From 0b3668c39d9a854984be1a6bb55d437de31eb57d Mon Sep 17 00:00:00 2001
From: Marten Muru <marten.muru@nortal.com>
Date: Mon, 1 Apr 2024 08:10:46 +0300
Subject: [PATCH] AUT-1735 Add representee.* scope option when logging in and
 optional scope input when refreshing govsso session

---
 .../GovssoRefreshTokenTokenResponseClient.java       |  7 ++++++-
 .../govsso/filter/GovssoRefreshTokenFilter.java      | 12 +++++++-----
 .../static/scripts/govsso-session-update.js          |  6 +++++-
 src/main/resources/templates/dashboard.html          |  9 +++++++++
 src/main/resources/templates/loginView.html          |  7 +++++++
 5 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/src/main/java/ee/ria/govsso/client/govsso/configuration/GovssoRefreshTokenTokenResponseClient.java b/src/main/java/ee/ria/govsso/client/govsso/configuration/GovssoRefreshTokenTokenResponseClient.java
index 958554f..89c1a4a 100644
--- a/src/main/java/ee/ria/govsso/client/govsso/configuration/GovssoRefreshTokenTokenResponseClient.java
+++ b/src/main/java/ee/ria/govsso/client/govsso/configuration/GovssoRefreshTokenTokenResponseClient.java
@@ -67,6 +67,9 @@ private RequestEntity<?> toRequestEntity(Request request) {
         MultiValueMap<String, String> params = new LinkedMultiValueMap<>();
         params.add(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.REFRESH_TOKEN.getValue());
         params.add(OAuth2ParameterNames.REFRESH_TOKEN, request.getOAuth2RefreshToken().getTokenValue());
+        if (request.getScope() != null) {
+            params.add(OAuth2ParameterNames.SCOPE, request.getScope());
+        }
 
         HttpHeaders headers = new HttpHeaders();
         headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));
@@ -90,10 +93,12 @@ private RequestEntity<?> toRequestEntity(Request request) {
     public static class Request extends AbstractOAuth2AuthorizationGrantRequest {
 
         private final OAuth2RefreshToken oAuth2RefreshToken;
+        private final String scope;
 
-        public Request(ClientRegistration clientRegistration, OAuth2RefreshToken oAuth2RefreshToken) {
+        public Request(ClientRegistration clientRegistration, OAuth2RefreshToken oAuth2RefreshToken, String scope) {
             super(AuthorizationGrantType.REFRESH_TOKEN, clientRegistration);
             this.oAuth2RefreshToken = oAuth2RefreshToken;
+            this.scope = scope;
         }
     }
 
diff --git a/src/main/java/ee/ria/govsso/client/govsso/filter/GovssoRefreshTokenFilter.java b/src/main/java/ee/ria/govsso/client/govsso/filter/GovssoRefreshTokenFilter.java
index 346efbf..3c7a341 100644
--- a/src/main/java/ee/ria/govsso/client/govsso/filter/GovssoRefreshTokenFilter.java
+++ b/src/main/java/ee/ria/govsso/client/govsso/filter/GovssoRefreshTokenFilter.java
@@ -70,14 +70,14 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
             return;
         }
         try {
-            handleRefresh(response);
+            handleRefresh(response, request.getParameter("scope"));
         } catch (Exception e) {
             log.error("Refresh token request failed", e);
             response.setStatus(HttpServletResponse.SC_FORBIDDEN);
         }
     }
 
