/src/main/scala/org/knora/webapi/slice/infrastructure/JwtService.scala

@@ -11,6 +11,7 @@ import pdi.jwt.JwtHeader
 import pdi.jwt.JwtZIOJson
 import zio.Clock
 import zio.Duration
+import zio.IO
 import zio.Random
 import zio.Task
 import zio.UIO
@@ -21,6 +22,7 @@ import zio.json.ast.Json
 
 import scala.util.Success
 
+import dsp.errors.BadCredentialsException
 import dsp.valueobjects.Iri
 import dsp.valueobjects.UuidUtil
 import org.knora.webapi.IRI
@@ -54,7 +56,7 @@ trait JwtService {
    * @param token  the JWT.
    * @return a [[Boolean]].
    */
-  def isTokenValid(token: String): Boolean
+  def parseToken(token: String): IO[BadCredentialsException, Jwt]
 
   /**
    * Extracts the encoded user IRI. This method also makes sure that the required headers and claims are present.
@@ -115,9 +117,19 @@ final case class JwtServiceLive(
    * present.
    *
    * @param token  the JWT.
-   * @return a [[Boolean]].
+   * @return the Jwt or fails with BadCredentialsException.
    */
-  override def isTokenValid(token: String): Boolean = !cache.contains(token) && decodeToken(token).isDefined
+  override def parseToken(str: String): IO[BadCredentialsException, Jwt] =
+    if (cache.contains(str)) {
+      ZIO.fail(BadCredentialsException("Invalid JWT token"))
+    } else {
+      decodeToken(str) match {
+        case Some((_, claim)) =>
+          ZIO.succeed(Jwt(str, claim.expiration.getOrElse(0L)))
+        case None =>
+          ZIO.fail(BadCredentialsException("Invalid JWT token"))
+      }
+    }
 
   /**
    * Extracts the encoded user IRI. This method also makes sure that the required headers and claims are present.

webapi/src/main/scala/org/knora/webapi/slice/security/Authenticator.scala

@@ -45,6 +45,7 @@ trait Authenticator {
   def calculateCookieName(): String
 
   def invalidateToken(jwt: String): IO[AuthenticatorError, Unit]
+  def parseToken(jwt: String): IO[AuthenticatorError, Jwt]
   def authenticate(userIri: UserIri, password: String): IO[AuthenticatorError, (User, Jwt)]
   def authenticate(username: Username, password: String): IO[AuthenticatorError, (User, Jwt)]
   def authenticate(email: Email, password: String): IO[AuthenticatorError, (User, Jwt)]
@@ -64,6 +65,11 @@ final case class AuthenticatorLive(
   private val invalidTokens: InvalidTokenCache,
 ) extends Authenticator {
 
+  override def parseToken(jwt: String): IO[AuthenticatorError, Jwt] = for {
+    _   <- ZIO.fail(BadCredentials).when(invalidTokens.contains(jwt))
+    jwt <- jwtService.parseToken(jwt).orElseFail(AuthenticatorError.BadCredentials)
+  } yield jwt
+
   override def authenticate(userIri: UserIri, password: String): IO[AuthenticatorError, (User, Jwt)] = for {
     user <- getUserByIri(userIri)
     _    <- ensurePasswordMatch(user, password)

webapi/src/test/scala/org/knora/webapi/slice/admin/domain/service/DspIngestClientLiveSpec.scala

@@ -21,6 +21,7 @@ import com.github.tomakehurst.wiremock.client.WireMock.urlPathEqualTo
 import com.github.tomakehurst.wiremock.core.WireMockConfiguration.options
 import com.github.tomakehurst.wiremock.matching.RequestPatternBuilder
 import zio.Console
+import zio.IO
 import zio.Random
 import zio.Scope
 import zio.Task
@@ -40,6 +41,7 @@ import zio.test.TestEnvironment
 import zio.test.ZIOSpecDefault
 import zio.test.assertTrue
 
+import dsp.errors.BadCredentialsException
 import org.knora.webapi.IRI
 import org.knora.webapi.config.DspIngestConfig
 import org.knora.webapi.slice.admin.domain.model.KnoraProject.Shortcode
@@ -137,7 +139,7 @@ object DspIngestClientLiveSpecLayers {
     new JwtService {
       override def createJwtForDspIngest(): UIO[Jwt]                                                = ZIO.succeed(Jwt("mock-jwt-string-value", Long.MaxValue))
       override def createJwt(user: UserIri, scope: AuthScope, content: Map[String, Json]): UIO[Jwt] = unsupported
-      override def isTokenValid(token: String): Boolean                                             = throw new UnsupportedOperationException("not implemented")
+      override def parseToken(token: String): IO[BadCredentialsException, Jwt]                      = unsupported
       override def extractUserIriFromToken(token: String): Task[Option[IRI]]                        = unsupported
     }
   }

webapi/src/test/scala/org/knora/webapi/slice/infrastructure/JwtServiceLiveSpec.scala

@@ -22,6 +22,7 @@ import zio.test.Spec
 import zio.test.TestAspect
 import zio.test.TestEnvironment
 import zio.test.ZIOSpecDefault
+import zio.test.assertCompletes
 import zio.test.assertTrue
 import zio.test.check
 
@@ -146,9 +147,9 @@ object JwtServiceLiveSpec extends ZIOSpecDefault {
     },
     test("validate a self issued token") {
       for {
-        token   <- JwtService(_.createJwt(user.userIri, AuthScope.empty))
-        isValid <- ZIO.serviceWith[JwtService](_.isTokenValid(token.jwtString))
-      } yield assertTrue(isValid)
+        token <- JwtService(_.createJwt(user.userIri, AuthScope.empty))
+        _     <- ZIO.serviceWith[JwtService](_.parseToken(token.jwtString))
+      } yield assertCompletes
     },
     test("fail to validate an invalid token") {
       def createClaim(
@@ -176,10 +177,10 @@ object JwtServiceLiveSpec extends ZIOSpecDefault {
         Gen.fromIterable(Seq(issuerMissing, invalidSubject, missingAudience, missingIat, expired, missingJwtId)),
       ) { claim =>
         for {
-          secret  <- ZIO.serviceWith[JwtConfig](_.secret)
-          token    = JwtZIOJson.encode("""{"typ":"JWT","alg":"HS256"}""", claim.toJson, secret, JwtAlgorithm.HS256)
-          isValid <- ZIO.serviceWith[JwtService](_.isTokenValid(token))
-        } yield assertTrue(!isValid)
+          secret <- ZIO.serviceWith[JwtConfig](_.secret)
+          token   = JwtZIOJson.encode("""{"typ":"JWT","alg":"HS256"}""", claim.toJson, secret, JwtAlgorithm.HS256)
+          exit   <- ZIO.serviceWithZIO[JwtService](_.parseToken(token).exit)
+        } yield assertTrue(exit.isFailure)
       }
     },
   ) @@ TestAspect.withLiveEnvironment @@ TestAspect.beforeAll(ZIO.serviceWith[CacheManager](_.clearAll())))