afet-yonetim-sistemi · agitrubard · Dec 10, 2024 · Nov 12, 2024 · Nov 12, 2024 · Nov 12, 2024
@@ -2,7 +2,9 @@
 
 import lombok.RequiredArgsConstructor;
 import org.ays.auth.filter.AysBearerTokenAuthenticationFilter;
+import org.ays.auth.filter.AysRateLimitFilter;
 import org.ays.auth.security.AysAuthenticationEntryPoint;
+import org.ays.common.filter.AysAuditLogFilter;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
@@ -58,15 +60,19 @@ SessionAuthenticationStrategy sessionAuthenticationStrategy() {
      * Returns the {@link SecurityFilterChain} instance that defines the security configuration for HTTP requests.
      *
      * @param httpSecurity                    the {@link HttpSecurity} instance to configure
+     * @param auditLogFilter                  the {@link AysAuditLogFilter} instance to log audit information
+     * @param rateLimitFilter                 the {@link AysRateLimitFilter} instance to rate limit requests
      * @param bearerTokenAuthenticationFilter the {@link AysBearerTokenAuthenticationFilter} instance to authenticate bearer tokens
      * @param customAuthenticationEntryPoint  the {@link AysAuthenticationEntryPoint} instance to handle authentication errors
      * @return the {@link SecurityFilterChain} instance
      * @throws Exception if there is an error setting up the filter chain
      */
     @Bean
-    SecurityFilterChain filterChain(HttpSecurity httpSecurity,
-                                    AysBearerTokenAuthenticationFilter bearerTokenAuthenticationFilter,
-                                    AysAuthenticationEntryPoint customAuthenticationEntryPoint)
+    SecurityFilterChain filterChain(final HttpSecurity httpSecurity,
+                                    final AysAuditLogFilter auditLogFilter,
+                                    final AysRateLimitFilter rateLimitFilter,
+                                    final AysBearerTokenAuthenticationFilter bearerTokenAuthenticationFilter,
+                                    final AysAuthenticationEntryPoint customAuthenticationEntryPoint)
             throws Exception {
 
         httpSecurity
@@ -83,6 +89,8 @@ SecurityFilterChain filterChain(HttpSecurity httpSecurity,
                         .anyRequest().authenticated()
                 )
                 .sessionManagement(customizer -> customizer.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                .addFilterBefore(auditLogFilter, BearerTokenAuthenticationFilter.class)
+                .addFilterBefore(rateLimitFilter, BearerTokenAuthenticationFilter.class)
                 .addFilterBefore(bearerTokenAuthenticationFilter, BearerTokenAuthenticationFilter.class);
 
         return httpSecurity.build();

@@ -1,41 +1,40 @@
 package org.ays.auth.filter;
 
-import com.google.common.cache.CacheBuilder;
-import com.google.common.cache.CacheLoader;
-import com.google.common.cache.LoadingCache;
-import io.github.bucket4j.Bandwidth;
-import io.github.bucket4j.Bucket;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import jakarta.validation.constraints.NotNull;
 import lombok.RequiredArgsConstructor;
-import lombok.extern.slf4j.Slf4j;
-import org.ays.auth.model.AysToken;
 import org.ays.auth.service.AysInvalidTokenService;
 import org.ays.auth.service.AysTokenService;
-import org.ays.common.util.HttpServletRequestUtil;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.http.HttpHeaders;
+import org.ays.common.model.request.AysHttpHeader;
+import org.ays.common.model.request.AysHttpServletRequest;
+import org.ays.common.model.response.AysHttpServletResponse;
+import org.springframework.core.annotation.Order;
 import org.springframework.lang.NonNull;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Component;
 import org.springframework.web.filter.OncePerRequestFilter;
 
 import java.io.IOException;
-import java.time.Duration;
-import java.util.List;
-import java.util.concurrent.ExecutionException;
-import java.util.concurrent.TimeUnit;
 