-    private void handleRefresh(HttpServletResponse response) throws IOException {
+    private void handleRefresh(HttpServletResponse response, String scope) throws IOException {
         Authentication previousAuthentication =
                 SecurityContextHolder.getContext().getAuthentication();
         if (!(previousAuthentication instanceof GovssoAuthentication previousGovssoAuthentication)) {
@@ -94,7 +94,7 @@ private void handleRefresh(HttpServletResponse response) throws IOException {
         ClientRegistration clientRegistration =
                 clientRegistrationRepository.findByRegistrationId(GOVSSO_REGISTRATION_ID);
         OAuth2AccessTokenResponse tokenResponse =
-                performRefreshTokenGrantRequest(clientRegistration, previousGovssoAuthentication.getRefreshToken());
+                performRefreshTokenGrantRequest(clientRegistration, previousGovssoAuthentication.getRefreshToken(), scope);
         GovssoAuthentication newAuthToken =
                 createNewAuthentication(clientRegistration, tokenResponse);
         SecurityContextHolder.getContext().setAuthentication(newAuthToken);
@@ -135,10 +135,12 @@ private void writeResponse(HttpServletResponse response, OidcIdToken idToken, St
 
     private OAuth2AccessTokenResponse performRefreshTokenGrantRequest(
             ClientRegistration clientRegistration,
-            OAuth2RefreshToken refreshToken) {
+            OAuth2RefreshToken refreshToken,
+            String scope) {
         GovssoRefreshTokenTokenResponseClient.Request tokenRequest = new GovssoRefreshTokenTokenResponseClient.Request(
                 clientRegistration,
-                refreshToken);
+                refreshToken,
+                scope);
         return refreshTokenResponseClient.getTokenResponse(tokenRequest);
     }
 
diff --git a/src/main/resources/static/scripts/govsso-session-update.js b/src/main/resources/static/scripts/govsso-session-update.js
index ac70b96..4c2797b 100644
--- a/src/main/resources/static/scripts/govsso-session-update.js
+++ b/src/main/resources/static/scripts/govsso-session-update.js
@@ -35,8 +35,12 @@ function updateGovSsoSession() {
     $('#updateButton').prop('disabled',true);
     const csrfToken = $('meta[name="_csrf"]').attr('content');
     const csrfHeader = $('meta[name="_csrf_header"]').attr('content');
+    var scope = '';
+    if ($('#scope').val()) {
+        scope = '?scope=' + $('#scope').val();
+    }
     (async () => {
-        await fetch('/oauth2/refresh/govsso', {
+        await fetch('/oauth2/refresh/govsso' + scope, {
             method: 'POST',
             headers: {
                 [csrfHeader]: csrfToken,
diff --git a/src/main/resources/templates/dashboard.html b/src/main/resources/templates/dashboard.html
index 76baf93..053ff8c 100644
--- a/src/main/resources/templates/dashboard.html
+++ b/src/main/resources/templates/dashboard.html
@@ -59,6 +59,15 @@ <h1 class="h2">Dashboard</h1>
                             Update GovSSO session
                         </button>
                     </div>
+                    <div th:if="${authentication_provider == 'govsso'}"
+                         class="d-flex justify-content-between flex-wrap flex-md-nowrap align-items-center mb-2 mb-md-0">
+                        <div class="mx-2">
+                            <span>scopes: </span>
+                        </div>
+                        <div>
+                            <input class="form-control form-control-sm" type="text" id="scope" name="scope"/>
+                        </div>
+                    </div>
                 </div>
             </div>
             <div class="card mb-2">
diff --git a/src/main/resources/templates/loginView.html b/src/main/resources/templates/loginView.html
index 259000a..3227e2b 100644
--- a/src/main/resources/templates/loginView.html
+++ b/src/main/resources/templates/loginView.html
@@ -148,6 +148,13 @@ <h4>Authentication Request</h4>
                                     phone
                                 </label>
                             </div>
+                            <div class="form-check">
+                                <input class="form-check-input" type="checkbox" id="authScopeRepresentee"
+                                       name="scope" value="representee.*"/>
+                                <label class="form-check-label" for="authScopeRepresentee">
+                                    representee.*
+                                </label>
+                            </div>
                             <div class="form-row">
                                 <div class="col-sm-3">
                                     <input class="form-control form-control-sm" type="text" id="authScopeCustom"