delete duplicate jwt cookie if present (#209)

cabinetoffice · Apr 26, 2024 · 552268a · 552268a
1 parent bd68d98
commit 552268a
Showing 1 changed file with 28 additions and 4 deletions.
diff --git a/src/main/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2.java b/src/main/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2.java
@@ -35,10 +35,8 @@
 import org.springframework.web.util.WebUtils;
 
 import java.net.MalformedURLException;
-import java.util.List;
-import java.util.Map;
-import java.util.Objects;
-import java.util.Optional;
+import java.util.*;
+import java.util.stream.Collectors;
 
 import static net.logstash.logback.argument.StructuredArguments.entries;
 
@@ -103,6 +101,7 @@ public RedirectView login(
             final HttpServletRequest request,
             final HttpServletResponse response) throws MalformedURLException {
         final Cookie customJWTCookie = WebUtils.getCookie(request, userServiceCookieName);
+
         final boolean isTokenValid = customJWTCookie != null
                 && customJWTCookie.getValue() != null
                 && customJwtService.isTokenValid(customJWTCookie.getValue());
@@ -113,6 +112,8 @@ public RedirectView login(
         }
 
         if (!isTokenValid) {
+            deleteDuplicateJWTCookieIfPresent(request, response);
+
             final String nonce = oneLoginService.generateAndStoreNonce();
             String saltId = encryptionService.generateAndStoreSalt();
             final String encodedState = oneLoginService.generateAndStoreState(response, redirectUrl, saltId);
@@ -172,6 +173,7 @@ public RedirectView redirectAfterLogin(
 
         final StateCookieDto stateCookieDto = oneLoginService.decodeStateCookie(stateCookie);
         final String redirectUrl = stateCookieDto.getRedirectUrl();
+
         oneLoginService.verifyStateAndNonce(decodedIdToken.getNonce(), stateCookieDto, state);
 
         final OneLoginUserInfoDto userInfo = oneLoginService.getOneLoginUserInfoDto(authToken);
@@ -292,6 +294,28 @@ private void deleteStateCookie(HttpServletResponse response) {
         response.addCookie(stateCookieReplacement);
     }
 
+    // This shouldn't be required going forward, and can be removed in the next release.
+    //
+    // This is needed for the Apr 2024 deployment, as we're changing the domain the cookie is issued against to allow
+    // it to persist across both production domains. This can result in clients storing two cookies with the same name
+    // and sending them both in requests, which can then lead to an infinite redirect loop on login as we continually
+    // read the old, expired token and issue a new valid one. This function removes the old cookie (which didn't allow
+    // subdomains) if it is present.
+    private void deleteDuplicateJWTCookieIfPresent(final HttpServletRequest request, final HttpServletResponse response) {
+        final Cookie[] cookies = request.getCookies();
+
+        if (cookies == null) return;
+
+        final Cookie[] customJWTCookies = Arrays.stream(cookies).filter(cookie ->
+                cookie.getName().equals(userServiceCookieName)
+        ).toArray(Cookie[]::new);
+
+        if (customJWTCookies.length > 1) {
+            Cookie nullCustomJWTCookie = WebUtil.buildNullCookie(userServiceCookieName);
+            response.addCookie(nullCustomJWTCookie);
+        }
+    }
+
     private String generate404UrlBasedOnHighestRole(List<String> roles) {
         final String PAGE_404 = "/404";
         if (roles.contains(RoleEnum.SUPER_ADMIN.name()) || roles.contains(RoleEnum.ADMIN.name()))