 /**
- * AysBearerTokenAuthenticationFilter is a filter that intercepts HTTP requests and processes the Bearer tokens included in the Authorization headers.
- * If the token is valid, the user is authenticated and added to the SecurityContext for the duration of the request.
- * If the token is invalid, a 401 Unauthorized response is returned.
- * <p>The filter uses an instance of AysTokenService to verify and validate the token and retrieve the user authentication.
+ * Filter responsible for handling Bearer token-based authentication in incoming HTTP requests.
+ * <p>
+ * This filter intercepts requests and checks for the presence of a Bearer token in the `Authorization` header.
+ * If a valid token is found:
+ * <ul>
+ *     <li>The token is verified and validated using {@link AysTokenService}.</li>
+ *     <li>The token's payload is retrieved, and its validity is checked using {@link AysInvalidTokenService}.</li>
+ *     <li>An {@link org.springframework.security.core.Authentication} object is created and added to the {@link SecurityContextHolder} for the current request.</li>
+ * </ul>
+ * If the token is invalid, the filter does not authenticate the request, and a 401 Unauthorized response may be returned.
+ * <p>
+ * This filter ensures that only authenticated users can access secured resources in the application.
+ * It runs with an order of {@code 3}, which allows it to be executed after other filters with lower order values.
  */
-@Slf4j
+@Order(3)
 @Component
 @RequiredArgsConstructor
 public class AysBearerTokenAuthenticationFilter extends OncePerRequestFilter {
@@ -44,141 +43,31 @@ public class AysBearerTokenAuthenticationFilter extends OncePerRequestFilter {
     private final AysInvalidTokenService invalidTokenService;
 
 
-    @Value("${ays.rate-limit.authorized.enabled}")
-    private boolean isAuthorizedRateLimitEnabled;
-
-    private static final int MAXIMUM_AUTHORIZED_REQUESTS_COUNTS = 20;
-    private static final int MAXIMUM_AUTHORIZED_REQUESTS_DURATION_MINUTES = 1;
-    private static final Duration MAXIMUM_AUTHORIZED_REQUESTS_DURATION = Duration.ofMinutes(MAXIMUM_AUTHORIZED_REQUESTS_DURATION_MINUTES);
-    private final LoadingCache<String, Bucket> authorizedBuckets = CacheBuilder.newBuilder()
-            .expireAfterWrite(MAXIMUM_AUTHORIZED_REQUESTS_DURATION_MINUTES, TimeUnit.MINUTES)
-            .build(new CacheLoader<>() {
-                @Override
-                public @NotNull Bucket load(@NotNull String key) {
-                    return newBucket(
-                            MAXIMUM_AUTHORIZED_REQUESTS_COUNTS,
-                            MAXIMUM_AUTHORIZED_REQUESTS_DURATION
-                    );
-                }
-            });
-
-
-    @Value("${ays.rate-limit.unauthorized.enabled}")
-    private boolean isUnauthorizedRateLimitEnabled;
-
-    private static final int MAXIMUM_UNAUTHORIZED_REQUESTS_COUNTS = 5;
-    private static final int MAXIMUM_UNAUTHORIZED_REQUESTS_DURATION_MINUTES = 10;
-    private static final Duration MAXIMUM_UNAUTHORIZED_REQUESTS_DURATION = Duration.ofMinutes(MAXIMUM_UNAUTHORIZED_REQUESTS_DURATION_MINUTES);
-    private final LoadingCache<String, Bucket> unauthorizedBuckets = CacheBuilder.newBuilder()
-            .expireAfterWrite(MAXIMUM_UNAUTHORIZED_REQUESTS_DURATION_MINUTES, TimeUnit.MINUTES)
-            .build(new CacheLoader<>() {
-                @Override
-                public @NotNull Bucket load(@NotNull String key) {
-                    return newBucket(
-                            MAXIMUM_UNAUTHORIZED_REQUESTS_COUNTS,
-                            MAXIMUM_UNAUTHORIZED_REQUESTS_DURATION
-                    );
-                }
-            });
-
-
-    private static final List<String> ALLOWED_PATHS = List
-            .of("/public/actuator");
-
-
     @Override
     protected void doFilterInternal(@NotNull HttpServletRequest httpServletRequest,
                                     @NonNull HttpServletResponse httpServletResponse,
                                     @NonNull FilterChain filterChain) throws ServletException, IOException {
 
