2 changes: 1 addition & 1 deletion obp-api/src/main/resources/props/sample.props.template
Expand Up @@ -1632,7 +1632,7 @@ regulated_entities = []
# "grantee_consumer_id": "fb327484-94d7-44d2-83e5-8d27301e8279" \
#}]

# Bootstrap Super User
# Bootstrap Super User / Break Glass
# Given the following credentials, OBP will create a user if they do not already exist.
# This user's password will be valid for a limited time.
# This user will be granted ONLY the CanCreateEntitlementAtAnyBank permission.
16 changes: 8 additions & 8 deletions obp-api/src/main/scala/code/api/directlogin.scala
Expand Up @@ -352,10 +352,10 @@ object DirectLogin extends RestHelper with MdcLoggable {
case false => false
}*/
case _ => false
} recover {
} recoverWith {
case e: Throwable =>
logger.error(s"validatorFuture.validAccessTokenFuture failed: ${e.getMessage}", e)
false
Future.failed(e)
}
}

Expand Down Expand Up @@ -431,10 +431,10 @@ object DirectLogin extends RestHelper with MdcLoggable {
Tokens.tokens.vend.getTokenByKeyAndTypeFuture(tokenKey, TokenType.Access) map {
case Full(token) => token.isValid
case _ => false
} recover {
} recoverWith {
case e: Throwable =>
logger.error(s"validatorFutureWithParams.validAccessTokenFuture failed: ${e.getMessage}", e)
false
Future.failed(e)
}
}

Expand Down Expand Up @@ -638,10 +638,10 @@ object DirectLogin extends RestHelper with MdcLoggable {
Tokens.tokens.vend.getTokenByKeyFuture(token) map {
case Full(t) => t.consumerId.foreign
case _ => Empty
} recover {
} recoverWith {
case e: Throwable =>
logger.error(s"getConsumerFromDirectLoginToken failed: ${e.getMessage}", e)
Empty
Future.failed(e)
}
}

Expand All @@ -661,10 +661,10 @@ object DirectLogin extends RestHelper with MdcLoggable {
}
} yield {
user
}) recover {
}) recoverWith {
case e: Throwable =>
logger.error(s"getUserFromDirectLoginToken failed: ${e.getMessage}", e)
Empty
Future.failed(e)
}
}
}
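Review bot: Each hunk in this file (352, 431, 638, 661) now re-fails the Future in its `recoverWith` branch instead of returning `false`/`Empty`, so a token-store or database error is no longer indistinguishable from a rejected token; that is the safer direction, but it only holds if every caller of `validatorFuture`, `validatorFutureWithParams`, `getConsumerFromDirectLoginToken` and `getUserFromDirectLoginToken` handles a failed Future, which is not visible from these hunks. All four enclosing methods start outside the hunks. The intent deserves a comment at the first `recoverWith`, e.g. `// Propagate backend failures instead of mapping them to "invalid token": an unavailable token store must not look like a bad credential.` Also confirm that the upstream error handler does not echo the propagated exception message to the client, since `e.getMessage` from a JDBC driver can include connection details.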
3 changes: 2 additions & 1 deletion obp-api/src/main/scala/code/api/util/APIUtil.scala
Expand Up @@ -3998,7 +3998,8 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
"public_keycloak_url" -> getPropsValue("public_keycloak_url").openOr("http://localhost:7787"),
"public_obp_hola_url" -> getPropsValue("public_obp_hola_url").openOr("http://localhost:8087"),
"public_obp_mcp_url" -> getPropsValue("public_obp_mcp_url").openOr("http://localhost:9100"),
"public_obp_opey_url" -> getPropsValue("public_obp_opey_url").openOr("http://localhost:5000")
"public_obp_opey_url" -> getPropsValue("public_obp_opey_url").openOr("http://localhost:5000"),
"public_rabbit_cats_adapter_url" -> getPropsValue("public_rabbit_cats_adapter_url").openOr("http://localhost:8089")
)
val publicAppUrlPropNames: List[String] = publicAppUrlDefaults.keys.toList.sorted
// Register defaults so they appear in getConfigPropsPairs
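--- a/obp-api/src/main/scala/code/api/v5_1_0/APIMethods510.scala
+++ b/obp-api/src/main/scala/code/api/v5_1_0/APIMethods510.scala
@@ -2374,6 +2374,19 @@ trait APIMethods510 {
 }
 requestedEntitlements = consentJson.entitlements
 myEntitlements <- Entitlement.entitlement.vend.getEntitlementsByUserIdFuture(user.userId)
+_ = logger.info(s"createConsent says: userId=${user.userId}, userName=${user.name}, requestedEntitlements=${requestedEntitlements.map(re => s"(role_name=${re.role_name}, bank_id=${re.bank_id})")}, myEntitlements=${myEntitlements.getOrElse(Nil).map(e => s"(roleName=${e.roleName}, bankId=${e.bankId})")}")
+_ = {
+val myEnts = myEntitlements.getOrElse(Nil)
+requestedEntitlements.foreach { re =>
+val matched = myEnts.exists(e => e.roleName == re.role_name && e.bankId == re.bank_id)
+logger.info(s"createConsent says: checking requested role_name=${re.role_name}, bank_id='${re.bank_id}' => matched=$matched")
+if (!matched) {
+myEnts.foreach { e =>
+logger.info(s"createConsent says: comparing with roleName=${e.roleName}, bankId='${e.bankId}' => nameMatch=${e.roleName == re.role_name}, bankIdMatch=${e.bankId == re.bank_id}")
+}
+}
+}
+}
 _ <- Helper.booleanToFuture(RolesAllowedInConsent, cc = callContext) {
 requestedEntitlements.forall(
 re => myEntitlements.getOrElse(Nil).exists(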
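Review bot: The two `_ =` bindings added after `myEntitlements <- ...` write every consent request's full requested and held entitlement lists to the INFO log, and the nested `foreach` re-implements the role/bank predicate that `Helper.booleanToFuture(RolesAllowedInConsent, ...)` evaluates a few lines later, so the diagnostic and the real check can drift apart. This is debugging output: emit it at `debug`, only when a requested role is missing, and derive it from the same predicate the check uses (the check below can then become `unmatched.isEmpty`). A side-effecting `_ = { ... }` block inside the `for` is also harder to read than a value binding. The enclosing `for` comprehension starts and ends outside the hunk.
```scala
myEntitlements <- Entitlement.entitlement.vend.getEntitlementsByUserIdFuture(user.userId)
myEnts = myEntitlements.getOrElse(Nil)
// Diagnostic only: requested roles the user does not hold, computed with the same
// predicate as the RolesAllowedInConsent check below so the two cannot drift.
unmatched = requestedEntitlements.filterNot(re =>
  myEnts.exists(e => e.roleName == re.role_name && e.bankId == re.bank_id)
)
_ = if (unmatched.nonEmpty) logger.debug(
  s"createConsent says: userId=${user.userId} lacks ${unmatched.map(re => s"(role_name=${re.role_name}, bank_id=${re.bank_id})").mkString(", ")}; " +
  s"held=${myEnts.map(e => s"(roleName=${e.roleName}, bankId=${e.bankId})").mkString(", ")}"
)
// … unchanged: Helper.booleanToFuture(RolesAllowedInConsent, cc = callContext) { … } …
```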
20 changes: 11 additions & 9 deletions obp-api/src/main/scala/code/api/v6_0_0/APIMethods600.scala
Expand Up @@ -2253,19 +2253,17 @@
JSONFactory600.createProvidersJson(List("http://127.0.0.1:8080", "OBP", "google.com")),
List(
$AuthenticatedUserIsRequired,
UserHasMissingRoles,
UnknownError
),
List(apiTagUser),
Some(List(canGetProviders))
None
)

lazy val getProviders: OBPEndpoint = {
case "providers" :: Nil JsonGet _ =>
cc => implicit val ec = EndpointContext(Some(cc))
for {
(Full(u), callContext) <- authenticatedAccess(cc)
_ <- NewStyle.function.hasEntitlement("", u.userId, canGetProviders, callContext)
providers <- Future { code.model.dataAccess.ResourceUser.getDistinctProviders }
} yield {
(JSONFactory600.createProvidersJson(providers), HttpCode.`200`(callContext))
Expand Down Expand Up @@ -8751,8 +8749,12 @@
lazy val verifyUserCredentials: OBPEndpoint = {
case "users" :: "verify-credentials" :: Nil JsonPost json -> _ => {
cc => implicit val ec = EndpointContext(Some(cc))
// TODO: Consider allowing Client Credentials (app-level) auth instead of user-level auth,

// so the caller doesn't need to be logged in as a user (which is circular for credential verification).
// TODO: Add rate limiting / anti-DOS protection for this endpoint to prevent credential enumeration/spamming.

for {
postedData <- NewStyle.function.tryons(s"$InvalidJsonFormat The Json body should be the PostVerifyUserCredentialsJsonV600", 400, Some(cc)) {
(Full(u), callContext) <- authenticatedAccess(cc)
postedData <- NewStyle.function.tryons(s"$InvalidJsonFormat The Json body should be the PostVerifyUserCredentialsJsonV600", 400, callContext) {
json.extract[PostVerifyUserCredentialsJsonV600]
}
// Validate credentials using the existing AuthUser mechanism
Expand Down Expand Up @@ -8787,27 +8789,27 @@
}
}
// Check if account is locked
_ <- Helper.booleanToFuture(UsernameHasBeenLocked, 401, Some(cc)) {
_ <- Helper.booleanToFuture(UsernameHasBeenLocked, 401, callContext) {
resourceUserIdBox != Full(code.model.dataAccess.AuthUser.usernameLockedStateCode)
}
// Check if credentials are valid
resourceUserId <- Future {
resourceUserIdBox
} map {
x => unboxFullOrFail(x, Some(cc), s"$InvalidLoginCredentials Failed to authenticate user credentials.", 401)
x => unboxFullOrFail(x, callContext, s"$InvalidLoginCredentials Failed to authenticate user credentials.", 401)
}
// Get the user object
user <- Future {
Users.users.vend.getUserByResourceUserId(resourceUserId)
} map {
x => unboxFullOrFail(x, Some(cc), s"$InvalidLoginCredentials User account not found in system.", 401)
x => unboxFullOrFail(x, callContext, s"$InvalidLoginCredentials User account not found in system.", 401)
}
// Verify provider matches if specified and not empty
_ <- Helper.booleanToFuture(s"$InvalidLoginCredentials Authentication provider mismatch.", 401, Some(cc)) {
_ <- Helper.booleanToFuture(s"$InvalidLoginCredentials Authentication provider mismatch.", 401, callContext) {
postedData.provider.isEmpty || user.provider == postedData.provider
}
} yield {
(JSONFactory200.createUserJSON(user), HttpCode.`200`(Some(cc)))
(JSONFactory200.createUserJSON(user), HttpCode.`200`(callContext))
}
}
}
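Review bot: In the `verifyUserCredentials` hunk the locked-account check `Helper.booleanToFuture(UsernameHasBeenLocked, 401, callContext)` fails with a different message from the `InvalidLoginCredentials` failures that follow it, so the response reveals whether the posted username exists and is locked before the password is evaluated; since the endpoint is reachable by any authenticated caller, returning the same generic 401 for both and keeping the lock reason in the server log would close that distinction. The `u` bound by the new `(Full(u), callContext) <- authenticatedAccess(cc)` is never used, so login alone gates verifying other users' credentials; if a role is intended, add `_ <- NewStyle.function.hasEntitlement("", u.userId, <ROLE_PLACEHOLDER>, callContext)` right after it, and the new rate-limiting TODO comment should point at a tracking issue rather than stay open in the endpoint body. In the same file the `getProviders` hunk drops the `canGetProviders` entitlement, so every authenticated user can list the configured providers; if that is intended, the endpoint description (outside the hunk) should state the new access rule. The `verifyUserCredentials` body spans both of its hunks and continues outside them.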