-        final String authorizationHeader = httpServletRequest.getHeader(HttpHeaders.AUTHORIZATION);
+        final AysHttpServletRequest aysHttpServletRequest = (AysHttpServletRequest) httpServletRequest;
+        final AysHttpHeader aysHttpHeader = aysHttpServletRequest.getHeader();
 
-        boolean rateLimitExceeded = this.isRateLimitExceeded(
-                authorizationHeader,
-                httpServletRequest,
-                httpServletResponse
-        );
+        if (aysHttpHeader.hasBearerToken()) {
 
-        if (rateLimitExceeded) {
-            return;
-        }
-
-        if (AysToken.isBearerToken(authorizationHeader)) {
-
-            final String jwt = AysToken.getJwt(authorizationHeader);
+            final String token = aysHttpHeader.getBearerToken();
 
-            tokenService.verifyAndValidate(jwt);
+            tokenService.verifyAndValidate(token);
 
-            final String tokenId = tokenService.getPayload(jwt).getId();
+            final String tokenId = tokenService.getPayload(token).getId();
             invalidTokenService.checkForInvalidityOfToken(tokenId);
 
-            final var authentication = tokenService.getAuthentication(jwt);
+            final var authentication = tokenService.getAuthentication(token);
             SecurityContextHolder.getContext().setAuthentication(authentication);
             filterChain.doFilter(httpServletRequest, httpServletResponse);
             return;
         }
 
-        filterChain.doFilter(httpServletRequest, httpServletResponse);
-    }
-
-    private boolean isRateLimitExceeded(final String authorizationHeader,
-                                        final HttpServletRequest httpServletRequest,
-                                        final HttpServletResponse httpServletResponse) {
-
-        final String endpoint = httpServletRequest.getRequestURI();
-        boolean isAllowedPath = ALLOWED_PATHS.stream()
-                .anyMatch(endpoint::startsWith);
-
-        boolean isRateLimitEnabled = isAuthorizedRateLimitEnabled || isUnauthorizedRateLimitEnabled;
-
-        if (isAllowedPath || !isRateLimitEnabled) {
-            return false;
-        }
-
-        if (AysToken.isBearerToken(authorizationHeader)) {
-            return this.isRateLimitExceededOnBuckets(authorizedBuckets, httpServletRequest, httpServletResponse);
-        }
-
-        return this.isRateLimitExceededOnBuckets(unauthorizedBuckets, httpServletRequest, httpServletResponse);
-    }
-
-    private boolean isRateLimitExceededOnBuckets(final LoadingCache<String, Bucket> buckets,
-                                                 final HttpServletRequest httpServletRequest,
-                                                 final HttpServletResponse httpServletResponse) {
-
-        final String ipAddress = HttpServletRequestUtil.getClientIpAddress(httpServletRequest);
-
-        try {
-
-            final Bucket bucket = buckets.get(ipAddress);
-            if (bucket.tryConsume(1)) {
-                return false;
-            }
-
-        } catch (ExecutionException exception) {
-            final String method = httpServletRequest.getMethod();
-            final String endpoint = httpServletRequest.getRequestURI();
-            log.error("Error while checking rate limit by {} to {} - {}", ipAddress, method, endpoint);
-            httpServletResponse.setStatus(429);
-            return true;
-        }
-
-        final String method = httpServletRequest.getMethod();
-        final String endpoint = httpServletRequest.getRequestURI();
-        log.warn("Rate limit exceeded by {} to {} - {}", ipAddress, method, endpoint);
-        httpServletResponse.setStatus(429);
-        return true;
-    }
-
-    private static Bucket newBucket(int maximumRequestsCounts, Duration maximumDuration) {
-        final Bandwidth bandwidth = Bandwidth
-                .builder()
-                .capacity(maximumRequestsCounts)
-                .refillIntervally(maximumRequestsCounts, maximumDuration)
-                .build();
-        return Bucket.builder()
-                .addLimit(bandwidth)
-                .build();
+        final AysHttpServletResponse aysHttpServletResponse = (AysHttpServletResponse) httpServletResponse;
+        filterChain.doFilter(aysHttpServletRequest, aysHttpServletResponse);
     }
 
 }